[clue-tech] rootkit detection
David L. Anselmi
anselmi at anselmi.us
Tue Nov 1 09:02:26 MST 2005
Jeff Cann wrote:
> One of our DMZ webservers had an unexpected failure the other day.
[...]
> I used rkhunter which showed no problems. I'm wondering if I should run other
> detection measures?
If you're paranoid you just check all your binaries against your
Tripwire (et al.) database. ;-)
You might set up a sniffer/IDS/ntop on traffic from that box and see if
anything unusual shows up. Or you could configure the firewall to block
everything not absolutely necessary (I wonder what kind of netfiltering
you can do above layer 4) and log any failures.
Dave
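A minimal version of the Tripwire-style check described above, added here as an example (it is not code from the post, nor from rkhunter or Tripwire): build a baseline of content hashes plus the metadata a rootkit would also have to touch (mode, owner, size) on a known-clean box, keep that baseline somewhere the box cannot rewrite it, then compare a later walk of the same tree against it. The demo directory, its file contents and the "trojaned ls" are constructed for the demo; the only assumption is a POSIX-like filesystem.

```python
"""Tripwire-style integrity check of a directory tree against a stored baseline."""
import hashlib
import json
import os
import stat
import tempfile


def _fingerprint(path):
    """Hash content and record the metadata a rootkit would have to change (mode, uid/gid, size)."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        # For a symlink, hash the link target rather than following it
        h.update(os.readlink(path).encode())
    else:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root):
    """Walk a tree (e.g. /bin, /sbin, /usr/bin) and fingerprint every regular file or symlink."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = _fingerprint(path)
    return baseline


def check_against_baseline(root, baseline):
    """Return changed, missing and added paths relative to root; anything non-empty needs a look."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed demo: a fake bin directory, a baseline, then a replaced ls, a deleted ps and a new netstat."""
    root = tempfile.mkdtemp()
    for name, body in (("ls", b"#!/bin/sh\necho clean-ls\n"),
                       ("ps", b"#!/bin/sh\necho clean-ps\n")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    # The baseline would normally be written to read-only media or another host so an
    # intruder cannot regenerate it after tampering; here it is serialised in memory only.
    saved = json.dumps(build_baseline(root))
    # Simulate what a rootkit leaves behind: a trojaned ls, a removed ps, a dropped-in binary
    with open(os.path.join(root, "ls"), "wb") as f:
        f.write(b"#!/bin/sh\necho trojaned-ls\n")
    os.remove(os.path.join(root, "ps"))
    with open(os.path.join(root, "netstat"), "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")
    return check_against_baseline(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because the fingerprint includes mode and ownership, a binary whose content is untouched but which has been made setuid or chowned also shows up under "changed"; a comparison that only hashes content would miss that. The result is only as trustworthy as the baseline and the tools used to produce it, which is why the check is best run from clean media rather than with the suspect box's own binaries.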
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech