Ben de Luca wrote:
BTW - I keep being surprised to hear even security experts advise running
"chkrootkit" (and I'm not a security expert or a paranoid user/admin) - if a
machine was hacked then there is a good chance that "chkrootkit" would
also be hacked to disguise the rootkit, wouldn't it? (It's not far-fetched -
see viruses attacking anti-virus programs.)
It's just another tool in the box; I have never seen it return a positive result. That's part of the fun of running it: I'm waiting to see it do so.
Hi Ben,
Following is a sample of a positive result showing a possible Loadable Kernel Module (LKM) Trojan:
[EMAIL PROTECTED] chkrootkit-0.45]# ./chkrootkit
.........snipped.................
Searching for ESRK rootkit default files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 3 process hidden for readdir command
You have 3 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... br0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
.........snipped..................
O Plameras
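What chkrootkit's `lkm` test (chkproc) is doing when it prints those "process hidden" lines is comparing three views of the process table: the PIDs you get by listing /proc (readdir), the PIDs `ps` reports, and the PIDs the kernel admits are alive when each one is probed with kill(pid, 0). A PID that answers the probe but is absent from the other views is a candidate for a process hidden by a kernel rootkit. The script below is an added illustration of that cross-check, written for this page; it is not chkrootkit's code and was not posted in the thread. It assumes a Linux host with /proc and a `ps` that accepts `-eo pid=`; the function names are my own.

```python
#!/usr/bin/env python3
"""Cross-check three views of the process table, in the spirit of
chkrootkit's `lkm` test (chkproc): a PID the kernel admits is alive when
probed with kill(pid, 0) but that is missing from the /proc listing or
from `ps` output is a candidate for a process hidden by a kernel rootkit.
Illustrative code written for this page; not chkrootkit's own."""
import os
import subprocess


def pids_from_proc():
    """PIDs visible by listing /proc (the readdir view). Linux only."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs reported by ps, an independent userland view of the table."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_by_probe(max_pid=None):
    """Ask the kernel directly: kill(pid, 0) delivers no signal but returns
    success (or EPERM for another user's process) when the PID is in use
    and ESRCH when it is free. Scans 1..pid_max, so it takes a moment."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)  # exists, just not ours to signal
    return alive


def thread_ids(pids):
    """kill(tid, 0) also succeeds for non-leader threads, which never show
    up in a /proc listing even on a clean system. /proc/<tid>/status can
    still be opened for them and its Tgid differs from the Pid, so those
    are filtered out instead of being reported as hidden."""
    tids = set()
    for pid in pids:
        try:
            with open(f"/proc/{pid}/status") as fh:
                fields = dict(line.split(":", 1) for line in fh if ":" in line)
        except OSError:
            continue  # no status file at all: keep it as a candidate
        if int(fields.get("Tgid", pid)) != pid:
            tids.add(pid)
    return tids


def hidden_processes(proc_pids, ps_pids, probe_pids, tids=frozenset()):
    """Pure comparison: probed PIDs that each userland view fails to show."""
    candidates = probe_pids - set(tids)
    return {"readdir": sorted(candidates - proc_pids),
            "ps": sorted(candidates - ps_pids)}


def report(hidden):
    """Lines in the style of chkproc's warning, followed by a verdict."""
    lines = [f"You have {len(pids)} process hidden for {view} command"
             for view, pids in hidden.items() if pids]
    if lines:
        lines.append("chkproc: Warning: Possible LKM Trojan installed")
    else:
        lines.append("no hidden processes found")
    return lines


if __name__ == "__main__":
    # Take the userland views first and probe last, so a process that exits
    # between steps cannot become a false candidate. A process that starts
    # between steps still can, so confirm a hit by running the check again.
    proc_view = pids_from_proc()
    ps_view = pids_from_ps()
    probed = pids_by_probe()
    found = hidden_processes(proc_view, ps_view, probed, thread_ids(probed))
    print("\n".join(report(found)))
```

Run it as root so the probe and /proc reads see every process. The caveat raised earlier in the thread applies to this script exactly as it does to chkrootkit: all three views come from the same kernel, so a rootkit that also hooks kill() or the status files can hide from it. A hit is best confirmed from outside the running system (a boot from trusted media, or comparing against network-side evidence such as connections the host does not admit to), not by rerunning tools on the suspect box.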
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
