Re: Regarding latest Linux level 3 rootkits

2016-09-07 Thread jdow
Is the part of the filesystem which handles links in kernel space or user space? That would make a great deal of difference as this rootkit tool evolves. At the moment it appears it is "contagious", meaning Linux installs can become infected. Since the files that are infected are shared system

Re: Regarding latest Linux level 3 rootkits

2016-09-07 Thread Steven J. Yellin
Are rpm and the check sum tools statically linked? If not, hiding copies of them might not help if libraries have been compromised. But busybox is statically linked, and it looks like it can be easily used to replace most commands used to check security without going to the trouble of

Re: Re: Regarding latest Linux level 3 rootkits

2016-09-07 Thread jdow
Very simple. This rootkit works in user space by co-opting glib. The new versions tell the user what the rootkit wants it to use. It creates a new user. This user has an exception to the /etc/passwd etc. rewrites on the way to the application from the disk. The files involved do not show up in

Re: Regarding latest Linux level 3 rootkits

2016-09-07 Thread prmarino1
Jdow, why are you looking at that for rootkit prevention? It's a very old-fashioned approach; I would use RPM's verify command or one of the many filesystem checksum tools available for that instead. Either one can tell you if any critical binaries or libraries have been compromised

Re: Re: Regarding latest Linux level 3 rootkits

2016-09-07 Thread jdow
Thanks Vladimir, I suppose I could pull the necessary files from busybox as a means of keeping a more generic Linux system in security trim. This might be a useful tool set to suggest upstream. A statically linked less would allow a quick check for the hidden user. A statically linked

"spinning" application startup MATE

2016-09-07 Thread Yasha Karant
This query may belong on some MATE list, but I cannot find one. On my office SL 7 with MATE, when I click on a GUI application, as it is loading, the GUI arrow becomes a spinning dots-within-circle. On my nominally same environment on my laptop, it does not, and there is no "starting"

Re: Regarding latest Linux level 3 rootkits

2016-09-07 Thread Vladimir Mosgalin
Hi jdow! On 2016.09.06 at 23:15:04 -0700, jdow wrote next: > Is there any source for a VI, VIM, or even EMACS that has all libraries > compiled into it statically? That would make monitoring for the rootkit much > easier. The same could be said for utilities such as chkrootkit. With > compiled

Regarding latest Linux level 3 rootkits

2016-09-07 Thread jdow
Is there any source for a VI, VIM, or even EMACS that has all libraries compiled into it statically? That would make monitoring for the rootkit much easier. The same could be said for utilities such as chkrootkit. With compiled in static libraries these level three (user space) rootkits can't