Re: chkrootkit-0.31 and possible bug?
On Thu, 6 Jun 2002, Willi Dyck wrote:
> On Thu, Jun 06, 2002 at 01:33:30PM -0400, Phillip Hofmeister did this all over the keyboard:
> > Hi,
> >
> > It is possible your rootkit check sent up a false flag. It is also possible
> > (though unlikely) the attacker rigged the kernel to report any changed
> > files with the same data they had before, with the same timestamp (this
> > is a stretch...). If you can afford some down time boot the system
> > with a rescue disk (clean kernel) and use some clean tools on it...
>
> If loadable module support wouldn't be compiled in, it would require to
> recompile the kernel in order to implement such modifications, wouldn't
> it? And recompiling the kernel would require to reboot the system, but
> it wasn't for sure! If only I hadn't compiled the kernel with module
> support built in, but it was necessary, sad but true.
> I can check the kernel/whole system from my backups.
>
> But to me it seems that chkrootkit likely did trigger something wrong,
> although I can't bet on it.
>
> Thank you very much for every hint.
>
> Willi
>
nope.
i think you can change things at running time through /dev/kmem or so.
you do not need modules support.
by the way can i do something against "/dev/kmem attacks"?
have a look at www.phrack.com
tom