|
-
June 20th, 2002, 03:25 PM
#1
Junior Member
how to check for a root kit
Hello,
I have been tasked with checking some Solaris servers to see if root kits had been installed. I am told there are utilites to that. Has anyone heard of such a thing and know where I can find it?
-
June 20th, 2002, 03:46 PM
#2
damn.....
ok, lets try again...
http://www.google.com/search?hl=en&l...=Google+Search
First 5 of 4660 resluts...
chkrootkit
rootkit detector
anti-rootkit
check rootkit
rootkit-check
\"Ignorance is bliss....
but only for your enemy\"
-- souleman
-
June 20th, 2002, 03:52 PM
#3
Interesting point, if you dont know what a root kit is, why are you being tasked to check for it? and why do you want to find one?
I can understand if you want to learn how one works.... just wondering. no offense, but it sounds a little strange that you get tasked to "find them on some solaris servers", dont know what they are, and in the same breath want to find one....*shrug*
Remember -
The ark was built by amatures...
The Titanic was built by professionals.
-
June 20th, 2002, 04:05 PM
#4
Junior Member
I should have explained myself a little better. I am looking for your opinions as to the best one. I had searched google and found many, but to save time and get this accomplished quickly I wanted the best one. I am new to sys admin duties and it was suggested that one or all of our servers could possibly be owned and being used to attack others. I just learned the term "root kit" the other day. So yes, i do want to find out how they work, how someone could have got one installed on our servers, if at all and how detect and clean them from my systems. I am unix literate to a small degree but still learning all I can.
That is why I posted in the Newbie section.
Thanks for your help.
-
June 20th, 2002, 04:53 PM
#5
The best one? No idea. I use tripwire to make sure that nothing gets a rootkit installed. If one does get installed, I know about it immediately, and take down the server....
A root kit installs a back door on your system, and modifies some of the programs, so that when you log in on the backdoor, you are completely undected (who doesn't work, no logs, etc etc.) To install one, someone has to take over root.
\"Ignorance is bliss....
but only for your enemy\"
-- souleman
-
June 20th, 2002, 05:08 PM
#6
Originally posted here by souleman
The best one? No idea. I use tripwire to make sure that nothing gets a rootkit installed. If one does get installed, I know about it immediately, and take down the server....
A root kit installs a back door on your system, and modifies some of the programs, so that when you log in on the backdoor, you are completely undected (who doesn't work, no logs, etc etc.) To install one, someone has to take over root.
BEST thing is to start with known clean box then install Tripwire to check for altered files  .
-
June 20th, 2002, 05:14 PM
#7
Junior Member
Great idea going forward and once I rebuild these boxes I will do that. However, right now I need to verify if any of these servers have been compromised so I know what info may be compromised.
Thanks for everyone's help
-
June 20th, 2002, 07:32 PM
#8
tripwire, huh? I have to start playin with *nix.
it sounds so much better than windows.
Remember -
The ark was built by amatures...
The Titanic was built by professionals.
-
June 20th, 2002, 09:20 PM
#9
Originally posted here by bxrluvr
I should have explained myself a little better. I am looking for your opinions as to the best one. I had searched google and found many, but to save time and get this accomplished quickly I wanted the best one. I am new to sys admin duties and it was suggested that one or all of our servers could possibly be owned and being used to attack others. I just learned the term "root kit" the other day. So yes, i do want to find out how they work, how someone could have got one installed on our servers, if at all and how detect and clean them from my systems. I am unix literate to a small degree but still learning all I can.
That is why I posted in the Newbie section.
Thanks for your help.
It would have been much better to explain this earlier, in words, rather than just coming out and tersely asking for a way to check for rootkits. More information up front tends to get more useful information later, here.
Unfortunately, I must echo what others have already said... a known-good machine (ie. fresh install FREE from any networks) coupled with a Tripwire instance is your best bet.
\"Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take affect. Reboot now?\"
-
June 20th, 2002, 09:40 PM
#10
tripwire, huh? I have to start playin with *nix.
it sounds so much better than windows.
Oh my, avenger_jcc. You mean you've never tried *nix?
Not even once?
*shudder* I'm sorry...I had no idea. Please accept my deepest condolences, and a gift for your suffering:
http://www.linuxiso.org/ 
All your friends are doing it.
/* You are not expected to understand this. */
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
