Hi, this is not exactly a reply to your question, just a general pointer: whatever you do, don't rely solely on chkrootkit. One woody-box I know of just recently got cracked, and had the viceroy rootkit installed. It was a very poorly done rootkit to boot (ls, ps, netstat etc were all dynamically linked to libc.so.5, which didn't exist on the machine, /sbin, /bin and /usr/sbin had tons of ext2-attrs attached, /var/log was wiped and syslogd killed etc).
Turns out, the latest Debian chkrootkit (0.40?) didn't find a thing and declared the box as clean. After seeing that, I recommend tripwire over chkrootkit to anyone that asks, even if tripwire is higher in maintenance.

Regs,
Sven

--
Sven Riedel [EMAIL PROTECTED]
Osteroeder Str. 6 / App. 13 [EMAIL PROTECTED]
38678 Clausthal
"Python is merely Perl for those who prefer Pascal to C" (anon)
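The symptoms listed in the message above (system binaries linked against a libc.so.5 that is not installed, ext2 attributes on files in /bin, /sbin and /usr/sbin, syslogd killed) can be checked without executing the suspect binaries. The shell script below is an added example, not part of the original message; its function names are hypothetical, and it assumes `readelf`, `ldconfig`, `lsattr` and `pgrep` are present and come from a trusted source such as rescue media.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Static checks only: suspect binaries are parsed with readelf, never executed.

# stdin: `readelf -d FILE` output -> one NEEDED library name per line.
needed_libs() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

# stdin: NEEDED names; $1: file listing library names known to the system.
# Prints the names that no installed library satisfies.
unresolved_libs() {
    while IFS= read -r lib; do
        grep -qxF -- "$lib" "$1" || printf '%s\n' "$lib"
    done
}

# stdin: `lsattr` output -> paths carrying i (immutable), a (append-only)
# or u (undeletable). Error lines printed by lsattr are skipped.
flagged_attrs() {
    awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /[iau]/ { sub(/^[^ ]+ +/, ""); print }'
}

# Scan the directories given as arguments on the running system.
scan_dirs() {
    known=$(mktemp) || return 1
    # First line of `ldconfig -p` is a summary, the rest start with a name.
    ldconfig -p | awk 'NR > 1 { print $1 }' | sort -u > "$known"
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            readelf -d "$f" 2>/dev/null | needed_libs |
                unresolved_libs "$known" |
                awk -v f="$f" '{ print "UNRESOLVED " f " needs " $0 }'
        done
        lsattr "$d" 2>/dev/null | flagged_attrs | sed 's/^/ATTR /'
    done
    pgrep -x syslogd >/dev/null || echo "NOTE no syslogd process found"
    rm -f "$known"
}

if [ "${1:-}" = "--scan" ]; then
    scan_dirs /bin /sbin /usr/sbin
fi
```

Run it with `--scan` as root so `lsattr` can read the attributes; a missing syslogd process is only a hint on systems that use a different logging daemon.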