AW: strange connection on port 111.. more question

From: Stefan Osterlitz (ostrlitz@blox.de)
Date: 08/17/01


From: "Stefan Osterlitz" <ostrlitz@blox.de>
To: <focus-linux@securityfocus.com>
Subject: AW: strange connection on port 111.. more question
Date: Fri, 17 Aug 2001 15:55:52 +0200
Message-ID: <C5FEADB4FB3EE543959CE43DEE2ABE4E35FC@trendserver.blox.blox.ag>


> : You can _never_ find out if the box is cracked within the
> environment that

You might even try comparing the output of two processes in
near-to-real time.
If you mount your reference tools (including the comparison routine)
from read-only media, you can check this with most of the tools
included in standard rootkits.
Might be one neat addition to tripwire et al.

If you do lsmod once from disk and once from cd-rom, you could even
detect module rootkits, right?
(Unless they patched the kernel, but we can fix that too, da?)

Stefan Osterlitz
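
The comparison described in the message above, sketched as an added example (not part of the original post): run the on-disk lsmod and a known-good copy from read-only media, and report module names that appear in only one view. The two demo_* functions are constructed stand-ins for the real binaries and their module names are made up. Both tools query the same running kernel, so this only catches a replaced userland binary.

```shell
#!/bin/sh
# Added example: cross-view check of an lsmod-style tool (disk copy vs. trusted copy).
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# names TOOL: module names (column 1) reported by TOOL, header line skipped.
names() {
    "$1" 2>/dev/null | awk 'NR > 1 && NF { print $1 }' | sort -u
}

# one_pass DISK_TOOL TRUSTED_TOOL: tagged differences between the two views.
one_pass() {
    d=$(mktemp -d) || return 2
    names "$1" > "$d/disk"
    names "$2" > "$d/trusted"
    comm -13 "$d/disk" "$d/trusted" | sed 's/^/missing-from-disk-view /'
    comm -23 "$d/disk" "$d/trusted" | sed 's/^/missing-from-trusted-view /'
    rm -rf "$d"
}

# cross_view DISK_TOOL TRUSTED_TOOL: keep only differences seen in two
# consecutive passes, so a module loaded between the two runs of a single
# pass is not reported as hidden.
cross_view() {
    p=$(mktemp -d) || return 2
    one_pass "$1" "$2" | sort > "$p/a"
    one_pass "$1" "$2" | sort > "$p/b"
    comm -12 "$p/a" "$p/b"
    rm -rf "$p"
}

# Constructed stand-ins for the two binaries. In real use, pass the path of
# the on-disk lsmod and the path of the copy on the read-only mount instead
# (both paths are site-specific assumptions).
demo_disk_lsmod() {
    printf 'Module Size Used by\next3 60000 2\nip_tables 11000 1\n'
}
demo_trusted_lsmod() {
    printf 'Module Size Used by\next3 60000 2\nexample_hidden 4000 0\nip_tables 11000 1\n'
}

cross_view demo_disk_lsmod demo_trusted_lsmod
```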