Detecting root kits?
Ben Boulanger
ben at blackavar.com
Mon Jun 23 11:33:33 EDT 2003
On Mon, 23 Jun 2003, Michael O'Donnell wrote:
> For reasons already mentioned by Derek and others,
> the results obtained from chkrootkit are only
> trustworthy in the positive case. A negative result
> is inconclusive, since you're basically asking the
> compromised system, "Hey! Are you compromised?"
Then by this logic, -anything- you do, except for pulling the drive and
mounting it in a system or booting off of a CD, is suspect. While that is the most
correct way, it's also the most impractical. You can find rootkits on
systems with a much more minimal effort. Will you find the really good
hackers? No - but you won't find them if you boot off of a CD either.
The short of it is, if you think you're compromised, you probably are.
Look around and you're sure to find something. Real hackers don't go
after these kinds of boxes - not even as jump points. You're dealing with
script kiddies, and script kiddies tend to not cover tracks well.
Ben
--
Thought for the day: Never be afraid to try something new. Remember that
amateurs built the Ark. Professionals built the Titanic.
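The "pull the drive and mount it" approach that the thread calls the most correct way amounts to checking the suspect filesystem from an environment it cannot lie to, against a baseline recorded from a trusted system. The following is an added example, not code from the thread or from chkrootkit; the manifest format, file names and the two sample trees are constructed here for illustration.

```python
"""Offline integrity check of a mounted (suspect) filesystem against a baseline
manifest. Added example; paths, manifest format and sample trees are constructed."""
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, rel_paths) -> dict:
    """Record hashes of selected files relative to root. Run this on a trusted
    system or a pristine install of the same release, never on the suspect host."""
    return {rel: sha256_file(root / rel) for rel in rel_paths}

def verify_manifest(mount_root: Path, manifest: dict) -> dict:
    """Compare files under mount_root (the suspect disk, mounted read-only from a
    trusted boot medium) against the manifest. Because the suspect kernel and
    its userland are not running, a trojaned binary cannot hide its own change.
    Returns a report keyed by relative path: 'ok', 'modified' or 'missing'."""
    report = {}
    for rel, expected in manifest.items():
        target = mount_root / rel
        if not target.is_file():
            report[rel] = "missing"
        elif sha256_file(target) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report

def demo() -> dict:
    """Constructed scenario: a trusted tree and a suspect tree in which bin/ps
    has been replaced (as a trojaned ps would be) and bin/netstat removed."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, suspect = Path(tmp, "trusted"), Path(tmp, "suspect")
        for root in (trusted, suspect):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"genuine ls binary")
            (root / "bin" / "ps").write_bytes(b"genuine ps binary")
            (root / "bin" / "netstat").write_bytes(b"genuine netstat binary")
        manifest = build_manifest(trusted, ["bin/ls", "bin/ps", "bin/netstat"])
        (suspect / "bin" / "ps").write_bytes(b"ps that hides processes")
        (suspect / "bin" / "netstat").unlink()
        return verify_manifest(suspect, manifest)
```

In practice the manifest would be built from distribution packages or a pristine install and stored off the suspect host, and the suspect disk mounted read-only (and noexec) under a known-good kernel before `verify_manifest` is run against the mount point.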