Re: rootkit not found by rkhunter

To: debian-security@lists.debian.org
Subject: Re: rootkit not found by rkhunter
From: Mark van Walraven <markv@netvalue.net.nz>
Date: Mon, 5 Oct 2009 09:29:54 +1300
Message-id: <[🔎] 20091004202954.GM15686@mvw.netvalue.net.nz>
In-reply-to: <[🔎] 20091004161048.GS22686@morgul.net>
References: <[🔎] 20091004141535.GA23593@openlib.org> <[🔎] 20091004110747.4b289a37.michael.s.gilbert@gmail.com> <[🔎] 20091004154452.GB23636@openlib.org> <[🔎] 20091004161048.GS22686@morgul.net>

> AFAIK, the best way to know if you're running a stale kernel is to
> compare the uptime of the machine against the mtime of the actual kernel
> (using, e.g. "stat /boot/vmlinuz-2.6.26-2-686").  If the uptime of the
> machine places the last reboot sometime before the kernel was updated,
> you're not up to date.  If there's a better way to test this, I'd love
> to know about it.

Comparing the outputs of:

	sed -n 's/[^(]*(Debian \([^)]*\)).*/\1/p' /proc/version

and:

	dpkg -s $(dpkg -S $(readlink /vmlinuz) | cut -d: -f1) |
		awk '/^Version: / {print $2}'

has worked well for me - thanks to the kernel team for including the
version and revision!

Mark.

Reply to:

Follow-Ups:
- Re: rootkit not found by rkhunter
  - From: Jörg Sommer <joerg@alea.gnuu.de>

References:
- rootkit not found by rkhunter
  - From: Thomas Krichel <krichel@openlib.org>
- Re: rootkit not found by rkhunter
  - From: Michael S Gilbert <michael.s.gilbert@gmail.com>
- Re: rootkit not found by rkhunter
  - From: Thomas Krichel <krichel@openlib.org>
- Re: rootkit not found by rkhunter
  - From: Noah Meyerhans <frodo@morgul.net>

Prev by Date: Re: rootkit not found by rkhunter
Next by Date: Re: rootkit not found by rkhunter
Previous by thread: Re: rootkit not found by rkhunter
Next by thread: Re: rootkit not found by rkhunter
Index(es):
- Date
- Thread