Rootkit signatures?

Kenny Lussier klussier at gmail.com
Thu Jun 25 08:56:52 EDT 2009


Hi All,

I have a mandate to install "anti-virus and anti-malware software on
all servers". Since all of our servers are Linux, this was further
clarified to mean "rootkit detection software". I have looked at
several rootkit detectors, and they all appear to be fairly old. My
guess is, it isn't really worth it, since a rootkit is going to be
personalized and customized to the system being attacked (but hey,
what do I know... :-) ). I have found a few apps that are essentially
just a list of files and directories that are common to some older
rootkits, and if anything in the list is found, it sets off the alert.

I can do the same thing with Tripwire, which is already on every
system. What I am trying to do is either compile an extensive list of
rootkit properties, or subscribe to a rootkit signature feed (like a
Nessus feed). Does anyone know of the existence of either of these
things?

TIA,
Kenny


More information about the gnhlug-discuss mailing list