not if system is already compromised
|
| Author | Content |
|---|---|
| gus3 Jan 28, 2008 9:04 AM EDT |
If the system is already compromised, then assuming a rootkit detector will work is dicey at best. A rootkit which is on guard against the detector can still fool the user/administrator into thinking the system is healthy. http://gus3.typepad.com/i_am_therefore_i_think/2007/08/secur... Admins need to learn to think like the bad guys, not just blindly follow installation instructions from some website. |
| phsolide Jan 28, 2008 9:15 AM EDT |
My own small experience is that more rootkits exist than chrootkit checks for. In 2001, I had a Solaris box get owned, and a rootkit get installed. It was a user-level rootkit, no kernel module involved, but it was a combination of "URK" and the "Tragedy/DOR" rootkit. At the time, chrootkit could not detect it. "top" did reveal two unnatural /usr/lib/sched processes running, and "echo *" revealed files that "ls" did not show. The Solaris 2.8 "truss" command showed "ps", "ls", "find", etc redirected through some weird stuff. Rootkits seem philosophically interesting, a lot like Rene Descartes "Evil Genius": http://en.wikipedia.org/wiki/Evil_genius I also have to note that rootkits began on Unix (SunOS 4, if you believe the history accounts) and only later moved to Windows, a lot like worms, viruses, PPP, TCP/IP, multi-tasking and any number of other things. |
| tracyanne Jan 28, 2008 11:59 AM EDT |
Quoting:I also have to note that rootkits began on Unix (SunOS 4, if you believe the history accounts) and only later moved to Windows, a lot like worms, viruses, PPP, TCP/IP, multi-tasking and any number of other things. Where they thrived. Well the viruses, rootkits, worms and other malware. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!