rjordan at student.math.uwaterloo.ca
Wed Oct 30 17:55:17 EST 2002
> Hi all,
> I recently downloaded and compiled 'chkrootkit', the latest version from
> Freshmeat, and I was wondering about something: I installed MDK 9.0 a
> few weeks ago, so if some cracker had installed a rootkit, would
> chkrootkit be able to detect it now?
> What I mean is this: since it isn't a fresh install which was
> immediately verified by chkrootkit, then how does chkrootkit determine
> if some of my files have been changed since the time I installed?
* chkrootkit doesn't work by watching changes in files (programs
like tripwire or aide do that)
* chkrootkit can tell you if you have a rootkit in some cases, but
it certainly can't tell you that you don't -- in other words there's
As I understand the program, it does a number of tricks to determine
strange cases as well as looking for certain well known rootkits.
(One trick I remember hearing it did was to send a signal to every
possible pid number comparing results to processes listed in /proc
-- this was a way to identify "hidden" processes)
More information about the OCLUG