[oclug]chkrootkit

GR Gaudreau transop at sympatico.ca
Wed Oct 30 22:14:31 EST 2002


On Wed, 2002-10-30 at 18:13, Ian Wormsbecker wrote:
> On October 30, 2002 05:36 pm, GR Gaudreau wrote:
> > Hi all,
> > I recently downloaded and compiled 'chkrootkit', the latest version from
> > Freshmeat, and I was wondering about something: I installed MDK 9.0 a
> > few weeks ago, so if some cracker had installed a rootkit, would
> > chkrootkit be able to detect it now?
> >
> > What I mean is this: since it isn't a fresh install which was
> > immediately verified by chkrootkit, then how does chkrootkit determine
> > if some of my files have been changed since the time I installed?

> [ross]
> Two things:
> * chkrootkit doesn't work by watching changes in files (programs
>   like tripwire or aide do that)
> * chkrootkit can tell you if you have a rootkit in some cases, but
>   it certainly can't tell you that you don't -- in other words there's
>   no guarantee.
> 
> As I understand the program, it does a number of tricks to determine
> strange cases as well as looking for certain well known rootkits.
> (One trick I remember hearing it did was to send a signal to every
>  possible pid number comparing results to processes listed in /proc
>  -- this was a way to identify "hidden" processes)


[gr]   Thanks for the info, Ross.

 
> [ian] 
> Chkrootkit seems to work in some cases, but is not correct all the time. Like 
> Ross said, it uses some trickery to try to find odd ball things, and also 
> looks around for typical rootkit installations and hidden directories in 
> weird places and such.
<snipped for brevity> 
> Your best bet to determine compromises is to keep good log files, preferably 
> logging to another machine in case an attacker does penetrate your machine, 
> run tripwire or some such file auditing tool (I have used samhain in the 
> past), and having backups of anything vital just in case. Obviously keeping 
> patches up to date is vital.


[gr]   Oki doki, I'll check out those proggys and have a go at them.

Thanks to both you and Ross for your time and info. :-)


-- 
GR Gaudreau
"Half the lies they told me aren't true!"
~ Yogi Berra
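The hidden-process trick Ross recalls (probe every possible PID with a signal and compare against what /proc lists) is small enough to write out. The script below is an added illustration of that technique written for this archive page; it is not chkrootkit's own code, and it is a standalone Linux-only check. It also handles the two false positives a naive sweep produces: short-lived processes that appear or exit between the two snapshots, and thread IDs, which answer the signal probe and are not listed by readdir on /proc yet are reachable as /proc/<tid>. The names `proc_pids`, `probe_pids`, `hidden_pids` and `scan` are this example's own.

```python
import os

PROC = "/proc"


def proc_pids(proc_dir=PROC):
    """PIDs that appear as numeric directory entries under /proc.
    This is the same listing ps and top ultimately read."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def pid_alive(pid):
    """Signal 0 checks for existence and permission without delivering anything.
    ESRCH (ProcessLookupError) -> no such process.
    EPERM (PermissionError)    -> exists, just not ours: still a live process."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def own_pid_alive():
    """Sanity check for the probe: our own PID must always answer."""
    return pid_alive(os.getpid())


def probe_pids(candidates):
    """PIDs from `candidates` that answer the signal-0 probe.
    PID 0 is skipped because kill(0, sig) targets the whole process group."""
    return {pid for pid in candidates if pid > 0 and pid_alive(pid)}


def hidden_pids(alive, listed):
    """The discrepancy the technique looks for: alive but absent from the listing."""
    return alive - listed


def scan(max_pid=None, proc_dir=PROC):
    """Sweep the whole PID space, then re-check to drop transient processes and
    thread IDs, which are not rootkits but would otherwise be reported."""
    if max_pid is None:
        with open(os.path.join(proc_dir, "sys/kernel/pid_max")) as f:
            max_pid = int(f.read())
    before = proc_pids(proc_dir)                  # snapshot 1
    alive = probe_pids(range(1, max_pid + 1))     # brute-force probe
    after = proc_pids(proc_dir)                   # snapshot 2 (catches races)
    suspects = hidden_pids(alive, before | after)
    confirmed = set()
    for pid in suspects:
        # A thread ID is not listed by readdir but /proc/<tid> still resolves,
        # so the isdir test filters threads out. A process that is alive and
        # truly has no /proc entry is what this technique flags.
        if pid_alive(pid) and not os.path.isdir(os.path.join(proc_dir, str(pid))):
            confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    found = scan()
    if found:
        print("alive but not listed in /proc:", sorted(found))
    else:
        print("no discrepancy between signal probe and /proc listing")
```

Run it as root so EPERM is not hiding anything from the probe. The limitation Ross states still applies: a kernel-level rootkit that hooks the same system calls this script relies on (kill, getdents) can make both views agree, so an empty result is not proof of a clean box, while a non-empty one is worth investigating immediately.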
