Re: have I been rooted?

To: "David H. Clymer" <david@nittanylink.com>
Cc: debian-isp@lists.debian.org
Subject: Re: have I been rooted?
From: Donovan Baarda <abo@minkirri.apana.org.au>
Date: 15 Mar 2003 09:44:21 +1100
Message-id: <1047681862.1277.2.camel@ngapa.apana.org.au>
In-reply-to: <1047668692.6431.1740.camel@0x44.org>
References: <1047668692.6431.1740.camel@0x44.org>

On Sat, 2003-03-15 at 06:04, David H. Clymer wrote:
> I just ran chkrootkit,and it at one point, indicates that I may have an
> LKM rootkit installed on my box (see output below). I then downloaded
> and installed sash, and when I run chkrootkit as sashroot, It doesnt
> detect anything (also see output below). Which should I believe? Is
> there any way to determine if there is indeed a LKM rootkit installed
> without downtime (or at least a minimum). This box serves as mailserver
> for approximatly 600 users, has no backup or secondary server (all very
> bad things, i know, but cash is very, very short) and is administered
> remotely, so and taking it down, wiping/reinstalling, is not an option
> at this point. 

I had a similar scare with chkrootkit when I first started using it. It
turns out that it can occasionally give "false positives". Something to
do with processes completing and vanishing in the middle of checking if
processes are trying to hide themselves.

This is documented somewhere... I did a google search and found
something which explained this behaviour.

-- 
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: have I been rooted?
  - From: debian@computerdatasafe.com.au

References:
- have I been rooted?
  - From: "David H. Clymer" <david@nittanylink.com>

Prev by Date: have I been rooted?
Next by Date: easy lilo question
Previous by thread: have I been rooted?
Next by thread: Re: have I been rooted?
Index(es):
- Date
- Thread