If you want to get additional safety against rootkits, consider installing
an IDS on every freshly installed server. If you just want to be sure that
the ps and netstat commands have not been touched by an intruder, you could
write a script that compares a checksum of these files each time you log in
to the server. In order to always have clean binaries ready you could also
place them somewhere on the server on an unmounted, encrypted partition. But
I admit that it is a bit much work :-)
Regards
Reto Inversini
----- Original Message -----
From: "Richard Clyne"
You could use a live eval version of the Linux distribution to get 'safe' copies of the binaries.
Richard
-----Original Message-----
From: Michael Appeldorn [SMTP:appeldorn@codixx.de]
Sent: 09 November 2001 13:55
To: Michael Bailey
Cc: suse-security@suse.com
Subject: RE: [suse-security] Let's assume a rootkit on our box
I may be reinventing the wheel here but wouldn't it be possible to put 'rootkit vulnerable' binaries on a floppy and leave it in the drive with the tab set to read only?
Then, it should be possible to use uncompromised binaries like ps if you're suspicious of those on your hard drive.
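The checksum comparison suggested in the first reply, sketched as an added example (not code posted by anyone in the thread). The function names, the `SUM` variable and the file paths are assumptions; `SUM` lets the check use a copy of `sha256sum` kept on read-only media, in line with the clean-binaries suggestions above.

```shell
#!/bin/sh
# Added example: record a checksum baseline for a few binaries and verify it later.
# SUM (assumed name) selects the checksum tool, e.g. a copy on read-only media.

# record_baseline BASELINE FILE...   -> writes "hash  path" lines to BASELINE
record_baseline() {
    baseline=$1; shift
    "${SUM:-sha256sum}" -- "$@" > "$baseline"
}

# verify_baseline BASELINE -> prints CHANGED/MISSING lines, returns 1 on any finding
verify_baseline() {
    baseline=$1
    rc=0
    while read -r want file; do
        [ -n "$want" ] || continue            # skip blank lines
        if [ ! -f "$file" ]; then
            echo "MISSING $file"; rc=1; continue
        fi
        have=$("${SUM:-sha256sum}" -- "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $file"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# Demo on constructed stand-ins for ps and netstat (not the real binaries).
demo=$(mktemp -d)
printf 'ps v1\n' > "$demo/ps"
printf 'netstat v1\n' > "$demo/netstat"
record_baseline "$demo/baseline" "$demo/ps" "$demo/netstat"
printf 'ps v2\n' > "$demo/ps"                 # simulate a replaced binary
verify_baseline "$demo/baseline" || echo "integrity check failed"
rm -rf "$demo"

# On a real host (assumed paths), take the baseline right after installation:
#   record_baseline /mnt/readonly/baseline /bin/ps /bin/netstat
# and call verify_baseline /mnt/readonly/baseline from the login profile.
```

The result is only as trustworthy as the baseline file and the checksum tool, so both belong on media an intruder cannot write to.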