On 03-Oct-04 Maura Edelweiss Monville wrote:
[...] Sorry for my ignorance ... what is a "a rootkit hunter" ?????
Regards, Maura
Myself I hadn't even heard of "rootkit" until very recently when
someone posted to linux-users@lists.man.ac.uk that he had been
infected twice over. In his explanation to me he wrote:
"An apache vulnerability is where carefully crafted information
is sent to such a web server, thus overrunning a buffer or
such-like, and being able to install and execute arbitrary code.
A rootkit is the stuff script-kiddies (people who use software
provided from elsewhere) install on your machine, in an attempt
to replace core utilities (ls, find, ps, top, ....) by ones that
don't show illicit activity, even when it is taking place.
In my case they don't seem to have gained root access, so have
been unable to totally screw my machine, but they installed their
own telnetd, nmap, stealth scanners and other software.
The main problem is that chkrootkit (www.chkrootkit.org) doesn't
scan for these rootkits, since they are not included. It is still
worth your while to use chkrootkit!"
So I went to
http://www.chkrootkit.org
and installed chkrootkit anyway! There may be other rootkit-checkers
out there which may be preferable. There is a lot of info on this
site about how rootkits work.
Some of chkrootkit's tests are a bit dumb, and likely to throw up
false positives (which is way better than false negatives!).
In particular, any file under /usr/lib/ whose filename begins with
a "." will be flagged up. Since these can be created by standard
software (e.g. perl, java) they need not be, and probably are not,
sinister. But don't take this for granted either!
I hope this helps!
Ted.
--------------------------------------------------------------------
E-Mail: (Ted Harding)
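Two checks that follow from the thread above, written as an added example rather than code from chkrootkit or from either poster: a chkrootkit-style scan for hidden (dot) files under a lib directory, with a small allowlist for files that perl and java legitimately create, and a checksum baseline for core utilities (ls, ps, ...) that catches the replacement a rootkit performs. The allowlist entries (.packlist, .systemPrefs), the sample directory tree and the sample "binaries" are assumptions constructed for this example; sha256sum from GNU coreutils is assumed to be available.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code.
#   check_lib_dir      : chkrootkit-style scan for hidden (dot) entries under a
#                        library directory, minus a small benign allowlist.
#   make_baseline /    : record checksums of core utilities while the machine
#   verify_baseline      is believed clean, then detect later replacement.
# The allowlist, the sample tree and the sample "binaries" below are
# assumptions constructed so the example runs offline.

# List hidden entries (name beginning with ".") under $1, sorted.
find_hidden() {
    find "$1" -name '.*' ! -path "$1" -print 2>/dev/null | sort
}

# Hidden names that ordinary packages create (assumption for this example;
# extend it for your own distribution, and do not treat a match as proof).
is_allowlisted() {
    case "$(basename "$1")" in
        .packlist)    return 0 ;;  # perl: module installation manifest
        .systemPrefs) return 0 ;;  # java: system preferences directory
        *)            return 1 ;;
    esac
}

# Print "SUSPICIOUS: <path>" for every hidden entry not on the allowlist.
check_lib_dir() {
    find_hidden "$1" | while IFS= read -r f; do
        is_allowlisted "$f" || printf 'SUSPICIOUS: %s\n' "$f"
    done
}

# Write a sha256 baseline for the given files to $1.
# Run it on a machine you trust, and keep the baseline where the machine
# cannot rewrite it later (an intruder with root can alter a local copy).
make_baseline() {
    baseline=$1; shift
    sha256sum "$@" > "$baseline"
}

# Print "MODIFIED: <path>" for every file whose checksum differs from the
# baseline in $1. Returns 0 if everything matches, 1 otherwise.
verify_baseline() {
    status=0
    while read -r sum path; do
        now=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now" != "$sum" ]; then
            printf 'MODIFIED: %s\n' "$path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Constructed sample data: a benign perl manifest, a benign java directory,
# one hidden directory an intruder might drop, and two fake "utilities".
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/perl5/auto/Foo" "$d/lib/jvm/.systemPrefs" "$d/lib/.x" "$d/bin"
    : > "$d/lib/perl5/auto/Foo/.packlist"
    : > "$d/lib/.x/dropped_tool"
    printf 'original ls\n' > "$d/bin/ls"
    printf 'original ps\n' > "$d/bin/ps"
    printf '%s\n' "$d"
}

# Walk through both checks, simulating the replacement of ps.
demo() {
    d=$(build_sample)
    check_lib_dir "$d/lib"                      # reports only lib/.x
    make_baseline "$d/baseline" "$d/bin/ls" "$d/bin/ps"
    printf 'trojaned ps\n' > "$d/bin/ps"        # what a rootkit would do
    if verify_baseline "$d/baseline"; then
        echo "all core utilities match the baseline"
    else
        echo "baseline mismatch: treat the machine as compromised"
    fi
    rm -rf "$d"
}

demo
```

The allowlist has exactly the weakness the post warns about: a hidden file with a familiar name is not thereby innocent, so check the contents of anything reported before dismissing it. The baseline is only as good as its storage; keep it on read-only media or another host, since anyone who has replaced ps and ls can also rewrite a baseline sitting beside them.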