>> Don't forget that much of the point to a rootkit is that the tools
>> that you would use to diagnose your system have been altered to help
>> hide to rootkit. There might be processes and connections that your
>> tools aren't showing you.
>
> Hmm. What can I use to find out if there's something untoward going
> on? I can wait until the network _should_ be idle, kill all daemons
> netstat lists, and then see what the router says is happening.
>
There are tools (chkroot??) that can detect some known rootkits. You
could also copy-in some known-good binaries (top, ps) from another
machine, and run those. Of course, if the rootkit hid itself by changing
/proc instead of changing the tools, that wouldn't help. I've never had
to deal with this before, anyone else?
--ronan
-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:01:21 EDT