Thanks for the speedy response!
The overwhelming solution is "lsof". I _knew_ I'd heard of one before....!
lsof's "home" is vic.cc.purdue.edu:/pub/tools/unix/lsof and it runs
on lots of different machines.
Additional advice: re-install from distribution media (or upgrade to 4.1.4),
install Tripwire and TCP Wrappers. This will help detect any new attempts
at system break-ins. (Something no one mentioned: mount any disk you can
as nosuid to stop suid programs being placed in strange locations.) I'm
actually running similar home-hacked code to detect strange/modified suid/sgid
programs, but re-installing from media is the best way of removing trojans
(not all root processes are suid/sgid - e.g. run from rc/cron/init/inetd).
Thanks to:
Rachel Polanskis
Reto Lichtensteige
Neil Clifford
Benjamin Cline
Rich Kulawiec
Jean Paul Racine
rgds
Stephen
-=-=-=- Original Request -=-=-=-=-
Dear all,
a Sparc 2/SunOS 4.1.3_U1 system I run (public access BBS) has been hacked
using 8lgm code (sigh...). I've put all the patches on from the recommended
list to close holes, but I'm worried about any trojans that may have been
installed (e.g. network traffic snooping). I guess that any snooper like
this would have to keep a file open, so is there any program for 4.1.3_U1
that can tell me what files are open and where they are?
Thanks!
rgds
Stephen
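
The summary mentions home-made code for spotting strange or modified suid/sgid programs. As an added illustration (not the poster's code), this Python sketch records every set-id regular file under a directory with its mode, owner and SHA-256, then reports differences from a saved baseline; the function names, the JSON baseline format and the command line are assumptions made for this example.

```python
import hashlib
import json
import os
import stat
import sys

SETID = stat.S_ISUID | stat.S_ISGID

def scan_setid(root):
    """Map each suid/sgid regular file under root to [mode, uid, sha256]."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is never reported as its target
            except OSError:
                continue  # vanished during the walk
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & SETID:
                continue
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # unreadable: still record mode and owner
            found[path] = [oct(stat.S_IMODE(st.st_mode)), st.st_uid, digest]
    return found

def compare(baseline, current):
    """Return sorted (status, path) pairs: NEW, CHANGED or MISSING."""
    findings = [("NEW" if p not in baseline else "CHANGED", p)
                for p, meta in current.items() if baseline.get(p) != meta]
    findings += [("MISSING", p) for p in baseline if p not in current]
    return sorted(findings)

if __name__ == "__main__":
    # Usage (assumed CLI): setid_audit.py ROOT BASELINE.json
    # The first run writes the baseline; later runs print the differences.
    root, baseline_file = sys.argv[1], sys.argv[2]
    current = scan_setid(root)
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            for status, path in compare(json.load(fh), current):
                print(status, path)
    else:
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=1)
```

The comparison is only as trustworthy as the baseline, so the baseline file belongs on media an intruder cannot rewrite.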