[clue-tech] rootkit detection

Bruce Ediger eballen1 at qwest.net
Tue Nov 1 06:36:57 MST 2005


On Tue, 1 Nov 2005, Jeff Cann wrote:

> I used rkhunter which showed no problems.  I'm wondering if I should run other
> detection measures?  Perhaps running chkrootkit *and* rkhunter?  Maybe I'm
> just paranoid.  This box is fairly hardened, with only ports 80, 25, 22 open.
> We're running tomcat, postfix, and openssh on those ports.

I have to increase your paranoia, but....

My experience is that chkrootkit and rkhunter don't detect some rootkits.
I had a Solaris machine rooted a few years ago, and when I last looked
at chkrootkit last year, it still probably wouldn't have found it.

It comes down to epistemology anyway, not math or logic, so this shouldn't
surprise anyone.

My advice:

Just keep an eye on that machine.  Rootkits tend to make "ls" and "ps"
act funny.  The rootkit I found wouldn't show files with "01" in the
names.  Recompile "ls" and "ps" from scratch, see if they agree
with the stock "ls" and "ps" output.

Rootkits make machines "feel slow", or boot slowly or something.
Nothing definite, usually ambiguous.

-- 
Bruce Ediger
720-932-1954
eballen1 at qwest.net
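One way to carry out the cross-check Bruce describes, as an added example that is not code from the original post: compare what the stock "ls" and "ps" report against an independent view of the same data (the shell's own globbing of the directory, the numeric entries of /proc) and print any names the tool omits. The file names and the "hides names containing 01" behaviour used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. A trojaned ls or ps that hides
# some entries shows up here as names present in the independent listing but
# absent from the tool's output.
export LC_ALL=C   # same collation for sort and comm on both sides

# Print names found in $2 (independent listing) but not in $1 (tool output).
# Both arguments are newline-separated lists.
hidden_names() {
    a=$(mktemp) && b=$(mktemp) || return 2
    printf '%s\n' "$1" | sort -u > "$a"
    printf '%s\n' "$2" | sort -u > "$b"
    comm -13 "$a" "$b"        # lines only in the independent listing
    rm -f "$a" "$b"
}

# Directory entries via the ls binary versus the shell's own globbing, which
# reaches readdir() without going through ls at all.
check_ls() {
    dir=$1
    by_ls=$(cd "$dir" && ls -A1)
    by_glob=$(cd "$dir" && for f in .[!.]* ..?* *; do
                  [ -e "$f" ] || [ -L "$f" ] || continue   # skip unmatched globs
                  printf '%s\n' "$f"
              done)
    hidden_names "$by_ls" "$by_glob"
}

# Process IDs via ps versus the numeric entries of /proc. /proc is read first
# so this script's own subshells do not appear as phantom "hidden" processes;
# a process that exits between the two snapshots can still show up once, so
# repeat the check before treating a PID as suspicious.
check_ps() {
    by_proc=$(cd /proc && for p in [0-9]*; do printf '%s\n' "$p"; done)
    by_ps=$(ps -e -o pid= | tr -d ' ')
    hidden_names "$by_ps" "$by_proc"
}

# Usage: ./check.sh /etc   (prints nothing when ls and ps agree)
if [ "$#" -gt 0 ]; then
    echo "== names ls does not show in $1 =="; check_ls "$1"
    echo "== PIDs ps does not show =="; check_ps
fi
```

An empty report means the tool agrees with the independent view; it does not prove the machine is clean, since a kernel-level rootkit can lie to both code paths.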
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech