by guenthert 622 days ago
> - It opens a backdoor on the server and listens for TOR communications.

So a `lsof -iTCP` should list it, right? Is it using TCP port 9050 or a custom port?

EDIT: Ha, they are (not surprisingly) way ahead of me. From the article: "The malware continues to copy itself from memory to half a dozen other locations, with names that appear as conventional system files. It also drops a rootkit and a few popular Linux utilities that were modified to serve as user land rootkits (i.e. ldd, lsof)."


There's always - `cat /proc/net/tcp*`

And remember: `echo *` can be your "ls" in a pinch.

But let’s be honest, there’s no reason to use these unless you already know your server is compromised. In which case the server would be taken down rather than ssh'd into.

And even then the attacker could patch cat, bash, provide sneaky aliases or just compromise Libc altogether.

Not with a kernel module. Then this is also compromised.
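An added example, not part of the thread: the `/proc/net/tcp` approach suggested above, done with shell builtins only, so that modified `lsof`, `cat` or similar userland binaries are never executed. The function name `list_listeners` and the sample table are constructed for illustration, the address decoding assumes a little-endian host, and, as the last comment notes, a kernel-level rootkit can falsify `/proc` as well.

```shell
#!/bin/sh
# List LISTEN sockets from /proc/net/tcp-format input on stdin, using only
# builtins (read, printf, arithmetic): no lsof, netstat, ss or cat involved.

# Constructed sample in /proc/net/tcp layout (not taken from a real host).
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:0016 0200000A:C350 01 00000000:00000000 02:000A0B0C 00000000     0        0 20003 2 0000000000000000 20 4 30 10 -1'

# list_listeners: print "ip:port uid=N inode=N" for every listening socket.
list_listeners() {
    while read -r sl laddr raddr st txrx tr retr uid timeout inode rest; do
        # State 0A is TCP_LISTEN; this test also skips the header line.
        [ "$st" = "0A" ] || continue
        addr=${laddr%%:*}
        port=$((0x${laddr##*:}))          # port is plain hex, e.g. 235A -> 9050
        if [ "${#addr}" -eq 8 ]; then
            # IPv4 is stored as a host-order 32-bit word: lowest byte first.
            n=$((0x$addr))
            ip="$((n & 255)).$((n >> 8 & 255)).$((n >> 16 & 255)).$((n >> 24 & 255))"
        else
            ip="[$addr]"                  # tcp6 entries are left as raw hex
        fi
        printf '%s:%s uid=%s inode=%s\n' "$ip" "$port" "$uid" "$inode"
    done
    return 0
}

# Stand-alone run on the constructed sample.
# On a live host: list_listeners < /proc/net/tcp
printf '%s\n' "$SAMPLE" | list_listeners
```

The `uid` and `inode` columns let you match a listener to its owner and to a socket entry under `/proc/<pid>/fd`, which is a useful cross-check against what `lsof` reports.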