Re: Anti-Rootkit app
- From: Jan Münther <jan.muenther@xxxxxxxxx>
- Date: Tue, 15 Jan 2008 00:41:09 +0100
Howdy,
> If you want to verify that nobody has changed files on your system,
> you can use a tripwire-like system. Mtree(1) actually includes
> tripwire-like functionality, which I've used quite successfully in the
> past.
> I think that the latter is more realistic, but that's just my humble
> opinion.

The point really is that people expect way too much from Tripwire-style file integrity checkers. No self-respecting rootkit author nowadays writes anything that is based on replacing system binaries.
Typically, there are KLD-based rootkits, or even just ones that live in memory, which are impossible to catch with this approach. From what I recall (it's been ages since I looked into this), chkrootkit and rkhunter do some basic things to try and detect whether syscalls got hooked, but it is absolutely nothing I would rely on. As Michael has pointed out, detecting a running rootkit is hard, if not close to impossible, if you have a skilled attacker (which, granted, is rarely the case).
I'd put more stress on the preventive side of things, use MAC etc., and just generally monitor your system well, update it, and maintain it wisely - I think that's effort better spent.
Cheers,
Jan
--
Jan Muenther, CTO Security, n.runs AG
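The mtree-style workflow the thread is talking about, as an added, self-contained example (not code from the thread or from FreeBSD's mtree): take a baseline of per-file metadata plus a SHA-256 digest, store it, and later diff the live tree against it. It is written in portable Python so it runs anywhere; on FreeBSD the equivalent baseline is `mtree -c -K sha256digest -p /usr/bin > spec` and the later check is `mtree -p /usr/bin < spec`. The directory layout, file contents and the "trojaned" binary in `demo()` are all constructed for the example.

```python
"""Tripwire-style file integrity baseline and check (added example, not from the thread)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_spec(root):
    """Walk `root` and return {relative_path: attributes}, like an mtree spec."""
    spec = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so specs diff cleanly
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks planted by an attacker
            entry = {
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
            }
            if stat.S_ISLNK(st.st_mode):
                entry["type"] = "link"
                entry["target"] = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                entry["type"] = "file"
                # The digest is the check that matters: size, mode and mtime
                # are trivial for an attacker to preserve or reset.
                entry["sha256"] = sha256_file(full)
            else:
                entry["type"] = "other"
            spec[os.path.relpath(full, root)] = entry
    return spec


def save_spec(spec, path):
    with open(path, "w") as f:
        json.dump(spec, f, indent=1, sort_keys=True)


def load_spec(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report files missing from, added to, or changed in the live tree."""
    missing = sorted(set(baseline) - set(current))
    extra = sorted(set(current) - set(baseline))
    changed = []
    for p in sorted(set(baseline) & set(current)):
        keys = sorted(k for k in set(baseline[p]) | set(current[p])
                      if baseline[p].get(k) != current[p].get(k))
        if keys:
            changed.append((p, keys))
    return {"missing": missing, "extra": extra, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake /bin, then tamper with it and re-check."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("ls", b"original ls binary\n"), ("ps", b"original ps binary\n")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        spec_path = os.path.join(root, "baseline.json")
        save_spec(build_spec(os.path.join(root, "bin")), spec_path)

        # Tampering: replace ls with a same-length file (a size-only check
        # would miss it), delete ps, and drop an extra hidden file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")
        os.remove(os.path.join(root, "bin", "ps"))
        with open(os.path.join(root, "bin", ".dropped"), "wb") as f:
            f.write(b"something new\n")

        return compare(load_spec(spec_path), build_spec(os.path.join(root, "bin")))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two practical points follow directly from Jan's argument. First, the baseline file has to live somewhere the attacker cannot edit (off-host or on read-only media), or it will simply be regenerated after the binaries are swapped. Second, everything above reads files through the running kernel; a KLD or in-memory rootkit that hooks the read path can hand the checker the original bytes while executing something else, so a clean report from this kind of tool only means no on-disk binary was replaced, which is exactly the attack it is designed to catch and the one skilled attackers no longer bother with.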
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
- References:
- Anti-Rootkit app
- From: Jordi Espasa Clofent
- Re: Anti-Rootkit app
- From: Michael W. Lucas