[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881

Adam Hardy on 13/08/08 10:27, wrote:
Martin on 12/08/08 16:34, wrote:
On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <adam.ant@cyberspaceroad.com>
The question is, what do I replace chkrootkit with, especially if stuff
like rkhunter's not much better?

tripwire maybe?

apt-cache show tripwire Description: file and directory integrity checker Tripwire is a tool that aids system administrators and users in monitoring
a designated set of files for any changes.  Used with system files on a
regular (e.g., daily) basis, Tripwire can notify system administrators of
corrupted or tampered files, so damage control measures can be taken in a
timely manner.

I don't have access to a floppy or cdrom drive - the server is hosted somewhere at an ISP. I think any cracker would just re-run tripwire if they
found it installed.

The only suggestion so far is that I script a solution (or adapt existing ones).

Surely there's a package available that's made for people with 1 or 2 hosted servers that need a foolproof cracker alarm? Looking through apt-cache search, there seem to be loads of nasty packages available for people who might want to attack my server, but not much that I can use to check whether I've been rooted.


Reply to: