Hi,
One thing I'm somewhat scared of is a rootkit, and possibly rightfully so.
I read in the wiki that chkrootkit can help. Does anyone here use chkrootkit? What do I need to be prepared for when I start using it? Perhaps more aptly: what manual do I find where?
Thanks
Thor
Edit - as far as I know I've not been outside the repo...
Edit - the reason for my question is that I have two PCs, both have netstat; the one has 104048 bytes in size, the one on Arch has 92152 bytes in size, both yield version 1.42, even when I reinstalled the whole net-tools package.
I "live" behind a router, so, there is an extra level here, but still...
Thanks loafer, I found the site...
Last edited by Thor@Flanders (2011-01-31 09:29:23)
chkrootkit -h prints the help message.
It may also be useful to run it in conjunction with rkhunter (and always beware of false positives).
All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.
The main thing you should be aware of is false positives. As with any malware/rootkit scanner, it's possible to give false information.
Just do a web search for common "falsies" you might get, rather than panic. If I remember, chkrootkit throws a warning or two about symlinks in /bin on Arch Linux, but it is all normal.
Linux 2.6.38-ck x86_64 / xfce
Thanks xdemo,
It's the panic I'll have to learn to deal with - but I'm getting there
During the day I did some "checks" (netstat, portscan from another PC on my network, testing for compromised software, ...) and everything seems in order, oh well, seems like a normal "too-much-time-on-my-hands-sunday"...
Cant w8 4 the workweek to begin
Thor
What makes you think you might have a rootkit to deal with? Are there any signs?
Edit - the reason for my question is that I have two PCs, both have netstat; the one has 104048 bytes in size, the one on Arch has 92152 bytes in size, both yield version 1.42, even when I reinstalled the whole net-tools package.
That doesn't say anything Thor, different compiler options, different architecture perhaps, etc.
ᶘ ᵒᴥᵒᶅ
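As an added illustration of litemotiv's point (not code from this thread): a binary's size tells you nothing across two builds, but a checksum recorded from a known-good install does. On Arch the real check is `pacman -Qkk net-tools`, which compares the installed files against the package's recorded mtree data; the script below shows the same idea against a manifest you record yourself. The paths, the stand-in "netstat" and the tampering step are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify files against a recorded SHA-256 manifest instead of
# comparing sizes between machines. On Arch, `pacman -Qkk net-tools` does the
# equivalent against the package database. Everything below is constructed.

# verify_manifest MANIFEST ROOT
# MANIFEST lines are in sha256sum format: "<sha256>  <relative path>".
# Prints OK / MODIFIED / MISSING per file and returns 1 if anything is not OK,
# so the function can gate a cron job or raise an alert.
verify_manifest() {
    manifest=$1
    root=$2
    status=0
    while read -r expected rel; do
        [ -z "$rel" ] && continue
        path="$root/$rel"
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$rel"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$rel"
        else
            printf 'MODIFIED %s\n' "$rel"
            status=1
        fi
    done < "$manifest"
    return $status
}

# Demo: build a fake root with a stand-in "netstat", record its hash as the
# known-good baseline, then replace the file and verify again.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    printf 'original netstat\n' > "$tmp/usr/bin/netstat"
    (cd "$tmp" && sha256sum usr/bin/netstat) > "$tmp/manifest"
    verify_manifest "$tmp/manifest" "$tmp" && echo "baseline clean"
    printf 'replaced netstat\n' > "$tmp/usr/bin/netstat"   # simulated tampering
    verify_manifest "$tmp/manifest" "$tmp" || echo "change detected"
    rm -rf "$tmp"
}
```

Record the manifest right after a trusted install and keep it somewhere the checked host cannot silently rewrite it (read-only media or another machine); a manifest on the same disk is only as trustworthy as the rest of the box.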
Hi,
@Awebb - well, I did a "PS -Af" and saw "rtkit" in the list, so (curious as I am) I entered
whatis rtkit
and got
nothing appropriate
so...off to Yahoo, where that came back with ... "rootkit" - hence the whole confusion...but, I sniffed around (and learned) and did some tests. All ports are tightly closed and the software that can be compromised (PS, netstat, nmap and so on) still seem to be intact. At the time I was somewhat alarmed though...
@litemotiv - this could well be, I looked at a netstat in Debian and the one on my Arch. Okay, so sticking to the repo is the plan. And this spawns yet something else to learn: properly compiling from source - see? This was helpful!!!
Thanks (again) for your reassuring words
Thor
perhaps sharing what I learned where?
- http://linuxdevcenter.com/pub/a/linux/2 … tkits.html
- http://www.usenix.org/publications/logi … tkits.html
and
- http://linuxgazette.net/182/crawley.html
(marking this as solved now!)
Last edited by Thor@Flanders (2011-01-31 09:28:26)
(marking this as solved now!)
Don't forget.
Last edited by litemotiv (2011-01-31 09:30:18)
ᶘ ᵒᴥᵒᶅ