List:       chkrootkit-users
Subject:    Re: [crt-users] Post-processing scripts & a question
From:       Aj Effin Reznor <aj () reznor ! com>
Date:       2003-05-05 18:34:16
"Vladimir G. Ivanovic was known to say....."

> A question: Why does chkrootkit check all those perl files? What is it
> that makes those particular files more susceptible to being rooted? 

Some rootkits hide files by simply using a .name for the files they want
to make less obvious.  Perl packages use a lot of .name files (.packlist 
IIRC) and chkrootkit finds them all, which is good.

Some asked recently "why not just skip those perl files?".  Since they
aren't really used by the system for anything, they can be removed or
modified.  A rootkit author would be inclined to hide his files in a mock
.packlist knowing that a tool such as chkrootkit wouldn't look there.

If you don't want to see the perl files, do something with the perl files
themselves and not with chkrootkit, as doing the latter would compromise
the integrity of the tool.


-aj.
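The point made above is that a .packlist is just a dot-named text file, so a dot-file sweep should keep reporting it and any filtering belongs on the perl side. The following is an added example (not part of this thread and not chkrootkit's own code) of a post-processing check that does that filtering defensively: it walks a tree, reports every dot-named file, and only treats a `.packlist` as benign if its contents look like what ExtUtils writes (one absolute installed-file path per line, optionally followed by attributes). That format rule is an assumption stated in the code; the sample tree, its paths and the `.cache_constructed` file are constructed for the demonstration.

```python
"""Audit dot-named files under a directory tree, classifying Perl .packlist files.

Added example, not part of the chkrootkit-users thread or of chkrootkit itself.
"""
import os
import tempfile
from typing import Dict, List


def looks_like_packlist(path: str) -> bool:
    """Return True if the file plausibly is a real ExtUtils .packlist.

    Assumption: a genuine .packlist is plain text with one installed-file path
    per line, optionally followed by key=value attributes.  Binary content or
    lines that do not start with an absolute path are treated as suspicious.
    """
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return False
    if b"\x00" in data:  # a real .packlist is never binary
        return False
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.split()[0].startswith("/"):
            return False
    return True


def audit_dotfiles(root: str) -> Dict[str, List[str]]:
    """Walk `root` and sort every dot-named file into one of three buckets.

    'packlist_ok'  : named .packlist and contents look like a packlist
    'packlist_odd' : named .packlist but contents do not (review by hand)
    'other_hidden' : any other dot-named file (review by hand)
    Paths are returned relative to `root`, sorted for stable output.
    """
    result: Dict[str, List[str]] = {"packlist_ok": [], "packlist_odd": [], "other_hidden": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.startswith("."):
                continue
            full = os.path.join(dirpath, name)
            if name == ".packlist":
                key = "packlist_ok" if looks_like_packlist(full) else "packlist_odd"
            else:
                key = "other_hidden"
            result[key].append(os.path.relpath(full, root))
    for bucket in result.values():
        bucket.sort()
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree standing in for a perl lib directory."""
    root = tempfile.mkdtemp(prefix="dotfile-audit-")
    ok_dir = os.path.join(root, "auto", "Some", "Module")
    odd_dir = os.path.join(root, "auto", "Other", "Module")
    os.makedirs(ok_dir)
    os.makedirs(odd_dir)
    # Constructed legitimate-looking packlist: absolute paths, one per line.
    with open(os.path.join(ok_dir, ".packlist"), "w") as fh:
        fh.write("/usr/lib/perl5/Some/Module.pm\n")
        fh.write("/usr/lib/perl5/auto/Some/Module/Module.so type=file\n")
    # Constructed "mock" packlist whose content is not a file list at all.
    with open(os.path.join(odd_dir, ".packlist"), "wb") as fh:
        fh.write(b"\x00\x01\x02 constructed binary blob, not a path list\n")
    # Constructed unrelated hidden file that a plain dot-file sweep also surfaces.
    with open(os.path.join(root, ".cache_constructed"), "w") as fh:
        fh.write("not a packlist\n")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for bucket, files in audit_dotfiles(tree).items():
        print(f"{bucket}: {files}")
```

Run as a script it prints the three buckets for the constructed tree; pointed at a real perl library directory it leaves chkrootkit untouched and instead gives you a reviewable list where only content-verified `.packlist` files are set aside as expected.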

