On Mon, 2003-09-22 at 20:42, Benjamin J. Weiss wrote:
> On 22 Sep 2003, Jason Dixon wrote:
>
> > On Mon, 2003-09-22 at 20:28, Benjamin J. Weiss wrote:
> >
> > > I'd say don't download and compile chkrootkit. Instead, download the
> > > Knoppix security tools distribution (http://www.knoppix-std.org/), burn it
> > > to a CD, then boot from it and *then* run chkrootkit, which is on the CD.
> > > This way you will *ABSOLUTELY KNOW* that you are running a safe version of
> > > chkrootkit that will tell you whether or not you've been compromised.
> > >
> > > It takes a bit longer to download, but you'll always have it in your
> > > toolkit, and it makes for great peace of mind.
> >
> > Uh, how are you suggesting that downloading chkrootkit from a
> > third-party source is any safer than the developer source? This is why
> > you verify the md5 checksum.
>
> Um... Jason... the CERT training that I went to stated (though I have not
> verified it externally) that it is still possible to fool chkrootkit if
> you are running it in a "compromised environment". We were taught that
> the best way to go is to run it from a "clean" medium, such as Knoppix, to
> ensure that any of the binaries or LKMs aren't spoofing you.
>
> I know, you specifically stated that you should use good binaries... but
> this is easier and (AFAIK) foolproof...
I'm happy that your CERT training prepared you for small/home-office
operations. However, many of us work and exist in environments where
carrying around a CD doesn't scale. My suggestion can be quickly and
easily performed on remote systems.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
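The checksum step Jason refers to, written out as a small POSIX shell function. This is an added example and not code from either poster or from the chkrootkit project; the sample file, the hashes and the `CHECKSUM_TOOL` variable are assumptions made for the illustration. It also makes the caveat from Benjamin's side of the thread concrete: the digest is only as trustworthy as the checksum tool that computed it and the reference value you compare against, so the function lets you point it at a hashing binary on media you trust (for instance a mounted read-only CD) rather than whatever `md5sum` happens to be first in the PATH of a host you suspect.

```shell
#!/bin/sh
# Added example: verify a downloaded tarball against a reference digest obtained
# out of band (vendor web page, signed announcement) BEFORE compiling it.
#
# CHECKSUM_TOOL (assumed name) lets the caller supply a trusted hashing binary,
# e.g. CHECKSUM_TOOL=/mnt/cdrom/bin/md5sum on a host whose own binaries are
# suspect. When unset, the tool is looked up in PATH like any other command.

# verify_checksum FILE EXPECTED [ALGO]
#   ALGO is md5 (default) or sha256.
#   Returns 0 when FILE's digest equals EXPECTED, 1 on mismatch, 2 on usage error.
verify_checksum() {
    file="$1"
    expected="$2"
    algo="${3:-md5}"

    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    case "$algo" in
        md5)    tool="${CHECKSUM_TOOL:-md5sum}" ;;
        sha256) tool="${CHECKSUM_TOOL:-sha256sum}" ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac

    # Both md5sum and sha256sum print "<hex>  <file>"; keep only the hex field.
    actual=$("$tool" "$file" | cut -d' ' -f1)

    # Normalise case so a reference digest copied in upper case still matches.
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')

    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# Stand-alone demonstration on a constructed file (not a real chkrootkit tarball).
# The reference digests below are those of the six bytes "hello\n".
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
if verify_checksum "$demo_file" b1946ac92492d2347c6235b4d2611184 md5; then
    echo "md5 OK: safe to unpack and build"
fi
if verify_checksum "$demo_file" 0000000000000000000000000000000000000000000000000000000000000000 sha256; then
    echo "this line should not print"
else
    echo "sha256 mismatch detected: do not build from this download"
fi
rm -f "$demo_file"
```

Note what the function cannot do: if the host is already rooted, an attacker who controls `md5sum`, the C library or the kernel can make any file hash to whatever you expect, which is exactly Benjamin's objection. Supplying `CHECKSUM_TOOL` from clean media narrows that gap but does not close it while the suspect kernel is still running, so for a host you genuinely distrust the two approaches in the thread complement rather than replace each other.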