On Monday 17 July 2006 21:35, Hans-Werner Hilse wrote:
> Hi,
>
> On Mon, 17 Jul 2006 19:36:30 +0100
> Dave S <[EMAIL PROTECTED]> wrote:
> > How accurate is chkproc?
> > If you run chkproc on a server that runs lots of short time processes it
> > could report some false positives. chkproc compares the ps output with
> > the /proc contents. If processes are created/killed during this operation
> > chkproc could point out these PIDs as suspicious.
> >
> > That fits in with the fact that chkrootkit & rkhunter now report clean (&
> > also fits in with someone tinkering from the inside !)
>
> The problem I see here is that you can't expect chkrootkit to find
> something when scanning from a clean base (Live-CD) when the only hint
> you had was an alert from chkproc. You probably would have gotten the
> alert from chkrootkit in the first place. chkproc inspects the
> currently running system (and the /proc for the currently running
> kernel). I.e. if it has no signature for the rootkit itself, it can't
> find it again from that "clean" kernel.
>
> Do you have the possibility to monitor internet connections on an
> intermediary gateway? I think monitoring it for a few days would give
> you a better hint if there might be something active.
>
> And there are other things to think about. Do you have a webserver
> running?

Nope

> CGI scripts?

Nope

> PHP applications?

Nope

> Do you have other network reachable services?

Nope, none outside of my LAN

> Were you running a firewall?

Yep - a netgear router firewall, NAT & state aware

> The past kernel bugs had very early exploit scripts. It is really a
> no-brainer to insert a rootkit if something lets you, say, write a
> script to /tmp and call it by exploitable buffer overflows, badly
> written CGI...
>
> And remember that there's (nearly) no possibility for a positive proof
> of the non-existence of a root kit.

I am now seriously considering installing tripwire. To be sure of a clean tripwire database I know it means a clean install ... gulp ...

> -hwh

--
gentoo-user@gentoo.org mailing list
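As an added example (not code from this thread or from chkrootkit itself), the script below models the check Hans-Werner describes: it takes the PID list from `ps` and from `/proc`, diffs them, and repeats the comparison after a short delay so that PIDs which appear in only one scan, the short-lived processes he says cause false positives, are dropped. The function names, the `ps -eo pid=` invocation and the re-scan delay are my own assumptions.

```python
import os
import subprocess
import time


def proc_pids():
    """PIDs visible as numeric directory names under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs as reported by ps (procps `-o pid=` prints bare PIDs, no header)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def suspicious_pids(from_ps, from_proc):
    """One pass of the chkproc-style comparison: anything the two views
    disagree on. A process hidden from ps shows up in 'in_proc_not_ps'."""
    return {
        "in_proc_not_ps": from_proc - from_ps,
        "in_ps_not_proc": from_ps - from_proc,
    }


def persistent_suspects(first, second):
    """Keep only PIDs flagged in both passes. A process that was created or
    exited between the ps and /proc reads is flagged once at most, so this
    removes the race-induced false positives described in the thread."""
    return {key: first[key] & second[key] for key in first}


def scan(delay=0.5):
    """Run the comparison twice, `delay` seconds apart, on the live system."""
    first = suspicious_pids(ps_pids(), proc_pids())
    time.sleep(delay)
    second = suspicious_pids(ps_pids(), proc_pids())
    return persistent_suspects(first, second)


if __name__ == "__main__":
    result = scan()
    for key, pids in result.items():
        print(f"{key}: {sorted(pids) or 'none'}")
```

A PID that survives both passes still only means the two views disagree; as the thread notes, a rootkit that hides a process from both `ps` and the `/proc` listing will not be caught by this comparison.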