Detecting root kits?

Ben Boulanger ben at blackavar.com
Mon Jun 23 11:33:33 EDT 2003


On Mon, 23 Jun 2003, Michael O'Donnell wrote:
> For reasons already mentioned by Derek and others,
> the results obtained from chkrootkit are only
> trustworthy in the positive case.  A negative result
> is inconclusive, since you're basically asking the
> compromised system, "Hey!  Are you compromised?"

Then by this logic, -anything- you do, except for pulling the drive and 
mounting it in a system or booting off of a CD is suspect.  While the most 
correct way, it's also the most impractical.  You can find rootkits on 
systems with a much more minimal effort.  Will you find the really good 
hackers?  No - but you won't find them if you boot off of a CD either.

The short of it is, if you think you're compromised, you probably are.
Look around and you're sure to find something.  Real hackers don't go
after these kinds of boxes - not even as jump points.  You're dealing with
script kiddies, and script kiddies tend to not cover their tracks well.

Ben

-- 

Thought for the day: Never be afraid to try something new.  Remember that
amateurs built the Ark.  Professionals built the Titanic.
More information about the gnhlug-discuss mailing list