David Bell wrote:
> On Thursday 19 May 2005 11:48, Grant Sewell wrote:
>
> One thing that strikes me with this comment should be fairly obvious. If you run chkrootkit for the first time on an already cracked system, then it will consider the cracked files to be "normal".
>
> This comment is made in the package blurb, prior to installation, and therefore infers to me that one shouldn't rely on chkrootkit to find everything - even after a squeaky clean install.
The only rootkit I saw in the wild (Eek - not a lot of sleep for a few days) was spotted easily by chkrootkit, even after just bunging it in /root after infection (we just needed to know what was wrong). In this case I think it spotted differences between /proc and the list of running processes returned by the modified "ps" executable or library. Although some difference between "ps" and /proc can occur on correctly configured systems, the nature and number of differences gave the blighter away.

Generally when a rootkit is in place it is there for a purpose, so you can snaffle the traffic on the wire (from a different box) and see there is rogue traffic (might be hard if the box is busy or the traffic is https, or tunnels over DNS or some such).

It is impossible to be 100% confident a system hasn't been compromised. What makes you think it has? As the rootkit we had made the system unstable, which is very unusual for Linux boxes, but also there were other bad signs.

We use fingerprinting tools (tripwire) at work to help look for rogue file changes (also handy if your fellow admin forgets to mention something they changed). If you haven't fingerprinted a clean system, you can still use the packaging tool to test for file consistency. Debian dpkg for example stores checksums for every file installed that way. Not perfect, as a sufficiently able rootkit could hide itself (unless you boot from clean media), but in most cases rootkits are only trying to evade accidental discovery, not prolonged and detailed investigation.

-- 
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
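The dpkg consistency check described in the post, as an added example (not code from the thread, nor Debian's own dpkg/debsums tooling): it parses the per-package `.md5sums` files dpkg stores under `/var/lib/dpkg/info`, rehashes each listed file and reports anything missing or modified. The `root` parameter is an assumption added here so the suspect filesystem can be checked while mounted from clean boot media, which is the caveat the post raises.

```python
import hashlib
import os
from pathlib import Path

DPKG_INFO = Path("/var/lib/dpkg/info")   # dpkg keeps <package>.md5sums here


def parse_md5sums(text):
    """Yield (md5_hex, path relative to /) from a dpkg .md5sums file body.
    Each line is "<32 hex chars>  <relative path>"; conffiles are not listed,
    so locally edited configuration never shows up as a failure."""
    for line in text.splitlines():
        digest, sep, rel_path = line.strip().partition("  ")
        if sep and len(digest) == 32:
            yield digest.lower(), rel_path


def md5_of_file(path):
    """MD5 of a file read in chunks; None if it cannot be read."""
    h = hashlib.md5()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def verify_package(md5sums_text, root="/"):
    """Return {absolute_path: "MISSING" | "MODIFIED"} for files that fail."""
    failures = {}
    for expected, rel_path in parse_md5sums(md5sums_text):
        full = os.path.join(root, rel_path.lstrip("/"))  # keep paths under root
        actual = md5_of_file(full)
        if actual is None:
            failures[full] = "MISSING"
        elif actual != expected:
            failures[full] = "MODIFIED"
    return failures


def verify_all(info_dir=DPKG_INFO, root="/"):
    """Check every package; returns {package: failures} for those with problems.
    The .md5sums files sit on the same disk the intruder controls, so "all
    clean" only means something when run from clean boot media with the
    suspect filesystem mounted at `root` (assumed parameter, see lead-in)."""
    report = {}
    for md5file in sorted(Path(info_dir).glob("*.md5sums")):
        failures = verify_package(md5file.read_text(), root)
        if failures:
            report[md5file.stem] = failures
    return report
```

Run on a live system it reads `/var/lib/dpkg/info` directly; point `info_dir` and `root` at a mounted suspect disk to check it from rescue media.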