That is bad and very sad. Chkrootkits are somehow helpful, though some reports are misleading. Besides tripwire, the AIDE package shows you server integrity check reports. This informs you of new files, file/folder modifications, changes and deletions, and other differences from its database findings. On the other hand, logwatch shows you server statistics; one of them is SSH connection attempts, failures and successes, and more.
You might as well run anew or your backup server, play with the compromised system and try to reproduce how the entry was made ;) avoiding him the next time around. At least gather most of his footprints; it takes time, but somehow it will save your boxes (more likely your job) in the next future, who knows ;) None of us is safe anymore, even g00gle algorithm sniffs yours. Good luck!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rogelio Serrano
Sent: Friday, April 28, 2006 7:00 AM
To: Philippine Linux Users' Group (PLUG) Technical Discussion List
Subject: Re: [plug] LKM root kit

On 4/28/06, Paul Patrick C. Prantilla <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just wanted to mention to the original poster that there are cases
> of false positives regarding the line "You have X process hidden for
> readdir command" from chkrootkit. You can read about them in google.
> I've also experienced such false positives before.
>
> Still, as the others advise...you should of course still take the
> necessary precaution steps. I just thought to mention about false
> positives because I've never actually seemed to have reliable output
> with rkhunter or chkrootkit and hardly rely on them anymore...and I
> read about people who feel the same way. I like using file integrity
> checkers like tripwire instead.
>
> -Paul
>

I agree. I use integrit myself.

--
www.smsglobal.net
SMS Global Ltd
Short Message Service For Seafarers

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.5.1/326 - Release Date: 4/27/2006
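An added example, not part of the thread and not code from any tool named in it: a minimal sketch of what file integrity checkers such as AIDE, tripwire and integrit do, recording a baseline database and later reporting new, deleted and modified files. The names `snapshot` and `compare`, the JSON database layout and the small command line are assumptions made for illustration.

```python
import hashlib, json, os, stat, sys


def snapshot(root):
    """Map each path under root to [type, mode, size, digest]."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: record a symlink itself, never its target
            size, digest = 0, ""
            if stat.S_ISREG(st.st_mode):
                size, h = st.st_size, hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            elif stat.S_ISLNK(st.st_mode):
                digest = os.readlink(path)  # a retargeted link counts as a change
            db[os.path.relpath(path, root)] = [
                stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode), size, digest]
    return db


def compare(baseline, current):
    """Return (added, removed, changed); changed holds (path, [reasons])."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    fields = ("type", "mode", "size", "content")
    changed = []
    for rel in sorted(set(baseline) & set(current)):
        why = [n for n, a, b in zip(fields, baseline[rel], current[rel]) if a != b]
        if why:
            changed.append((rel, why))
    return added, removed, changed


if __name__ == "__main__" and len(sys.argv) == 4:
    # Hypothetical CLI: fim.py init|check ROOT DBFILE
    action, root, dbfile = sys.argv[1:4]
    if action == "init":
        with open(dbfile, "w") as f:
            json.dump(snapshot(root), f)
    else:
        with open(dbfile) as f:
            added, removed, changed = compare(json.load(f), snapshot(root))
        for label, items in (("added", added), ("removed", removed), ("changed", changed)):
            for item in items:
                print(label, item)
```

Keep the baseline file off the monitored host or on read-only media. On a box suspected of carrying a kernel-level rootkit, run the check from trusted boot media, since a compromised kernel can hide files from any userland tool.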

