how to check for a root kit

  1. #1
    Junior Member
    Join Date
    Jun 2002
    Posts
    5

    how to check for a root kit

    Hello,
    I have been tasked with checking some Solaris servers to see if root kits had been installed. I am told there are utilities to do that. Has anyone heard of such a thing and know where I can find it?

  2. #2
    AntiOnline Senior Member souleman
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    damn.....

    ok, let's try again...

    http://www.google.com/search?hl=en&l...=Google+Search

    First 5 of 4660 results...
    chkrootkit
    rootkit detector
    anti-rootkit
    check rootkit
    rootkit-check
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  3. #3
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    Interesting point: if you don't know what a root kit is, why are you being tasked to check for it? And why do you want to find one?
    I can understand if you want to learn how one works.... just wondering. No offense, but it sounds a little strange that you get tasked to "find them on some solaris servers", don't know what they are, and in the same breath want to find one....*shrug*
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  4. #4
    Junior Member
    Join Date
    Jun 2002
    Posts
    5
    I should have explained myself a little better. I am looking for your opinions as to the best one. I had searched google and found many, but to save time and get this accomplished quickly I wanted the best one. I am new to sys admin duties and it was suggested that one or all of our servers could possibly be owned and being used to attack others. I just learned the term "root kit" the other day. So yes, I do want to find out how they work, how someone could have got one installed on our servers, if at all, and how to detect and clean them from my systems. I am unix literate to a small degree but still learning all I can.

    That is why I posted in the Newbie section.

    Thanks for your help.

  5. #5
    AntiOnline Senior Member souleman
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    The best one? No idea. I use tripwire to make sure that nothing gets a rootkit installed. If one does get installed, I know about it immediately, and take down the server....

    A root kit installs a back door on your system, and modifies some of the programs, so that when you log in on the backdoor, you are completely undetected (who doesn't work, no logs, etc.) To install one, someone has to take over root.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  6. #6
    Originally posted here by souleman
    The best one? No idea. I use tripwire to make sure that nothing gets a rootkit installed. If one does get installed, I know about it immediately, and take down the server....

    A root kit installs a back door on your system, and modifies some of the programs, so that when you log in on the backdoor, you are completely undetected (who doesn't work, no logs, etc.) To install one, someone has to take over root.
    BEST thing is to start with a known clean box, then install Tripwire to check for altered files.
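    The Tripwire approach souleman and the poster above describe, as an added Python example that is not part of the thread and is not Tripwire's own code: digests of the system binaries are recorded on a known-clean box, and a later run flags files that were modified, removed or added. The watched directories, the file contents and the "trojaned who" are all constructed for the demonstration.

```python
# Minimal Tripwire-style integrity check (constructed example, not Tripwire itself).
# Baseline the binaries while the box is known clean, keep the baseline on read-only or
# offline media, and compare later: a swapped 'who' or 'ls' changes its digest.
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, dirs=("bin", "sbin")):
    """Map each file under root/<dir>, keyed by relative path, to its digest."""
    baseline = {}
    for d in dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d)):
            for name in files:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def verify(root, baseline, dirs=("bin", "sbin")):
    """Compare the live tree with the baseline; report modified, missing and added files."""
    current = build_baseline(root, dirs)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def write(root, rel, body):  # helper for the constructed scenario only
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)

def demo():
    """Constructed scenario: clean baseline, then a replaced 'who', a deleted 'ls', a new file."""
    root = tempfile.mkdtemp()
    for rel, body in (("bin/who", b"clean who"), ("bin/ls", b"clean ls"), ("sbin/init", b"clean init")):
        write(root, rel, body)
    baseline = build_baseline(root)             # snapshot taken on the known-clean system
    write(root, "bin/who", b"trojaned who")     # simulate a rootkit replacing the binary
    write(root, "sbin/bd", b"unexpected file")  # simulate a file that was not there before
    os.remove(os.path.join(root, "bin/ls"))     # simulate a deleted file
    return verify(root, baseline)
```

    Because an intruder who has root can alter the hashing tool and the stored baseline just as easily as `who`, both belong on read-only or offline media, and the comparison is only as trustworthy as the clean install it was baselined from.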

  7. #7
    Junior Member
    Join Date
    Jun 2002
    Posts
    5
    Great idea going forward and once I rebuild these boxes I will do that. However, right now I need to verify if any of these servers have been compromised so I know what info may be compromised.

    Thanks for everyone's help

  8. #8
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    tripwire, huh? I have to start playin' with *nix.
    It sounds so much better than Windows.
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    712
    Originally posted here by bxrluvr
    I should have explained myself a little better. I am looking for your opinions as to the best one. I had searched google and found many, but to save time and get this accomplished quickly I wanted the best one. I am new to sys admin duties and it was suggested that one or all of our servers could possibly be owned and being used to attack others. I just learned the term "root kit" the other day. So yes, I do want to find out how they work, how someone could have got one installed on our servers, if at all, and how to detect and clean them from my systems. I am unix literate to a small degree but still learning all I can.

    That is why I posted in the Newbie section.

    Thanks for your help.
    It would have been much better to explain this earlier, in words, rather than just coming out and tersely asking for a way to check for rootkits. More information up front tends to get more useful information later, here.

    Unfortunately, I must echo what others have already said... a known-good machine (i.e. fresh install FREE from any networks) coupled with a Tripwire instance is your best bet.
    "Windows has detected that a gnat has farted in the general vicinity. You must reboot for changes to take effect. Reboot now?"

  10. #10
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    tripwire, huh? I have to start playin' with *nix.
    It sounds so much better than Windows.
    Oh my, avenger_jcc. You mean you've never tried *nix?
    Not even once?

    *shudder* I'm sorry...I had no idea. Please accept my deepest condolences, and a gift for your suffering:

    http://www.linuxiso.org/

    All your friends are doing it.
    /* You are not expected to understand this. */
