
Re: rkhunter finds something suspicious



You should execute the commands below when you install a new system. Closing unnecessary ports makes your system less susceptible to cracking, rootkit infection and/or malware infection.

On 08.05.20 at 14:33, Elmar Stellnberger wrote:
  I always use
 > netstat -atupn
That shows all open tcp and udp ports. Invoke this before you start Firefox. The list should be empty or only contain sockets on the loopback network interface (127.0.0.*, ::1). To disable unnecessary network daemons use:
 > systemctl disable avahi-daemon/other-daemon
 > systemctl stop avahi-daemon

   For init opening RPC sockets you may need:
 > systemctl disable rpcbind.socket
 > systemctl stop rpcbind.socket

  You may also uninstall unnecessary software:
 > apt-get remove kdeconnect

View all processes with
 > ps ax
That may also be of help:
 > pstree -p

To identify the executable of a process
 > ls -l /proc/1234/exe

And to identify the package an executable belongs to:
 > dpkg -S /bin/bash

If rkhunter ever fails to yield the desired results, use debcheckroot: https://www.elstel.org/debcheckroot/

Also helpful:
 > systemctl -t service -a

If you have a rootkit that, for instance, infects system libraries like glibc, you will not see anything in the netstat or the ps ax output, because these utilities can be replaced by utilities that do not return things belonging to the rootkit. To be sure that your system is clean you will need to use debcheckroot, as rkhunter only knows a certain set of well-known rootkits. However, in this case rkhunter may have found something.


On 08.05.20 at 13:08, shirish शिरीष wrote:

Anyways, I don't really know much about netstat hence used ss which is
a utility to investigate sockets. Fortunately the version of iproute2
is 5.6.0-1, which gives the option of doing something like -

# ss -p
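The thread's check (list listening sockets, ignore loopback, find the owning process, then its executable via /proc/PID/exe) can be done without trusting the netstat or ss binaries by reading /proc/net/tcp and /proc/net/tcp6 and /proc/*/fd directly. The script below is an added example, not code from the thread; it assumes a Linux host with procfs mounted, and the sample table it parses is constructed, not captured from a real system.

```python
import ipaddress
import os
from pathlib import Path
# Constructed sample in /proc/net/tcp format (not from a real host): sshd on 0.0.0.0:22
# (exposed), cups on 127.0.0.1:631 (loopback only), and one outbound connection.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17022 1 0000000000000000 100 0 0 10 0
   2: 0201A8C0:D1B6 5E2F6A8E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22910 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(field):
    """Decode the kernel's hex 'ADDR:PORT' field into (ip_address, port)."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    if len(raw) == 4:                    # IPv4: one little-endian 32-bit word
        ip = ipaddress.IPv4Address(raw[::-1])
    else:                                # IPv6: four little-endian 32-bit words
        ip = ipaddress.IPv6Address(b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4)))
    return ip, int(port_hex, 16)

def exposed_listeners(proc_net_text):
    """Return [(ip, port, inode)] for LISTEN sockets (state 0A) not bound to loopback."""
    found = []
    for line in proc_net_text.splitlines()[1:]:      # first line is the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        ip, port = decode_addr(fields[1])
        if not ip.is_loopback:
            found.append((str(ip), port, int(fields[9])))
    return found

def socket_owners(proc_root="/proc"):
    """Map socket inode -> {pid} by scanning /proc/*/fd; other users' processes need root."""
    owners = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            for fd in (pid_dir / "fd").iterdir():
                target = os.readlink(fd)
                if target.startswith("socket:["):
                    owners.setdefault(int(target[8:-1]), set()).add(int(pid_dir.name))
        except OSError:                  # permission denied or the process already exited
            continue
    return owners

if __name__ == "__main__":
    owners = socket_owners()
    for table in [p for p in (Path("/proc/net/tcp"), Path("/proc/net/tcp6")) if p.exists()]:
        for ip, port, inode in exposed_listeners(table.read_text()):
            for pid in sorted(owners.get(inode, ())):   # feed the exe path to dpkg -S next
                print(f"{ip}:{port} pid {pid} exe {os.readlink(f'/proc/{pid}/exe')}")
```

A listener that appears here but not in the ss or netstat output is the discrepancy the thread warns about, and is worth checking with debcheckroot.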
