On Fri, 01 Apr 2011 19:41:24 +0200 Yago Jesus <yjesus@security-projects.com> wrote:
>I think this could be interesting for the list:
>
>http://www.astalavista.com/files/file/15864-ncom-libcall-hijacking-rootkit/
>
Thanks Yago. There's another reference to "/lib/libncom.so.4.0.1" on stackoverflow.com.

BTW the ncom.txt author was wrong, as about 8 years ago the ld.so.preload rootkit already did hide processes by subverting /etc/ld.so.preload with "libshow.so". I do like the fact he says "If a process is running and being hidden, however, unhide detects it perfectly". While RKH does check preloading, running a separate file integrity checker (Samhain, Aide or even tripwire) is always good IMO (second opinion).

Regards, unSpawn
---

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
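A second-opinion check of the kind the message above recommends, as an added example that is not part of the original post or of rkhunter: it parses ld.so.preload content and compares each listed library with a baseline of SHA-256 hashes. The function names and the baseline dictionary are assumptions made for this illustration.

```python
import hashlib
import re
from pathlib import Path

def parse_preload(text):
    """Return the library paths listed in ld.so.preload content.

    glibc starts a comment at '#' and splits entries on whitespace or ':'.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries += [e for e in re.split(r"[\s:]+", line) if e]
    return entries

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_preload(text, baseline):
    """Compare preload entries with a baseline {path: sha256}.

    The baseline is assumed to have been recorded on a known-good system.
    Returns (path, verdict) tuples; an empty list means nothing to report.
    """
    findings = []
    for path in parse_preload(text):
        if path not in baseline:
            findings.append((path, "not in baseline"))
        elif not Path(path).is_file():
            findings.append((path, "listed but missing on disk"))
        elif sha256_file(path) != baseline[path]:
            findings.append((path, "hash differs from baseline"))
    return findings

if __name__ == "__main__":
    preload = Path("/etc/ld.so.preload")
    # Empty baseline (assumption): the system is expected to have no preload
    # entries, so every entry found is reported for review.
    text = preload.read_text() if preload.is_file() else ""
    for path, verdict in audit_preload(text, baseline={}):
        print(f"{path}: {verdict}")
```

On a host where a preload library is already active, these reads pass through the hooked libc, so run the check against a mounted disk image or from trusted boot media.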