On Wed, 2007-10-24 at 00:02 +0200, Jordi Prats wrote:
> Hi,
> I'm referring that on a dead filesystem which is the best tool to check
> if there is any rootkit.

"chkrootkit -r /path/to/dead/filesystem" will check a dead filesystem
for most of the common rootkits. It won't find all of them, however.

> I do not want to check listening ports because it would check the wrong
> machine.

You can't check for listening ports unless the system is live. In that
case, you'd use nmap--preferably from a different system or from some
unwritable media so you know you're using an uncompromised version of
nmap.

> Rick Stevens wrote:
> > On Tue, 2007-10-23 at 23:16 +0200, Jordi Prats wrote:
> >> But it does check for some listening ports. Isn't there a better tool
> >> for that?
> >
> > The best tool for that is nmap (or for the GUI users, nmap-fe).
> >
> >> Maybe a combination of chkrootkit -d with some AV? Any recommendation?
> >>
> >> Thanks,
> >> Jordi
> >>
> >> Dave Burns wrote:
> >>> On 10/22/07, Jordi Prats <jprats@xxxxxxxx> wrote:
> >>>> About this discussion, chkrootkit is for live systems, isn't it?
> >>>> Is there any tool to do rootkit analysis on a "dead" system?
> >>>>
> >>>> I'm thinking of checking for rootkits on snapshots of the file system of a
> >>>> virtual machine to determine if the running virtual machine is compromised.
> >>>>
> >>> Use -r switch? As long as you can mount the dead system as a (possibly
> >>> ro) filesystem, I don't see why not.
> >>>
> >>> Dave
> >>>
> >>> chkrootkit --help
> >>> Usage: /usr/lib/chkrootkit-0.47/chkrootkit [options] [test ...]
> >>> Options:
> >>>         -h                show this help and exit
> >>>         -V                show version information and exit
> >>>         -l                show available tests and exit
> >>>         -d                debug
> >>>         -q                quiet mode
> >>>         -x                expert mode
> >>>         -r dir            use dir as the root directory
> >>>         -p dir1:dir2:dirN path for the external commands used by chkrootkit
> >>>         -n                skip NFS mounted dirs
> >>>
> > ----------------------------------------------------------------------
> > - Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
> > - CDN Systems, Internap, Inc.                http://www.internap.com -
> > -                                                                    -
> > - When in doubt, mumble.                                             -
> > ----------------------------------------------------------------------
> >
>
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc.                http://www.internap.com -
-                                                                    -
- Grabel's Law: 2 is not equal to 3--not even for large values of 2. -
----------------------------------------------------------------------
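The offline scan the thread describes, as an added example that is not code from the thread or from chkrootkit: a POSIX shell script that mounts a VM snapshot image read-only, verifies the mount really is ro before touching it, and runs "chkrootkit -r" with "-p" pointed at trusted copies of the external tools. The image path, mountpoint and trusted-binaries directory are assumed arguments.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit itself.
# Scan a VM disk snapshot for rootkits with "chkrootkit -r" while the guest
# is offline. Assumptions: the snapshot is a raw image, chkrootkit is on the
# analysis host, and known-good copies of the external tools chkrootkit
# calls (ls, strings, ...) sit on read-only media given as the third argument.

# Succeed only if the mount table (a file in /proc/mounts format) lists
# mountpoint $1 with the "ro" option: the evidence must stay unmodified.
is_ro_mount() {
    awk -v mp="$1" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") found = 1
        }
        END { exit (found ? 0 : 1) }' "$2"
}

# Mount the image read-only with nodev/nosuid/noexec so nothing inside it
# can run, confirm the mount really is ro, scan, and unmount. Needs root.
# -r points chkrootkit at the dead filesystem; -p makes it use the trusted
# binaries rather than whatever the (possibly trojaned) guest ships.
scan_dead_fs() {   # $1 = image file, $2 = mountpoint, $3 = trusted bin dir
    mount -o ro,loop,nodev,nosuid,noexec "$1" "$2" || return 1
    if ! is_ro_mount "$2" /proc/mounts; then
        umount "$2"; return 1
    fi
    if chkrootkit -q -r "$2" -p "$3"; then rc=0; else rc=$?; fi
    umount "$2"
    return "$rc"
}

# Usage: sudo sh scan.sh --run vm-snapshot.img /mnt/snap /media/cdrom/bin
if [ "${1:-}" = "--run" ]; then
    scan_dead_fs "$2" "$3" "$4"
fi
```

chkrootkit reports findings on stdout (with -q, only suspicious items), so capture that output rather than relying on the exit status alone.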