Difference between revisions of "Software projects/OS/Slackware/Advanced usage/Rootkit scanners"
From Pandora Wiki
Linux-SWAT (Created page with "= What is a rootkit ? = * Check the Wikipedia definition [http://en.wikipedia.org/wiki/Rootkit here]. = How to scan them ? = * I ship two tools for this purpose: chkrootkit a...")
Linux-SWAT m (→Something to know)
(One intermediate revision by the same user not shown)
Line 7: | Line 7: | ||
= Something to know = | = Something to know = | ||
− | * It's a pretty bad idea to run a self-test on a machine, because if it's already compromised, security tools may also have been hacked. | + | * It's a pretty bad idea to run a self-test on a machine, because if it's already compromised, embedded security tools may also have been hacked. |
* The best option is to check the target drive (the suspicious one) on a clean machine. This target drive SHOULD be mounted as read-only. | * The best option is to check the target drive (the suspicious one) on a clean machine. This target drive SHOULD be mounted as read-only. | ||
= The Pandora way = | = The Pandora way = | ||
* So to check a SD card, or a USB drive, don't use Xfce, as it will automount as read-write the target drive. | * So to check a SD card, or a USB drive, don't use Xfce, as it will automount as read-write the target drive. | ||
+ | |||
+ | = Note = | ||
+ | * During a scan, you will likely encounter false positives (false warnings). This can be harmless. Don't blindly stress, keep cool, and analyze the results. |
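Review bot: In the added Note bullet, "This can be harmless" leaves unclear what is harmless (the false positive itself, or the thing it points at) and gives the reader no way to tell a false positive from a real hit; consider "A false positive is a legitimate file or setting that the scanner flags; verify each warning before acting on it." In the same hunk, the change from "security tools" to "embedded security tools" introduces a word the page never defines; "the security tools installed on that machine" says what is meant.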
Latest revision as of 11:23, 8 November 2012
What is a rootkit?
- Check the Wikipedia definition at http://en.wikipedia.org/wiki/Rootkit.
How to scan for them?
- I ship two tools for this purpose: chkrootkit and rkhunter.
- Their use is pretty simple, and I'll let you read their man pages.
Something to know
- It's a pretty bad idea to run a self-test on the suspect machine itself, because if it's already compromised, the security tools installed on it may have been tampered with too.
- The best option is to check the target drive (the suspicious one) from a clean machine. This target drive SHOULD be mounted read-only.
The Pandora way
- So to check an SD card or a USB drive, don't use Xfce, as it will automount the target drive read-write.
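To put the two points above into practice (mount the suspect drive read-only on a clean machine, confirm it really is read-only, then scan it), here is an added shell example that is not part of the wiki page. The device node and mount point are placeholders; the scan uses chkrootkit's -r option, which points it at an alternate root directory.

```shell
#!/bin/sh
# Added example, not from the wiki: scan a suspect SD card / USB drive
# from a clean machine with the drive mounted read-only. Run as root.

# Return 0 if MNT is listed in MOUNTS_FILE (default /proc/mounts) with the
# "ro" option, 1 if it is mounted read-write or not mounted at all.
# A /proc/mounts line looks like:
#   /dev/sdb1 /mnt/suspect ext4 ro,nosuid,nodev,noexec,relatime 0 0
mount_is_readonly() {
    mnt="$1"
    mounts_file="${2:-/proc/mounts}"
    while read -r dev point fstype opts rest; do
        [ "$point" = "$mnt" ] || continue
        case ",$opts," in
            *,ro,*) return 0 ;;   # ",ro," only matches the ro flag, not errors=remount-ro
            *)      return 1 ;;
        esac
    done < "$mounts_file"
    return 1
}

# Mount DEV at MNT read-only, with no exec/suid/device-node semantics, so
# nothing on the suspect filesystem can run or be modified during the scan.
# Refuses to continue if the resulting mount is not actually read-only.
mount_suspect_ro() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt" || return 1
    mount_is_readonly "$mnt" || { umount "$mnt"; return 1; }
}

# Scan the mounted tree with chkrootkit, treating MNT as the root directory.
scan_suspect() {
    chkrootkit -r "$1"
}

# Only act when invoked as: sh scan.sh run /dev/sdX1 /mnt/suspect
if [ "${1:-}" = "run" ]; then
    DEV="${2:-/dev/sdb1}"      # placeholder: the suspect drive's device node
    MNT="${3:-/mnt/suspect}"   # placeholder: mount point on the clean machine
    mount_suspect_ro "$DEV" "$MNT" || { echo "refusing to scan: mount is not read-only" >&2; exit 1; }
    scan_suspect "$MNT"
    umount "$MNT"
fi
```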
Note
- During a scan, you will likely encounter false positives (warnings about things that are actually fine). A false positive is harmless in itself. Don't blindly stress, keep cool, and analyze the results.