Detecting root kits?

Chris Brenton cbrenton at chrisbrenton.org
Mon Jun 23 12:16:42 EDT 2003


Michael O'Donnell wrote:
>
> If that minimal effort yields a positive result, yay!
> I was just pointing out that one ought not feel too comfy
> if a minimal effort yields a negative result.

Agreed. If chkrootkit, RPM or whatever finds what you are looking for, 
cool. If not, it's time to mount the drive in a remote system.

If you are wondering just how evil these kits can be, some further reading:
http://www.sans.org/resources/idfaq/knark.php

Note that knark can render MD5 and other checks useless while it's loaded 
in the kernel.

HTH,
C
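As an added example (not part of the thread or of any tool mentioned in it), a POSIX shell script that performs the offline check Chris describes: the suspect disk is mounted read-only on a trusted machine and hashed against a baseline manifest by the trusted host's own kernel and tools, so a kernel-resident kit on the suspect system never gets a chance to lie about file contents. The mount point, manifest path and the files created in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Offline integrity check of a suspect filesystem from a trusted host.
# Assumptions (not from the original post): the suspect disk is already
# mounted read-only at MOUNTPOINT, and MANIFEST holds "hash  relative/path"
# lines produced by sha256sum on a known-good install, stored off the box.

# verify_offline MOUNTPOINT MANIFEST
# Prints one line per deviation: MISSING, MODIFIED or UNEXPECTED <path>.
# Empty output means every baseline file matched and nothing extra was found.
verify_offline() {
    mnt="$1"; manifest="$2"
    {
        # Re-hash every baseline file with the trusted host's sha256sum.
        while read -r expected path; do
            if [ ! -f "$mnt/$path" ]; then
                echo "MISSING $path"; continue
            fi
            actual=$(sha256sum "$mnt/$path" | cut -d' ' -f1)
            [ "$actual" = "$expected" ] || echo "MODIFIED $path"
        done < "$manifest"
        # Files on disk that the baseline never knew about deserve a look too.
        (cd "$mnt" && find . -type f | sed 's|^\./||') | while read -r path; do
            awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$manifest" \
                || echo "UNEXPECTED $path"
        done
    } | sort
}

# Constructed demo: a fake "mounted suspect disk" in a temp directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/disk/bin" "$work/disk/etc" "$work/disk/tmp"
    printf 'ls binary v1\n' > "$work/disk/bin/ls"
    printf 'root:x:0:0\n'   > "$work/disk/etc/passwd"
    # Baseline captured while the system was still known-good.
    (cd "$work/disk" && sha256sum bin/ls etc/passwd) > "$work/baseline.sha256"
    # Simulate what a compromise leaves behind: a replaced binary,
    # a deleted file and an extra file the baseline does not list.
    printf 'ls binary REPLACED\n' > "$work/disk/bin/ls"
    rm "$work/disk/etc/passwd"
    printf 'x\n' > "$work/disk/tmp/.hidden"
    verify_offline "$work/disk" "$work/baseline.sha256"
    rm -rf "$work"
}

# Real use: verify_offline /mnt/suspect /secure/baseline.sha256
if [ "${1:-}" = demo ]; then demo; fi
```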

More information about the gnhlug-discuss mailing list