[oclug]chkrootkit
Ross Jordan
rjordan at student.math.uwaterloo.ca
Wed Oct 30 17:55:17 EST 2002
>
> Hi all,
> I recently downloaded and compiled 'chkrootkit', the latest version from
> Freshmeat, and I was wondering about something: I installed MDK 9.0 a
> few weeks ago, so if some cracker had installed a rootkit, would
> chkrootkit be able to detect it now?
Possibly.
> What I mean is this: since it isn't a fresh install which was
> immediately verified by chkrootkit, then how does chkrootkit determine
> if some of my files have been changed since the time I installed?
Two things:
* chkrootkit doesn't work by watching changes in files (programs like tripwire or aide do that)
* chkrootkit can tell you if you have a rootkit in some cases, but it certainly can't tell you that you don't -- in other words there's no guarantee.
As I understand the program, it does a number of tricks to determine
strange cases as well as looking for certain well known rootkits.
(One trick I remember hearing it did was to send a signal to every
possible pid number comparing results to processes listed in /proc
-- this was a way to identify "hidden" processes)
-Ross
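The hidden-process trick described above, as an added example that is not part of the original post or of chkrootkit's own code: probe every pid with signal 0 and compare the result against /proc. It assumes a Linux host with procfs and Python 3; the function names are my own.

```python
import os


def proc_pids(proc_dir="/proc"):
    """pids visible in the procfs listing (what ps and friends rely on)."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probe_pids(max_pid):
    """pids that exist according to kill(pid, 0), probing 1..max_pid.

    Signal 0 delivers nothing; the kernel only reports whether the target
    exists. EPERM (PermissionError) means it exists but belongs to another
    user, so it still counts as alive.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
        else:
            alive.add(pid)
    return alive


def hidden_pids(signal_alive, proc_before, proc_after):
    """pids the kernel says exist but that never appeared in /proc.

    Two /proc snapshots (before and after the probe) reduce false positives
    from processes that merely started or exited during the scan. A kernel
    rootkit that filters kill() as well will pass this check, which is the
    "no guarantee" point above.
    """
    return sorted(signal_alive - proc_before - proc_after)


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    with open(path) as fh:
        return int(fh.read())


if __name__ == "__main__":
    before = proc_pids()
    alive = probe_pids(read_pid_max())
    after = proc_pids()
    print("hidden pids:", hidden_pids(alive, before, after) or "none")
```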