File: rootkit.html

Package: tiger 1:3.2.1-35 (area: main; suites: etch, etch-m68k)
<HR><PRE>








</PRE><HR>
<CENTER><H2> Documents for rootkit</H2></CENTER>
<A NAME="rootkit001f"><P><B>Code [rootkit001f]</B><P>
A test was run on the 'ls' command to determine if it 'sees'
certain pathnames (e.g., '...', 'bnc', 'war', etc.). Tiger creates
a temporary directory, creates files with known hacker program
and directory names, and attempts an 'ls'. If the 'ls' does not
list one of these files, a FAIL is issued.
<PRE>










</PRE><HR>
<A NAME="rootkit002f"><P><B>Code [rootkit002f]</B><P>
A test was run on the 'find' command to determine if it 'sees'
certain pathnames (e.g., '...', 'bnc', 'war', etc.). Tiger creates
a temporary directory, creates files with known hacker program
and directory names, and attempts a 'find'. If the 'find' does
not list one of these files, a FAIL is issued.
<PRE>










</PRE><HR>
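The decoy-name test described under rootkit001f and rootkit002f can be sketched in shell as below. This is an added example, not Tiger's own script: the decoy list is only the three names the text mentions, and the function names check_tool and run_check are hypothetical.

```shell
#!/bin/sh
# Added example, not Tiger's script. Decoy names are the three the page
# mentions; check_tool and run_check are hypothetical names.
DECOYS="... bnc war"

# check_tool TOOL DIR: report every decoy in DIR that TOOL fails to list.
# Returns 0 if all decoys are visible, 1 if any is hidden, 2 on bad usage.
check_tool() {
    tool=$1; dir=$2; missing=0
    case $tool in
        ls)   listing=$(ls -a "$dir") ;;   # -a because '...' is a dot-file
        find) listing=$(find "$dir" -print | sed 's|.*/||') ;;  # basenames
        *)    echo "unknown tool: $tool" >&2; return 2 ;;
    esac
    for name in $DECOYS; do
        # -x: whole-line match, so '..' cannot satisfy '...';
        # -F: fixed string, so the dots are not regex wildcards.
        if ! printf '%s\n' "$listing" | grep -qxF -- "$name"; then
            echo "FAIL: '$tool' does not show '$name'"
            missing=1
        fi
    done
    return "$missing"
}

# run_check: create the decoys in a fresh directory, test both tools, clean up.
run_check() {
    tmp=$(mktemp -d) || return 2
    for name in $DECOYS; do : > "$tmp/$name"; done
    status=0
    check_tool ls "$tmp" || status=1
    check_tool find "$tmp" || status=1
    rm -rf "$tmp"
    return "$status"
}

run_check && echo "PASS: ls and find list every decoy name"
```

A clean result only shows that these two binaries do not filter the listed names; it says nothing about hiding done by other means.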
<A NAME="rootkit003w"><P><B>Code [rootkit003w]</B><P>
The 'chkrootkit' program has detected a suspicious directory
which might be an indication of an intrusion.
A full analysis of the system is recommended to determine the
presence of further signs of intrusion since a rootkit might have
been installed.
<PRE>










</PRE><HR>
<A NAME="rootkit004w"><P><B>Code [rootkit004w]</B><P>
The 'chkrootkit' program has detected a possible rootkit installation.
A full analysis of the system is recommended to determine the
presence of further signs of intrusion since a rootkit might have
been installed.
<PRE>










</PRE><HR>
<A NAME="rootkit005a"><P><B>Code [rootkit005a]</B><P>
The 'chkrootkit' program has detected a rootkit installation.
A full analysis of the system is recommended to determine the
presence of further signs of intrusion and to determine if the
rootkit is indeed installed.
<PRE>










</PRE><HR>
<A NAME="rootkit006a"><P><B>Code [rootkit006a]</B><P>
A rootkit is installed by intruders in systems which have been
successfully compromised and in which they have obtained full
administrator privileges. The installation of a rootkit is
an indication of a major system compromise.
<P>
If the installation of a rootkit is confirmed, you are encouraged
to power off the system and follow the steps outlined in
"Steps for Recovering from a UNIX or NT System Compromise"
(http://www.cert.org/tech_tips/root_compromise.html).