Red Hat Updates and SuckIT Rootkit Hits
2005-10-09 - By Tim Edwards
Josh Bressers wrote:
> I just tried this on x86, x86_64 and ia64 with no positive hit. Here is
> what chkrootkit 0.45 is looking for:
>
> ## Suckit rootkit
> expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
> expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
>
> Tim,
>
> What architecture are you using, and what is the output of the above
> tests when run by hand?
x86
app:~$ sudo strings /sbin/init | grep HOME
app:~$ sudo cat /proc/1/maps | grep init.
app:~$
> Additionally what version of chkrootkit are you running?
chkrootkit-0.45-2.1.el3.rf
The funny thing is that now it's stopped - chkrootkit doesn't complain about /sbin/init being infected anymore?
-- Tim Edwards
-- Taroon-list mailing list Taroon-list@(protected) https://www.redhat.com/mailman/listinfo/taroon-list