Software projects/OS/Slackware/Advanced usage/Rootkit scanners

From Pandora Wiki
Latest revision as of 11:23, 8 November 2012

What is a rootkit?

  • Check the Wikipedia definition here.

How to scan for them?

  • I ship two tools for this purpose: chkrootkit and rkhunter.
  • Their usage is pretty simple, and I'll let you read their man pages.

Something to know

  • It's a pretty bad idea to run a self-test on a machine, because if it's already compromised, the embedded security tools may also have been tampered with.
  • The best option is to check the target drive (the suspicious one) on a clean machine. This target drive SHOULD be mounted read-only.

The Pandora way

  • So to check an SD card or a USB drive, don't use Xfce, as it will automount the target drive read-write.
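The two points above (scan from a clean host, and never let the suspect drive be mounted read-write) as an added example; this is not a script from the Pandora wiki. It assumes the suspect card shows up as a block device such as /dev/sdb1, uses /mnt/suspect as the mount point, and relies on chkrootkit's -r option to treat that mount point as the root of the tree to inspect; the sample /proc/mounts lines at the end are constructed for offline checking.

```shell
#!/bin/sh
# Added example (not from the Pandora wiki): mount a suspect drive read-only
# on a clean machine, verify the mount flags, then point chkrootkit at it.

# Return 0 if a /proc/mounts-style line carries every option listed in the
# comma-separated second argument, 1 otherwise.
mount_line_has_opts() {
    line="$1"; wanted="$2"
    opts=$(printf '%s\n' "$line" | awk '{print $4}')
    for o in $(printf '%s\n' "$wanted" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Find the mount point in a /proc/mounts listing (default: the live one)
# and confirm it is read-only with nosuid, nodev and noexec.
verify_readonly_mount() {
    mnt="$1"; mounts="${2:-/proc/mounts}"
    line=$(awk -v m="$mnt" '$2 == m {print; exit}' "$mounts")
    [ -n "$line" ] || return 2
    mount_line_has_opts "$line" "ro,nosuid,nodev,noexec"
}

# Mount the suspect device read-only and scan it from the clean host.
# Device path and mount point are assumptions; adjust for your setup.
scan_suspect_drive() {
    dev="$1"; mnt="${2:-/mnt/suspect}"
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    mkdir -p "$mnt"
    mount -o ro,nosuid,nodev,noexec "$dev" "$mnt" || return 1
    if ! verify_readonly_mount "$mnt"; then
        echo "refusing to scan: $mnt is not mounted ro,nosuid,nodev,noexec" >&2
        umount "$mnt"
        return 1
    fi
    chkrootkit -r "$mnt"      # -r: inspect the mounted tree, not the host
    rc=$?
    umount "$mnt"
    return $rc
}

# Constructed sample /proc/mounts lines: one safe mount, one Xfce-style
# read-write automount that the check must reject.
SAMPLE_MOUNTS='/dev/sdb1 /mnt/suspect ext4 ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /media/xfce-auto vfat rw,nosuid,nodev,relatime 0 0'
```

Run it as root on the clean machine with `scan_suspect_drive /dev/sdb1`; the scan is skipped unless the verified mount flags match.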

Note

  • During a scan, you will likely encounter false positives (false warnings). These can be harmless. Don't panic blindly; keep cool and analyze the results.