[nycbug-talk] Searching for suspect PHP files...
George Rosamond
george at ceetonetechnology.com
Wed Mar 4 11:28:39 EST 2009
Matt Juszczak wrote:
>> Tripwire became a bloated beast nowadays. I'm using mtree(8) for
>> checking file integrity and it is a very good tool for such job.
>>
>> --Andy
>
> So say I wanted to check if an existing system of mine has been
> compromised. I already know that chkrootkit is returning nothing, but
> that's returning nothing with no source to compare to, so obviously
> there's the potential there for error.
>
> Should I compile world in /usr/src and use chkrootkit with a basedir of
> the compiled binaries? Or should I use mtree, and if so, suggestions on
> best ways?
>
IMHO, it depends on the context.
mtree is great if you're looking at a set of static files. . . clearly a
dynamically generated www site will have files that can't be simply mtree'd.
If you're looking at a static site, mtree can be fine for the files in
question, then use chkrootkit for a *clean* base system.
If your starting point is with a questionable base system, start over.
:)
HTH
George
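An added example, not from the thread: a small Python stand-in for the mtree workflow George describes (record a spec of a known-clean static tree, compare the live tree against it later), written in Python so it runs where mtree(8) is not installed. It keeps a sha256 digest per file, can write the baseline in mtree spec syntax, and on comparison reports changed, missing and new files, singling out new or altered PHP files; the docroot built in demo() is constructed sample input.

```python
import hashlib
import tempfile
from pathlib import Path

def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_spec(root) -> dict:
    """Baseline taken from a known-clean tree: relative path -> sha256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_mtree_spec(spec: dict) -> str:
    """Render the baseline in mtree(8) spec syntax so it can be stored off-box."""
    lines = ["# static docroot baseline, sha256"]
    lines += [f"./{rel} type=file sha256digest={d}" for rel, d in sorted(spec.items())]
    return "\n".join(lines) + "\n"

def compare_spec(spec: dict, root) -> dict:
    """Re-hash the live tree and diff it against the baseline."""
    live = build_spec(root)
    changed = sorted(k for k in spec if k in live and live[k] != spec[k])
    missing = sorted(k for k in spec if k not in live)
    extra = sorted(k for k in live if k not in spec)
    # On a static site PHP never changes or appears by itself: inspect those first.
    suspect = sorted(k for k in changed + extra if k.lower().endswith(".php"))
    return {"changed": changed, "missing": missing, "extra": extra, "suspect_php": suspect}

def demo() -> dict:
    """Constructed scenario: baseline a clean docroot, then simulate tampering
    (one existing file edited, one new PHP file dropped) and run the compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "css").mkdir()
        (root / "index.html").write_text("<html>clean</html>")
        (root / "css" / "site.css").write_text("body{}")
        (root / "contact.php").write_text("<?php echo 'contact'; ?>")
        baseline = build_spec(root)
        (root / "index.html").write_text("<html>changed</html>")
        (root / "css" / "x.php").write_text("<?php echo 'unexpected'; ?>")
        return compare_spec(baseline, root)

if __name__ == "__main__":
    print(demo())
```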