
Checking by watching the machine's current network traffic
- often inefficient, because the suspicious traffic may be infrequent
- scanning: traffic to many similar IP addresses
- spoofed packets: MAC address matches the machine, but the IP address does not
- unexpected IRC traffic coming from the machine
- typically, could watch all traffic except ports 25 and 80 (mail and web), which dominate volume
Traffic to standard backdoor TCP ports
- port 1524 (ingreslock)
- port 600 (pcserver)
- port 750 (kerberos)
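The checks above, applied to a list of constructed flow records (example added here, not part of the original notes). Assumed: each flow is (src_mac, src_ip, dst_ip, dst_port); IRC is taken as TCP 6667; a scan is flagged at 5 or more distinct hosts in one /24; the function and constant names are the author's own.

```python
from collections import defaultdict

# Ports the notes list as standard backdoor ports.
BACKDOOR_PORTS = {1524: "ingreslock", 600: "pcserver", 750: "kerberos"}
IRC_PORTS = {6667}          # assumed: the usual IRC port
IGNORED_PORTS = {25, 80}    # mail and web, skipped as the notes suggest
SCAN_THRESHOLD = 5          # assumed: distinct hosts in one /24 before flagging

# Constructed sample data: one monitored host and a gateway MAC.
KNOWN_HOSTS = {"00:11:22:33:44:55": "10.0.0.5"}
SAMPLE_FLOWS = [
    ("00:11:22:33:44:55", "10.0.0.5", "192.0.2.10", 80),      # web, ignored
    ("00:11:22:33:44:55", "10.0.0.5", "192.0.2.20", 25),      # mail, ignored
    ("00:11:22:33:44:55", "10.0.0.9", "192.0.2.30", 443),     # IP != MAC's IP
    ("00:11:22:33:44:55", "10.0.0.5", "198.51.100.7", 6667),  # IRC
    ("de:ad:be:ef:00:01", "198.51.100.8", "10.0.0.5", 1524),  # inbound ingreslock
] + [("00:11:22:33:44:55", "10.0.0.5", f"203.0.113.{i}", 22) for i in range(1, 8)]


def check_flows(flows, mac_to_ip):
    """Return a list of findings; each finding is a tuple starting with its kind."""
    findings = []
    targets = defaultdict(set)  # (src_ip, /24) -> distinct destination hosts
    for src_mac, src_ip, dst_ip, dst_port in flows:
        if dst_port in IGNORED_PORTS:
            continue
        # Spoofed packet: MAC belongs to a known host but carries another IP.
        if src_mac in mac_to_ip and mac_to_ip[src_mac] != src_ip:
            findings.append(("spoofed", src_mac, src_ip))
        # Traffic to a standard backdoor port, in either direction.
        if dst_port in BACKDOOR_PORTS:
            findings.append(("backdoor", dst_ip, dst_port, BACKDOOR_PORTS[dst_port]))
        # Unexpected IRC traffic leaving a monitored host.
        if dst_port in IRC_PORTS and src_ip in mac_to_ip.values():
            findings.append(("irc", src_ip, dst_ip))
        # Scanning: collect destinations per source and /24.
        targets[(src_ip, dst_ip.rsplit(".", 1)[0])].add(dst_ip)
    for (src_ip, subnet), hosts in targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(("scan", src_ip, subnet))
    return findings


def sample_findings():
    return check_flows(SAMPLE_FLOWS, KNOWN_HOSTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```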