See Chapter 19 for more information on bootable security and rescue CDs.
Using INSERT to Check for rootkits
If an intruder gains access to your Linux system to try to take over control of that system (and use
it for more than just a hit-and-run), he or she might install what is called a rootkit. A rootkit is a
set of software that the intruder will use to:
Carry out his or her intent (such as hosting false Web content from your server)
Hide his or her activities from your view
Rootkits can employ different methods for hiding what they do. Often a rootkit will replace
common system commands with its own version of those commands. So, for example, a rootkit
might replace ls and ps with versions that do not list the files it added to your machine or
do not show its processes running on your system, respectively.
The chkrootkit command is a good tool for checking for well-known rootkits, as well as for generally
checking system files to see if they have been infected. This tool will check for infections in
disk-checking tools (such as du, find, and ls), process table tools (ps and pstree), login-related
commands (login, rlogin, and slogin), and many other tools. Here's how to run chkrootkit
from INSERT:
1. Insert the CD that comes with this book into the CD drive and reboot.
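The reason for booting from INSERT rather than running the check on the live system is that the CD supplies its own trusted copies of ls, sha256sum, and the other tools, so a replaced on-disk command cannot lie about itself. The script below is an added example, not from the book or from chkrootkit, of the simplest form of that check: it records the checksums of the commands named above on a known-clean system and later compares the suspect disk (assumed mounted read-only from the rescue CD) against that baseline. The command paths and mount points are assumptions; adjust them to your distribution.

```shell
#!/bin/sh
# Added example: compare the commands chkrootkit inspects against a trusted baseline.
# Assumptions: the suspect system's root filesystem is mounted (read-only) under the
# directory passed as ROOT, the baseline was made earlier from a clean install with
# the same package versions, and the commands live at these relative paths.
COMMANDS="bin/ls bin/ps usr/bin/du usr/bin/find usr/bin/pstree bin/login usr/bin/rlogin usr/bin/slogin"

# make_baseline ROOT OUT: write "sha256 relative/path" for every watched command found under ROOT.
make_baseline() {
    root="$1"; out="$2"
    : > "$out"
    for rel in $COMMANDS; do
        if [ -f "$root/$rel" ]; then
            sum=$(sha256sum "$root/$rel" | cut -d' ' -f1)
            printf '%s %s\n' "$sum" "$rel" >> "$out"
        fi
    done
}

# check_against_baseline ROOT BASELINE: print "MODIFIED path" for a command whose
# checksum changed and "MISSING path" for one that was removed; exit status 1 if
# anything is wrong, 0 if every watched command matches the baseline.
check_against_baseline() {
    root="$1"; baseline="$2"; bad=0
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$root/$rel" ]; then
            printf 'MISSING %s\n' "$rel"; bad=1; continue
        fi
        actual=$(sha256sum "$root/$rel" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$rel"; bad=1
        fi
    done < "$baseline"
    return $bad
}

# Typical use from the rescue CD, with the suspect disk mounted at /mnt/sda1 and the
# baseline kept on removable media (both paths are assumptions):
#   check_against_baseline /mnt/sda1 /mnt/usb/baseline.sha256
```

A mismatch on ps or ls is exactly the symptom described above, but a legitimate package update also changes checksums, so regenerate the baseline after every update from a trusted source.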