[NTLUG:Discuss] Understanding rootkits writeup
Kenneth Loafman
ken at lt.com
Thu Aug 14 10:31:41 CDT 2003
David Brown wrote:
> Hey all,
>
> I found a great writeup on Detecting and Understanding rootkits by Arturo
> Alberto Busleiman over on rootprompt.org. I thought it very interesting
> and informative and figured I would share.
>
> http://www.net-security.org/dl/articles/Detecting_and_Understanding_rootkits.txt

Thanks for the URL. I got hit by a rootkit many months ago (4 days out
of date on an SSH patch) and the only way I discovered it was that 'ps
-ef' started returning the wrong info, more like 'ps aux' than anything
else. That got me to looking and I found it. What a wakeup call!

Looks like even that won't work with the newer kits. From what I read,
the kit will not change any outward appearance with its presence. I
guess I'll need to spend some time looking at IDS and everything else.

...Ken