Re: ?hack cause?

From: Reg Quinton (reggers@ist.uwaterloo.ca)
Date: 03/27/02


From: "Reg Quinton" <reggers@ist.uwaterloo.ca>
To: "Mike P" <mike@phasa.org>, <focus-sun@securityfocus.com>
Date: Wed, 27 Mar 2002 10:14:20 -0500


> I would search for root kits first. Try
> http://www.chkrootkit.org/. Hopefully, you run tripwire
> or something like it.

On Solaris the "pkgchk" command (vendor provided) will tell
you about vendor files that have changed. It's not as robust
as tripwire (as it uses very weak CRC checksums) but it is
better than nothing and often will catch root kits.

There's also a nice vendor tool documented at:

http://www.sun.com/blueprints/0501/Fingerprint.pdf

that you can use to check stronger checksums.

Neither is as fancy as tripwire; both will help.
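
Added example, not part of the original message and not vendor code: a small shell filter that triages a pkgchk report so that files whose contents changed (size or cksum mismatch) stand apart from attribute-only differences; those are the files worth rechecking with the stronger checksums mentioned above. The report layout ("ERROR: <path>" followed by indented detail lines) is assumed from typical pkgchk output, and the sample report, including its paths and numbers, is constructed.

```shell
#!/bin/sh
# Classify each path in a pkgchk-style report read from stdin:
#   CONTENT  size or cksum differs (the file's bytes changed)
#   MISSING  pathname does not exist
#   ATTR     only permissions, owner, group or modtime differ
# Report layout is an assumption; adjust the patterns if your output differs.
triage_pkgchk() {
    awk '
        function emit(   kind) {
            if (path == "") return
            kind = "ATTR"
            if (missing) kind = "MISSING"
            if (content) kind = "CONTENT"   # content change outranks the rest
            print kind, path
        }
        /^ERROR: / { emit(); path = substr($0, 8); content = 0; missing = 0; next }
        /file size <|file cksum </ { content = 1 }
        /pathname does not exist/  { missing = 1 }
        END { emit() }
    '
}

# Constructed sample report (not captured from a real system).
sample_report() {
    cat <<'EOF'
ERROR: /usr/bin/login
    file size <29292> expected <31540> actual
    file cksum <41873> expected <10922> actual
ERROR: /usr/bin/ps
    modtime <01/05/00 09:41:32 PM> expected <03/20/02 02:11:07 AM> actual
    file cksum <1833> expected <60211> actual
ERROR: /etc/default/login
    permissions <0444> expected <0644> actual
ERROR: /usr/lib/libfoo.so.1
    pathname does not exist
EOF
}

# On a Solaris host the input would be: pkgchk 2>&1 | triage_pkgchk
sample_report | triage_pkgchk
```

A CONTENT line on a vendor binary is the case to follow up first; ATTR lines are often local hardening or admin changes.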