Re: Chkrootkit
On Thu Apr 24, 2003 at 07:0001PM +0200, Kay-Michael Voit wrote:
> I'm just setting up my first webserver in a productive environment.
> Now I wonder how I could use chkrootkit.
>
> My first idea was to run a cronjob, but I have two problems with this
> solution:
>
> 1) An attacker could just change the chkrootkit binaries. If I'm
> right, chkrootkit is nearly worthless, unless it has just been
> installed.
I'm not completely aware of what chkrootkit actually does, so please
correct me if I'm wrong, but: for the checks chkrootkit has to do it
has to rely on the system calls the kernel provides and that most likely
are altered by an installed root kit, so it also seems somehow worthless
to me to run it on a regular basis.
Another point against chkrootkit, it has the same principle design
weaknesses as virus scanners for Windows: it can only detect known root
kits but not new ones that have enough difference from the existing
ones, and the only principle statement it can make is "I did (not) find
a root kit" which differs significantly from the actually desired one
"There is (no) root kit".
Configure your server in a secure way, follow security announcements of
all relevant software, probably use some useful way of intrusion
detection like tripwire, and you should be on the safe side.
--
Michael Bergbauer <michael@noname.franken.de>
use your idle CPU cycles - See http://www.distributed.net for details.
Visit our mud Geas at geas.franken.de Port 3333
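An added example, not part of this thread and not tripwire's own code, of the integrity-checking approach the reply recommends instead of signature scanning: record a baseline of hashes and metadata for a tree, then diff the live tree against it. It assumes the baseline is stored where a compromised host cannot rewrite it, and it inherits the same caveat the reply raises about chkrootkit, since it reads files through the running kernel.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's content, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root to its hash, permission bits, owner and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            baseline[os.path.relpath(path, root)] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
            }
    return baseline


def verify(root, baseline):
    """Return sorted lists of (changed, added, removed) paths relative to root."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed


def demo():
    """Constructed scenario: baseline a scratch tree, then replace, delete and add a file."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = build_baseline(root)
        with open(os.path.join(root, "bin", "ps"), "wb") as f:
            f.write(b"trojaned ps")  # same size as before, so only the hash reveals it
        os.remove(os.path.join(root, "bin", "netstat"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"new file")
        return verify(root, baseline)
    finally:
        shutil.rmtree(root)
```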