Archives
Archives
| From: | Kyle Bader <kyle.bader@×××××.com> | ||
|---|---|---|---|
| To: | gentoo-user@l.g.o | ||
| Subject: | Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice | ||
| Date: | Tue, 10 Aug 2010 13:51:56 | ||
| Message-Id: | AANLkTi=xp4tCzG6FiSO4VTgcSTFE2TmN0P2FJf6GVT=e@mail.gmail.com | ||
| In Reply to: | Re: [gentoo-user] Re: Rooted/compromised Gentoo, seeking advice by Mick |
||
| 1 | > |
| 2 | > Another idea to help with your forensics would be to bring a netstat and |
| 3 | > lsof |
| 4 | > binary over to your machine and run them to see which actors are running |
| 5 | > and |
| 6 | > trying to get out. That could help you detect what is running on that |
| 7 | > machine |
| 8 | > and google your way from there. |
| 9 | |
| 10 | |
| 11 | If your kernel has been subverted then userland is irrelevant, a kit can |
| 12 | simply hook the system calls those binaries use and return whatever it wants |
| 13 | you to know. |
| 14 | |
| 15 | -- |
| 16 | |
| 17 | Kyle |