Hello,

> I can determine when a Windows box has been owned easily.
> How do you determine if you have a KLM on your Linux box?
On both occasions, you need to shut down the computer and boot it from an alternative source (like CD-ROM with MS-DOS), then load drivers for the file system (NTFS, EXT2, ReiserFS, etc.) and then run a virus scanner. Or just relocate the suspect hard drive into another known clean machine and perform virus scanning with your favourite Windows/Unix antivirus software.

It is a fact of life that certain sophisticated Windows and Un*x root kits cannot be detected in runtime any more after they were installed. You must shut down the OS and investigate using an external standpoint, that is an alternative OS boot. (*)

Here is an article about sophisticated Windows Rootkits, they are now truly on par with their Un*x counterparts: http://www.securityfocus.com/news/2879

Sincerely: Tamas Feher.

(*) PS: It should be noted that some true server machines, like the IBM AS/400 have alternative boot path support by factory default. Un*x and Windows have a long way to go regarding reliability and security measures before they can catch IBM's monsters.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
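The "external standpoint" the post recommends is most useful when the offline scan can compare the suspect disk against something known to be good. The Python below is an added illustration, not code from the post or its author: it records a SHA-256 manifest of every regular file under a mount point and later diffs a fresh manifest against it, reporting modified, added and missing files. It assumes the suspect filesystem has been mounted read-only under a known-clean boot and that the baseline manifest was taken earlier and stored off the box; the `demo()` function stands in for both by constructing a small throwaway directory tree (all file names and contents in it are made up for the example).

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Walk a mounted tree and map each regular file (relative to the mount
    point) to its SHA-256. Symlinks are skipped so a link cannot be used to
    make the scan read something outside the tree."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root))] = sha256_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests. A running rootkit can hide files from tools on the
    live system; a scan of the unmounted disk from a clean boot sees them."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): take a baseline
    of a tiny tree, then alter one binary and drop an extra kernel module,
    and show what the offline comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib" / "modules").mkdir(parents=True)
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "lib" / "modules" / "ext2.ko").write_bytes(b"legit module")

        # Round-trip through JSON, as a real baseline kept off-box would be.
        baseline = json.loads(json.dumps(build_manifest(root)))

        # What the clean boot sees later: one changed file, one unexpected file.
        (root / "bin" / "ps").write_bytes(b"replaced ps binary")
        (root / "lib" / "modules" / "unexpected.ko").write_bytes(b"unknown")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline has to come from a trusted source (vendor package checksums or a manifest taken at install time and kept off the machine); a manifest read from the suspect disk itself proves nothing, since whoever altered the files could have updated it too.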
