[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881


On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
> Adam Hardy on 13/08/08 10:27, wrote:
>> Martin on 12/08/08 16:34, wrote:
>>> On Tue, Aug 12, 2008 at 5:12 PM, Adam Hardy <adam.ant@cyberspaceroad.com>
>>> wrote:
>>>> The question is, what do I replace chkrootkit with, especially if stuff
>>>> like rkhunter's not much better?
>>> tripwire maybe?
>>> apt-cache show tripwire Description: file and directory integrity
>>> checker Tripwire is a tool that aids system administrators and users
>>> in monitoring a designated set of files for any changes.  Used with
>>> system files on a regular (e.g., daily) basis, Tripwire can notify
>>> system administrators of corrupted or tampered files, so damage
>>> control measures can be taken in a timely manner. 
>> I don't have access to a floppy or cdrom drive - the server is hosted
>> somewhere at an ISP. I think any cracker would just re-run tripwire
>> if they found it installed.
> The only suggestion so far is that I script a solution (or adapt existing ones).

Have you looked at harden-doc and its friends in archive.  (Many are
virtual packages to lead you to the good tools) tripwire is just one of
the tools.   

I do not think you need to have CDROM to be sure and your quick
scripting may not come close to tripwire which protect itself with

Even for simple hush you do not need home made hush.  Have you looked
at debsum?  If a pakage is tampered, debsum gets updated and detectable.

> Surely there's a package available that's made for people with 1 or 2 
> hosted servers that need a foolproof cracker alarm? 

Are you saying package available is not good enough?

> Looking through apt-cache search, there seem to be loads of nasty
> packages available for people who might want to attack my server, but
> not much that I can use to check whether I've been rooted.

I do not understand what is "nasty".

Anyway, all your answer is in harden-doc.

Also available on web as:


Reply to: