Detecting root kits?
Jason Stephenson
jason at sigio.com
Mon Jun 23 10:47:31 EDT 2003
Dan Coutu wrote:
> I also know how to detect this particular hack but it involves a lot of
> manual effort with copying known good utilities (like ls and lsof) and
> examining a number of different directories and files. Quite time
> consuming.
Did the root kit actually replace ls entirely or did it copy it
somewhere else and put in a new binary? I recall seeing one Solaris root
kit that replaced several file checking utilities, but it made a
directory under /dev and stored the originals there. Apparently, the new
binaries actually used the old ones and mangled their output.
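As an added example that is not part of this thread (not Jason's or Dan's code), the script below does the kind of cross-check that catches the wrapper-style rootkit described above: it enumerates a directory through the kernel (os.scandir) and compares that with what the installed ls prints, flags regular files and unexpected directories under /dev, and verifies binaries against a known-good hash baseline. The /dev directory allowlist, the /bin/ls path and the sample listings are assumptions or constructed data, so adjust them for the host being checked.

```python
"""Cross-check a directory listing and the contents of /dev against what a
possibly trojaned 'ls' reports.  Added example for this thread; it is not
code from the original post."""
import hashlib
import os
import stat
import subprocess
from typing import Dict, Iterable, List, Set, Tuple

# Directories that are legitimately present under /dev on many Linux systems.
# This allowlist is an assumption; trim or extend it for the host being checked.
KNOWN_DEV_DIRS = {"pts", "shm", "fd", "mqueue", "hugepages", "disk", "block",
                  "char", "input", "net", "snd", "mapper", "cpu", "bus", "dri"}


def parse_listing(text: str) -> Set[str]:
    """Turn 'ls -1a' output into a set of names, dropping '.' and '..'."""
    names = (line.strip() for line in text.splitlines())
    return {n for n in names if n not in ("", ".", "..")}


def direct_listing(path: str) -> Set[str]:
    """Enumerate a directory through the kernel (os.scandir -> getdents),
    bypassing user-space tools such as ls that a rootkit may have replaced."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def tool_listing(path: str, ls_binary: str = "/bin/ls") -> Set[str]:
    """Ask the installed ls (which may be trojaned) for the same directory."""
    out = subprocess.run([ls_binary, "-1a", path], capture_output=True,
                         text=True, check=True).stdout
    return parse_listing(out)


def hidden_entries(direct: Iterable[str], reported: Iterable[str]) -> Set[str]:
    """Names the kernel reports but the listing tool omitted: the signature of
    a wrapper that runs the real binary and filters its output."""
    return set(direct) - set(reported)


def suspicious_dev_entries(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Flag regular files, and directories outside the allowlist, among
    (name, st_mode) pairs taken from /dev.  Device nodes, symlinks, FIFOs and
    sockets belong there; regular files and stray directories do not."""
    flagged = []
    for name, mode in entries:
        if stat.S_ISREG(mode) or (stat.S_ISDIR(mode) and name not in KNOWN_DEV_DIRS):
            flagged.append(name)
    return sorted(flagged)


def scan_dev(path: str = "/dev") -> List[str]:
    """Apply suspicious_dev_entries to a live /dev without following symlinks."""
    with os.scandir(path) as it:
        return suspicious_dev_entries(
            (e.name, e.stat(follow_symlinks=False).st_mode) for e in it)


def sha256_of(path: str) -> str:
    """Hash a file in chunks, for comparison with a baseline taken from clean media."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_mismatches(baseline: Dict[str, str]) -> List[str]:
    """Paths whose current hash differs from the recorded known-good hash."""
    return sorted(p for p, good in baseline.items() if sha256_of(p) != good)


# Constructed sample data (not from the thread): what the kernel reports for a
# directory, what a wrapper-style ls printed for it, and a mock /dev.
SAMPLE_DIRECT = {"ls", "ps", "netstat", "...", ".rk"}
SAMPLE_LS_OUTPUT = ".\n..\nls\nnetstat\nps\n"
SAMPLE_DEV = [
    ("null", 0o020666),   # character device
    ("sda", 0o060660),    # block device
    ("pts", 0o040755),    # expected directory
    ("fd", 0o120777),     # symlink, as on many systems
    (".lib", 0o040755),   # directory not on the allowlist
    ("ptyr", 0o100755),   # regular file: never expected under /dev
]

if __name__ == "__main__":
    print("hidden by ls:",
          sorted(hidden_entries(SAMPLE_DIRECT, parse_listing(SAMPLE_LS_OUTPUT))))
    print("odd /dev entries (sample):", suspicious_dev_entries(SAMPLE_DEV))
    # On a live host, compare direct_listing("/bin") with tool_listing("/bin")
    # and run scan_dev(); both need only read access.
```

The point of the two listings is that the kernel and the ls binary should agree; when a wrapper runs the original ls from its hiding place and strips lines from the output, the difference shows up without needing a copied-in clean ls. Run it from read-only media where possible, since the Python interpreter and libc on a compromised host are not above suspicion either.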