transop at sympatico.ca
Wed Oct 30 22:14:31 EST 2002
On Wed, 2002-10-30 at 18:13, Ian Wormsbecker wrote:
> On October 30, 2002 05:36 pm, GR Gaudreau wrote:
> > Hi all,
> > I recently downloaded and compiled 'chkrootkit', the latest version from
> > Freshmeat, and I was wondering about something: I installed MDK 9.0 a
> > few weeks ago, so if some cracker had installed a rootkit, would
> > chkrootkit be able to detect it now?
> > What I mean is this: since it isn't a fresh install which was
> > immediately verified by chkrootkit, then how does chkrootkit determine
> > if some of my files have been changed since the time I installed?
> Two things:
> * chkrootkit doesn't work by watching changes in files (programs
> like tripwire or aide do that)
> * chkrootkit can tell you if you have a rootkit in some cases, but
> it certainly can't tell you that you don't -- in other words there's
> no guarantee.
> As I understand the program, it does a number of tricks to determine
> strange cases as well as looking for certain well known rootkits.
> (One trick I remember hearing it did was to send a signal to every
> possible pid number comparing results to processes listed in /proc
> -- this was a way to identify "hidden" processes)
[gr] Thanks for the info, Ross.
> Chkrootkit seems to work in some cases, but is not correct all the time. Like
> Ross said, it uses some trickery to try to find odd ball things, and also
> looks around for typical rootkit installations and hidden directories in
> wierd places and such.
<snipped for brevity>
> Your best bet to determine compromises is to keep good log files, preferably
> logging to another machine in case an attacker does penetrate your machine,
> run tripwire or some such file auditing tool (I have used samhain in the
> past), and having backups of anything vital just in ase. Obviously keeping
> patches up to date is vital.
[gr] Oki doki, I'll check out those proggys and have a go at them.
Thanks to both you and Ross for your time and info. :-)
"Half the lies they told me aren't true!"
~ Yogi Berra
More information about the OCLUG