not if system is already compromised

Story: Linux Detecting Rootkits
Total Replies: 2
gus3

Jan 28, 2008
9:04 AM EDT
If the system is already compromised, then assuming a rootkit detector will work is dicey at best. A rootkit which is on guard against the detector can still fool the user/administrator into thinking the system is healthy.

http://gus3.typepad.com/i_am_therefore_i_think/2007/08/secur...

Admins need to learn to think like the bad guys, not just blindly follow installation instructions from some website.
phsolide

Jan 28, 2008
9:15 AM EDT
My own small experience is that more rootkits exist than chkrootkit checks for.

In 2001, I had a Solaris box get owned, and a rootkit get installed. It was a user-level rootkit, no kernel module involved, but it was a combination of "URK" and the "Tragedy/DOR" rootkit.

At the time, chkrootkit could not detect it. "top" did reveal two unnatural /usr/lib/sched processes running, and "echo *" revealed files that "ls" did not show. The Solaris 2.8 "truss" command showed "ps", "ls", "find", etc. redirected through some weird stuff.

Rootkits seem philosophically interesting, a lot like René Descartes' "Evil Genius": http://en.wikipedia.org/wiki/Evil_genius

I also have to note that rootkits began on Unix (SunOS 4, if you believe the history accounts) and only later moved to Windows, a lot like worms, viruses, PPP, TCP/IP, multi-tasking and any number of other things.
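The two cross-view checks phsolide describes (the shell's own glob expansion against what "ls" shows, and the kernel's process table against what "ps" shows) written out as a POSIX sh script. This is an added example, not code from the thread; the function names, the optional lister parameter and the /proc comparison are my own assumptions.

```shell
#!/bin/sh
# Cross-view rootkit checks. A user-level rootkit that trojans ls/ps cannot
# also rewrite the shell's glob expansion or the kernel's /proc view, so a
# disagreement between the two views is a signal worth investigating.
# Added example; assumes POSIX sh, "ls -A" and "ps -e -o pid=".

default_lister() { ls -A -- "$1"; }

# Names the shell's glob sees in DIR that the lister (default: ls -A) omits.
# Prints one name per line; prints nothing when both views agree.
glob_vs_ls() {
    dir=$1
    lister=${2:-default_lister}
    listed=$("$lister" "$dir" | sort)
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # pattern matched nothing
        name=${path##*/}
        printf '%s\n' "$listed" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# PIDs present under /proc that ps does not report. Short-lived processes can
# show up here by race between the two snapshots, so re-run before treating
# a hit as evidence of a hidden process.
proc_vs_ps() {
    [ -d /proc ] || return 0
    ps_pids=$(ps -e -o pid= | tr -d ' ' | sort -n)
    for p in /proc/[0-9]*; do
        [ -d "$p" ] || continue
        pid=${p#/proc/}
        printf '%s\n' "$ps_pids" | grep -qxF -- "$pid" || printf '%s\n' "$pid"
    done
}

# Usage: . ./crossview.sh; glob_vs_ls /usr/lib; proc_vs_ps
```

Both functions are silent on a clean system; any output is a name or PID that one view reported and the other did not.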
tracyanne

Jan 28, 2008
11:59 AM EDT
Quoting: I also have to note that rootkits began on Unix (SunOS 4, if you believe the history accounts) and only later moved to Windows, a lot like worms, viruses, PPP, TCP/IP, multi-tasking and any number of other things.

Where they thrived.

Well the viruses, rootkits, worms and other malware.
