On Sunday 16 July 2006 21:36, Hemmann, Volker Armin wrote:
> oh, and read this:
> http://www.chkrootkit.org/faq/

Interesting ...

How accurate is chkproc?
If you run chkproc on a server that runs lots of short time processes it could report some false positives. chkproc compares the ps output with the /proc contents. If processes are created/killed during this operation chkproc could point out these PIDs as suspicious.

"no, if you chroot, the binaries from the chroot are used. use chkrootkit without chrooting - best with full path (/usr/sbin/chkrootkit)"

The problem is if I do not chroot chkrootkit will scan the knoppix CD - tried it :). It needs to access the live proc etc on a running system.

Dave
--
[email protected] mailing list
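Added example (not part of the original message and not chkrootkit's own code): a simplified model of the ps-versus-/proc comparison described in the FAQ excerpt, repeated over several passes so that short-lived processes caught in the race drop out. It assumes "suspicious" means a PID present in /proc but absent from the ps output; the function names and sample PIDs are constructed for illustration.

```python
import os
import subprocess
import time


def proc_pids(proc_root="/proc"):
    """PIDs that appear as numeric directories under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def ps_pids():
    """PIDs that ps reports (`ps -e -o pid=` prints one PID per line)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def flagged(ps_view, proc_view):
    """One pass: PIDs present in /proc but missing from the ps output."""
    return proc_view - ps_view


def stable_suspects(snapshots):
    """Keep only PIDs flagged in every (ps_view, proc_view) snapshot.

    A process that started between the ps run and the /proc listing is
    flagged in one pass only, so it is dropped here.
    """
    passes = [flagged(ps_view, proc_view) for ps_view, proc_view in snapshots]
    return set.intersection(*passes) if passes else set()


# Constructed sample data (not from a real host): PID 9001 is missing from
# ps in every pass; 4242 and 5150 are short-lived processes caught mid-race.
CONSTRUCTED_SNAPSHOTS = [
    ({1, 200, 300}, {1, 200, 300, 4242, 9001}),
    ({1, 200, 300}, {1, 200, 300, 9001}),
    ({1, 200, 300, 310}, {1, 200, 300, 310, 5150, 9001}),
]

if __name__ == "__main__":
    print("constructed sample:", sorted(stable_suspects(CONSTRUCTED_SNAPSHOTS)))
    live = []
    for _ in range(3):
        ps_view = ps_pids()  # ps first, /proc second: the window the FAQ describes
        live.append((ps_view, proc_pids()))
        time.sleep(1)
    print("live host:", sorted(stable_suspects(live)))
```

A PID that survives every pass still needs manual inspection, since PID reuse on a busy server can make two different short-lived processes look like one persistent one.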

