24 Feb 2010, 8:03 a.m.
On 2/23/2010 5:38 PM, Nathan Ward wrote:
> Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely to not work if there's a rootkit on the box. The whole point of a rootkit is to hide processes and files from these tools.
>
> Get some statically linked versions of these bins onto the server, and hope they haven't patched your kernel.

See if you can get a binary of busybox which has those tools and they're all contained in the binary. It should run from any folder.

http://busybox.net

Very handy.

--Curtis
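
Added example, not part of the original thread: one way to confirm, on a known-clean machine, that a replacement binary really is statically linked before copying it to the suspect server. It reads the ELF program headers and reports whether the file asks for a run-time loader; the function names and the sample image are constructed for illustration.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # p_type values from the ELF specification

def program_header_types(data: bytes) -> list:
    """Return p_type for each program header of an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF" or len(data) < 6:
        raise ValueError("not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    end = "<" if data[5] == 1 else ">"
    # (format and offset of e_phoff, offset of e_phentsize/e_phnum) per class
    off_fmt, off_pos, num_pos = ("Q", 0x20, 0x36) if data[4] == 2 else ("I", 0x1C, 0x2A)
    try:
        (phoff,) = struct.unpack_from(end + off_fmt, data, off_pos)
        phentsize, phnum = struct.unpack_from(end + "HH", data, num_pos)
        return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
                for i in range(phnum)]
    except struct.error as exc:
        raise ValueError("truncated ELF headers") from exc

def linkage(data: bytes) -> str:
    """Classify a binary by whether it asks for a run-time loader."""
    types = program_header_types(data)
    if not types:
        raise ValueError("no program headers; not an executable")
    if PT_INTERP in types:
        return "dynamic"                # needs ld.so and on-disk libraries
    if PT_DYNAMIC in types:
        return "static-pie-or-library"  # no loader requested; inspect further
    return "static"

def sample_elf64(p_types) -> bytes:
    """Constructed little-endian ELF64 image: headers only, for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(p_types), 0, 0, 0)
    return header + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    for path in sys.argv[1:]:           # e.g. a downloaded busybox binary
        with open(path, "rb") as fh:
            print(path, linkage(fh.read()))
```

A "dynamic" result means the tool would still load libraries from the suspect server's disk. A "static" result removes that dependency but does not help against a patched kernel.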