On 6/21/06, Ian mu <mu.llamas at gmail.com> wrote:
> Used rkhunter which is fine apart from one app out of date which I've now
> updated, chkrootkit it's clear but chkproc gives a couple of processes not in
> readdir output, but they correspond to apps we are running when I check in
> /proc/pid/cmdline so think that side's looking ok (still checking a couple of
> bits though).
>

Keep in mind that tools like this should be run from trusted media and not from the suspected machine. This ensures that there is no kernel-space nastiness intercepting calls and feeding you bad information, as well as the fact that you're working from known good binaries. The CentOS live CD would be good for this, as well as Knoppix or others.

It may be traitorous to say this, but there's a Knoppix-based distro out there for forensic/data-recovery use with rootkit hunting tools on it. I generally keep a copy of it lying around, although the name escapes me at present.

-- 
This message has been double ROT13 encoded for security. Anyone other than the intended recipient attempting to decode this message will be in violation of the DMCA
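The check Ian describes (chkproc reporting PIDs that answer a direct probe but are missing from a readdir() of /proc, then confirming them against /proc/PID/cmdline) can be reproduced in a few lines. The script below is an added example written for this thread; it is not chkrootkit's code or anything from the CentOS project. It assumes a Linux host with /proc mounted, and, as the reply above warns, it is only trustworthy when run from known-good media, since a kernel-level hook can lie to both the directory listing and the probe. It also handles the usual false positive: thread IDs of a multithreaded process are reachable under /proc/<tid> but never listed, so a PID whose Tgid points at a listed process is reported as normal rather than hidden.

```python
"""Hidden-process check in the spirit of chkrootkit's chkproc (added example,
not chkrootkit's code). Assumes Linux and a mounted /proc."""
import os

PROC = "/proc"


def listed_pids(proc=PROC):
    """PIDs that a plain directory listing of /proc reports. A rootkit that
    hooks getdents/readdir typically filters exactly this list."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pid(pid):
    """Ask the kernel whether a PID exists without enumerating /proc.
    Signal 0 delivers nothing; it only performs the existence/permission check."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user


def thread_group_id(pid, proc=PROC):
    """Tgid from /proc/<pid>/status, or None if the file cannot be read."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None


def find_hidden_pids(visible, probe, tgid_of, max_pid):
    """PIDs in 1..max_pid that answer `probe` but are absent from `visible`.

    A PID whose thread-group leader *is* visible is a thread, not a hidden
    process, and is skipped. `probe` and `tgid_of` are injected so the logic
    can be exercised on constructed data as well as on the live system."""
    hidden = []
    for pid in range(1, max_pid + 1):
        if pid in visible or not probe(pid):
            continue
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in visible:
            continue
        hidden.append(pid)
    return hidden


def parse_cmdline(raw):
    """/proc/<pid>/cmdline is NUL-separated; render it as one readable string."""
    return raw.rstrip(b"\0").replace(b"\0", b" ").decode("utf-8", "replace")


def read_cmdline(pid, proc=PROC):
    """Command line of a PID, or None if /proc/<pid>/cmdline is unreadable."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            return parse_cmdline(f.read())
    except OSError:
        return None


def pid_max(proc=PROC):
    """Upper bound of the PID space; 32768 is the historical default."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768


if __name__ == "__main__":
    # Live run: compare the listing with a brute-force probe of the PID space.
    visible = listed_pids()
    hidden = find_hidden_pids(visible, probe_pid, thread_group_id, pid_max())
    if not hidden:
        print("no PIDs answer a probe without appearing in readdir() of /proc")
    for pid in hidden:
        # As in the thread: look at cmdline to see whether it is a known app.
        print(f"PID {pid} not in readdir output; cmdline: {read_cmdline(pid)!r}")
```

A PID that shows up here with an empty or unreadable cmdline deserves a closer look from a boot CD; one that maps to a process you expect, as Ian found, is the benign case the reply above describes.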