
#1 2011-01-30 12:25:35

Thor@Flanders
Member
Registered: 2010-08-27
Posts: 266

(SOLVED)Do you use chrootkit?

Hi,

One thing I'm somewhat scared of is a rootkit, and possibly rightfully so.
I read in the wiki that chkrootkit can help. Does anyone here use chkrootkit? What do I need to be prepared for when I start using it? Perhaps more aptly: what manual do I find where?

Thanks

Thor
Edit - as far as I know I've not been outside the repo...
Edit - the reason for my question is that I have two PC's, both have netstat: the one has 104048 bytes in size, the one on Arch has 92152 bytes in size; both yield version 1.42, even when I reinstalled the whole net-tools package.
I "live" behind a router, so, there is an extra level here, but still...

Thanks loafer, I found the site...

Last edited by Thor@Flanders (2011-01-31 09:29:23)


#2 2011-01-30 12:39:57

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: (SOLVED)Do you use chrootkit?

http://www.chkrootkit.org/

chkrootkit -h prints the help message.

It may also be useful to run it in conjunction with rkhunter (and always beware of false positives).


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#3 2011-01-30 20:09:10

xdemo
Member
From: Bristol, UK
Registered: 2010-06-10
Posts: 42

Re: (SOLVED)Do you use chrootkit?

The main thing you should be aware of is false positives. As with any malware/rootkit scanner, it's possible for it to give false information.

Just do a web search for common "falsies" you might get, rather than panic. If I remember, chkrootkit throws a warning or two about symlinks in /bin on Arch Linux, but it's all normal.


Linux 2.6.38-ck x86_64 / xfce

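Loafer's advice to expect false positives and xdemo's advice to look up the known "falsies" rather than panic both come down to one habit: review each scanner line once, keep a record of the ones you checked and found benign, and on later runs look only at what is new. As an added example, not part of this thread and not code from chkrootkit or rkhunter, the POSIX shell below keeps such a baseline. The list of "clean" phrases and the sample report lines are constructed to resemble chkrootkit's output format and are assumptions of this example; adjust the phrases to whatever scanner you actually run.

```shell
#!/bin/sh
# Added example, not from this thread and not code from chkrootkit or rkhunter.
# Workflow: run the scanner, review every reported line once, record the ones
# you investigated and found benign in a baseline file, and from then on look
# only at lines that are new. The "clean" phrases and the sample report are
# constructed to resemble chkrootkit's output; adjust them to your scanner.

# Phrases a scanner prints for a check that passed. Anything else is a candidate finding.
CLEAN_RE='not infected|not found|nothing found|nothing detected|nothing deleted|no suspect files|ROOTDIR is'

# triage_report REPORT BASELINE
# Print candidate findings that are not already in BASELINE (exact line match).
# Returns 0 when there is nothing new, 1 when at least one new line needs a look.
triage_report() {
    report=$1
    baseline=$2
    new_findings=$(grep -v -E "$CLEAN_RE" "$report" \
        | grep -v '^[[:space:]]*$' \
        | grep -v -x -F -f "$baseline" || true)
    if [ -n "$new_findings" ]; then
        printf '%s\n' "$new_findings"
        return 1
    fi
    return 0
}

# accept_finding BASELINE LINE
# Record a line you have investigated and judged to be a false positive.
accept_finding() {
    printf '%s\n' "$2" >> "$1"
}

# write_sample_report FILE
# Constructed stand-in for a chkrootkit run: a header line and a path already
# known to be benign on this box, plus one line nobody has looked at yet.
write_sample_report() {
    cat > "$1" <<'EOF'
ROOTDIR is `/'
Checking `ls'... not infected
Checking `netstat'... not infected
Checking `ps'... not infected
Searching for suspicious files and dirs, it may take a while...
/usr/lib/example/.hidden-placeholder
Checking `lkm'... chkproc: nothing detected
Checking `bindshell'... INFECTED (PORTS:  1524)
EOF
}

# --- demo ---------------------------------------------------------------
tmp=$(mktemp -d)
write_sample_report "$tmp/report.txt"
: > "$tmp/baseline.txt"
# Lines reviewed on an earlier run and accepted as benign (constructed).
accept_finding "$tmp/baseline.txt" 'Searching for suspicious files and dirs, it may take a while...'
accept_finding "$tmp/baseline.txt" '/usr/lib/example/.hidden-placeholder'

if triage_report "$tmp/report.txt" "$tmp/baseline.txt"; then
    echo "nothing new since the last reviewed run"
else
    echo "the line(s) above are new: investigate before adding them to the baseline"
fi
rm -rf "$tmp"
```

On the constructed report only the `bindshell` line is printed; the two accepted lines stay silent. The baseline is a plain text file, so keep it somewhere the scanner's own checks do not cover and review it whenever you upgrade the scanner, because a new version can change its wording and make old entries stop matching.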

#4 2011-01-30 20:24:20

Thor@Flanders
Member
Registered: 2010-08-27
Posts: 266

Re: (SOLVED)Do you use chrootkit?

Thanks xdemo,

It's the panic I'll have to learn to deal with big_smile - but I'm getting there wink

During the day I did some "checks" (netstat, portscan from another PC on my network, testing for compromised software, ...) and everything seems in order, oh well, seems like a normal "too-much-time-on-my-hands-sunday"...

Cant w8 4 the workweek to begin smile

Thor


#5 2011-01-30 20:46:12

Awebb
Member
Registered: 2010-05-06
Posts: 6,286

Re: (SOLVED)Do you use chrootkit?

What makes you think you might have a rootkit to deal with? Are there any signs?


#6 2011-01-30 22:40:05

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: (SOLVED)Do you use chrootkit?

Thor@Flanders wrote:

Edit - the reason for my question is that I have two PC's, both have netstat: the one has 104048 bytes in size, the one on Arch has 92152 bytes in size; both yield version 1.42, even when I reinstalled the whole net-tools package.

That doesn't say anything Thor, different compiler options, different architecture perhaps, etc.


ᶘ ᵒᴥᵒᶅ

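litemotiv's point generalises: a binary's size on a machine running a different distribution differs for every build, so it is not a signal at all. The comparison that does carry meaning is between the installed file and the hash recorded by the package manager that installed it. The shell below is an added example, not from the thread and not pacman's or dpkg's code; the manifest functions and the stand-in "netstat" files are constructed for it. On a real system the record already exists and the check is `pacman -Qkk net-tools` on Arch or `debsums net-tools` on Debian.

```shell
#!/bin/sh
# Added example, not from the thread and not any package manager's code.
# Point: a binary that is larger on one distribution than on another is not
# evidence of anything (different compiler, flags, debug sections). The check
# that carries meaning is "does the installed file still hash to what my own
# package manager recorded when it installed it". The manifest below stands in
# for that record; every file here is constructed.

# record_manifest DIR MANIFEST
# Write "sha256  ./relative/path" for every regular file under DIR.
# MANIFEST must be an absolute path because the function changes into DIR.
# On a real system this record already exists (pacman's mtree, dpkg's md5sums).
record_manifest() {
    ( cd "$1" && find . -type f | sort | xargs sha256sum ) > "$2"
}

# modified_files DIR MANIFEST
# Print the relative path of every file whose content no longer matches the
# manifest, or that is missing. Prints nothing when everything checks out.
modified_files() {
    ( cd "$1" && sha256sum -c "$2" 2>/dev/null ) | grep -v ': OK$' | sed 's/: .*$//' || true
}

# --- demo -----------------------------------------------------------------
tmp=$(mktemp -d)
mkdir -p "$tmp/arch/bin" "$tmp/debian/bin"

# Two legitimate builds of the same program version, different size (constructed).
printf 'netstat 1.42 build A\n' > "$tmp/arch/bin/netstat"
printf 'netstat 1.42 build B, same source, different flags, more bytes\n' > "$tmp/debian/bin/netstat"

# Snapshot taken at install time from the trusted source, i.e. the package itself.
record_manifest "$tmp/arch" "$tmp/arch.manifest"

printf 'size on arch: %s  size on debian: %s  (different, and meaningless)\n' \
    "$(wc -c < "$tmp/arch/bin/netstat")" "$(wc -c < "$tmp/debian/bin/netstat")"
printf 'modified since install: [%s]\n' "$(modified_files "$tmp/arch" "$tmp/arch.manifest")"

# The installed binary is now altered in place (one byte appended): the hash check sees it.
printf 'x' >> "$tmp/arch/bin/netstat"
printf 'modified since install: [%s]\n' "$(modified_files "$tmp/arch" "$tmp/arch.manifest")"

rm -rf "$tmp"
```

The first `modified since install` line is empty and the second names `./bin/netstat`. The manifest is only as trustworthy as where it is stored: a tool that can replace `netstat` can also edit a manifest sitting next to it, which is why the package manager's database, or a copy kept off the machine, is the reference to use rather than a snapshot taken after the doubt arose.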

#7 2011-01-31 09:21:34

Thor@Flanders
Member
Registered: 2010-08-27
Posts: 266

Re: (SOLVED)Do you use chrootkit?

Hi,

@Awebb - well, I did a "PS -Af" and saw "rtkit" in the list, so (curious as I am) I entered

whatis rtkit

and got

nothing appropriate

so...off to Yahoo, where that came back with ... "rootkit" yikes - hence the whole confusion...but, I sniffed around (and learned) and did some tests. All ports are tightly closed and the software that can be compromised (PS, netstat, nmap and so on) still seems to be intact. At the time I was somewhat alarmed though...
@litemotiv - this could well be, I looked at a netstat in Debian and the one on my Arch. Okay, so sticking to the repo is the plan. And this spawns yet something else to learn: properly compiling from source smile - see? This was helpful!!!

Thanks (again) for your reassuring words big_smile

Thor

perhaps sharing what I learned where?
- http://linuxdevcenter.com/pub/a/linux/2 … tkits.html
- http://www.usenix.org/publications/logi … tkits.html
and
- http://linuxgazette.net/182/crawley.html

(marking this as solved now!)

Last edited by Thor@Flanders (2011-01-31 09:28:26)


#8 2011-01-31 09:29:40

litemotiv
Forum Fellow
Registered: 2008-08-01
Posts: 5,026

Re: (SOLVED)Do you use chrootkit?

Thor@Flanders wrote:

(marking this as solved now!)

Don't forget. wink

Last edited by litemotiv (2011-01-31 09:30:18)


ᶘ ᵒᴥᵒᶅ

