Hi,
I'm refering that on a dead filesystem witch is the best tool to check
if there is any rootkit.
I do not want to check listening ports because it would check the wrong
machine.
Jordi
Rick Stevens wrote:
On Tue, 2007-10-23 at 23:16 +0200, Jordi Prats wrote:
But it does check for some listening ports. There is not a better tool
for that?
The best tool for that is nmap (or for the GUI users, nmap-fe).
Maybe a combination of chkrootkit -d with some AV? Any recomendation?
Thanks,
Jordi
Dave Burns wrote:
On 10/22/07, Jordi Prats <jprats@xxxxxxxx> wrote:
About this discussion, chkrootkit are for live systems, isn't it?
There's any tool to do rootkit analysis on a "dead" system?
I'm thinking of check for rootkits on snapshots of the file system of a
virtual machine to determine if the running virtual machine is compromised.
Use -r switch? As long as you can mount the dead system as a (possbily
ro) filesystem, I don't see why not.
Dave
chkrootkit --help
Usage: /usr/lib/chkrootkit-0.47/chkrootkit [options] [test ...]
Options:
-h show this help and exit
-V show version information and exit
-l show available tests and exit
-d debug
-q quiet mode
-x expert mode
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens@xxxxxxxxxxxx -
- CDN Systems, Internap, Inc. http://www.internap.com -
- -
- When in doubt, mumble. -
----------------------------------------------------------------------
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list