[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [suse-security] Re: Backdoor over http(s)?? -> how to trust chkrootkit

Hi again,

Am Die, den 13.01.2004 schrieb Tobias Weisserth um 18:18:
> > To be shure, I got a new chkrootkit tarball, but the machine is clean.
> > Nothing is corrupted in /etc /var /usr /lib /bin /dev /root /sbin etc....
> You can't be sure since chkrootkit kind of depends on a clean system to
> say it's clean. See above.

This is from the chkrootkit FAQ:

Which commands does chkrootkit use?

The following commands are used by the chkrootkit script: 

awk, cut, echo, egrep, find, head, id, ls, netstat, ps, strings, sed,

Can I trust these commands on a compromised machine?

Probably not. We suggest you follow one of the alternatives below: 

     1. Use the `-p path' option to supply an alternate path to binaries
        you trust: 
        # ./chkrootkit -p /cdrom/bin
     2. Mount the compromised machine's disk on a machine you trust and
        specify a new rootdir with the `-r rootdir' option: 
        # ./chkrootkit -r /mnt



Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here