Quote:
Originally Posted by knasbas
How do I trace what a user has been doing?
On the simple side, using ...
tcpdump and/or
pftop (if installed)
you can "watch" your box's actual network traffic to see who's NOW talking to you and with whom you're talking. If you cannot account for the sessions you see, then you are OPERATING as a compromised host.
The very nature of an IM/IRC "bot" would suggest that you're going to see lots and lots of sessions.
In the bash history, where you see
are obfuscated and powerful system calls, where the hacker knows what 21.21 is.
/S
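
One way to do the "account for the sessions you see" check from the reply above, as an added example that is not part of the original post: it parses `tcpdump -n` text output and reports every session that matches neither a service the host is meant to offer nor a peer it is meant to contact. The function name, the allowlists and the sample capture (documentation addresses) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches `tcpdump -n` text output for TCP/UDP over IPv4; "IP " is optional
# because some tcpdump builds omit it.
LINE = re.compile(r"^\S+ (?:IP )?(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def unaccounted_sessions(lines, local_ip, local_services, expected_peers):
    """Count packets per session that the allowlists cannot explain.

    local_services: ports this host is supposed to serve (e.g. {22}).
    expected_peers: (ip, port) pairs this host is supposed to contact.
    Returns a Counter keyed by (local_port, peer_ip, peer_port).
    """
    seen = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # ARP, IPv6 and other lines are outside this sketch
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if src == local_ip:
            lport, peer, pport = sport, dst, dport
        elif dst == local_ip:
            lport, peer, pport = dport, src, sport
        else:
            continue  # traffic not involving this host
        if lport in local_services or (peer, pport) in expected_peers:
            continue  # accounted for
        seen[(lport, peer, pport)] += 1
    return seen

# Constructed sample capture, not taken from the post.
SAMPLE = """\
10:00:01.000001 IP 203.0.113.5.50122 > 192.0.2.10.22: Flags [P.], length 36
10:00:01.000450 IP 192.0.2.10.22 > 203.0.113.5.50122: Flags [.], length 0
10:00:02.100000 IP 192.0.2.10.40001 > 198.51.100.53.53: 1234+ A? example.org. (29)
10:00:03.200000 IP 192.0.2.10.40100 > 198.51.100.77.6667: Flags [S], length 0
10:00:03.250000 IP 198.51.100.77.6667 > 192.0.2.10.40100: Flags [S.], length 0
10:00:04.300000 IP 192.0.2.10.40101 > 198.51.100.78.6667: Flags [S], length 0
10:00:05.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
""".splitlines()

if __name__ == "__main__":
    hits = unaccounted_sessions(SAMPLE, "192.0.2.10", {22}, {("198.51.100.53", 53)})
    for (lport, peer, pport), n in sorted(hits.items()):
        print(f"unaccounted: local port {lport} <-> {peer}:{pport} ({n} packets)")
```

Many distinct unaccounted peers in the result is the "lots and lots of sessions" pattern the reply describes.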