> > I also would not rely on chkrootkit. I ran a root war once where I
> > downloaded the GNU source for the su command, backdoored it with a second
> > arg and installed it using touch to change the date. chkrootkit did not
> > detect this change.

Chkrootkit is designed to check "known" root kits, so of course it wouldn't find a changed binary you hacked yourself. If you wanted to catch something like this, you would want tripwire installed. But yes, you are correct, never rely solely on chkrootkit. It's best to check servers that you think are hacked with a number of utils. Even then I generally don't trust the server and make the admins reinstall it. But that could be seen as going overboard by some people.

What I tend to recommend to people is to use packages for everything. This way you know the MD5s for all the binaries on your servers. With this model it's very easy to scan for changed files. But this is only really any good if you know your MD5 binary is valid and that you have mounted the bad disk in a known good box, otherwise clever kernel module rootkits can fool you.

- Simon

-- 
Simon Allard
Senior Systems Programmer
IHUG NZ Ltd
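A file-integrity check along the lines Simon describes, as an added example that is not code from this thread: hash every file under a directory (point it at a suspect disk mounted on a known-good box), compare against a manifest of known-good hashes, and show that the "touch" trick from the quoted message does not hide a replaced binary. The function names and the stand-in files in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 (hashlib, not the suspect box's hash binary)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file below root (path relative to root) to its hash.
    Point root at a suspect disk mounted read-only on a known-good host."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def verify(root, known_good):
    """Compare the tree under root against a known-good manifest
    (e.g. hashes recorded from the distribution's packages)."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in known_good.items() if p in current and current[p] != h),
        "missing": sorted(p for p in known_good if p not in current),
        "unexpected": sorted(p for p in current if p not in known_good),
    }

def demo():
    """Constructed scenario: baseline a fake bin/ directory, then replace 'su'
    while restoring its original timestamps (the touch trick from the thread).
    The hash comparison still reports it as modified."""
    with tempfile.TemporaryDirectory() as d:
        bindir = Path(d) / "bin"
        bindir.mkdir()
        su, ls = bindir / "su", bindir / "ls"
        su.write_bytes(b"original su binary (constructed stand-in)\n")
        ls.write_bytes(b"original ls binary (constructed stand-in)\n")
        baseline = build_manifest(bindir)
        st = su.stat()
        su.write_bytes(b"replaced su binary (constructed stand-in)\n")
        os.utime(su, ns=(st.st_atime_ns, st.st_mtime_ns))  # mtime matches the original again
        return verify(bindir, baseline)

if __name__ == "__main__":
    print(demo())  # {'modified': ['su'], 'missing': [], 'unexpected': []}
```

A timestamp-based check (ls -l, find -newer) would miss the replaced file; only the content hash, computed with a tool you trust, flags it.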