SUMMARY: what files are open

From: Stephen Harris (sweh@mpn.com)
Date: Wed Aug 28 1996 - 01:16:26 CDT


Thanks for the speedy response!

The overwhelming solution is "lsof". I _knew_ I'd heard of one before....!

lsof's "home" is vic.cc.purdue.edu:/pub/tools/unix/lsof and it runs
on lots of different machines.

Additional advice: re-install from distribution media (or upgrade to 4.1.4),
install Tripwire and tcp-wrappers. This will help detect any new attempts
at system break-ins. (Something no-one mentioned: mount any disk you can
as nosuid to stop suid programs being placed in strange locations). I'm
actually running similar home-hacked code to detect strange/modified suid/sgid
programs, but re-installing from media is the best way of removing trojans
(not all root processes are suid/sgid - e.g. run from rc/cron/init/inetd).

Thanks to:

Rachel Polanskis
Reto Lichtensteige
Neil Clifford
Benjamin Cline
Rich Kulawiec
Jean Paul Racine

rgds
Stephen

-=-=-=- Original Request -=-=-=-=-

Dear all,

  a Sparc 2/SunOS 4.1.3_U1 system I run (public access BBS) has been hacked
  using 8lgm code (sigh...). I've put all the patches on from the recommended
  list to close holes, but I'm worried about any trojans that may have been
  installed (e.g. network traffic snooping). I guess that any snooper like
  this would have to keep a file open, so is there any program for 4.1.3_U1
  that can tell me what files are open and where they are?

  Thanks!

rgds
Stephen
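The summary above mentions two defensive measures without showing them: a home-grown check for new or modified suid/sgid programs, and mounting filesystems nosuid. The script below is an added example written for this archive page; it is not the poster's own "home-hacked code" and not part of any tool named in the thread. It records a baseline of setuid/setgid files with cksum, reports files that are NEW, REMOVED or CHANGED since that baseline, and lists fstab entries whose options lack nosuid. The directory layout and fstab lines it uses are constructed for the demonstration; only POSIX tools (find, cksum, awk, sed, sort, mktemp) are assumed.

```shell
#!/bin/sh
# Added example: baseline-and-compare check for setuid/setgid programs, plus an
# fstab nosuid check. Not the poster's code; assumes POSIX find/cksum/awk/sed.
# File names are assumed not to contain newlines.

# snapshot_suid DIR OUT: write "<crc> <bytes> <path>" for every setuid or
# setgid regular file below DIR, sorted, into OUT.
snapshot_suid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -exec cksum {} + 2>/dev/null \
        | sort > "$2"
}

# compare_suid BASELINE CURRENT: print one line per difference between two
# snapshots. Exit status 0 if identical, 1 if anything is NEW/REMOVED/CHANGED.
compare_suid() {
    # Tag each line with its origin so the same file, or an empty baseline,
    # is handled correctly; lines become "tag crc bytes path".
    { sed 's/^/B /' "$1"; sed 's/^/C /' "$2"; } | awk '
        { p = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p) }   # path may contain spaces
        $1 == "B" { base[p] = $2; next }
                  { cur[p]  = $2 }
        END {
            n = 0
            for (p in cur)  if (!(p in base))              { print "NEW     " p; n++ }
            for (p in base) if (!(p in cur))               { print "REMOVED " p; n++ }
            for (p in cur)  if ((p in base) && base[p] != cur[p]) { print "CHANGED " p; n++ }
            exit (n > 0)
        }'
}

# report_missing_nosuid TABLE: TABLE is an fstab-style file
# (device mountpoint type options ...). Print every mount point other than /
# whose options do not include nosuid. Exit 0 if none, 1 otherwise.
report_missing_nosuid() {
    awk '
        $1 !~ /^#/ && NF >= 4 && $2 != "/" && $4 !~ /(^|,)nosuid(,|$)/ { print $2; n++ }
        END { exit (n > 0) }' "$1"
}

# demo: constructed directory tree and fstab, so the script runs stand-alone.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/root/bin" "$work/root/tmp"
    printf 'original\n' > "$work/root/bin/su"
    chmod 4755 "$work/root/bin/su"
    snapshot_suid "$work/root" "$work/baseline"

    # Constructed changes: one existing suid program altered, one new setgid
    # program in a world-writable location. The bit is re-set after writing
    # because a write by a non-root user clears it.
    printf 'altered\n' > "$work/root/bin/su"
    chmod 4755 "$work/root/bin/su"
    printf 'extra\n' > "$work/root/tmp/.x"
    chmod 2755 "$work/root/tmp/.x"
    snapshot_suid "$work/root" "$work/current"
    compare_suid "$work/baseline" "$work/current" || echo "** suid inventory differs from baseline **"

    # Constructed fstab: /usr is mounted without nosuid.
    cat > "$work/fstab" <<'EOF'
/dev/sd0a   /      4.2  rw          1 1
/dev/sd0g   /usr   4.2  rw          1 2
/dev/sd0h   /home  4.2  rw,nosuid   1 3
EOF
    report_missing_nosuid "$work/fstab" || echo "** mount points above lack nosuid **"
    rm -rf "$work"
}

demo
```

Two caveats that follow from the thread itself: cksum is a CRC, not a cryptographic digest, so a baseline kept on the compromised host and compared with cksum is weaker than Tripwire with its digests and an off-line database; and, as the poster notes, not every root process is setuid, so programs started from rc, cron, init or inetd need their own review (lsof, the thread's answer, is what shows which of them hold files open).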



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:09 CDT