On Sat, 2003-11-22 at 12:39, Sam Barnett-Cormack wrote: > > > > What you should do against it is remove the server from the net, backup > > any data (avoiding executables) and reinstall. Then have everyone who > > ever used a password on the server change their passwords. Rootkits tend > > to install a backdoor for access (Eg. second sshd) and to replace common > > binaries (ls, ps) to hide their presence. chkrootkit can only find > > rootkits that have been sloppily constructed. > > Actually, chkrootkit will probably be able to find all but the best, as > long as the author keeps it up to date. It detects the common > modifications to binaries as well. I think chkrootkit is a great tool, but my point is it is only as good as the executable it is calling. If a rootkit replaced the "test" functionality of bash to always return false for the existence of the files making up the rootkit, suddenly that rootkit is invisible. I would consider any rootkit that replaces binaries, but neglexts to replace those binaries that can be used to detect it, sloppily written. It would be straightforward for a rootkit writer to examine all the tests done by chkrootkit and to replace each binary involved to render a newly created rootkit "invisible". Cheers, Ben
