On 22 Sep 2003, Jason Dixon wrote:

> On Mon, 2003-09-22 at 20:28, Benjamin J. Weiss wrote:
> >
> > I'd say don't download and compile chkrootkit. Instead, download the
> > knoppix security tools distribution (http://www.knoppix-std.org/), burn it
> > to a CD, then boot from it and *then* run chkrootkit, which is on the CD.
> > This way you will *ABSOLUTELY KNOW* that you are running a safe version of
> > chkrootkit that will tell you whether or not you've been compromised.
> >
> > It takes a bit longer to download, but you'll always have it in your
> > toolkit, and it makes for great peace of mind.
>
> Uh, how are you suggesting that downloading chkrootkit from a
> third-party source is any safer than from the developer source? This is why
> you verify the md5 checksum.
Um...Jason...the CERT training that I went to stated (though I have not
verified it externally) that it is still possible to fool chkrootkit if you
are running it in a "compromised environment". We were taught that the best
way to go is to run it from a "clean" medium, such as knoppix, to ensure that
none of the binaries or LKMs are spoofing you.

I know, you specifically stated that you should use good binaries...but this
is easier and (AFAIK) foolproof...

Ben

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
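The two points in the thread (Jason: verify the checksum of what you download; Ben: a trojaned host can lie to any tool you run on it, so do the checking from clean media) fit together as one procedure: boot the live CD, mount the suspect disk read-only, and compare the on-disk binaries against known-good copies using the live CD's own hashing tool. The shell script below is an added example written for this page, not code from either poster, from chkrootkit or from Knoppix-STD. It uses sha256sum rather than md5sum (md5 collisions are cheap today; the mechanics are identical), and the directory layout, file contents and the expected hash in the demo are constructed for illustration; a real run would point CLEAN at the live CD's copy or a verified package payload and SUSPECT at the mounted host filesystem.

```shell
#!/bin/sh
# Added example for the redhat-list thread above; not from the original posts.
# Requires GNU coreutils (sha256sum, mktemp) as found on a Linux live CD.
set -u

# Jason's point: check a downloaded file against a checksum obtained from a
# source you trust (the project's signed release page, not the same mirror).
# Returns 0 if the file's SHA-256 matches EXPECTED, 1 otherwise.
verify_checksum() {
    file=$1 expected=$2
    got=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$got" = "$expected" ]
}

# Ben's point: on a compromised host even sha256sum/ls/find can be trojaned,
# so the manifest and the comparison run from clean media.  Hash every regular
# file under $1; paths are printed relative to $1 so two trees compare directly.
make_manifest() {
    dir=$1
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "${f#./}"
    done )
}

# Compare a known-good tree (CLEAN) against the mounted suspect tree (SUSPECT).
# Prints one line per finding: MISSING (file absent on suspect side) or
# MODIFIED (hash differs, e.g. a rootkit's replacement ps/ls/netstat).
# Returns 0 when everything matched, 1 when anything was reported.
compare_trees() {
    clean=$1 suspect=$2
    out=$(make_manifest "$clean" | while read -r sum path; do
        if [ ! -f "$suspect/$path" ]; then
            printf 'MISSING  %s\n' "$path"
        else
            got=$(sha256sum "$suspect/$path" | cut -d' ' -f1)
            [ "$got" = "$sum" ] || printf 'MODIFIED %s\n' "$path"
        fi
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo: a "clean" tree with three binaries and a "suspect" tree
# where ps has been replaced and netstat removed.  Contents are dummy text,
# not real executables.  Prints the findings and always exits 0.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/bin" "$tmp/suspect/bin"
    for b in ls ps netstat; do
        printf 'genuine %s\n' "$b" > "$tmp/clean/bin/$b"
        printf 'genuine %s\n' "$b" > "$tmp/suspect/bin/$b"
    done
    printf 'trojaned ps that hides the attacker\n' > "$tmp/suspect/bin/ps"
    rm -f "$tmp/suspect/bin/netstat"
    out=$(compare_trees "$tmp/clean" "$tmp/suspect") || :
    rm -rf "$tmp"
    printf '%s\n' "$out"
}

# Constructed download-check demo: a file containing "hello\n" has a known
# SHA-256 (assumed here as the value published by a trusted source).
demo_verify() {
    f=$(mktemp)
    printf 'hello\n' > "$f"
    verify_checksum "$f" \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    rc=$?
    rm -f "$f"
    return $rc
}
```

Run `demo` from the live CD's shell and every MODIFIED or MISSING line is a file the running host could not have been trusted to report on itself, which is exactly the case chkrootkit (or any checker) cannot handle when it is executed on the compromised system. The same comparison is only meaningful if CLEAN itself was verified first, which is where `verify_checksum` and the project's published checksum (ideally a signed one) come in.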