Rootkit signatures?

Kenny Lussier klussier at gmail.com
Thu Jun 25 09:59:08 EDT 2009


On Thu, Jun 25, 2009 at 9:26 AM, Ted Roche <tedroche at tedroche.com> wrote:

> Kenny:
>
> You might want to check out http://www.chkrootkit.org/ - the software is
> simple to install and run from cron (see the FAQs) and the site has "Related
> Links" to some good resources.

Ted,

I probably should have listed the rootkit detection systems that I
have looked at. chkrootkit is one of them. The last release was Dec.
2007. I have also looked at OSSEC, rkhunter, and about 40 others that
all suffer from age and incompleteness. Another problem with all of
these is that they run locally and report locally. If I were to write
a rootkit, the first thing that I would do is check for rootkit
detectors and neutralize them if I found them. With Tripwire, or any other
remote scanner, the ability to modify the check is eliminated.


Thanks,
Kenny
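The off-host check Kenny is arguing for can be modeled as a Tripwire-style
integrity scan: a baseline manifest of file hashes and metadata is built from
a known-good state, signed with an HMAC key that lives only on the trusted
scanning host, and later compared against a fresh scan. The script below is an
added example written for this archive page, not code from the thread, from
Tripwire or from chkrootkit. The monitored tree, the "rootkit" changes and the
key are all constructed inline so it runs offline; in practice the baseline,
the key and the compare step stay on the remote host, and only the fresh
manifest (or a read-only view of the disk) comes from the machine being
checked.

```python
"""Off-host file-integrity check in the style of Tripwire (added example).

The monitored tree, the tampering and the key are constructed here so the
script runs offline. In a real deployment the baseline and the HMAC key live
on a separate, trusted host; the monitored machine never holds the key, so a
rootkit that rewrites local files cannot also forge a matching baseline.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHECKED_FIELDS = ("sha256", "size", "mode", "mtime_ns")


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Manifest of every regular file under root, keyed by relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        manifest[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": st.st_mode,
            "mtime_ns": st.st_mtime_ns,
        }
    return manifest


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the HMAC is reproducible."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest; the key stays on the trusted host."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_signature(manifest: dict, key: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_baseline(manifest, key), signature)


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline."""
    report = {"added": [], "removed": [], "modified": {}}
    for path, entry in baseline.items():
        if path not in current:
            report["removed"].append(path)
            continue
        changed = [f for f in CHECKED_FIELDS if current[path][f] != entry[f]]
        if changed:
            report["modified"][path] = changed
    report["added"] = sorted(p for p in current if p not in baseline)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then 'rootkit' it."""
    key = b"held-only-on-the-trusted-scan-host"  # hypothetical key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample tree
            "bin/ls": b"original ls binary",
            "bin/ps": b"original ps binary",
            "etc/cron.d/chkrootkit": b"0 3 * * * root /usr/sbin/chkrootkit\n",
        }
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_baseline(root)
        signature = sign_baseline(baseline, key)

        # Simulated compromise: trojan ls with a same-size replacement and put
        # the old timestamp back (so size/mode/mtime still match and only the
        # hash gives it away), delete the detector's cron job, drop a hidden
        # library.
        ls = root / "bin/ls"
        st = ls.stat()
        ls.write_bytes(b"trojaned ls binary")
        os.utime(ls, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "etc/cron.d/chkrootkit").unlink()
        (root / "lib").mkdir()
        (root / "lib/.hidden.so").write_bytes(b"evil")

        current = build_baseline(root)
        return {
            "report": compare(baseline, current),
            "baseline_signature_ok": verify_signature(baseline, key, signature),
            # Rewriting the baseline to match the trojaned tree does not help
            # the attacker: without the off-host key the signature fails.
            "forged_baseline_ok": verify_signature(current, key, signature),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat a practitioner would add: the hashing step still reads files
through the kernel of the machine being scanned, so a kernel-resident rootkit
can lie to it. Running the scan from a trusted host over a read-only mount or
from boot media closes that gap; keeping the baseline and key off the host, as
above, is what stops the check itself from being edited.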


More information about the gnhlug-discuss mailing list