Slashdot Mirror


Detecting Rootkits In GNU/Linux

An anonymous reader sends note of a blog post on rootkit detection in GNU/Linux. The article mentions only two utilities for ferreting out rootkits — the first comment to the blog post lists three additional ones — but it could be useful for those who haven't thought about the problem much. From the article: "A rootkit... is a collection of tools that a cracker installs on a victim's computer after gaining initial access. It generally consists of log cleaning scripts and trojaned replacements of core system utilities such as ps, top, ifconfig and so on."
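One defender-side check for the trojaned-utility case the summary describes, as an added example that is not from the linked article or any comment here: record a baseline of digests and permission bits for the core binaries, then re-verify and report anything modified, missing or unexpectedly new. The directory, file contents and the "tampered" and "extra" files are constructed in a temporary directory; only the file names (ps, top, ifconfig) come from the summary.

```python
import hashlib
import os
import tempfile

# Added example (not from the page): baseline/verify over constructed files.
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, names):
    """Record the known-good digest and mode bits of each named file under root."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        baseline[name] = (sha256_of(path), os.stat(path).st_mode & 0o7777)
    return baseline

def verify(root, baseline):
    """Re-check root against the baseline; returns modified/missing/new lists."""
    report = {"modified": [], "missing": [], "new": []}
    for name, (digest, mode) in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)      # binary removed or renamed
        elif sha256_of(path) != digest or (os.stat(path).st_mode & 0o7777) != mode:
            report["modified"].append(name)     # contents or permissions changed
    for name in sorted(os.listdir(root)):       # files that were not in the baseline
        if name not in baseline and os.path.isfile(os.path.join(root, name)):
            report["new"].append(name)
    return report

def demo():
    """Constructed scenario: a fake bin directory, one file altered after baselining."""
    root = tempfile.mkdtemp()
    names = ["ps", "top", "ifconfig"]
    for name in names:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        os.chmod(os.path.join(root, name), 0o755)
    baseline = build_baseline(root, names)
    with open(os.path.join(root, "ps"), "wb") as f:     # simulate a replaced binary
        f.write(b"#!/bin/sh\necho tampered\n")
    with open(os.path.join(root, "extra"), "wb") as f:  # simulate an unexpected new file
        f.write(b"#!/bin/sh\n")
    return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

The baseline must be built from a trusted state (fresh install or verified package) and stored off the host, since a rootkit with write access can rewrite a manifest kept locally.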

5 of 142 comments

  1. Pish Posh by eno2001 · · Score: 5, Funny

    It's GNU/Linux. Any hacker worth his salt doesn't want to bother with archaic OSes based on Unix. He wants the 1337 stylings of Windows Vista. No sense in rootkitting a *nix box. You can't do anything with a *nix box. But an army of zombie Vista PCs, now THAT is ULTIMATE POWER!

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  2. Re:This is... by Rosco P. Coltrane · · Score: 5, Informative

    It's rather difficult to load kernel obfuscation modules (like hiding processes and files) without header files and no compiler.

    I'll tell you a little secret: if you know the kernel version number and target architecture, you can build a module on another, totally different machine. Wow! 2007 technology man!

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  3. Re:This is... by psycho8me · · Score: 5, Interesting

    That may have been true 30 years ago when a compiler license cost thousands. If a person has write access to your system, they can just copy a compiler binary over.

  4. Yes, but... by Darlantan · · Score: 5, Funny

    You have your l33t ninja with his army of zombie Windows boxes... ...but how do they stack up to the *nix pirates, and their FTPs on the seven seas of the intarwebs? It's the classic clashes, modernized. Who has the REAL Ultimate Power?

    --
    Fill in your four or five-letter word of wisdom here _ _ _ _ _.
  5. Read Only Drives by DigitalRaptor · · Score: 5, Interesting

    I run Gentoo Linux servers for hosting email and websites, and have wanted a way to really secure the boxes.

    Many hard drives have jumpers that make them read only.

    I thought it would be great to have all of the rarely changed portions of the operating system on a separate drive set to read only.

    The only time you would move the jumper to read-write would be when you were installing updates.

    Things like /tmp, /var/log, etc.

    Would have to always be on a read-write drive.

    But having things like /usr/bin on a read-only drive seems like an effective way to protect against many, many different rootkits, worms, etc.

    What do you think? Feasible or impractical?

    --
    Lose Weight and Feel Great with Isagenix