On Sat, Aug 16, 2014 at 1:52 AM, Scott Bonds <sc...@ggr.com> wrote:
> On Fri, Aug 15, 2014 at 10:50:55AM -0500, Adam Thompson wrote:
>> While a long way from perfect, tools such as "chkrootkit" and "rkhunter"
>> might shed some light on your situation.
>> As Giancarlo said, check every machine that's closely interconnected, not
>> just the one compromised server you've noticed.
>> I haven't used them under OpenBSD, so not sure how effective they'll be
>> (both projects claim to support OpenBSD), but they're probably more
>> appropriate than clamscan(1) which looks for mostly MS Windows-based
>> viruses, not rootkits.
>
> Thank you for the suggestion. I just ran both chkrootkit and rkhunter.
> chkrootkit didn't find any matches. rkhunter had a couple warnings but
> to my eye they check out, i.e. warning that pkg_info is a perl
> script.
>
> That said, I'm going to make chkrootkit and rkhunter a regular part of
> my maintenance regime, perhaps add them as daily cron jobs.

Both give warnings that look like false positives, but are really
asking you, "Is this something you intended, or would have intended
had you known the package did it this way?"

(The warning on pkg_info is one such.)

It takes a while to learn to weed through them. (I'm still not very used to it.)

Speaking of which, is tripwire still considered useful, if set up right?

-- 
Joel Rees

Be careful where you see conspiracy.
Look first in your own heart.
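As an added illustration of what a tripwire-style check actually does (example code, not written by anyone in this thread): a POSIX sh script that records a SHA-256 baseline for every regular file under a directory and later reports which paths were added, removed or modified since the baseline was taken. The function names, the `hash  path` record format and the location of the baseline file are this example's own choices; it uses sha256sum where present and falls back to OpenBSD's sha256(1).

```shell
#!/bin/sh
# Added example, not part of the original thread: a minimal file-integrity
# check in the spirit of tripwire. fim_baseline writes one "hash  path" line
# per regular file; fim_verify re-hashes the tree and prints ADDED / REMOVED /
# MODIFIED lines, returning 1 when anything differs and 0 when nothing does.
# DIR and DB are hypothetical arguments chosen by the caller. DIR must be
# given identically on both runs, since paths are compared as recorded.

# Pick a checksum tool: GNU/Linux has sha256sum, OpenBSD ships sha256(1).
fim_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# fim_baseline DIR DB : record every regular file below DIR into DB.
# (Sorted for stable diffs; file names containing newlines are not handled.)
fim_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(fim_hash "$f")" "$f"
    done > "$2"
}

# fim_verify DIR DB : compare the current tree with DB.
# Output lines: "ADDED    path", "REMOVED  path", "MODIFIED path".
fim_verify() {
    [ -r "$2" ] || { printf 'no baseline at %s\n' "$2" >&2; return 2; }
    now=$(mktemp) || return 2
    fim_baseline "$1" "$now"
    # Record layout is 64 hex chars + two spaces, so the path starts at col 67.
    diffs=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67); cur[p] = 1
            if (!(p in base))       print "ADDED    " p
            else if (base[p] != $1) print "MODIFIED " p
        }
        END { for (p in base) if (!(p in cur)) print "REMOVED  " p }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Usage: sh fim.sh baseline DIR DB      (from a known-good state)
#        sh fim.sh verify   DIR DB      (e.g. from a daily cron job)
case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    verify)   fim_verify   "$2" "$3" ;;
esac
```

Two points the script makes visible. The baseline is only as trustworthy as the state it was taken from, so it has to be recorded before a compromise, and the DB file must live somewhere the monitored host cannot quietly rewrite (read-only media or another machine), otherwise an intruder simply re-baselines. And every MODIFIED line is the same kind of question rkhunter asks: a change right after pkg_add(1) or a system upgrade is expected, the same change with no corresponding maintenance is what you are looking for.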
