Detecting root kits?

brian lists at karas.net
Mon Jun 23 10:21:10 EDT 2003


FWIW, I've also found a lot of rootkits hidden in the /home and games
directories on various systems.  For starters, I'd also compare the
sizes of your various utils, like top, ls, more, etc., to known-good
utils.  If you can mount the infected disk on another clean server as RO
to analyze it, that would also make diagnosis easier.

On Mon, 2003-06-23 at 10:03, Ben Boulanger wrote:
> On Mon, 23 Jun 2003, Dan Coutu wrote:
> > Any pointers to where I can learn more about the different types of 
> > rootkits and how to counter or detect them are also welcome.
> 
> The chkrootkit package is a quick once-over.  The best place to look is in 
> /dev, as that's where a lot of rootkits hide their stuff.  I find a 
> command like this is pretty useful:
> 	find /dev -maxdepth 1 -ls | grep 'd[-r][-w]'
> 
> and then make sure those directories that it returns are actually supposed 
> to be there.  ls is almost always trojaned, hence the reason to use find.  
> 
> Also, a useful command is rpm -Va.  The output is documented in man rpm, 
> but it checks all of the files from RPMs for changes.  You could also make 
> this quicker by targeting things like passwd or util-linux.
> 
> Ben
-- 
brian <lists at karas.net>
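Two of the checks discussed above (unexpected directories under /dev, and binaries whose contents no longer match a known-good copy), written out as an added example rather than anything posted in the thread. It runs over a constructed sample tree in a temp directory so the logic can be exercised without touching a live system, and it assumes GNU find and sha256sum (coreutils); the manifest-based check is the distribution-neutral counterpart of the rpm -Va approach Ben mentions. On a suspect host, run checks like these from a known-good static toolkit or from the disk mounted read-only on a clean machine, never with the host's own /bin.

```shell
#!/bin/sh
# Added example, not from the thread above. Assumes GNU find and sha256sum.

# Build a stand-in for /dev plus an allowlist of directories expected there.
# Prints the temp dir; $dir/dev is the tree, $dir/allow the allowlist.
# Everything in here is constructed sample data.
make_sample_dev() {
    dir=$(mktemp -d)
    mkdir "$dir/dev" "$dir/dev/pts" "$dir/dev/shm"   # normally present on Linux
    mkdir "$dir/dev/..." "$dir/dev/.hidden"           # rootkit-style stash dirs
    : > "$dir/dev/null"                               # stands in for a device node
    printf 'pts\nshm\n' > "$dir/allow"
    printf '%s\n' "$dir"
}

# List subdirectories of a /dev tree that are not on the allowlist.
# Uses find, not ls, because ls is one of the first binaries rootkits replace;
# with GNU find, -maxdepth is a positional option and must precede -print/-ls.
# On a real /dev, adding -o -type f to the test is worthwhile too: there
# should be almost no regular files there.
suspicious_dev_dirs() {
    devdir=$1
    allow=$2
    find "$devdir" -mindepth 1 -maxdepth 1 -type d -print |
    while IFS= read -r path; do
        name=${path#"$devdir"/}
        grep -qxF -- "$name" "$allow" || printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Record known-good SHA-256 sums for a set of files (sha256sum -c format,
# absolute paths). In practice the manifest comes from clean install media
# or a trusted copy, never from the host under suspicion.
write_manifest() {
    manifest=$1
    shift
    sha256sum "$@" > "$manifest"
}

# Print the paths in a manifest whose current contents no longer match
# (or that are missing). sha256sum --quiet reports only the failures.
changed_binaries() {
    sha256sum -c --quiet "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# Constructed scenario: two "binaries", a manifest, then one is replaced.
make_sample_bins() {
    dir=$(mktemp -d)
    mkdir "$dir/bin"
    printf 'original ls\n'  > "$dir/bin/ls"
    printf 'original top\n' > "$dir/bin/top"
    write_manifest "$dir/manifest" "$dir/bin/ls" "$dir/bin/top"
    printf 'trojaned ls\n' > "$dir/bin/ls"            # simulated trojaned binary
    printf '%s\n' "$dir"
}

# Demo when run directly as `sh rootkit-checks.sh demo`.
if [ "${1:-}" = demo ]; then
    d=$(make_sample_dev)
    echo "unexpected directories under $d/dev:"
    suspicious_dev_dirs "$d/dev" "$d/allow"
    b=$(make_sample_bins)
    echo "files differing from manifest:"
    changed_binaries "$b/manifest"
    rm -rf "$d" "$b"
fi
```

The allowlist has to be written per system (udev, devfs and static /dev layouts all differ), which is exactly the "make sure those directories are actually supposed to be there" step from the thread; the script only takes the eyeballing out of the listing. The manifest check is only as good as where the manifest came from, so generate it from a clean box of the same package versions rather than from the machine you are examining.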