On Tue, 2007-10-23 at 23:16 +0200, Jordi Prats wrote:
> But it does check for some listening ports. Is there not a better tool
> for that?

The best tool for that is nmap (or for the GUI users, nmap-fe).

> Maybe a combination of chkrootkit -d with some AV? Any recommendation?
>
> Thanks,
> Jordi
>
> Dave Burns wrote:
> > On 10/22/07, Jordi Prats <jprats@xxxxxxxx> wrote:
> >> About this discussion, chkrootkit is for live systems, isn't it?
> >> Is there any tool to do rootkit analysis on a "dead" system?
> >>
> >> I'm thinking of checking for rootkits on snapshots of the file system of a
> >> virtual machine to determine if the running virtual machine is compromised.
> >>
> >
> > Use -r switch? As long as you can mount the dead system as a (possibly
> > ro) filesystem, I don't see why not.
> >
> > Dave
> >
> > chkrootkit --help
> > Usage: /usr/lib/chkrootkit-0.47/chkrootkit [options] [test ...]
> > Options:
> >         -h                show this help and exit
> >         -V                show version information and exit
> >         -l                show available tests and exit
> >         -d                debug
> >         -q                quiet mode
> >         -x                expert mode
> >         -r dir            use dir as the root directory
> >         -p dir1:dir2:dirN path for the external commands used by chkrootkit
> >         -n                skip NFS mounted dirs
>

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer                rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
-                      When in doubt, mumble.                        -
----------------------------------------------------------------------
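The offline scan Dave describes (mount the snapshot read-only, then point chkrootkit at it with -r), written out as a small POSIX sh script. This is an added example, not code from the thread or from the chkrootkit project. It goes slightly beyond the thread in two ways: it refuses to scan unless the mount really is read-only (so the snapshot stays untouched as evidence), and it uses the -p option from the help text above to make chkrootkit run its helper commands (ls, strings, netstat and so on) from a directory of known-good binaries on the analysis host rather than from the suspect image. The image path, mount point and trusted-tools directory are placeholders passed as arguments; the mounts table used in the read-only check is a constructed sample in the test, and /proc/self/mounts on a real host.

```shell
#!/bin/sh
# Added example (not from the thread): offline rootkit check of a VM
# snapshot with "chkrootkit -r". Placeholders: IMAGE is a raw partition
# image of the guest root filesystem, MNT an empty directory, TRUSTED_BIN
# a directory of known-good copies of the tools chkrootkit calls.

# Mount options for a suspect image: "ro" keeps the snapshot unmodified,
# "noexec,nodev,nosuid" keep anything inside it from running or acting
# as a device node on the analysis host.
suspect_mount_opts() {
    printf '%s' 'ro,loop,noexec,nodev,nosuid'
}

# Build the chkrootkit invocation. -r treats the mounted image as the root
# directory; -p makes the external commands come from TRUSTED_BIN, because
# the image's own binaries are exactly what a rootkit would have replaced.
build_chkrootkit_cmd() {
    printf 'chkrootkit -r %s -p %s' "$1" "$2"
}

# Return 0 only if the given mount point appears in the mounts table with
# the "ro" option. Field 2 is the mount point, field 4 the option list.
# The table path is a parameter so the check can be run against a
# constructed file instead of the live /proc/self/mounts.
is_readonly_mount() {
    mnt="$1"
    table="${2:-/proc/self/mounts}"
    awk -v m="$mnt" '
        $2 == m {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
        }
        END { exit found ? 0 : 1 }' "$table"
}

# The whole procedure: mount read-only, verify, scan, unmount.
# Returns chkrootkit's exit status, or 1 if the mount is not acceptable.
scan_snapshot() {
    image="$1"; mnt="$2"; trusted="$3"
    mount -o "$(suspect_mount_opts)" "$image" "$mnt" || return 1
    if ! is_readonly_mount "$mnt"; then
        echo "refusing to scan: $mnt is not mounted read-only" >&2
        umount "$mnt"
        return 1
    fi
    # The command string only contains the two paths given above, so
    # plain word splitting is enough here.
    $(build_chkrootkit_cmd "$mnt" "$trusted")
    rc=$?
    umount "$mnt"
    return $rc
}

# Run the real procedure only when invoked as: script IMAGE MNT TRUSTED_BIN
if [ "$#" -eq 3 ]; then
    scan_snapshot "$1" "$2" "$3"
fi
```

Mounting the image needs root on the analysis host; everything else in the script is unprivileged. If the snapshot is a whole-disk image rather than a single partition, the loop device has to be set up with a partition offset (or a partition-aware loop device) before the mount line applies.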