>From: Ed DeHart <dehart @
>Intruders also replace the ifconfig program with a hacked version that
>will not report if the interface is in promiscious mode. df, du, and
>netstat have also been found to be replaced.
The ps command should be added to this list. A friend found a kit on his
system which included the above mentioned utilities, and a version of ps
with a configuration file where you could list the names of programs which
will never appear in a ps listing. The name of the sniffer program was in
this list. Some attempt was made to fix the checksums of replaced programs,
and to correct the modification date (but not the inode change dates).
A trojan ls command was also included.