
Re: chkrootkit - possible bad news



Alohá!

Noah Meyerhans wrote:

> On Tue, Feb 24, 2004 at 09:14:05AM +0200, Sneferu wrote:
>
>> Looks like there are a lot of false positives on it.
>>
>
>
> It looks like there are a lot of false positives with chkrootkit in
> general.  Seriously, has anybody here ever had chkrootkit detect an
> actual rootkit?  [...]


Had about half a dozen public machines with old SuSe 6.4 default installations half-way in my area of responsibility that were 'uprooted'. Diagnosing them with chkrootkit when they started creating unusual network traffic let me make the case for a reinstall pretty quickly.

A friend's small dyndns server was hacked within two weeks after installation. Maybe chkrootkit is not that needed for 'big' server installations with somebody keeping an eye full-time on security-related stuff and fs monitors reporting every change that might be suspicious to well-kept logs, but for lazy admins that weigh the cost of keeping things tight and secure higher than an occasional reinstallation (don't count me in there) chkrootkit is a welcome diagnosis tool.

IMHO the biggest problem creating false positives is hidden processes that are actually supposed to be there for whatever conceptual reasons.

best regards

Martin



