Detecting root kits?
Tom Fogal
tfogal at io.iol.unh.edu
Mon Jun 23 09:54:46 EDT 2003
> Last week I uncovered a RedHat box that had been rooted (fortunately it
> had only recently been installed and nothing important was on it.)
> Rather than me having to go through a hands-on intensive process of
> analyzing every other Linux system on the LAN are there tools that I can
> use to determine whether or not this SOB got into other systems?
>
> Any pointers to where I can learn more about the different types of
> rootkits and how to counter or detect them are also welcome.
>
> Thanks!
> --
I seem to remember FreeBSD having a nightly cron job script that would save
the md5sum of every file on the system to a file, and then compare it with
the md5sum of the same file that it generated 24 hours before. Differences were
mailed to root. I always thought this to be a good idea; perhaps you could
implement it yourself? Seems like a simple shell script.
Anyway, that solution doesn't work well in your current situation. Do you have
another box w/ the same updates, that you know is clean? You could compare
md5s from that one...
HTH,
-tom
> Dan Coutu
> Managing Director
> Snowy Owl Internet Consulting, LLC
> http://www.snowy-owl.com/
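The nightly checksum job Tom describes, written out as an added shell example that is not from the thread or from any real FreeBSD script. It assumes GNU md5sum output and a hypothetical manifest directory; the same compare function also works on a manifest taken from a known-clean box with the same updates.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal nightly checksum job of the
# kind Tom describes. Assumes GNU md5sum output ("<32 hex>  <path>") and a
# hypothetical manifest directory $MANIFEST_DIR (default /var/db/checksums).

# Emit "checksum  path" for every regular file under the given directories.
build_manifest() {
    find "$@" -type f -exec md5sum {} + 2>/dev/null | sort -k 2
}

# Diff two manifests (old, new). Prints one line per difference:
#   ADDED <path> / REMOVED <path> / CHANGED <path>
# The path is taken from column 35 onward so names with spaces survive.
compare_manifests() {
    awk '{ sum = $1; path = substr($0, 35) }
         inbase             { base[path] = sum; next }
         !(path in base)    { print "ADDED", path; next }
         base[path] != sum  { print "CHANGED", path }
                            { delete base[path] }
         END { for (p in base) print "REMOVED", p }' \
        inbase=1 "$1" inbase=0 "$2" | sort
}

# Nightly run: checksum today, compare with yesterday, rotate. Pipe the
# output to "mail -s 'checksum changes' root" from cron to get the report
# Tom remembers. Caveat: a rootkit that replaces find/md5sum or edits the
# stored manifest defeats this, so keep a copy of the baseline off the box
# (or, as Tom suggests, take it from an identically patched clean machine).
nightly_check() {
    dir=${MANIFEST_DIR:-/var/db/checksums}
    mkdir -p "$dir"
    build_manifest "$@" > "$dir/today"
    if [ -f "$dir/yesterday" ]; then
        compare_manifests "$dir/yesterday" "$dir/today"
    fi
    mv "$dir/today" "$dir/yesterday"
}

# e.g. in /etc/crontab (assumed path for this script):
#   0 3 * * * root /usr/local/sbin/checksums.sh /bin /sbin /usr/bin /usr/sbin /lib
if [ "$#" -gt 0 ]; then
    nightly_check "$@"
fi
```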