Detecting root kits?
Ben Boulanger
ben at blackavar.com
Mon Jun 23 10:03:21 EDT 2003
On Mon, 23 Jun 2003, Dan Coutu wrote:
> Any pointers to where I can learn more about the different types of
> rootkits and how to counter or detect them are also welcome.
The chkrootkit package is a quick once over. The best place to look is in
/dev, as that's where a lot of rootkits hide their stuff. I find a
command like this is pretty useful:
find /dev -maxdepth 1 -ls | grep 'd[-r][-w]'
and then make sure those directories that it returns are actually supposed
to be there. ls is almost always trojaned, hence the reason to use find.
Also, a useful command is rpm -Va. The output is documented in man rpm,
but it checks all of the files from RPMs for changes. You could also make
this quicker by targeting things like passwd or util-linux.
Ben
--
"Truth or reality is avoided when it is painful. We can revise
our 'maps' only when we have the discipline to overcome that pain.
To have such discipline, we must be totally dedicated to truth. We
must always hold truth to be more vital to our self-interest than
our comfort. Conversely, we must always consider our personal
discomfort relatively unimportant and, indeed, even welcome it, in
the search for truth. Mental health is an ongoing process of
dedication to reality at all costs"
M. Scott Peck, M.D. (The Road Less Traveled, "Part One: Discipline")
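The two checks in the post, as an added example that is not part of Ben's message: a directory scan of /dev that does not spawn ls (a user-land rootkit usually replaces ls, as the post says), and a parser for rpm -Va output that separates config-file churn from changed binaries. The baseline set of expected /dev directories and the sample rpm -Va output are constructed for illustration; build the baseline from a known-good install of the same distribution and keep it off the host being checked.

```python
"""Rootkit triage helpers in the spirit of the post: list unexpected
directories under /dev without trusting ls, and interpret `rpm -Va` output.

The baseline and the sample rpm output are constructed, not captured from a
real host. Caveat: a kernel-level rootkit can hide entries from every
user-land reader, including this script; compare against an offline boot
or a known-good filesystem image for anything it turns up.
"""
import os
import re

# Directories commonly present directly under /dev on a Linux host.
# Assumption: illustrative baseline; generate your own from a clean install.
EXPECTED_DEV_DIRS = {
    "pts", "shm", "mapper", "disk", "input", "net", "hugepages", "mqueue",
    "block", "char", "cpu", "bus", "snd", "dri", "vfio", "bsg", "raw",
}


def find_unexpected_dirs(dev_path="/dev", expected=EXPECTED_DEV_DIRS):
    """Return names of directories directly under dev_path that are not in
    the baseline. os.scandir reads the directory with getdents directly, so a
    trojaned ls binary cannot filter the listing."""
    unexpected = []
    with os.scandir(dev_path) as entries:
        for entry in entries:
            # Do not follow symlinks: /dev/fd -> /proc/self/fd is not a real dir.
            if entry.is_dir(follow_symlinks=False) and entry.name not in expected:
                unexpected.append(entry.name)
    return sorted(unexpected)


# Meaning of each letter in the attribute column of `rpm -V` output
# (8 letters on rpm 4.x of the post's era, 9 with 'P' on later releases).
RPM_VERIFY_FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
_VERIFY_LINE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S.*)$")
_MISSING_LINE = re.compile(r"^missing\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S.*)$")

# Constructed sample of `rpm -Va` output for the demonstration below.
SAMPLE_RPM_VERIFY = """\
S.5....T.  c /etc/passwd
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing     /usr/bin/netstat
.......T.  c /etc/ssh/sshd_config
"""


def parse_rpm_verify(output):
    """Parse `rpm -Va` text into dicts of path, file type and changed attributes."""
    findings = []
    for line in output.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = _MISSING_LINE.match(line)
        if m:
            findings.append({"path": m.group("path"), "type": m.group("type") or "",
                             "changed": {"missing"}})
            continue
        m = _VERIFY_LINE.match(line)
        if not m:
            continue  # prelink notices, warnings and other chatter
        changed = {RPM_VERIFY_FLAGS[c] for c in m.group("attrs") if c in RPM_VERIFY_FLAGS}
        findings.append({"path": m.group("path"), "type": m.group("type") or "",
                         "changed": changed})
    return findings


def suspicious_findings(findings):
    """Config files (type 'c') legitimately drift; a missing file, or a
    non-config file whose digest, size, mode or ownership changed, is what
    deserves a closer look."""
    watched = {"digest", "size", "mode", "user", "group"}
    return [f for f in findings
            if "missing" in f["changed"]
            or (f["type"] != "c" and f["changed"] & watched)]


if __name__ == "__main__":
    for name in find_unexpected_dirs():
        print("unexpected directory under /dev:", name)
    for f in suspicious_findings(parse_rpm_verify(SAMPLE_RPM_VERIFY)):
        print(f["path"], sorted(f["changed"]))
```

On a live host, feed the real output in with `parse_rpm_verify(subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout)`; the mtime-only changes on config files that dominate raw rpm -Va output drop out, leaving the changed binaries the post is after.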