Rootkit

Dave Burns tburns at hawaii.edu
Sun Oct 21 20:38:52 UTC 2007


> Even when I run chkrootkit I don't feel safe cause if your system has been
> owned, are you sure you can trust the results the anti rootkit is reporting
> you?

Well... you can certainly trust them if they're telling you that you
are totally screwed. It's if they're telling you that there is no
problem that you will experience some ambiguity. So it might tell you
when you need to start thinking about a re-install. There are probably
better ways, but this one is pretty easy, good for lazy ignorant types
like me.

You can trust the results if you reboot your system from a CD, with
the caveat that there might be some new exploit that rkhunter and
chkrootkit do not know about.  Or a bot that runs only in memory and
so went away (for now) when you rebooted (only to return later
probably).

Even without rebooting, it gives your intruders one more thing to
think about and bungle. If you attribute them with god-like powers of
foresight and concentration, there's no point in trying to avoid
intrusions - this god-like being will certainly know some unpublicized
exploit and predict every countermeasure you take and set up some
kernel hack that tells you everything is fine when it is not. On the
other hand, if they are merely human, it will be worth the trouble.
The lock on my front door can be picked, but I still lock it when I
leave the house.

> From my point of view, if you got a rootkit the best thing you can do is,
> firstly, figure out how you got hacked and then just re-install the system,
> otherwise, the system is not going to be truly reliable anymore.

Well, yeah. But how do you know you've got a rootkit and how do you
figure out how you've been hacked? rkhunter or chkrootkit can tell you
a lot about that, though it's true that they may tell you nothing.
They're a couple of tools in the kit.

You are also assuming that it is practical to take the system offline.
I'd say you definitely should have enough slack in your plans that you
could take any particular machine offline and re-install it, but
sometimes people find themselves facing unanticipated trade-offs and
would like to have the option of doing something quicker though
perhaps more risky. Well, let's hope we never go there.

There's also the case where things are less clear cut - maybe there's
something wrong, but you don't yet know. I guess monitoring your
network traffic may be less ambiguous, but hey, who's to say the
hacker can't fool you there too? Whatever the intruder does, it is
possible to try to camouflage it, given time and ingenuity. Just
because there are stealth bombers doesn't mean you turn off your
radar.

Of course, all this makes me want to move "learn about snort" higher
on my list of things I need to do.

What method do you use to watch out for intrusion attempts?

good luck,
Dave
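The "boot from a CD and check the disk" approach in the post, as an added example that is not part of the original message and is not rkhunter's or chkrootkit's own code. The idea it demonstrates is the one Dave relies on: the check runs from a clean boot medium against the suspect root filesystem mounted read-only, and the baseline it compares against is kept off the suspect host, so a kernel hack on the compromised system has nothing to lie to. The directory names, the watched paths and the three fake binaries are constructed for the demo; on a real box you would point `build_manifest` at the mount point of the suspect disk (say `/mnt/suspect`) and keep `baseline.json` on removable media. As the post notes, an implant that lives only in memory leaves no file change for this to catch.

```python
"""Offline file-integrity check of a suspect root, run from a clean boot medium.

Added example (not from the original post, not rkhunter/chkrootkit code).
Assumptions: the suspect disk is mounted read-only under some root directory,
and a SHA-256 manifest taken while the host was known-good is stored off-host
(USB stick, another machine).  All paths below are hypothetical.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories where a user-space rootkit typically swaps trojaned binaries or
# drops kernel modules.  Relative to the mounted suspect root.
WATCHED_DIRS = ("bin", "sbin", "usr/bin", "usr/sbin", "lib/modules")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, subdirs=WATCHED_DIRS) -> dict:
    """Record hash, permission bits and size of every regular file under the
    watched directories.  Keys are paths relative to `root` so a manifest taken
    on the live system matches one taken on the same disk mounted elsewhere."""
    manifest = {}
    for sub in subdirs:
        base = root / sub
        if not base.is_dir():
            continue
        for p in sorted(base.rglob("*")):
            if p.is_file() and not p.is_symlink():
                st = p.lstat()
                manifest[str(p.relative_to(root))] = {
                    "sha256": sha256_file(p),
                    "mode": oct(st.st_mode & 0o7777),  # catches a newly set setuid bit too
                    "size": st.st_size,
                }
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash/mode/size changed, files that appeared, and files
    that vanished since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in common if baseline[k] != current[k]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict:
    """Constructed scenario: a fake root with three 'binaries', a baseline saved
    to a separate 'usb' directory, then a simulated trojaned ps plus a dropped
    hidden helper.  Returns the comparison result."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as usb:
        root = Path(disk)
        baseline_path = Path(usb) / "baseline.json"  # off-host storage stand-in
        for rel, content in {"bin/ls": b"ls v1", "bin/ps": b"ps v1", "sbin/init": b"init v1"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        save_manifest(build_manifest(root), baseline_path)  # taken while known-good

        # Simulated intrusion: ps replaced to hide a process, helper dropped in bin/.
        (root / "bin/ps").write_bytes(b"ps v1 that hides pid 31337")
        (root / "bin/.kit").write_bytes(b"constructed payload")

        # The check itself: rehash the (read-only) suspect root, compare to the
        # baseline loaded from the off-host copy, never from the suspect disk.
        return compare(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The two-directory layout matters more than the hashing: if `baseline.json` had lived on the suspect disk, the intruder could have rewritten it along with `ps`, and a check from a live CD would have reported a clean system.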
