[CentOS] Re: Tracking down whats causing a high load?

Wed Jun 21 19:01:47 UTC 2006
Scott Silva <ssilva at sgvwater.com>

Jim Perrin spake the following on 6/21/2006 6:00 AM:
> On 6/21/06, Ian mu <mu.llamas at gmail.com>
> wrote:
>> Used rkhunter which is fine apart from one app out of date which I've now
>> updated, chkrootkit it's clear but chkproc gives a couple of processes
>> not in readdir output, but they correspond to apps we are running when I
>> check in /proc/pid/cmdline so think that side's looking ok (still checking
>> a couple of bits though).
>>
> 
> 
> Keep in mind that tools like this should be run from trusted media and
> not from the suspected machine. This ensures that there is no
> kernel-space nastiness intercepting calls and feeding you bad
> information, as well as the fact that you're working from known good
> binaries. The centos live cd would be good for this, as well as
> knoppix or others. It may be traitorous to say this, but there's a
> knoppix based distro out there for forensic/data-recovery use with
> rootkit hunting tools on it. I generally keep a copy of it lying
> around, although the name escapes me at present.
> 
Is it knoppix-std?


-- 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
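The chkproc check Ian describes (processes reachable under /proc/<pid> that do not appear in readdir() output) is simple enough to reproduce; the following is an added example, not chkrootkit's own code, written for this thread. It lists /proc, then probes /proc/<pid>/status for every PID up to a cap, and reports PIDs that open fine by path but never showed up in the listing, printing each one's /proc/<pid>/cmdline so you can match it against the applications you know are running, exactly the cross-check Ian did by hand. The listing is taken twice, before and after the probe, so processes that start or exit during the scan are not reported as hidden. Function names, the PID cap and the `hidden_pids` helper are this example's own choices. As Jim points out, a check like this necessarily runs on the suspect kernel, so a kernel-space rootkit that hooks both readdir() and open() can fool it; it complements, and does not replace, scanning the disk from trusted media.

```python
import os
import re

PROC = "/proc"
PID_RE = re.compile(r"^\d+$")


def listed_pids(proc=PROC):
    """PIDs visible through readdir() of /proc; this is what ps and ls rely on."""
    if not os.path.isdir(proc):
        return set()
    return {int(name) for name in os.listdir(proc) if PID_RE.match(name)}


def probed_pids(max_pid, proc=PROC):
    """PIDs reachable by opening /proc/<pid>/status directly, bypassing readdir()."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"{proc}/{pid}/status", "rb"):
                found.add(pid)
        except OSError:
            continue
    return found


def hidden_pids(listed, probed):
    """Pure comparison (hypothetical helper): PIDs reachable by path but absent
    from the directory listing. Kept separate so it can be tested offline."""
    return sorted(set(probed) - set(listed))


def cmdline(pid, proc=PROC):
    """Command line as stored in /proc/<pid>/cmdline (NUL-separated argv)."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").strip().decode(errors="replace")
    except OSError:
        return ""


def read_pid_max(proc=PROC, default=32768):
    """Upper bound for the probe; falls back to a constructed default if unreadable."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def scan(proc=PROC, max_pid=None):
    """Return [(pid, cmdline), ...] for PIDs that never appeared in readdir() output.

    The listing is taken before and after the probe so that PIDs which merely
    appeared or vanished during the scan are not misreported as hidden.
    """
    if max_pid is None:
        max_pid = read_pid_max(proc)
    before = listed_pids(proc)
    probed = probed_pids(max_pid, proc)
    after = listed_pids(proc)
    return [(pid, cmdline(pid, proc)) for pid in hidden_pids(before | after, probed)]


if __name__ == "__main__":
    suspicious = scan()
    if not suspicious:
        print("no PIDs found outside readdir() output")
    for pid, cmd in suspicious:
        # Compare each entry against the applications you know are running.
        print(f"PID {pid} not in readdir() output: {cmd or '<no cmdline>'}")
```

Run it as root so every /proc/<pid>/status is readable; a non-root run can only report processes you own. On a machine with a large pid_max the probe is slow, so pass `scan(max_pid=...)` to limit it when experimenting.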