August 13, 2007 / gus3

Security and Ignorance

On a current Slashdot discussion appears the brazen comment:

Why do “security experts” like these folks always suggest using nmap to determine what services you are running? Have these folks never heard of netstat?

Sigh. A little knowledge is dangerous, but even a little knowledge is totally lacking in this comment.

It all comes down to trust. On a compromised system, trust is a dangerous thing. Many worms and trojans, in order to hide themselves, replace the common administration commands (ps, top, netstat and the like) with versions that leave the malicious process out of their output. Running ps aux or netstat -utlnp may then reveal nothing. Reading the /proc directory directly, which the kernel populates itself rather than any replaceable binary, is a far more reliable way to see what is actually running (a kernel-level rootkit can still filter what /proc shows, which is one more reason for the external scan described further down):

cd /proc
for i in */exe ; do echo $i $(readlink $i) ; done

Why use readlink in a loop instead of simply running ls -l /proc/*/exe? Because ls is one of the most commonly used commands in Unix, it is a primary target for substitution. readlink can be replaced too, of course; the safest course is to run your tools from a known-good copy on read-only media rather than from the suspect system's own /bin.
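As an added example (not code from the original post), here is the same idea carried one step further: the script below reads both /proc/*/exe and /proc/net/tcp directly, maps each listening socket to its owning PID through the /proc/*/fd symlinks, and so produces a netstat -tlnp style listing that depends on no replaceable netstat, ps or ls binary. It assumes Linux, bash, a little-endian host (for the way /proc/net/tcp encodes addresses) and an untampered readlink; the /proc/net/tcp sample embedded in it is constructed, not captured from a real system.

```bash
#!/bin/bash
# Added example (not from the original post): enumerate running programs and
# listening TCP sockets by reading /proc directly, so the result does not depend
# on ps, netstat or ls, any of which a user-space rootkit may have replaced.
# Assumptions: Linux, bash, a little-endian host (for the /proc/net/tcp address
# encoding) and a trustworthy readlink (coreutils). A kernel-mode rootkit can
# still filter /proc itself, which is why an external Nmap scan is still needed.

# "0100007F:0019" -> "127.0.0.1:25". /proc/net/tcp prints the IPv4 address as a
# host-order 32-bit hex value, so on little-endian hosts the octets come out reversed.
decode_tcp_local() {
    local hexaddr=${1%%:*} hexport=${1##*:}
    printf '%d.%d.%d.%d:%d\n' \
        "$((16#${hexaddr:6:2}))" "$((16#${hexaddr:4:2}))" \
        "$((16#${hexaddr:2:2}))" "$((16#${hexaddr:0:2}))" "$((16#$hexport))"
}

# Read /proc/net/tcp-format text on stdin; print "addr:port inode" for every
# socket in state 0A (LISTEN). The header line is skipped automatically because
# its fourth field is the literal word "st".
listening_tcp() {
    local sl laddr raddr st txrx trtm retr uid timeout inode rest
    while read -r sl laddr raddr st txrx trtm retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        printf '%s %s\n' "$(decode_tcp_local "$laddr")" "$inode"
    done
}

# Print "pid exe" for every process, from the kernel-maintained exe symlink.
# Kernel threads have no exe target and are skipped, as are PIDs we may not inspect.
list_exes() {
    local link pid target
    for link in /proc/[0-9]*/exe; do
        target=$(readlink "$link" 2>/dev/null) || continue
        pid=${link#/proc/}; pid=${pid%/exe}
        printf '%s %s\n' "$pid" "$target"
    done
}

# Find which PID holds the socket with the given inode by walking /proc/*/fd.
pid_for_inode() {
    local inode=$1 fd target
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$inode]" ]; then
            fd=${fd#/proc/}; printf '%s\n' "${fd%%/*}"; return 0
        fi
    done
    return 1
}

# Join the two views: for each listening socket, the owning PID and its binary.
report_listeners() {
    local addr inode pid exe
    listening_tcp | while read -r addr inode; do
        pid=$(pid_for_inode "$inode") || pid='?'
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe='?'
        printf '%-22s inode=%-8s pid=%-6s exe=%s\n' "$addr" "$inode" "$pid" "$exe"
    done
}

# Constructed sample in /proc/net/tcp format: two listeners (25/tcp on loopback,
# 22/tcp on all interfaces) and one established connection. Not from a real system.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:E8A4 5DB8D822:01BB 01 00000000:00000000 02:000003E8 00000000  1000        0 12347 2 0000000000000000 20 4 30 10 -1'

if [ "${1:-}" = "--live" ]; then
    # Real system: every process, then every TCP listener with its owner.
    list_exes
    report_listeners < /proc/net/tcp
else
    # No argument: demonstrate the parser on the constructed sample only.
    printf '%s\n' "$SAMPLE_TCP" | listening_tcp
fi
```

Run it with --live on the system under examination to print the real process list and listener table; without arguments it only parses the constructed sample. Running it from a trustworthy copy of bash and coreutils on read-only media removes the remaining dependence on the host's own binaries, and anything it shows that the host's netstat does not is exactly what you are looking for.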

If you want the plainest possible view of a system's network status, your best option is to run Nmap from another system. A listening service has to answer the network no matter what the host's own tools say about it, so an external scan has the best chance of catching the worm or trojan in action. Since Nmap does its work over the network rather than on the device under test, the administrator can run a relatively more trustworthy OS (such as Ubuntu Linux or OpenBSD) on the same network segment as the affected device. Scan the full port range, UDP as well as TCP, rather than Nmap's default list of common ports, and remember that a host firewall on the affected machine can still keep a listening port out of sight from outside.

Once the ports in question are identified, the next step is to capture the traffic to and from them for analysis, using either Wireshark (formerly Ethereal) or the slightly less useful tcpdump. Capture from the clean system or a mirror port rather than on the affected device, for the same trust reasons as above. While the capture runs, look on the Web for information on those TCP or UDP port numbers and the worm or trojan known to use them.

If you’re relying on netstat to tell you what’s running on a possibly compromised system, good luck. You aren’t yet thinking like the bad guys, and luck is all you’ve got.

