Ben de Luca wrote:
BTW - I keep being surprised to hear even security experts advise to run "chkrootkit" (and I'm not a security expert or a paranoid user/admin) - if a machine was hacked then there is a good chance that "chkrootkit" would also be hacked to disguise the rootkit, wouldn't it? (it's not far fetched - see viruses attacking anti-virus programs).
It's just another tool in the box; I have never seen it return a positive result. That's part of the fun of running it, I'm waiting to see it do so.
Hi Ben,
Following is a sample of a positive result showing a possible Loadable Kernel Module (LKM) Trojan:
[EMAIL PROTECTED] chkrootkit-0.45]# ./chkrootkit
.........snipped.................
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... br0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
.........snipped..................
O Plameras
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
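The `lkm` check in the output above works by comparing independent views of which PIDs exist: what `readdir()` on `/proc` returns, what `ps` reports, and what the kernel itself admits to. The script below is an added example written for this thread, not chkrootkit's own code and not posted by anyone in the discussion. It rebuilds that cross-check in Python, using `kill(pid, 0)` as the kernel-side view (a hook on `getdents`/`readdir` does not affect `kill()`), filters out thread IDs so threads are not misreported as hidden processes, takes two passes so processes that start or exit mid-scan are not flagged, and also parses the `lkm` lines of chkrootkit output like the sample above. All function names and the sample text are this example's own.

```python
"""Cross-check process visibility the way chkrootkit's chkproc does.

Added example (not chkrootkit's code). A process the kernel confirms via
kill(pid, 0) but that is missing from the /proc directory listing or from
ps output is a classic symptom of an LKM rootkit hooking readdir/getdents.
"""
import os
import re
import subprocess

PID_DIR_RE = re.compile(r"^\d+$")
HIDDEN_RE = re.compile(r"You have (\d+) process(?:es)? hidden for (\w+) command")

# Constructed sample, copied from the chkrootkit output quoted in the thread.
SAMPLE_OUTPUT = """\
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
"""


def pids_from_readdir(proc_dir="/proc"):
    """PIDs visible by listing /proc, i.e. what readdir()/getdents() returns."""
    return {int(n) for n in os.listdir(proc_dir) if PID_DIR_RE.match(n)}


def tids_from_readdir(proc_dir="/proc"):
    """Thread IDs of every visible process. kill(tid, 0) also succeeds for a
    thread ID, so threads must be excluded or they show up as 'hidden'."""
    tids = set()
    for pid in pids_from_readdir(proc_dir):
        try:
            tids |= {int(t) for t in os.listdir(f"{proc_dir}/{pid}/task")
                     if PID_DIR_RE.match(t)}
        except OSError:  # the process exited while we were looking
            pass
    return tids


def pids_from_ps():
    """PIDs as reported by ps(1); empty set if ps is not available."""
    try:
        out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return set()
    return {int(tok) for tok in out.split()}


def pids_by_probe(pid_max=None):
    """PIDs the kernel confirms when probed with kill(pid, 0).

    Signal 0 delivers nothing; ESRCH (ProcessLookupError) means no such
    process, EPERM (PermissionError) means it exists but is not ours.
    """
    if pid_max is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                pid_max = int(f.read())
        except OSError:
            pid_max = 32768
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(kernel_view, readdir_view, ps_view):
    """chkproc's core logic: PIDs the kernel confirms but a listing omits.
    An empty ps_view means ps was unavailable, so nothing is reported for it."""
    return {
        "readdir": sorted(kernel_view - readdir_view),
        "ps": sorted(kernel_view - ps_view) if ps_view else [],
    }


def audit(passes=2):
    """Run the live cross-check; only PIDs hidden in every pass are reported,
    which filters out processes that started or exited between snapshots."""
    result = None
    for _ in range(passes):
        visible = pids_from_readdir() | tids_from_readdir()
        this_pass = hidden_pids(pids_by_probe(), visible, pids_from_ps())
        if result is None:
            result = this_pass
        else:
            result = {k: sorted(set(result[k]) & set(this_pass[k])) for k in result}
    return result


def parse_chkrootkit_lkm(output):
    """Extract the lkm finding from chkrootkit output (hidden counts per command
    and whether the LKM Trojan warning was printed)."""
    counts = {cmd: int(n) for n, cmd in HIDDEN_RE.findall(output)}
    warned = "Possible LKM Trojan installed" in output
    return {"hidden": counts, "suspect": warned or any(counts.values())}


if __name__ == "__main__":
    print("parsed sample:", parse_chkrootkit_lkm(SAMPLE_OUTPUT))
    print("live audit:", audit())
```

Run it as root for the most reliable `kill(pid, 0)` results; as an unprivileged user the probe still works because EPERM is treated as "exists". Like chkrootkit itself, this check runs on top of the possibly compromised kernel, so a rootkit that also hooks `kill()` will defeat it; its value is that it forces an attacker to hook more syscalls consistently.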