Hi, On Mon, 17 Jul 2006 19:36:30 +0100 Dave S <[EMAIL PROTECTED]> wrote:
> How accurate is chkproc? > If you run chkproc on a server that runs lots of short time processes it > could report some false positives. chkproc compares the ps output with > the /proc contents. If processes are created/killed during this operation > chkproc could point out these PIDs as suspicious. > > That fits in with the fact that chkrootkit & rkhunter now report clean (& > also > fits in with someone tinkering from the inside !) The problem I see here is that you can't expect chkrootkit to find something when scanning from a clean base (Live-CD) when the only hint you had was an alert from chkproc. You probably would have gotten the alert from chkrootkit in the first place. chkproc inspects the currently running system (and the /proc for the currently running kernel). I.e. if it has no signature for the rootkit itself, it can't find it again from that "clean" kernel. Do you have the possibility to monitor internet connections on an intermediary gateway? I think monitoring it for a few days would give you a better hint if there might be something active. And there are other things to think about. Do you have a webserver running? CGI scripts? PHP applications? Do you have other network reachable services? Were you running a firewall? The past kernel bugs had very early exploit scripts. It is really a no-brainer to insert a rootkit if something lets you, say, write a script to /tmp and call it by exploitable buffer overflows, badly written CGI... And remember that there's (nearly) no possibility for a positive proof of the non-existence of a root kit. -hwh -- gentoo-user@gentoo.org mailing list