Mailing List Archive

tools for detecting linux kernel rootkits? tools to prevent its injection?
Hi there,

what tools are there to detect linux kernel rootkits?
I only know rkhunter...

Are there tools to prevent its injection, besides removing module
functionality from the kernel and denying writes to /dev/kmem and
/dev/kcore?

TIA

--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [ In reply to ]
Miguel Filipe wrote:
> Hi there,
>
> what tools are there to detect linux kernel rootkits?
> I only know rkhunter...
>
> Are there tools to prevent its injection, besides removing module
> functionality from the kernel and denying writes to /dev/kmem and
> /dev/kcore?
>
> TIA
>

Hi,

another one is chkrootkit. I use rkhunter and chkrootkit, think/hope
that's enough ;)

bye, peek

--
gentoo-security@gentoo.org mailing list
tools for detecting linux kernel rootkits? tools to prevent its injection? [ In reply to ]
I've now tried both rkhunter and chkrootkit on a known-to-be-infected system.
It seems that a linux kernel rootkit isn't detected by either of those tools.

Are there any IDSs or tools that perform routine checks on system call
table addresses, and other function pointer addresses, for changes?

Looking for _known_ rootkits isn't good enough sometimes...

TIA

--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [ In reply to ]
On Fri, Feb 04, 2005 at 07:59:34PM +0000, Miguel Filipe wrote:
> I've now tried both rkhunter and chkrootkit on a known-to-be-infected system.
> It seems that a linux kernel rootkit isn't detected by either of those tools.
>
> Are there any IDSs or tools that perform routine checks on system call
> table addresses, and other function pointer addresses, for changes?
>
> Looking for _known_ rootkits isn't good enough sometimes...
>
> TIA
>
> --
> Miguel Sousa Filipe
>

Haven't tried this aspect of it myself, but Samhain can be configured to
check for rootkits, including syscall modifications.

http://la-samhna.de/samhain/manual/kerneldef.html


--
gentoo-security@gentoo.org mailing list
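What such a routine check amounts to, as an added illustration (not code from Samhain or from anyone in this thread): compare each sys_call_table entry against the address System.map gives for the expected handler, and resolve any mismatch either to a kernel symbol plus offset or, when the address lies beyond kernel text, flag it as pointing somewhere a loaded module would live. The System.map excerpt, syscall table snapshot and addresses below are all constructed; a real checker would read the table from kernel memory.

```python
import bisect

# Constructed System.map excerpt (addresses are made up); _etext marks the
# end of kernel text, anything above it is not a core-kernel function.
SYSTEM_MAP = """\
c0123ab0 T sys_kill
c0155e10 T sys_read
c0155f40 T sys_write
c0156020 T sys_open
c0156180 T sys_close
c0177c90 T sys_getdents64
c0300000 A _etext
"""
# i386 syscall numbers (from unistd.h) for the entries being baselined.
EXPECTED = {3: "sys_read", 4: "sys_write", 5: "sys_open", 6: "sys_close",
            37: "sys_kill", 220: "sys_getdents64"}
# Constructed snapshot of sys_call_table as a checker would read it from
# kernel memory; entries 5 and 220 have been redirected out of kernel text.
OBSERVED = {3: 0xc0155e10, 4: 0xc0155f40, 5: 0xd0a3e0c0, 6: 0xc0156180,
            37: 0xc0123ab0, 220: 0xd0a3e1f0}

def parse_system_map(text):
    """Return ({symbol: address}, [(address, symbol)] sorted by address)."""
    syms = [(int(a, 16), n) for a, _t, n in (l.split() for l in text.splitlines())]
    syms.sort()
    return {n: a for a, n in syms}, syms

def resolve(addr, syms):
    """symbol+offset containing addr, or None if addr lies outside kernel text."""
    i = bisect.bisect_right([a for a, _ in syms], addr) - 1
    if i < 0 or addr >= syms[-1][0]:
        return None
    return "%s+0x%x" % (syms[i][1], addr - syms[i][0])

def check_syscall_table(system_map, expected, observed):
    """Return [(nr, expected_symbol, observed_addr, where)] for every mismatch."""
    by_name, syms = parse_system_map(system_map)
    findings = []
    for nr, sym in sorted(expected.items()):
        got = observed[nr]
        if got != by_name[sym]:
            where = resolve(got, syms) or "outside kernel text (loaded module?)"
            findings.append((nr, sym, got, where))
    return findings

if __name__ == "__main__":
    for nr, sym, got, where in check_syscall_table(SYSTEM_MAP, EXPECTED, OBSERVED):
        print("syscall %3d: expected %s, table points to 0x%08x (%s)"
              % (nr, sym, got, where))
```

The same comparison generalises to any table of function pointers for which a trusted address list exists; the baseline must come from a copy of System.map kept off the monitored host, since a rootkit that can patch the table can also edit the map file.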
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [ In reply to ]
Miguel Filipe wrote:
| I've now tried both rkhunter and chkrootkit on a known to be infected system.
| It seems that a linux kernel rootkit isn't detected by any of those tools.

I think the reason why some rootkits may not be detected is because rootkit
checking tools rely on fingerprint databases that have to be constantly updated.

If you change some rootkit a bit, just enough to change its fingerprint, or if
you "use" a different rootkit, not present in the database, then those tools
won't detect it.

Of course, rootkits that re-route/change system calls or do noisy undisguised
changes can generally be detected.

regards,
pedro venda.
--

Pedro João Lopes Venda
email: pjlv@mega.ist.utl.pt
http://arrakis.dhis.org

--
gentoo-security@gentoo.org mailing list
Re: tools for detecting linux kernel rootkits? tools to prevent its injection? [ In reply to ]
Thanks for the info,
Samhain is just what I want.

Samhain should have more publicity, it looks like it's "the thing"!


On Fri, 4 Feb 2005 20:22:24 +0000, Barry Dunn <lists@soylent.org.uk> wrote:
> On Fri, Feb 04, 2005 at 07:59:34PM +0000, Miguel Filipe wrote:
> > I've now tried both rkhunter and chkrootkit on a known-to-be-infected system.
> > It seems that a linux kernel rootkit isn't detected by either of those tools.
> >
> > Are there any IDSs or tools that perform routine checks on system call
> > table addresses, and other function pointer addresses, for changes?
> >
> > Looking for _known_ rootkits isn't good enough sometimes...
> >
> > TIA
> >
> > --
> > Miguel Sousa Filipe
> >
>
> Haven't tried this aspect of it myself, but Samhain can be configured to
> check for rootkits, including syscall modifications.
>
> http://la-samhna.de/samhain/manual/kerneldef.html
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list