> Even when I run chkrootkit I don't feel safe cause if your system has been
> owned, are you sure you can trust the results the anti rootkit is reporting
> you?

Well... you can certainly trust them if they're telling you that you are totally screwed. It's if they're telling you that there is no problem that you will experience some ambiguity. So it might tell you when you need to start thinking about a re-install. There are probably better ways, but this one is pretty easy, good for lazy ignorant types like me.

You can trust the results if you reboot your system from a CD, with the caveat that there might be some new exploit that rkhunter and chkrootkit do not know about. Or a bot that runs only in memory and so went away (for now) when you rebooted (only to return later, probably).

Even without rebooting, it gives your intruders one more thing to think about and bungle. If you attribute them with god-like powers of foresight and concentration, there's no point in trying to avoid intrusions - this god-like being will certainly know some unpublicized exploit and predict every countermeasure you take and set up some kernel hack that tells you everything is fine when it is not. On the other hand, if they are merely human, it will be worth the trouble. The lock on my front door can be picked, but I still lock it when I leave the house.

> From my point of view, if you got a rootkit the best thing you can do is,
> firstly, figure out how you got hacked and then just re-install the system,
> otherwise, the system is not going to be truly reliable anymore.

Well, yeah. But how do you know you've got a rootkit and how do you figure out how you've been hacked? rkhunter or chkrootkit can tell you a lot about that, though it's true that they may tell you nothing. They're a couple of tools in the kit. You are also assuming that it is practical to take the system offline.
I'd say you definitely should have enough slack in your plans that you could take any particular machine offline and re-install it, but sometimes people find themselves facing unanticipated trade-offs and would like to have the option of doing something quicker though perhaps more risky. Well, let's hope we never go there.

There's also the case where things are less clear cut - maybe there's something wrong, but you don't yet know. I guess monitoring your network traffic may be less ambiguous, but hey, who's to say the hacker can't fool you there too? Whatever the intruder does, it is possible to try to camouflage it, given time and ingenuity. Just because there are stealth bombers doesn't mean you turn off your radar.

Of course, all this makes me want to move "learn about snort" higher on my list of things I need to do.

What method do you use to watch out for intrusion attempts?

buena suerte,
Dave
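The point Dave makes about rebooting from a CD is that a kernel-level rootkit can only lie to tools that run on its kernel; hashing the suspect filesystem from clean boot media sidesteps that. Here is an added example of that offline check (not part of the original thread, and not code from chkrootkit or rkhunter): it hashes the system binary directories of a mounted, not-running root and diffs them against a baseline manifest taken from a known-good install. The paths `/mnt/root` and `baseline.json` in the usage note are assumed; the tree built by `build_demo` is a constructed fixture standing in for a trojaned `ps`, a deleted `init` and a dropped preload library. As Dave's caveat says, this catches on-disk tampering only, never a memory-only bot.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories whose contents a rootkit most often replaces. Paths are relative
# to the mounted root, so the same list works for /mnt/root or a demo tree.
SYSTEM_DIRS = ("bin", "sbin", "lib")


def sha256_file(path: str) -> str:
    """Streamed SHA-256 so large libraries don't get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str, subdirs=SYSTEM_DIRS) -> dict:
    """Return {relative_path: sha256} for regular files under root/subdir.

    Symlinks are skipped (their targets are hashed under their own path) and
    os.walk is told not to follow links, so an attacker cannot redirect the
    scan out of the mounted filesystem.
    """
    manifest = {}
    for sub in subdirs:
        base = os.path.join(root, sub)
        for dirpath, _dirnames, filenames in os.walk(base, followlinks=False):
            for name in filenames:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests: changed hashes, files gone, files that appeared."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def build_demo(workdir: str):
    """Constructed fixture: a known-good tree and a tampered copy of it."""
    good = Path(workdir) / "good"
    suspect = Path(workdir) / "suspect"
    files = {
        "bin/ls": b"ELF-ls-original",
        "bin/ps": b"ELF-ps-original",
        "sbin/init": b"ELF-init-original",
        "lib/libc.so.6": b"ELF-libc-original",
    }
    for root in (good, suspect):
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Tampering present only in the suspect tree (all constructed).
    (suspect / "bin" / "ps").write_bytes(b"ELF-ps-trojaned-hides-pids")
    (suspect / "sbin" / "init").unlink()
    (suspect / "lib" / "libhide.so").write_bytes(b"ELF-ld-preload-rootkit")
    return str(good), str(suspect)


def run_demo() -> dict:
    """Hash the good tree as the baseline, then audit the suspect copy."""
    with tempfile.TemporaryDirectory() as d:
        good, suspect = build_demo(d)
        baseline = hash_tree(good)
        return compare(baseline, hash_tree(suspect))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

For a real system the baseline is the output of `hash_tree("/")` taken right after a clean install and stored off-box as JSON (`json.dump(manifest, f)`), and the audit is `compare(json.load(f), hash_tree("/mnt/root"))` run from the live CD with the disk mounted read-only. The baseline has to predate the compromise; a manifest generated on an already-owned box just enshrines the rootkit.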