Rootkit
Rick Stevens
rstevens at internap.com
Tue Oct 23 21:37:34 UTC 2007
On Tue, 2007-10-23 at 23:16 +0200, Jordi Prats wrote:
> But it does check for some listening ports. There is not a better tool
> for that?
The best tool for that is nmap (or for the GUI users, nmap-fe).
>
> Maybe a combination of chkrootkit -d with some AV? Any recomendation?
>
> Thanks,
> Jordi
>
> Dave Burns wrote:
> > On 10/22/07, Jordi Prats <jprats at cesca.es> wrote:
> >> About this discussion, chkrootkit are for live systems, isn't it?
> >> There's any tool to do rootkit analysis on a "dead" system?
> >>
> >> I'm thinking of check for rootkits on snapshots of the file system of a
> >> virtual machine to determine if the running virtual machine is compromised.
> >>
> >
> > Use -r switch? As long as you can mount the dead system as a (possbily
> > ro) filesystem, I don't see why not.
> >
> > Dave
> >
> > chkrootkit --help
> > Usage: /usr/lib/chkrootkit-0.47/chkrootkit [options] [test ...]
> > Options:
> > -h show this help and exit
> > -V show version information and exit
> > -l show available tests and exit
> > -d debug
> > -q quiet mode
> > -x expert mode
> > -r dir use dir as the root directory
> > -p dir1:dir2:dirN path for the external commands used by chkrootkit
> > -n skip NFS mounted dirs
> >
>
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- When in doubt, mumble. -
----------------------------------------------------------------------
More information about the users
mailing list