[Cialug] Rootkit?
Nathan Stien
nathanism at gmail.com
Thu Jan 31 20:51:18 CST 2008
On Jan 31, 2008 8:27 PM, Josh More <morej at alliancetechnologies.net> wrote:
> Boot Knoppix or RescueCD and run chkrootkit and rkhunter again. Run
> clamAV.
Hmm, it seems to me that running rkhunter & friends from Knoppix would
check the cdrom's binaries and /etc files rather than those on my
drive. Is there some boot disc out there that is set up to scan your
hard drive with those tools?
> Run Nessus and nmap against your server from a trusted machine.
nmap is my go-to tool for stuff like this. But I must admit my
ignorance -- I've never used nessus before; what does it do that nmap
doesn't?
> Boot into different init levels and see if the same behavior occurs.
Interesting idea, I'll try that one.
> Check your router/firewall for outbound packets for which you cannot
> account. (You may have to sniff for up to two weeks to actually see
> them, if they batch them (ports 80, 25, and 666* are common, but there
> are others)).
Hmm, I go to all manner of sites all the time. It would be impossible
to check outgoing port 80 stuff. Other ports might be easier to
check, though.
Thanks for the suggestions, Josh!
- Nathan
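The outbound-traffic check Josh suggests, and Nathan's objection that port 80 is too noisy to inspect by hand, as an added example that is not part of the original thread. It assumes a constructed firewall log format (epoch seconds, source, destination, destination port, protocol); the sample lines, the allowlist of expected ports and the beacon thresholds are assumptions chosen for the example. The non-port-80 case is handled by flagging any port outside the allowlist, and the port-80 case by looking for the evenly spaced connections a batched upload produces instead of trying to vet every web destination.

```python
"""Summarise outbound connections from a router/firewall log and flag the
ones the owner cannot account for.

Added example, not code from the Cialug thread. Input format (assumed):
    <epoch-seconds> <src-ip> <dst-ip> <dst-port> <proto>
"""
from collections import defaultdict
import statistics

# Constructed sample log: one host, 192.168.1.10, talking out through the
# router.  The 10.99.7.3:6667 entries are spaced exactly ten minutes apart.
SAMPLE_LOG = """\
1201820400 192.168.1.10 74.125.19.99 80 tcp
1201820405 192.168.1.10 64.233.169.103 80 tcp
1201820700 192.168.1.10 10.99.7.3 6667 tcp
1201820412 192.168.1.10 208.67.222.222 53 udp
1201821300 192.168.1.10 10.99.7.3 6667 tcp
1201821900 192.168.1.10 10.99.7.3 6667 tcp
1201822500 192.168.1.10 10.99.7.3 6667 tcp
1201822530 192.168.1.10 72.14.207.99 80 tcp
1201823100 192.168.1.10 10.99.7.3 6667 tcp
1201823111 192.168.1.10 64.233.169.103 443 tcp
"""

# Ports the owner can account for from this host (assumption for the example).
EXPECTED_PORTS = {53, 80, 443}

# A destination hit at least this many times with intervals that vary by no
# more than this fraction of the mean interval is reported as a beacon.
MIN_BEACON_HITS = 4
MAX_JITTER_FRACTION = 0.1


def parse_log(text):
    """Return (ts, src, dst, port, proto) tuples sorted by time; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        try:
            events.append((int(ts), src, dst, int(port), proto))
        except ValueError:
            continue
    return sorted(events)


def unexpected_ports(events, expected=EXPECTED_PORTS):
    """Map each destination port outside the allowlist to the destinations hit."""
    hits = defaultdict(set)
    for _, _, dst, port, _ in events:
        if port not in expected:
            hits[port].add(dst)
    return dict(hits)


def beacons(events, min_hits=MIN_BEACON_HITS, max_jitter=MAX_JITTER_FRACTION):
    """Find (dst, port) pairs contacted at near-constant intervals.

    Runs over every port, including 80: interactive browsing arrives in
    irregular bursts, a scheduled batch upload arrives on a timer.  Returns
    {(dst, port): mean_interval_seconds}.
    """
    by_peer = defaultdict(list)
    for ts, _, dst, port, _ in events:
        by_peer[(dst, port)].append(ts)
    found = {}
    for peer, stamps in by_peer.items():
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            found[peer] = round(mean)
    return found


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for port, dsts in sorted(unexpected_ports(events).items()):
        print(f"unexpected port {port}: {', '.join(sorted(dsts))}")
    for (dst, port), interval in sorted(beacons(events).items()):
        print(f"beacon to {dst}:{port} every {interval}s")
```

On the sample log this reports port 6667 (inside the "666*" range mentioned above) as unaccounted for, and the same destination as a beacon with a 600 second period; the port 80 and 443 destinations, each seen only once or twice, are left alone. Against a real two-week capture the two thresholds are what need tuning: lower MIN_BEACON_HITS catches slower schedules, higher MAX_JITTER_FRACTION tolerates retries and clock drift.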