SUMMARY: port/process association

From: Adrian Gschwend <adrian.gschwend_at_bfh.ch>
Date: Tue May 11 2004 - 12:24:11 EDT
On Tue, 11 May 2004 15:27:02 +0200, Adrian Gschwend wrote:

Hi again!

> I have a Solaris 8 box that seems to be rooted or otherwise cracked, and
> it looks like it is abused as SPAM-relay. I do see from which port it is
> sending the SPAM but I cannot associate a process to it.
> 
> How can I get that information on Solaris?

Thanks to all who responded, fast as usual! Here is the summary:

The tool I was looking for is "lsof" and it is available at sunfreeware.
Thanks to Rick, Tony, Marcos (aka gandalf ;) and John!

Rick also proposed getting chkrootkit (which is a good idea on this
box, I fear...)

From Tery:
It is not unusual for crackers to mask their activities by replacing key 
utilities with modified copies of the same utilities.  These modified
utilities show everything but the activity of the cracker.  You have to
get a known good copy of the utilities you are using.  These can be used
off the installation CDs if you mount them on the computer.  The known
good utilities will show the relationships you seek.  Trust NOTHING off
the cracked box.
--

cu

Adrian


-- 
Adrian Gschwend
System Administrator
University of applied sciences
Biel, Switzerland
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue May 11 12:24:05 2004
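
The advice in the summary above (use lsof, but only from known-good copies of the utilities), as an added example that is not part of the original post: a POSIX shell script that byte-compares utilities on the suspect box against known-good copies and runs lsof only from the trusted directory. The directory arguments, the function names, and the presence of a known-good cmp and lsof on the trusted media are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Directory names are
# placeholders: TRUSTED is wherever known-good copies are mounted
# (for example install media), SUSPECT is a directory on the cracked box.

# Byte-compare each named utility in SUSPECT against TRUSTED.
# Prints one status line per utility; returns 0 only if every one matches.
# On a real system CMP must itself point at a known-good cmp binary.
compare_utils() {
    trusted=$1; suspect=$2; shift 2
    cmp_bin=${CMP:-cmp}
    bad=0
    for util in "$@"; do
        if [ ! -f "$trusted/$util" ]; then
            echo "NOREF    $util (no known-good copy in $trusted)"
            bad=1
        elif [ ! -f "$suspect/$util" ]; then
            echo "MISSING  $util (not present in $suspect)"
            bad=1
        elif "$cmp_bin" -s "$trusted/$util" "$suspect/$util"; then
            echo "OK       $util"
        else
            # A difference can also be a legitimate vendor patch: review it.
            echo "MODIFIED $util (differs from known-good copy)"
            bad=1
        fi
    done
    return $bad
}

# Map a TCP port to its owning process using a known-good lsof only.
# -n and -P skip host and port name lookups; -i TCP:<port> selects
# sockets on that port. Refuses to fall back to an lsof found in PATH.
port_owner() {
    trusted=$1; port=$2
    if [ ! -x "$trusted/lsof" ]; then
        echo "no known-good lsof in $trusted" >&2
        return 2
    fi
    "$trusted/lsof" -n -P -i "TCP:$port"
}
```

After sourcing the file, `compare_utils /mnt/trusted/bin /usr/bin ps netstat ls` and `port_owner /mnt/trusted/bin 25` would be typical calls, with `/mnt/trusted/bin` standing in for the real mount point.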
