Re: chkrootkit infected ports 2881

Osamu Aoki on 25/08/08 16:41, wrote:
On Thu, Aug 14, 2008 at 10:51:56PM +0100, Adam Hardy wrote:
Adam Hardy on 13/08/08 10:27, wrote:
apt-cache show tripwire
Description: file and directory integrity checker
 Tripwire is a tool that aids system administrators and users
 in monitoring a designated set of files for any changes.  Used with
 system files on a regular (e.g., daily) basis, Tripwire can notify
 system administrators of corrupted or tampered files, so damage
 control measures can be taken in a timely manner.
I don't have access to a floppy or cdrom drive - the server is hosted
somewhere at an ISP. I think any cracker would just re-run tripwire
if they found it installed.
The only suggestion so far is that I script a solution (or adapt existing ones).

Have you looked at harden-doc and its friends in the archive?  (Many are
virtual packages to lead you to the good tools.) tripwire is just one of
the tools.
I do not think you need to have a CDROM to be sure, and your quick
scripting may not come close to tripwire, which protects itself with

Even for a simple hash you do not need a home-made hash.  Have you looked
at debsums?  If a package is tampered with, debsums gets updated and it is detectable.

That's a distinct possibility. For instance,

debsums procps

would give an immediate sign that something has been rooted.

That is assuming that the rootkit is not smart enough to cover its tracks in the package MD5 checksums. Could that be 'rooted' too?

Thanks and regards
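Added example (not from anyone in this thread): a small POSIX sh script that does what `debsums procps` does in essence, checking files against the per-package list dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums, and then shows the limitation Adam asks about. The fake root directory, the file contents and the package name `procps` used below are constructed for the demonstration; the function names (`verify_md5sums`, `pin_list`, `list_is_intact`, `make_demo_tree`) are this example's own, not debsums' or dpkg's.

```shell
#!/bin/sh
# Constructed demo: dpkg stores one line per file, "<md5>  <path without leading />",
# in /var/lib/dpkg/info/<pkg>.md5sums. debsums recomputes each file's md5 and compares.

# verify_md5sums ROOT LISTFILE: prints one line per missing/changed file,
# returns 0 when everything matches and 1 otherwise (same idea as debsums,
# written from scratch here, not debsums' own code).
verify_md5sums() {
    vroot=$1; vlist=$2; vbad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        f="$vroot/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; vbad=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "CHANGED $path"; vbad=1
        fi
    done < "$vlist"
    return $vbad
}

# pin_list LISTFILE: sha256 of the checksum list itself. Store this value off
# the host (another machine, read-only media, a mail to yourself) so a later
# comparison does not trust the local copy of the list.
pin_list() { sha256sum "$1" | cut -d' ' -f1; }

# list_is_intact LISTFILE PINNED: 0 only if the list still matches its pin.
list_is_intact() { [ "$(pin_list "$1")" = "$2" ]; }

# make_demo_tree DIR: constructed fake root with one "installed" file and a
# matching md5sums list, mimicking /var/lib/dpkg/info/procps.md5sums.
make_demo_tree() {
    mdir=$1
    mkdir -p "$mdir/usr/bin" "$mdir/var/lib/dpkg/info"
    printf 'pretend this is /usr/bin/ps\n' > "$mdir/usr/bin/ps"
    printf '%s  usr/bin/ps\n' "$(md5sum "$mdir/usr/bin/ps" | cut -d' ' -f1)" \
        > "$mdir/var/lib/dpkg/info/procps.md5sums"
}

demo() {
    d=$(mktemp -d)
    make_demo_tree "$d"
    list="$d/var/lib/dpkg/info/procps.md5sums"
    pin=$(pin_list "$list")          # taken while the host is still trusted

    echo "clean tree:"
    verify_md5sums "$d" "$list" && echo "  OK"

    # Crude tamper: binary replaced, list left alone -> the md5 check catches it.
    printf 'trojaned ps\n' > "$d/usr/bin/ps"
    echo "binary replaced:"
    verify_md5sums "$d" "$list" || echo "  detected by md5sums list"

    # Careful tamper: the list is rewritten to match the new binary. Now the
    # debsums-style check is blind; only the pin kept off-host reveals it.
    printf '%s  usr/bin/ps\n' "$(md5sum "$d/usr/bin/ps" | cut -d' ' -f1)" > "$list"
    echo "binary and list replaced:"
    verify_md5sums "$d" "$list" && echo "  md5sums check passes (blind)"
    list_is_intact "$list" "$pin" || echo "  pinned hash of list differs: tampering visible"

    rm -rf "$d"
}

demo
```

The point of the third scenario is Adam's question: /var/lib/dpkg/info/*.md5sums is an ordinary writable file on the same disk, so anything that can replace /usr/bin/ps can also rewrite its checksum line, and a local debsums run will then report nothing. Comparing against a reference that the host cannot alter (the pinned hash above, the original .deb re-fetched from a mirror, or a tripwire database kept read-only) is what turns the check from "did the file change since the list was last written" into "did the file change since I last trusted this machine".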

