[nycbug-talk] Searching for suspect PHP files...
akosela at andykosela.com
Wed Mar 11 04:01:29 EDT 2009
Matt Juszczak <matt at atopia.net> wrote:
> > Not really. mtree(8) by default takes into account mtime, so if you
> > rebuilt the system at any given time, you need to start from scratch
> > with the new fresh specification file.
> OK. Surely there's a way to check out a system where this procedur wasn't
> performed. I guess, potentially, using chkrootkit comparing sources
> compiled in /usr/src?
If you recompiled world it will now be definetly harder to ensure your
machine has not been compromised. Chrootkit does not compare anything,
but only checks for "known signatures" in system binaries, so it can
help, but not in a way you think.
Proper security policies must be implemented from scratch, involving
certain things even *before* you put the system online. But I would
just start from the point where you are now, i.e. make a fresh mtree(8)
specification and monitor any files that change and suspicious system
More information about the talk