SBDavid
Jan 18th, 2010
Jan 18th, 2010
Can chkrootkit detect modified rootkit versions
Can chkrootkit detect modified (or new) rootkit versions?
If chkrootkit can’t find a known signature inside a file, it can’t automatically determine if it has been trojaned. Try to run chkrootkit in expert mode (-x option) — in this mode the user can examine suspicious strings in the binary programs that may indicate a trojan.
For example, lots of data can be seen with:
# ./chkrootkit -x | more
Pathnames inside system commands:
# ./chkrootkit -x | egrep ‘^/’
