On Thu, 07 Feb 2008 at 11:01:06AM +0000, Jon Fautley wrote:
> On Thu, 7 Feb 2008 08:55:43 +0000
> Dr Adam J Trickett <adam.trickett@???> wrote:
> 
> > Some people build an AIDE database then burn it to a read-only 
> > medium, and run off that. I use a combination of aide, 
> > check root kit, rootkit hunter, and tiger all available in Debian 
> > Etch.
> 
> All excellent tools, but you should never install them from your
> distributions repositories. If your system has been "rooted" then just
> doing an "apt-get install chkrootkit" could mean your system is
> grabbing a compromised package from another location. Additionally, a
> "dpkg -i chkrootkit-blah.dpkg" could trigger the rootkit/malware to
> replace critical parts of the package before they hit the filesystem.
> Unlikely, but not impossible.
Obviously you need to install them before you deploy your system;
it is utterly pointless to install them after you think your system
has been compromised!
There is also some logic in having a dedicated live CD to inspect 
suspect systems, but as you need to do a reboot they are not 
practical for routine scanning. 
> I know that chkrootkit is designed to be "standalone" - i.e. download
> and run, no messing around with compilation/installation for exactly
> this reason.
> 
> For the same reasons, never use an "already installed/downloaded" copy
> of these tools if you suspect you've been 0wn3d.
Some people I know would quarantine a suspect box, deploy a 
replacement from a known good source. They would only be interested 
in the suspect system if there was data on it that wasn't backed 
up. If it held no data, then they'd just wipe the suspect box and 
re-deploy.
The next question is, "You do have backups?" followed by, "Have
your backups been compromised...?"
-- 
Adam Trickett
Overton, HANTS, UK
Stupidity maintained long enough is a form of malice.
    -- Richard Bos's corollary
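An added example, not part of this thread or of AIDE itself, sketching the "build the database, keep it on read-only media, run off that" workflow in POSIX shell: `sha256sum` stands in for AIDE's hashing, `chmod 444` stands in for the read-only medium, and the function names `build_baseline` and `verify_baseline` are constructed for this illustration.

```shell
#!/bin/sh
# Minimal file-integrity baseline in the spirit of AIDE (constructed example).
# build_baseline records a sha256 for every regular file under a directory;
# verify_baseline compares the live tree to that baseline and reports drift.
set -eu

# build_baseline DIR OUT: write "<sha256>  <relative path>" lines, sorted by path.
build_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$out"
    chmod 444 "$out"   # stands in for burning the database to read-only media
}

# verify_baseline DIR BASELINE: print one "added|changed|missing <path>" line
# per difference; return 0 when the tree matches the baseline, 1 otherwise.
verify_baseline() {
    dir=$1; base=$2
    live=$(mktemp)
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$live"
    drift=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        { live[$2] = $1 }                              # second file: live tree
        END {
            for (p in base)
                if (!(p in live))            print "missing " p
                else if (base[p] != live[p]) print "changed " p
            for (p in live)
                if (!(p in base))            print "added " p
        }' "$base" "$live" | sort)
    rm -f "$live"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```

Run `build_baseline /usr/local/bin /media/cdrom-staging/baseline.db` before deployment, then schedule `verify_baseline /usr/local/bin /media/cdrom/baseline.db` from a copy of the checker that is itself covered by the baseline.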