Rootkit Hunter
Martin Marcher
martin.marcher at openforce.com
Sat Dec 23 10:21:09 UTC 2006
Hi,
On 23.12.2006 at 04:20, mehul wrote:
> But how good are they in detecting rootkits?
They are only a light indication; they are as good as most virus
scanners under Windows: they know what the authors told them to know.
Personally I use a combination of chkrootkit, rkhunter, logcheck,
logwatch, also rkhunter has the ability to md5sum binaries (but I
don't do that since I expect that if someone is in my box he'll just
update those)
Watch your logfiles closely and filter out data that you know is
good (do not try to only get informed about what you know is bad) -
this is why I use logcheck and not mainly logwatch; logwatch is only
there to inform me about a few cron scripts where I am, up to this
date, too lazy to figure out a regex for logcheck - and examine this
data regularly. I get my reports hourly, which is usually a mail of
about 1k from different boxes.
This is for Windows and Unix:
a) Script kiddies aren't a threat if you use Brain V1.0
b) If someone creates a new piece of malware you are not safe unless
your AV software/rootkit hunter/whatever knows about it
c) If someone really wants to hack you (and he knows his business)
you won't know about it until it's too late
So in essence what do you mean by how good they are?
The number of rootkits they know about?
> While going through a thread on gentoo forums (sorry don't have that
> url now), I read that
> it's quite possible to hijack important processes and also
> 'contaminate'
> these rootkit checkers.
Yes, that is possible, however it is very unlikely that this will
happen (imho) because:
a) Home grown Unix machines aren't an interesting target (there are
too few of them)
b) If someone with the abilities to do that decides to hack/crack
your computer you will either recognize it by a non-working box, or you
won't because he doesn't want you to know
> So, it's better to use them from a live system
> than from the system that could be compromised?
That is true for all monitoring systems, it's better to check the
probably infected system from a system that is proven to be clean.
> Also, can these apps detect all rootkits?
No, only the ones they know about.
AFAIK, Unix rootkits aren't quite the same as Windows viruses; most of
them are carefully handcrafted and targeted at being invisible and
also keeping a backdoor open, not doing something that would kill
your data.
hth
martin
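The logcheck approach Martin describes above (filter out what you know is good and report the rest, rather than only alerting on known-bad signatures), as an added example that is not part of the original post; the log lines, hostnames, addresses and ignore patterns are constructed for illustration and are not real logcheck rules:

```python
import re

# Constructed sample syslog lines (not from the original post).
SAMPLE_LOG = """\
Dec 23 10:00:01 box CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Dec 23 10:00:05 box sshd[1250]: Accepted publickey for martin from 192.0.2.10 port 51022 ssh2
Dec 23 10:02:11 box sshd[1262]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2
Dec 23 10:03:40 box kernel: usb 1-1: new high speed USB device using ehci_hcd and address 3
Dec 23 10:05:00 box su[1301]: + pts/0 martin:root
"""

# Known-good patterns, one anchored regex per routine event (hypothetical,
# written in the spirit of logcheck ignore files; "\w{3} [ :0-9]{11}" is
# the syslog timestamp, "[\w.-]+" the hostname).
IGNORE_PATTERNS = [
    r"^\w{3} [ :0-9]{11} [\w.-]+ CRON\[[0-9]+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$",
    r"^\w{3} [ :0-9]{11} [\w.-]+ sshd\[[0-9]+\]: Accepted publickey for martin from 192\.0\.2\.10 port [0-9]+ ssh2$",
]

# Known-bad signatures, the approach the post advises against relying on alone.
ATTACK_PATTERNS = [r"Failed password", r"invalid user"]


def filter_known_good(lines, ignore_patterns):
    """logcheck style: report every line that no ignore pattern matches."""
    compiled = [re.compile(p) for p in ignore_patterns]
    return [ln for ln in lines if not any(c.search(ln) for c in compiled)]


def filter_known_bad(lines, attack_patterns):
    """Signature style: report only lines matching a known-bad pattern."""
    compiled = [re.compile(p, re.IGNORECASE) for p in attack_patterns]
    return [ln for ln in lines if any(c.search(ln) for c in compiled)]


def compare(log_text=SAMPLE_LOG):
    """Return (allow-list report, signature report, lines only the allow-list catches)."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    reported = filter_known_good(lines, IGNORE_PATTERNS)
    flagged = filter_known_bad(lines, ATTACK_PATTERNS)
    missed = [ln for ln in reported if ln not in flagged]
    return reported, flagged, missed


if __name__ == "__main__":
    reported, flagged, missed = compare()
    print("allow-list report:", *reported, sep="\n  ")
    print("signature report:", *flagged, sep="\n  ")
    print("seen only by the allow-list approach:", *missed, sep="\n  ")
```

The unexplained USB device and the su to root never match a known-bad signature, but they show up as soon as everything routine has been filtered away; the cost is maintaining the ignore regexes as the post says.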