Horse scanner ready
Okay, if anything else was installed and hidden somewhere (it could be activated from an init.d script, all the original stuff could just be more "trojan" for the horse), presuming they are still using wget and ping, just open a terminal and run this script in the foreground for a few hours.
Code:
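#!/bin/sh
# Poll the process table once a second and report any wget or ping process.
while :
do
    # In grep's own command line the pattern text reads "bwget"/"bping",
    # so \b keeps grep from matching itself.
    check=$(ps -o pid,cmd -A | grep -E '\bwget\b|\bping\b')
    if [ -n "$check" ]; then
        echo "!!-> pid $check <-!!"
    fi
    sleep 1
done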
It shouldn't produce any output unless someone runs ping or wget:
Code:
root ~/shell: ./check.sh
!!-> pid 28140 ping bbc.co.uk <-!!
!!-> pid 28140 ping bbc.co.uk <-!!
!!-> pid 28140 ping bbc.co.uk <-!!
!!-> pid 28140 ping bbc.co.uk <-!!
!!-> pid 28140 ping bbc.co.uk <-!!
!!-> pid 28140 ping bbc.co.uk <-!!
ping and wget do not start by themselves.
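A variant of the check above that also records which parent process launched the wget or ping, so a sighting can be traced back to an init.d script or other starter. This is an added example, not part of the original post; it assumes a ps that accepts -e -o pid=,ppid=,args= and matches on the executable name only, and the sample process list is constructed.

```sh
#!/bin/sh
# Added example (not the poster's script): report wget/ping sightings with the
# parent process that launched them. Assumes ps accepts -e -o pid=,ppid=,args=.
WATCH='wget ping'   # executable names to watch for, as in the post

# find_watched: read "pid ppid args..." lines on stdin; print one line per
# process whose executable basename is in $WATCH, plus its parent's command.
find_watched() {
    awk -v watch="$WATCH" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    {
        cmd = $0
        sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+/, "", cmd)  # strip pid and ppid
        args[$1] = cmd; parent[$1] = $2
        exe = $3; sub(/^.*\//, "", exe)                  # basename of argv[0]
        if (exe in want) hits[++h] = $1
    }
    END {
        for (i = 1; i <= h; i++) {
            p = hits[i]; pp = parent[p]
            pcmd = (pp in args) ? args[pp] : "(gone)"
            printf "pid=%s cmd=[%s] ppid=%s parent=[%s]\n", p, args[p], pp, pcmd
        }
    }'
}

# sample_ps: constructed ps output (hypothetical init script as the parent).
sample_ps() {
    cat <<'EOF'
    1     0 /sbin/init
  812     1 /bin/sh /etc/init.d/extra start
28140   812 ping bbc.co.uk
28300     1 vim ping-notes.txt
EOF
}

# watch_loop: poll once a second and timestamp every sighting.
watch_loop() {
    while :; do
        ps -e -o pid=,ppid=,args= | find_watched |
            while IFS= read -r line; do
                echo "$(date '+%Y-%m-%d %H:%M:%S') $line"
            done
        sleep 1
    done
}

if [ "${1:-}" = "--watch" ]; then watch_loop; fi   # live monitoring in the foreground
```

Run it with --watch to monitor live; as with the original loop, a process that starts and exits between two polls is not seen.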