Re: [SLUG] slowdown

From: steve szmidt (steve@szmidt.org)
Date: Thu Feb 14 2008 - 00:00:18 EST


On Wednesday 13 February 2008, ronan wrote:
> >> Don't forget that much of the point to a rootkit is that the tools
> >> that you would use to diagnose your system have been altered to help
> >> hide the rootkit. There might be processes and connections that your
> >> tools aren't showing you.
> >
> > Hmm. What can I use to find out if there's something untoward going
> > on? I can wait until the network _should_ be idle, kill all daemons
> > netstat lists, and then see what the router says is happening.
>
> There are tools (chkroot??) that can detect some known rootkits. You
> could also copy-in some known-good binaries (top, ps) from another
> machine, and run those. Of course, if the rootkit hid itself by changing
> /proc instead of changing the tools, that wouldn't help. I've never had
> to deal with this before, anyone else?
>
> --ronan

Start up in single user mode, then network without X and compare with full X
running. Once in X shut down every utility one at a time leaving a bare bones.
Plus you can always load a different window manager (like ICE) and see if it
still runs slowly.

-- 

Steve Szmidt

"They that would give up essential liberty for temporary safety deserve neither liberty nor safety." Benjamin Franklin
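Ronan's point that a rootkit may tamper either with the tools (ps, top) or with /proc itself suggests a cross-view check. The script below is an added example, not code from this thread or from any project; it assumes Linux /proc semantics and compares what ps reports, what readdir on /proc lists, and which /proc/<pid> entries answer a direct open by name, flagging PIDs that a lower-level view shows but a higher-level one does not.

```python
"""Cross-view process check: does a low-level view show PIDs that a higher one hides?"""
import os
import subprocess

def ps_view():
    """PIDs as reported by the ps binary on PATH (the view a trojaned tool controls)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def readdir_view():
    """PIDs that readdir() on /proc lists (the view a kernel-level hook can filter)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def probe_view(pid_max=None):
    """PIDs whose /proc/<pid>/status opens by name, whether or not readdir lists them.
    Threads also have /proc/<tid> entries that readdir never lists, so only
    thread-group leaders (Tgid == pid) count; otherwise every thread looks hidden."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.add(pid)
                        break
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            continue  # no such pid, or it exited while we were reading it
    return found

def hidden_pids(ps_pids, readdir_before, readdir_after, probe_pids):
    """Pure comparison of the views. Only PIDs present in both readdir snapshots
    are compared against ps, so processes that started or exited between the
    snapshots do not show up as false positives; rerun to confirm any hit."""
    stable = readdir_before & readdir_after
    return {
        "hidden_from_ps": sorted(stable - ps_pids),
        "hidden_from_readdir": sorted(probe_pids - (readdir_before | readdir_after)),
    }

if __name__ == "__main__":
    before = readdir_view()
    ps = ps_view()
    probed = probe_view()   # walks the whole pid range; takes seconds on a large pid_max
    after = readdir_view()
    print(hidden_pids(ps, before, after, probed))
```

An empty result is not a clean bill of health: a rootkit that hooks both readdir and open-by-name, as ronan notes, defeats every in-band view, which is why known-good binaries on another machine or an offline inspection remain the stronger check.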



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:01:27 EDT