Re: Re[2]: Chkrootkit
On Thu, 24 Apr 2003 19:32:01 +0200
Kay-Michael Voit <kay@voits.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: MD5
>
> DCE> for (1) I guess you can put the binaries in a read-only medium
> DCE> and run them from there, like a CD-ROM or a write-protected
> DCE> floppy/flash-medium.
> Well, the attacker could just stop the cronjob... but great idea
> though.
> My server is a remote rootserver, so this no solution for me...
In this case, don't run in quiet mode. you'll recieve an email every
day(?) but you'll know that no-one has disabled this cron. If you have
many servers, and you don't want to go through too many
chkrootkit emails, then configure your mail server to put these mails in
some folder and run some script to let you know if something is
not right (you didn't recieve all the emails, some suspicious line,
etc...).
Bye
>
> DCE> I am not sure I got what you mean in (2)
> I mean that the quiet output is not quiet. I would exspect that there
> is only output if there a problem, but it still says that eth0 is in
> promisc mode.
> If I understand promisc mode, this is not a problem, so I can't fix
> it, so there will always be output (which I dont want, because cron
> sends a mail then)
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6
>
> iQEVAwUAPqgflp9LInC1Fu5pAQG9kQf8DZUnDsiMYsTKFIiHOpo6G2i8k0p+jUn/
> j87PCCzTZZhRzoAyXMVrpD1dx9LP96uLOENorDDj0U4wvsjbYx1Q0wg1GQivSd9T
> Uwaq2ZZNLw4QlIOV9sZ7Obn3JfQmPH88ofeqlIk21p+XZbitoeEK7d16wU6EDD8v
> KhqA8aL9EwL+2dB7/Aj/PpYcrwD7beA3hfjQ6PgZLhW7o0gyfrl4mv7InrrmSAuc
> eCSCWFKEnzIDzRbfcZo7Bz6aptwd3FqmWcLL9655LQQ1k5JzI1oeflR1PPjGocZE
> yxXijaDOjrjFDy9La418s5IkwoN0GyusaWopW/hrfI/16KPFTVKdtQ==
> =aqwa
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
--
Haim
Reply to: