chkrootkir LKM Trojan ?

Brian McKee brian.mckee at gmail.com
Wed Jul 19 12:59:56 UTC 2006


On 18/07/06, ubuntu at rio.vg <ubuntu at rio.vg> wrote:
> Brian McKee wrote:
> > On 17/07/06, boricua <boricua at despiertapr.com> wrote:
> >
> >> how do you know rkhunter was not compromised
> >
> > rkhunter does check itself as its first step!
>
> Think about that for a moment.
>
> Let's say I write a rootkit that is rkhunter-aware.  It searches out
> rkhunter, and modifies it when found.  What do you think my first change
> to rkhunter will be?

Let's say I write a rootkit that is rkhunter-aware, and chkrootkit-aware, and
modifies all the binaries on your machine invisibly - how do you find it?

Answer: you don't, because you never went looking.
But that rootkit has never been written.

We can reduce this to absurdity.  If God wants to rootkit you, he will.

As for your original question, installing it before you suspect problems
and storing the checksums offline is the recommended procedure I believe.

If he wants to check now, I'd install rkhunter on a known good machine
of the same distro and compare checksums that way.
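The offline-baseline procedure described in the reply above, as an added example that is not from the post or the ubuntu-users list: checksum a tree of binaries while the host is still trusted, keep that manifest off the machine, and later diff a fresh manifest against it. The tree, file names and "tampering" below are constructed in a temp dir and stand in for /bin, /sbin and friends.

```shell
#!/bin/sh
# Added example: baseline a directory tree with sha256sum, then compare a
# later manifest against the stored baseline. Paths are a constructed sample
# tree under mktemp, not real system directories.

# make_manifest DIR OUT: one "sha256  path" line per regular file under DIR.
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | xargs -r sha256sum > "$2"
}

# lookup_hash MANIFEST PATH: print the recorded hash for PATH, or nothing.
lookup_hash() {
    awk -v p="$2" '$2 == p { print $1 }' "$1"
}

# compare_manifest BASELINE CURRENT: print CHANGED/MISSING/NEW entries and
# return 0 only when both manifests agree exactly.
compare_manifest() {
    rc=0
    while read -r hash path; do
        cur=$(lookup_hash "$2" "$path")
        if [ -z "$cur" ]; then echo "MISSING $path"; rc=1
        elif [ "$cur" != "$hash" ]; then echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    while read -r hash path; do
        [ -n "$(lookup_hash "$1" "$path")" ] || { echo "NEW $path"; rc=1; }
    done < "$2"
    return $rc
}

# demo: build a sample tree, baseline it, simulate tampering, run the compare.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/sbin"
    printf 'ls v1\n' > "$root/bin/ls"
    printf 'ps v1\n' > "$root/bin/ps"
    printf 'ifconfig v1\n' > "$root/sbin/ifconfig"
    make_manifest "$root" "$root.baseline"     # this file belongs offline
    # constructed tampering: replaced ps, removed ifconfig, one new binary
    printf 'ps TROJAN\n' > "$root/bin/ps"
    rm "$root/sbin/ifconfig"
    printf 'dropped\n' > "$root/bin/backdoor"
    make_manifest "$root" "$root.current"
    compare_manifest "$root.baseline" "$root.current" | sed "s|$root||"
    rm -rf "$root" "$root.baseline" "$root.current"
}
```

A real baseline only means something if the sha256sum binary and the manifest are taken from media the suspect host cannot write to, which is the point of the "known good machine" suggestion.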
