Rootkit Hunter

Martin Marcher martin.marcher at openforce.com
Sat Dec 23 10:21:09 UTC 2006


Hi,

On 23.12.2006 at 04:20, mehul wrote:

> But how good are they in detecting rootkits?

They are only a light indication; they are as good as most virus scanners under Windows: they know what the authors told them to know.
Personally I use a combination of chkrootkit, rkhunter, logcheck and logwatch; also, rkhunter has the ability to md5sum binaries (but I don't do that since I expect that if someone is in my box he'll just update those).

Watching your logfiles closely and filtering out data that you know is good (do not try to only get informed about what you know is bad) - this is why I use logcheck and not mainly logwatch; logwatch is only there to inform me about a few cron scripts where I am, up to this date, too lazy to figure out a regex for logcheck - and examine this data regularly. I get my reports hourly, which is usually a mail of about 1k from different boxes.

This is for Windows and Unix:

a) Script kiddies aren't a threat if you use Brain V1.0
b) If someone creates a new piece of malware you are not safe unless your AV software/rootkit hunter/whatever knows about it
c) If someone really wants to hack you (and he knows his business) you won't know about it until it's too late

So in essence what do you mean by how good they are?
The number of rootkits they know about?


> While going through a thread on gentoo forums (sorry, don't have that
> url now), I read that it's quite possible to hijack important
> processes and also 'contaminate' these rootkit checkers.

Yes, that is possible, however it is very unlikely that this will happen (imho) because:

a) Home grown Unix machines aren't an interesting target (there are too few of them)
b) If someone with the abilities to do that decides to hack/crack your computer you will either recognize it by a non-working box, or you won't because he doesn't want you to know


> So, it's better to use them from a live system
> than from the system that could be compromised?

That is true for all monitoring systems; it's better to check the probably infected system from a system that is proven to be clean.


> Also, can these apps detect all rootkits?

No, only the ones they know about.

AFAIK, Unix rootkits aren't quite the same as Windows viruses; most of them are carefully handcrafted and targeted at being invisible and also keeping a backdoor open, not doing something that would kill your data.

hth
martin
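Added example (not code from Martin's mail, nor from logcheck or rkhunter): a small Python filter in the spirit of the logcheck approach described above, where every line that is not matched by a "known good" rule is reported, shown next to a blocklist filter for contrast. The sample log lines, hostnames, addresses and rule patterns are constructed for illustration; the helper names (`allowlist_filter`, `blocklist_filter`, `hourly_report`) are assumptions of this example, not tool APIs.

```python
"""Allowlist-style log review: report everything you have not explicitly
classified as routine.  Added example, not from the original mail or from
logcheck/rkhunter.  All log lines, hosts and addresses are constructed."""
import re
from typing import Iterable, List, Sequence

# Constructed sample syslog lines (addresses from the documentation ranges).
SAMPLE_LOG = [
    "Dec 23 09:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "Dec 23 09:05:17 host sshd[2345]: Accepted publickey for martin from 192.0.2.10 port 51234 ssh2",
    "Dec 23 09:05:18 host sshd[2345]: pam_unix(sshd:session): session opened for user martin by (uid=0)",
    "Dec 23 09:07:42 host sshd[2399]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Dec 23 09:08:00 host kernel: hypothetical_module: loaded, taint flag set",
    "Dec 23 10:00:01 host CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# "Known good" rules: each describes traffic the admin has examined and
# decided is routine.  Anything else is, by definition, worth a look.
KNOWN_GOOD = [
    r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$",
    r"sshd\[\d+\]: Accepted publickey for martin from 192\.0\.2\.10 port \d+ ssh2$",
    r"sshd\[\d+\]: pam_unix\(sshd:session\): session opened for user martin by \(uid=0\)$",
]

# "Known bad" rules: the signature approach the mail advises against relying
# on alone.  Note there is no signature for the unexpected kernel line.
KNOWN_BAD = [
    r"sshd\[\d+\]: Failed password for",
]

# Timestamp + hostname prefix, stripped so rules only match the message part.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")


def strip_prefix(line: str) -> str:
    """Drop the syslog timestamp/hostname so rules stay stable across hosts."""
    return SYSLOG_PREFIX.sub("", line, count=1)


def allowlist_filter(lines: Iterable[str], rules: Sequence[str]) -> List[str]:
    """Return the lines NOT matched by any known-good rule (logcheck-style)."""
    compiled = [re.compile(r) for r in rules]
    return [l for l in lines
            if not any(c.search(strip_prefix(l)) for c in compiled)]


def blocklist_filter(lines: Iterable[str], rules: Sequence[str]) -> List[str]:
    """Return the lines matched by a known-bad rule (signature-style)."""
    compiled = [re.compile(r) for r in rules]
    return [l for l in lines
            if any(c.search(strip_prefix(l)) for c in compiled)]


def hourly_report(lines: Sequence[str] = SAMPLE_LOG) -> str:
    """Build the kind of short mail the post describes: only the unexpected."""
    unexpected = allowlist_filter(lines, KNOWN_GOOD)
    if not unexpected:
        return "nothing unexpected in %d lines\n" % len(lines)
    return "%d of %d lines unexpected:\n%s\n" % (
        len(unexpected), len(lines), "\n".join(unexpected))


if __name__ == "__main__":
    print("--- allowlist (report what is not known good) ---")
    print(hourly_report())
    print("--- blocklist (report only what is known bad) ---")
    print("\n".join(blocklist_filter(SAMPLE_LOG, KNOWN_BAD)))
```

Run on the constructed input, the allowlist pass reports two lines (the failed root login and the kernel module message), while the blocklist pass reports only the failed login, because nobody wrote a signature for the kernel line in advance. That gap is the point of the mail: rules for "what I know is good" shrink as you tune them, whereas rules for "what I know is bad" are always one incident behind.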