Slashdot Mirror

← Back to Stories (view on slashdot.org)

Detecting Rootkits In GNU/Linux

Posted by kdawson on from the watching-your-back dept.

An anonymous reader sends note of a blog post on rootkit detection in GNU/Linux. The article mentions only two utilities for ferreting out rootkits — the first comment to the blog post lists three additional ones — but it could be useful for those who haven't thought about the problem much. From the article: "A rootkit... is a collection of tools that a cracker installs on a victim's computer after gaining initial access. It generally consists of log cleaning scripts and trojaned replacements of core system utilities such as ps, top, ifconfig and so on."

2 of 142 comments (clear)

  1. Re:This is... by psycho8me · · Score: 5, Interesting

    That may have been true 30 years ago when a compiler license cost thousands. If a person has write access to your system, they can just copy a compiler binary over.

  2. Read Only Drives by DigitalRaptor · · Score: 5, Interesting

    I run Gentoo Linux servers for hosting email and websites, and have wanted a way to really secure the boxes.

    Many hard drives have jumpers that make them read only.

    I thought it would be great to have all of the rarely changed portions of the operating system on a separate drive set to read only.

    The only time you would move the jumper to read-write would be when you were installing updates.

    Things like: /tmp /var/log
    etc

    Would have to always be on a read-write drive.

    But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different root-kits, worms, etc.

    What do you think? Feasible or impractical?

    --
    Lose Weight and Feel Great with Isagenix