
Re: Chkrootkit



Hi,
this is not exactly a reply to your question, just a general pointer:
whatever you do, don't rely solely on chkrootkit. One woody box I know
of just recently got cracked, and had the viceroy rootkit installed. It
was a very poorly done rootkit to boot (ls, ps, netstat, etc. were all
dynamically linked to libc.so.5, which didn't exist on the machine;
/sbin, /bin and /usr/sbin had tons of ext2 attributes attached; /var/log was
wiped and syslogd killed; etc.).

Turns out, the latest Debian chkrootkit (0.40?) didn't find a thing and
declared the box as clean.

After seeing that, I recommend tripwire over chkrootkit to anyone who
asks, even if tripwire is higher in maintenance.

Regs,
Sven

-- 
Sven Riedel                      sr@gimp.org
Osteroeder Str. 6 / App. 13      sven.riedel@tu-clausthal.de
38678 Clausthal                  "Python is merely Perl for those who
                                  prefer Pascal to C" (anon)
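The post's point is that a signature scanner like chkrootkit can miss a crude rootkit that an integrity baseline (the tripwire approach) or a look at the obvious symptoms would have caught. The block below is an added illustration, written for this page; it is not code from the post, from chkrootkit or from tripwire. It builds a tripwire-style baseline of file digests, modes and symlink targets for a set of directories, reports added/removed/modified entries on a later pass, and parses two kinds of triage output for the symptoms the post describes: ldd reporting a shared library as "not found" (the libc.so.5 case) and lsattr flags such as immutable or append-only on system binaries. The lsattr line format assumed here (flag field, then path) and the `run_demo()` helper, which builds a constructed sample tree in a temporary directory and "trojans" one file, are assumptions for the example, not part of the original.

```python
"""Tripwire-style baseline check plus triage parsers for the symptoms in the post.
Added example for this page; not chkrootkit or tripwire code."""
import hashlib
import os
import re
import stat
import tempfile


def _digest(path):
    """SHA-256 of a regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Map every file under the given directories to (digest-or-link-target, mode, size).
    Symlinks are recorded by target and not followed, so a link swapped for a
    trojaned binary shows up as a change rather than being silently followed."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    baseline[path] = ("link:" + os.readlink(path), st.st_mode, 0)
                elif stat.S_ISREG(st.st_mode):
                    baseline[path] = (_digest(path), st.st_mode, st.st_size)
    return baseline


def compare_baseline(old, roots):
    """Re-walk the directories and report what changed since the baseline."""
    new = build_baseline(roots)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


# ldd prints "libfoo.so.N => not found" for a dependency that is not installed.
LDD_NOT_FOUND = re.compile(r"^\s*(\S+)\s+=>\s+not found", re.M)


def missing_libraries(ldd_output):
    """Shared-library names that ldd reported as 'not found'."""
    return LDD_NOT_FOUND.findall(ldd_output)


# Assumed lsattr layout: a flag field, whitespace, then the path.
LSATTR_LINE = re.compile(r"^(\S+)\s+(.+)$", re.M)


def suspicious_attrs(lsattr_output, flags=("i", "a")):
    """Paths whose lsattr flag field contains any of the given flags
    (default: i = immutable, a = append-only), which a rootkit may set
    to stop the admin from replacing its binaries."""
    hits = []
    for field, path in LSATTR_LINE.findall(lsattr_output):
        if any(f in field for f in flags):
            hits.append(path.strip())
    return hits


def run_demo():
    """Constructed sample: baseline a fake /bin, swap one binary, add a symlink."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.mkdir(bin_dir)
    ls_path = os.path.join(bin_dir, "ls")
    with open(ls_path, "wb") as f:
        f.write(b"original")          # stand-in for the real binary
    base = build_baseline([bin_dir])
    with open(ls_path, "wb") as f:
        f.write(b"trojaned")          # same size and mode, different content
    os.symlink("/nonexistent", os.path.join(bin_dir, "ps"))  # new entry
    diff = compare_baseline(base, [bin_dir])
    # Constructed triage output resembling the post's symptoms.
    ldd_sample = "\tlibc.so.5 => not found\n\tlibc.so.6 => /lib/libc.so.6 (0x40000000)\n"
    lsattr_sample = "----i-------- /bin/ls\n------------- /bin/cat\n"
    return diff, missing_libraries(ldd_sample), suspicious_attrs(lsattr_sample)


if __name__ == "__main__":
    print(run_demo())
```

Two practical notes: store the baseline off-host or on read-only media, since a baseline the intruder can rewrite proves nothing; and do not run `ldd` on a binary you already suspect, because some ldd implementations execute the program's dynamic loader; `objdump -p` or `readelf -d` lists the NEEDED entries without running anything.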


