But it does check for some listening ports. There is not a better tool
for that?
Maybe a combination of chkrootkit -d with some AV? Any recomendation?
Thanks,
Jordi
Dave Burns wrote:
On 10/22/07, Jordi Prats <jprats@xxxxxxxx> wrote:
About this discussion, chkrootkit are for live systems, isn't it?
There's any tool to do rootkit analysis on a "dead" system?
I'm thinking of check for rootkits on snapshots of the file system of a
virtual machine to determine if the running virtual machine is compromised.
Use -r switch? As long as you can mount the dead system as a (possbily
ro) filesystem, I don't see why not.
Dave
chkrootkit --help
Usage: /usr/lib/chkrootkit-0.47/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
