Jim Cornette wrote:
Pedro Fernandes Macedo wrote:
At the place where I worked, we used both checkrootkit (which gave
good results on distros without NPTL) and integrit. The bad thing
about integrit is learning to see what you changed (through updates
and changes in configurations) and what an invader changed.... This is
really problematic when you do a massive upgrade (or when you upgrade
a big package, like xorg, for instance) and you end up with an integrit
report with 2000+ files changed in the system...
Thanks for the tips. Digging through 2000+ reported changes does not
sound like a picnic. I guess my paranoid approach regarding not doing
on-line transactions is my safest bet. I'll check out integrit to see
how this program fares.
Just remembered what we used to do to make our lives easier at work...
We disabled any automatic system updates (this way, you know exactly
what you change on the machine). After each manual update or
reconfiguration, integrit is run again to update its database... This
way, if for some reason you receive a message containing unexpected
changes, then it's probably an invasion..
--
Pedro Macedo
(who used to be paranoid, but got tired of it... :) )
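The workflow Pedro describes (take a baseline, make your own updates by hand, re-run the checker to accept them, treat anything else as suspect), as an added example that is not part of the original thread and is not integrit's own code: a few POSIX shell functions that do the same job with sha256sum, plus an allowlist of paths the upgrade was expected to touch so that a big package update does not bury the one change you did not make. The fim_* function names, the demo directory tree and its contents are all made up for this example.

```shell
#!/bin/sh
# Added example, not integrit's code or the poster's scripts: a minimal
# integrit-style file-integrity workflow (baseline, check, accept) with an
# allowlist of paths you expect to change, so a package upgrade does not drown
# the one change an intruder made. Demo paths and contents are constructed.
# Limitation: paths containing whitespace or newlines are not handled.
set -u

# Record "<sha256>  <path>" for every regular file under $1 into $2.
# Run this once to create the baseline, and again after a manual update
# to accept the new state (the "run integrit again" step).
fim_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Compare the tree under $1 against baseline $2 and print one line per
# difference: CHANGED, ADDED or REMOVED followed by the path. Paths listed
# in the optional file $3 (e.g. the file list of the package you just
# upgraded) are reported as EXPECTED instead, so what remains is what you
# did not do yourself.
fim_check() {
    chk_root=$1; chk_db=$2; chk_exp=${3:-/dev/null}
    chk_cur=$(mktemp)
    fim_baseline "$chk_root" "$chk_cur"
    # tag baseline lines K and current lines C, then join on path in awk
    { sed 's/^/K /' "$chk_db"; sed 's/^/C /' "$chk_cur"; } |
    awk -v expected_file="$chk_exp" '
        BEGIN { while ((getline l < expected_file) > 0) expect[l] = 1 }
        $1 == "K" { known[$3] = $2; next }
                  { current[$3] = $2 }
        END {
            for (p in current) {
                if (!(p in known))               tag = "ADDED"
                else if (known[p] != current[p]) tag = "CHANGED"
                else continue
                if (p in expect) tag = "EXPECTED"
                print tag, p
            }
            for (p in known) {
                if (p in current) continue
                tag = "REMOVED"
                if (p in expect) tag = "EXPECTED"
                print tag, p
            }
        }' | LC_ALL=C sort
    rm -f "$chk_cur"
}

# Constructed scenario: baseline a tiny tree, "upgrade" one package (bin/ls
# and lib/libc.so, both on the allowlist), and let an intruder alter
# etc/passwd and drop bin/.rootkit. Prints the check report with the temp
# root replaced by <root>, then re-baselines (accept) and prints how many
# differences are left.
fim_demo() {
    root=$(mktemp -d); db="$root.db"; exp="$root.expected"
    mkdir -p "$root/etc" "$root/bin" "$root/lib"
    echo "root:x:0:0:root:/root:/bin/sh" > "$root/etc/passwd"
    echo "ls v1"   > "$root/bin/ls"
    echo "libc v1" > "$root/lib/libc.so"
    fim_baseline "$root" "$db"

    # the upgrade you performed yourself: its file list is the allowlist
    printf '%s\n' "$root/bin/ls" "$root/lib/libc.so" > "$exp"
    echo "ls v2"   > "$root/bin/ls"
    echo "libc v2" > "$root/lib/libc.so"
    # changes you did not make
    echo "evil:x:0:0::/:/bin/sh" >> "$root/etc/passwd"
    echo "backdoor" > "$root/bin/.rootkit"

    fim_check "$root" "$db" "$exp" | sed "s|$root|<root>|"

    # after reviewing and resolving the report, accept the new state
    fim_baseline "$root" "$db"
    echo "after-accept differences: $(fim_check "$root" "$db" | wc -l | tr -d ' ')"
    rm -rf "$root" "$db" "$exp"
}
```

On a real host the allowlist for a manual update can be generated from the package manager's file list (rpm -ql or dpkg -L for the packages you just upgraded), which is what turns a 2000-line report into the handful of lines worth reading. The baseline database and the checker itself must live where an intruder who owns the box cannot rewrite them (read-only media or a copy kept off the machine), otherwise the "accept" step can be replayed against you.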