One thing to be wary of is the number of false positives coming from chkrootkit. It seems to alert for just about every .* directory it can find on the system, including bits of JDK, volatile tmpfs, and is subject to race conditions, falsely complaining about “hidden” processes when all that’s happened is a few have died since it compared lists. Processes in detached screen sessions seem to show up based on their ttys not being found in utmp. It seems to think my init is `INFECTED' which is complete hokum. All this because it’s a kludged-up load of shell scripts relying on grep for ill-defined regexp matches.
So. I’m with rkhunter - it’s far more intelligent in operation, doing things like checking for changes in passwd and root-equivalent users between runs, for example. I can and do run both on all dozen-or-more Debian boxes, but I take rkhunter far more seriously and only look for *changes* in output from chkrootkit.
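The two practices the commenter describes, watching passwd for root-equivalent (uid 0) accounts and looking only at *changes* in chkrootkit output between runs, as an added POSIX sh example that is not part of the blog post or its comments. The STATE_DIR path, the function names and the sample passwd lines are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the blog or rkhunter/chkrootkit themselves.
# Usage (assumed): . ./rkdiff.sh; chkrootkit -q >/tmp/chk.out;
#                  report_changes chkrootkit /tmp/chk.out
# STATE_DIR is an assumed location for stored baselines.
STATE_DIR="${STATE_DIR:-/var/lib/rkdiff}"

# Print every account whose uid is 0 in the given passwd-format file.
# Anything besides "root" here is a root-equivalent user worth a look.
root_equiv_users() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Compare a fresh report for NAME against its stored baseline.
# First run: store the report as the baseline and return 0.
# Later runs: return 0 if unchanged; otherwise print a unified diff
# and return 1, so noisy but stable false positives stay silent.
report_changes() {
    name="$1"; newfile="$2"
    mkdir -p "$STATE_DIR"
    base="$STATE_DIR/$name.baseline"
    if [ ! -f "$base" ]; then
        cp "$newfile" "$base"
        return 0
    fi
    if diff -u "$base" "$newfile" >"$STATE_DIR/$name.diff"; then
        return 0
    fi
    cat "$STATE_DIR/$name.diff"
    return 1
}

# After a human has reviewed a diff, adopt the new report as the baseline.
accept_baseline() {
    cp "$2" "$STATE_DIR/$1.baseline"
}
```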
Debian Package of the Day » Blog Archive » rkhunter & chkrootkit: wise cracke...