Jim Perrin spake the following on 6/21/2006 6:00 AM:
> On 6/21/06, Ian mu <mu.llamas at gmail.com> wrote:
>> Used rkhunter which is fine apart from one app out of date which I've now
>> updated, chkrootkit it's clear but chkproc gives a couple of processes not in
>> readdir output, but they correspond to apps we are running when I check in
>> /proc/pid/cmdline so think that side's looking ok (still checking a couple of
>> bits though).
>>
>
> Keep in mind that tools like this should be run from trusted media and
> not from the suspected machine. This ensures that there is no
> kernel-space nastiness intercepting calls and feeding you bad
> information, as well as the fact that you're working from known good
> binaries. The centos live cd would be good for this, as well as
> knoppix or others. It may be traitorous to say this, but there's a
> knoppix based distro out there for forensic/data-recovery use with
> rootkit hunting tools on it. I generally keep a copy of it lying
> around, although the name escapes me at present.
>

Is it knoppix-std?

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
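The chkproc-style check Ian describes (pids that answer a direct probe of /proc/<pid> but are missing from the readdir listing, then looking at /proc/<pid>/cmdline to judge them) written out as an added POSIX shell example; this is not chkrootkit's code, and the function names are mine. As Jim notes, it trusts the running kernel, so it belongs on trusted media too.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code): chkproc-style comparison of two
# views of /proc. A kernel-space rootkit that hides a process usually filters
# readdir() on /proc, while a direct probe of /proc/<pid> still succeeds.
# Pids that differ between the views are printed with their cmdline so the
# operator can judge, as in the thread, whether they are legitimate apps.
# Like chkproc, this only sees what the running kernel lets it see; hence the
# advice to run such checks from trusted media rather than the suspect host.

nl='
'

# Exact-match lookup of pid $1 in the newline-separated listing $2 (no fork).
in_listing() {
    case "$nl$2$nl" in
        *"$nl$1$nl"*) return 0 ;;
        *) return 1 ;;
    esac
}

# readdir view: the entries ls is shown for /proc right now.
pid_in_readdir() {
    in_listing "$1" "$(ls -1 /proc 2>/dev/null)"
}

# Direct probe: stat of /proc/<pid> does not go through the directory listing.
pid_probe() {
    [ -d "/proc/$1" ]
}

# Print "<pid> <cmdline>" for pids that probe OK but are absent from readdir.
# $1 = highest pid to scan (defaults to the kernel's pid_max; a full scan is slow).
hidden_pids() {
    max=${1:-$(cat /proc/sys/kernel/pid_max 2>/dev/null || echo 32768)}
    snapshot=$(ls -1 /proc 2>/dev/null)
    pid=1
    while [ "$pid" -le "$max" ]; do
        if pid_probe "$pid" && ! in_listing "$pid" "$snapshot"; then
            # Re-list so a process that merely started after the snapshot
            # is not mistaken for a hidden one.
            if ! pid_in_readdir "$pid"; then
                cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
                printf '%s %s\n' "$pid" "${cmd:-[no cmdline readable]}"
            fi
        fi
        pid=$((pid + 1))
    done
}
```

Source the file and run `hidden_pids` with no argument for the full pid range; empty output means the two views of /proc agree.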