checkps-support Mailing List for Linux rootkit detector
Status: Beta
Brought to you by: dps
From: Duncan S. <dp...@io...> - 2000-10-10 23:48:45
So, you think a script kiddie might have installed a root kit. If so then checkps could be for you... If ps fails to list a process then it will tell you all about it and it's relatively. This goes far enough to give you a service that was probably cracked and IP source numbers (for currently connected boxen). In a few ticks it should also detect rootkit versions of netstat on linux. Much of the code could be used to good effect on other systems. Any helpers willing to do the rest?

The latest version is 1.3-pre1 and a major update to version 1.2 and minor update to the version with a bug removed announced on bugtraq a long time ago.

You can run it in the background and get it to check every 5 minutes, under any name other than checkps, with any fake argument list. You know what will blend into the background on your system (the default is httpd with no arguments).

The current version with kill scanning enabled should detect all current linux root kits, even the module one I am aware of. Pure software root kits show up like sore thumbs as far as the program is concerned.

You can collect copies from sourceforge (the checkps project) or, by http only, from http://checkps.alcom.co.uk. Minor releases will be reported on the checkps-support list only.

P.S. If anyone knows of any "competition" then please tell me. tripwire, logcheck, etc are complementary and checkps is not a replacement or substitute for them.

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
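An added example, not part of the original post and not checkps's own code: it cross-checks what `ps` lists against a signal-0 probe of every PID, which is one reading of the "kill scanning" the post mentions. The function names, the `ps` options and the 32768 PID ceiling are assumptions of this example.

```python
import os
import subprocess

def parse_ps_pids(ps_output):
    """Extract IDs from `ps -o lwp=` style output (one number per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def pid_exists(pid):
    """Probe with signal 0: nothing is delivered, only the existence check runs."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:  # ESRCH: no such process
        return False
    except PermissionError:     # EPERM: exists, but owned by another user
        return True
    return True

def hidden_pids(listed, candidates, probe=pid_exists):
    """IDs that answer the probe but are missing from the ps listing."""
    return sorted(p for p in candidates if p not in listed and probe(p))

def list_ps():
    # -L lists threads too: on Linux a thread ID also answers kill(tid, 0),
    # so comparing against process IDs alone would flag every thread.
    out = subprocess.run(["ps", "-e", "-L", "-o", "lwp="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)

def scan(max_pid=32768, list_fn=list_ps, probe=pid_exists):
    """List, probe, then list again so that processes which merely started
    during the scan are not reported as hidden."""
    before = list_fn()
    suspects = hidden_pids(before, range(1, max_pid + 1), probe)
    after = list_fn()
    return [p for p in suspects if p not in after and probe(p)]

if __name__ == "__main__":
    # max_pid is an assumed ceiling; /proc/sys/kernel/pid_max holds the real one.
    for pid in scan():
        print(f"PID {pid} answers kill(pid, 0) but is not listed by ps")
```

A clean result only shows that `ps` and the kernel's signal path agree; a kernel-level rootkit that also filters `kill()` would pass this check, which is why file-integrity tools remain complementary.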