Chrootkit compares the current state of the system to a point in time when you know for sure that the system was secure. In other words, you run it initially after building your system, and it makes a note of the sizes and modification dates of certain (or all?) key system files. For each subsequent test, chrootkit compares the current file sizes/modification dates with the originals, and if there's any difference it'll warn you.

A typical way for someone to invade a Linux/Unix environment is to replace the "ls" command with a modified version, which will not show up any alterations the "hacker" has made to the system. Chrootkit would notice the "ls" executable was different to the original, thus warning you of a potential problem.

There's probably a lot more to Chrootkit than this, but I've never seen it spot any problems in the real world (yet, fingers crossed!).

Jeremy

--
Jeremy Pearson
ICT Technician
Five Islands School, St Marys, Isles of Scilly, TR21 0JY
Tel: 01720 422929  Fax: 01720 422969
Web: fisonline.org.uk
jeremypearson@xxxxxxxxxxxxxxxxxxxxxxxxx

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
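The baseline-and-compare check Jeremy describes, as an added illustration that is not part of his post and not code from chkrootkit or any other tool. It records size and modification time as he describes, and also a SHA-256 digest, because a swapped binary can be padded to the old size and have its timestamp put back; the watch list and the `demo()` scenario (a throwaway directory standing in for the system root, with "ls" replaced) are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical watch list (assumed); a real deployment would list the system's own binaries.
WATCHED = ["bin/ls", "bin/ps", "bin/netstat"]


def fingerprint(path):
    """Size and mtime, as in the post, plus a SHA-256 digest: a replaced
    binary can be padded to the old size and have its timestamp restored."""
    st = path.stat()
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}


def build_baseline(root, watched=WATCHED):
    """Snapshot taken while the system is known to be clean."""
    return {name: fingerprint(root / name) for name in watched}


def compare(root, baseline):
    """Map each changed file to the fields that differ; 'missing' if gone."""
    findings = {}
    for name, known in baseline.items():
        path = root / name
        if not path.exists():
            findings[name] = ["missing"]
            continue
        now = fingerprint(path)
        changed = [k for k in known if known[k] != now[k]]
        if changed:
            findings[name] = changed
    return findings


def demo():
    """Constructed scenario: a fake root with three stand-in binaries;
    'ls' is then swapped for a same-size file with the old mtime restored."""
    root = Path(tempfile.mkdtemp())
    for name in WATCHED:
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(b"ORIGINAL-" + name.encode())
    baseline = build_baseline(root)
    target = root / "bin/ls"
    st = target.stat()
    target.write_bytes(b"TROJAN-" + b"x" * (st.st_size - 7))
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
    return compare(root, baseline)
```

A size-and-mtime-only check would report nothing for this scenario; only the digest field flags the replaced "ls". The baseline itself must live somewhere the compromised host cannot rewrite (read-only media or another machine), or an intruder simply re-baselines after tampering.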