[nylug-talk] Take two... nmap and chkrootkit

J. Oquendo sil at infiltrated.net
Thu Jul 5 11:30:11 EDT 2007


Wow... See what happens when you shoot off email without
having enough coffee in your system.

Anyhow, nmap is alright for determining a baseline,
but I tend to prefer the lsof method. What I meant to
type about chkrootkit when I stated its limitations
is that chkrootkit solely detects what it's programmed
to detect. For me, a better method would be writing
your own combination of checks and balances based on
what your server's/machine's goals/purpose/functions
are.

E.g. if you know you're only running, say, http and ssh,
a quick shell script to check that only those ports
are set to listen is much more valuable than hoping
someone updates a program which was described to do
this for you (e.g. chkrootkit). What are you going
to do when the developer stops updating?

I've got all sorts of funkiness going on with automating
checks and balances, running from auto iptables blocks
for extremes found in snort, to a brutally modified
version of Deception Tool Kit, to honeyd and some
others. I've found throughout the years, though, it's
best to understand your system and what it's doing
and make your own fixes in conjunction with what is
publicly available...

Here is one reason why chkrootkit will fail:
http://www.infiltrated.net/dsphunxion.output

What is that?

wget -qO - www.infiltrated.net/scripts/dsphunxion.output|\
grep -v "-"|\
python -c "import sys; print sys.stdin.read().decode('base64')"

(worry little the above just decodes what that pseudo
cert is)

It's a proof-of-concept heuristic piece of nonsense.
I posted it for the purpose of making those *unaware*
aware that sometimes it's best to understand your
system instead of being dependent on other programs
or individuals. Get to know your machine, what it
does, why it does it, etc. Well, I'm speaking from
an administrator perspective.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey 
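The "quick shell script" the post describes, written out as an added example (this is not code from the original message or its author): it reads lsof's TCP listener output, pulls out the port numbers, and prints any port that is not in an allowlist of expected services. The lsof line inside SAMPLE_LSOF is a constructed sample, not captured from a real host, and the allowlist of 22 and 80 is an assumption standing in for the ssh/http example in the post.

```shell
#!/bin/sh
# Added example: compare listening TCP ports against an allowlist of
# services this machine is supposed to run (assumed: ssh and http).
ALLOWED_PORTS="22 80"

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real
# data). The third line stands in for a listener nobody asked for.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
httpd    901 www     4u  IPv4  12390      0t0  TCP *:80 (LISTEN)
unknown 4242 root    5u  IPv4  13001      0t0  TCP *:31337 (LISTEN)'

# listening_ports: read lsof LISTEN lines on stdin and print one port
# number per line. The NAME column is field 9 (e.g. "*:22" or
# "[::]:22"); the port is whatever follows the last colon.
listening_ports() {
    awk '/\(LISTEN\)/ { n = split($9, a, ":"); print a[n] }' | sort -n | uniq
}

# unexpected_ports: print every listening port not in $ALLOWED_PORTS.
# Output is empty when the box matches its baseline.
unexpected_ports() {
    for p in $(listening_ports); do
        found=0
        for a in $ALLOWED_PORTS; do
            [ "$p" = "$a" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$p"
    done
    return 0
}

# check_sample: run the check over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | unexpected_ports
}

# On a live system, replace the sample with the real listener table:
#   lsof -nP -iTCP -sTCP:LISTEN | unexpected_ports
```

Run from cron and mail yourself the output; a non-empty result means something is listening that your baseline never included, which is the kind of check the post argues you should own yourself rather than wait for a signature database to cover.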


More information about the nylug-talk mailing list