On Fri, 01 Apr 2011 19:41:24 +0200 Yago Jesus <yjesus@security-projects.com> wrote:
>I think this could be interesting for the list:
>
>http://www.astalavista.com/files/file/15864-ncom-libcall-hijacking-rootkit/
>

Thanks Yago. There's another reference to "/lib/libncom.so.4.0.1"
on stackoverflow.com. BTW the ncom.txt author was wrong, as about 8
years ago the ld.so.preload rootkit already did hide processes by
subverting /etc/ld.so.preload with "libshow.so". I do like the fact
he says "If a process is running and being hidden, however, unhide
detects it perfectly". While RKH does check preloading, running a
separate file integrity checker (Samhain, Aide or even Tripwire) is
always good IMO (second opinion).


Regards,
unSpawn
---
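An added example, not part of the original message and not RKH, Samhain, Aide or Tripwire code: a minimal "second opinion" check that lists every library named in an ld.so.preload-style file and compares it against a known-good SHA-256 baseline. The function names, the status labels and the sample files built in `demo()` are assumptions made for illustration; entries are treated here as separated by whitespace or colons, with `#` starting a comment.

```python
import hashlib
import os
import re
import tempfile

def parse_preload(text):
    """Return the library paths listed in ld.so.preload-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]                  # drop trailing comments
        entries += [e for e in re.split(r"[\s:]+", line) if e]
    return entries

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def status_of(lib, baseline):
    """Classify one preload entry against the baseline {path: sha256}."""
    if lib not in baseline:
        return "UNEXPECTED"                           # preloaded but never approved
    if not os.path.isfile(lib):
        return "MISSING"
    return "OK" if sha256_file(lib) == baseline[lib] else "MODIFIED"

def audit_preload(preload_path, baseline):
    """Return [(library, status)] for every entry in the preload file."""
    if not os.path.exists(preload_path):
        return []                                     # no preload file, nothing is forced in
    with open(preload_path, encoding="utf-8", errors="replace") as fh:
        return [(lib, status_of(lib, baseline)) for lib in parse_preload(fh.read())]

def demo():
    """Constructed sample: one baselined library, one altered later, one unknown."""
    d = tempfile.mkdtemp()
    good, changed, rogue = (os.path.join(d, n)
                            for n in ("libgood.so", "libchanged.so", "libshow.so"))
    for p in (good, changed, rogue):
        with open(p, "wb") as fh:
            fh.write(os.path.basename(p).encode())    # placeholder content, not real ELF
    baseline = {good: sha256_file(good), changed: sha256_file(changed)}
    with open(changed, "ab") as fh:
        fh.write(b"altered after baseline")
    preload = os.path.join(d, "ld.so.preload")
    with open(preload, "w") as fh:
        fh.write(f"# constructed sample\n{good} {changed}\n{rogue}\n")
    return [(os.path.basename(p), s) for p, s in audit_preload(preload, baseline)]

if __name__ == "__main__":
    print(demo())
```

On a real host the baseline would be recorded while the system is known to be clean and stored off-box, and the check run against /etc/ld.so.preload.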


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users