[olug] lkm problems

Dave Hull dphull at insipid.com
Wed Oct 6 16:58:11 UTC 2004


Quoting Daniel Linder <dan at linder.org>:

> <quote who="Dave Hull">
> > I have no idea how chkrootkit works, but you can use a command line like
> > this to compare what ps shows to what is in /proc:
> >
> > ls -d /proc/* | grep [0-9] | wc -l; ps ax | wc -l
>
> A system I had the pleasure *cough* to clean up after a root kit hack had
> installed its own copies of ps, ls, and find.  When it saw me doing an ls
> of different directories, it automatically removed the ones it was using
> to hide its files.

Good point. Soon after I sent that last night, I realized that this would
require the use of some "trusted" binaries that are likely to have been
replaced on the cracked system.

--
Dave Hull
http://insipid.com
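An added example, not code from either poster: the same comparison as the one-liner above, done from Python so that the listing of /proc does not go through ls or ps binaries that may have been replaced, with a third count taken by asking the kernel about every PID directly (kill -0), which catches entries an LKM hides from readdir. It assumes a Linux /proc; the ps text in the test is constructed.

```python
#!/usr/bin/env python3
"""Cross-check process lists from three sources without trusting ps or ls."""
import os

def pids_from_readdir(proc="/proc"):
    """PIDs seen by listing /proc (what `ls -d /proc/*` relies on)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def pids_from_ps(ps_output):
    """PIDs parsed from captured `ps ax` text; the header line is skipped."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def is_live_leader(pid):
    """True if PID answers kill -0 and is a thread-group leader (a real
    process). Thread IDs also answer kill -0 but are legitimately absent
    from a readdir of /proc, so they are filtered out via Tgid."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, owned by another user
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass  # answers kill -0 but its /proc entry is unreadable: worth a look
    return True

def pids_from_probe(pid_max=None, probe=is_live_leader):
    """Walk every candidate PID up to pid_max and ask the kernel directly."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1) if probe(pid)}

def compare(readdir_pids, ps_pids, probe_pids):
    """Set differences worth investigating; short-lived processes add noise."""
    return {"in_proc_not_ps": readdir_pids - ps_pids,
            "probe_not_proc": probe_pids - readdir_pids,
            "ps_not_proc": ps_pids - readdir_pids}

if __name__ == "__main__":
    import subprocess  # ps is still untrusted; it is only the third opinion
    ps_text = subprocess.run(["ps", "ax"], capture_output=True, text=True).stdout
    for name, pids in compare(pids_from_readdir(), pids_from_ps(ps_text),
                              pids_from_probe()).items():
        print(name, sorted(pids))
```

A PID that shows up in probe_not_proc on repeated runs, and is not a thread, is the case the thread is discussing; a difference of one or two between transient runs is normal.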



More information about the OLUG mailing list