[lug] intrusion

bgiles at coyotesong.com bgiles at coyotesong.com
Wed Jun 13 12:53:11 MDT 2007


# netstat -l | grep tcp
# netstat -l | grep udp

and use 'lsof -i tcp:xxxx' and 'lsof -i udp:xxxx' to identify the
processes behind unknown ports, and 'lsof -p pid' to identify all files
that the process has opened.  You want to be sure that, e.g., 'sshd' is
the expected ssh daemon and not malware using the same name to trick the

It should go without saying that that specific IP address should be
blocked by the firewall.

More information about the LUG mailing list