[SOLVED] Some tips on chrootkit, please

Thor_2.0 · 03-08-2011, 01:56 PM

Hi,

First off: wellness to all. It's been a while since I was here last, so it is a "comming home"...

Okay. The "it" is out there, and to keep it out THERE, some tools are needed. One of these is chrootkit.
Anyone with some experience here? Is it any good? I use Arch Linux behind a private router. There is a fire wall and yes, I have f-prot installed and let it loose on the drive from time to time.
But then there are the rootkits. Is Chrootkit any good in the fight against rootkits?

Thank you for some light inthe dark.

Thor

impert · 03-08-2011, 03:50 PM

It's actually chkrootkit with a 'k'. Your question prompted me to run it - haven't done so for a while. As usual, it found nothing, which is great.
Sounds as though you've got good security, but I can't see what harm it can do to run it from time to time; but as I say, it's never found anything on my box.

Thor_2.0 · 03-08-2011, 09:32 PM

Hey there impert!

Thanks for the reassuring reply...I may (indeed) have misspelled something, but I suspect you know what this is about.
My question stems from the changelog...

Snippet (look at the date of the last entry)

Quote:

Minor bug fixes.
09/30/2009 - Version 0.49 new tests: Mac OS X OSX.RSPlug.A. Enhanced
tests: suspicious sniffer logs, suspicious
PHP files, shell history file anomalies.
Bug fixes in chkdirs.c, chkproc.c and
chkutmp.c.

That seems as if development froze in time somewhere...or am I mistaken... :/

By the way, it's not in the Arch repo...dunnow about the others...

Thor

impert · 03-09-2011, 04:57 PM

I can't comment on the snippet you posted. Maybe there's not been a lot of activity on the part of the black hats, either.
There's also rkhunter if you're interested. Don't know if it's on the Arch repo.

Thor_2.0 · 03-09-2011, 09:25 PM

Hi impert,
None of these are in the repo, though I do recall chrootkit being in there...the fact it's not (anymore) makes me uneasy as to the future of chrootkit.
Maybe I'll have to look outside the repo, for this once...

Thanks!

Thor

Thor_2.0 · 03-11-2011, 01:33 AM

Tap me on the head (gently, my second most precious piece of anatomy is in there

) but I found..

chKrootkit

...I misspelled the name, found it in the repo, installed it and let it loose on my system, result: clean bill of health.

Thanks to all

Thor

repo · 03-12-2011, 05:05 AM

You could try rkhunter, the latest version is from 2010/11/17
The updates of the datafiles are still regular.
http://rkhunter.sourceforge.net/

Kind regards

Thor_2.0 · 03-12-2011, 05:27 AM

Tnx repo, it could not hurt (it seems) to have two of these on the system. I'll sniff it out!

Thor