[nycbug-talk] Searching for suspect PHP files...

George Rosamond george at ceetonetechnology.com
Wed Mar 4 11:28:39 EST 2009

Matt Juszczak wrote:
>> Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
>> checking files integrity and it is a very good tool for such job.
>> --Andy
> So say I wanted to check if an existing system of mine has been 
> compromised.  I already know that chkrootkit is returning nothing, but 
> that's returning nothing with no source to compare to, so obviously 
> there's the potential there for error.
> Should I compile world in /usr/src and use chkrootkit with a basedir of 
> the compiled binaries?  Or should I use mtree, and if so, suggestions on 
> best ways?

IMHO, it depends on the context.

mtree is great if you're looking at a set of static files. . . clearly a 
dynamically generated www site will have files that can't be simply mtree'd.

If you're looking at a static site, mtree can be fine for the files in 
questions, then use chkrootkit for a *clean* base system.

If your starting point is with a questionable base system, start over.




More information about the talk mailing list