[Gllug] rooting?
pauln at truemesh.com
Thu Feb 14 12:03:22 UTC 2002
On Thu, Feb 14, 2002 at 11:40:29AM -0000, Allen Wayne wrote:
> Hi All,
>
> can anyone point me in the best direction to check if a machine has been
> rooted ... possibly by the tuxkit? I have been asked to look at a PC running
> any pointers please????

1) unplug from network
2) Check out the papers here: http://project.honeynet.org/papers/

Some quick checks which may work (depends on the kit):

rpm -Va (will complain about changed things - md5sums, etc)

Get a cd/rescue floppy with clean, static ls, find, strings, md5sum

Check common binaries for oddness. If you know the rootkit and where it
installs, look for the files.

lsof

Paul
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
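
An added example, not part of the original message: a small filter for the `rpm -Va` check mentioned in the reply. It reads the verify output on stdin and lists packaged non-config files whose digest or mode changed, or that are missing. The function names and sample lines are constructed for illustration; on a suspect host the input should come from an rpm binary and database you trust, for the same reason the reply asks for clean static tools.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output read on stdin.
# Prints "<REASON> <path>" for packaged files whose digest or mode
# changed, or that are missing. Config/doc/ghost/license/readme files are
# skipped because they change during normal administration.
flag_rpm_verify() {
    awk '
    {
        # Path is everything from the first "/" onward.
        if (!match($0, /\//)) next
        path = substr($0, RSTART)
        flags = $1
        # Optional one-letter marker: c=config d=doc g=ghost l=license r=readme
        marker = ($2 ~ /^[cdglr]$/) ? $2 : ""
        if (marker != "") next
        if (flags == "missing") { print "MISSING " path; next }
        reason = ""
        # "5" in the flag string means the file digest differs from the package.
        if (index(flags, "5")) reason = "DIGEST"
        # "M" means permissions or file type differ.
        if (index(flags, "M")) reason = (reason == "" ? "MODE" : reason "+MODE")
        if (reason != "") print reason " " path
    }'
}

# Constructed sample of `rpm -Va` output (not taken from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /bin/ps
.......T.    /usr/bin/less
missing     /usr/bin/md5sum
S.5....T.  d /usr/share/doc/foo/README
EOF
}

sample_rpm_va | flag_rpm_verify
```

On a live system the equivalent call is `rpm -Va | flag_rpm_verify`; anything it lists under a bin or sbin directory is a candidate for comparison against a known-good copy with the clean md5sum.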