On 6/21/06, Ian mu <mu.llamas@gmail.com> wrote:
Used rkhunter, which is fine apart from one app out of date which I've now updated. chkrootkit is clear, but chkproc gives a couple of processes not in readdir output; they correspond to apps we are running when I check in /proc/pid/cmdline, so I think that side's looking ok (still checking a couple of bits though).
Keep in mind that tools like this should be run from trusted media and not from the suspected machine. This ensures that there is no kernel-space nastiness intercepting calls and feeding you bad information, as well as the fact that you're working from known good binaries. The CentOS live CD would be good for this, as well as Knoppix or others. It may be traitorous to say this, but there's a Knoppix-based distro out there for forensic/data-recovery use with rootkit hunting tools on it. I generally keep a copy of it lying around, although the name escapes me at present.
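The chkproc discrepancy Ian mentions above comes from comparing a readdir() of /proc against what ps(1) reports; a process that starts or exits between the two listings shows up as a spurious mismatch. The script below is an added example, not code from chkrootkit or from either poster: it repeats the same readdir-vs-ps comparison on a Linux host (assuming a working `ps` in PATH) but takes several samples and only reports a PID that is present in every /proc listing yet never seen by ps, which removes the race. The hard limit the reply points out still applies and is noted in the code: both ps and this script read /proc through the running kernel, so a kernel-level hook that hides a PID from getdents() fools both, which is why the check belongs on trusted media.

```python
"""Added example (not from the original thread): a chkproc-style check that
flags PIDs visible in a readdir() of /proc but absent from ps(1) output.

Caveat: ps itself reads /proc, so a kernel-space hook that hides a PID from
directory listings defeats both sides of this comparison. The comparison
catches a trojaned ps or a hook that only filters one path; it does not
replace booting known-good media as the reply recommends."""
import os
import subprocess
import time


def proc_pids():
    """PIDs taken from a readdir() of /proc (numeric entries only)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def ps_pids():
    """PIDs as reported by ps(1); the binary is assumed to be in PATH."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(proc_samples, ps_samples):
    """Return PIDs present in *every* /proc sample but in *no* ps sample.

    Requiring persistence across samples drops the short-lived processes
    that appear in one listing and not the other, which is the false
    positive described in the thread. Each argument is a list of sets."""
    if not proc_samples or not ps_samples:
        return set()
    persistent = set.intersection(*proc_samples)
    ever_seen_by_ps = set.union(*ps_samples)
    return persistent - ever_seen_by_ps


def cmdline(pid):
    """Best-effort /proc/<pid>/cmdline for manual review of a hit."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            raw = f.read()
    except OSError:
        return "<unreadable or gone>"
    return raw.replace(b"\0", b" ").decode(errors="replace").strip() or "<empty>"


def scan(rounds=3, delay=0.2):
    """Take `rounds` paired samples and return {pid: cmdline} for PIDs that
    survive the cross-check. Empty dict means nothing was hidden from ps."""
    proc_samples, ps_samples = [], []
    for _ in range(rounds):
        proc_samples.append(proc_pids())
        ps_samples.append(ps_pids())
        time.sleep(delay)
    return {pid: cmdline(pid) for pid in sorted(hidden_pids(proc_samples, ps_samples))}


if __name__ == "__main__":
    hits = scan()
    if not hits:
        print("no PIDs in /proc that ps never reported")
    for pid, cmd in hits.items():
        print(f"pid {pid} in /proc but never in ps: {cmd}")
```

Running it as root makes the cmdline lookups more useful, since unprivileged users cannot read /proc/<pid>/cmdline for every process. A hit whose cmdline matches a service you expect to be running is not proof of a rootkit, but it is not explained by the start/exit race either, and deserves a look from a live CD.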