[NTLUG:Discuss] Understanding rootkits writeup
    Thomas Cameron 
    thomas.cameron at camerontech.com
       
    Thu Aug 14 14:50:22 CDT 2003
    
    
  
On Thu, 2003-08-14 at 10:31, Kenneth Loafman wrote:
> 
> Thanks for the URL.  I got hit by a rootkit many months ago (4 days out 
> of date on an SSH patch) and the only way I discovered it was that 'ps 
> -ef' started returning the wrong info, more like 'ps aux' than anything 
> else.  That got me to looking and I found it.  What a wakeup call!
> 
> Looks like even that won't work with the newer kits.  From what I read, 
> the kit will not change any outward appearance with its presence.  I 
> guess I'll need to spend some time looking at IDS and everything else.
> 
> ...Ken
tripwire is your friend.  I use it religiously on all my servers and I
*know* when something changes or is added to my machines.  Either it
shows up in the daily tripwire report, or the tripwire report is hosed
up.  Either way, time to take the box down and check it out.
TC
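The baseline-then-compare routine Thomas is relying on, as an added example written for this page (it is not Tripwire's own code and does not reproduce Tripwire's database format). It snapshots content hashes and ownership/permission metadata for every file under a directory, keys the stored baseline with an HMAC so that a baseline that has been edited to hide a change is rejected rather than trusted (the "report is hosed" case), and then reports files that were added, removed or altered. The directory tree, the trojaned `ps`, the dropped `sniff` file and the HMAC key are all constructed for the demonstration; a real deployment keeps the key and the baseline off the monitored host.

```python
"""File-integrity baseline/compare in the spirit of Tripwire (example code)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Constructed key for the example only; keep a real key off the monitored box.
BASELINE_KEY = b"example-baseline-key-not-for-production"


def _file_record(path: Path) -> dict:
    """Content hash plus the metadata a kit install typically disturbs."""
    st = path.lstat()
    h = hashlib.sha256()
    if path.is_file() and not path.is_symlink():
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": st.st_mode,
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def snapshot(root: Path) -> dict:
    """Walk root and record every file, keyed by path relative to root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            records[str(p.relative_to(root))] = _file_record(p)
    return records


def write_baseline(root: Path, out: Path, key: bytes = BASELINE_KEY) -> None:
    """Store the snapshot together with an HMAC over its serialized form."""
    payload = json.dumps(snapshot(root), sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    out.write_text(json.dumps({"tag": tag, "payload": payload}))


def load_baseline(path: Path, key: bytes = BASELINE_KEY) -> dict:
    """Refuse a baseline whose HMAC does not verify: that is itself a finding."""
    doc = json.loads(path.read_text())
    expected = hmac.new(key, doc["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("baseline integrity check failed; treat the host as suspect")
    return json.loads(doc["payload"])


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed paths and, for changed paths, which attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed scenario: baseline a tree, swap a binary, drop a file, then
    tamper with the baseline to cover it up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        root.mkdir()
        (root / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        baseline_file = Path(tmp) / "baseline.json"
        write_baseline(root, baseline_file)

        # Same size as the original, so a size-only check would miss it.
        (root / "ps").write_bytes(b"#!/bin/sh\necho trojaned ps\n")
        (root / "sniff").write_bytes(b"#!/bin/sh\necho hidden tool\n")
        report = compare(load_baseline(baseline_file), snapshot(root))

        # Rewrite the stored snapshot to match the altered tree, leaving the
        # old tag in place; the next load must refuse it.
        doc = json.loads(baseline_file.read_text())
        doc["payload"] = json.dumps(snapshot(root), sort_keys=True)
        baseline_file.write_text(json.dumps(doc))
        try:
            load_baseline(baseline_file)
            tampered = False
        except ValueError:
            tampered = True
        return {"report": report, "baseline_tamper_detected": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The daily-report habit in the message is the point: the comparison is only as good as the baseline it runs against, so the baseline is signed and the verifier refuses to produce a report from one that no longer verifies, instead of quietly printing "no changes".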