[oclug] r00tk1t

[Ross Jordan]

> 
> >From the list below, I gather the rootkit stuff only whacks the
> binaries, and not the kernel itself.  So, one could "cat" through
> /proc instead of using `ps', for looking for errant processes.  Also,
> one could use the emacs directory editor to look for files. It's
> curious that "find" and "echo" aren't whacked (echo * makes for a
> jiffy ls, especially if your PATH is hosed, or worse, your /bin).

One way I remember hearing to "discover" hidden processes was to go
through every pid from 0..max(PID) and send a SIGCONT. Compare
success to what ps tells you should be there. Of course, one needs
a good kill or other signal sending program...

-Ross


-- 
"Trying to make bits uncopyable is like trying to make water not wet.
The sooner people accept this, and build business models that take
this into account, the sooner people will start making money again". 
	-- Bruce Schneier