26-09-2009, 11:31 PM
DavidU (Dave)
Now that's cool, Dave
Quote:
Originally Posted by dpastern View Post
[now becoming a bit off topic]

Linux rootkits are becoming more common sadly. Most of the people running Linux as servers, with connectivity to the big bad wide world, do not lock their systems down properly. Blackhats just love 'em! Cracking a system isn't about the Hollywood BS that you see, it's about knowing the operating system, knowing the vulnerable pieces of software on it, and knowing how to exploit them. It's more like detective work than glamour work. Windows XP pre SP 2 could be p0wned in under a minute if you knew how. At least XP SP 2 is much, much better.

Personally, on a work system, I prefer to have each major directory on its own mountable partition (/root, /boot, /etc, /var, /opt, /bin, /sbin and so on and so forth) - it makes it far easier when dealing with intrusions. I personally like tripwire installed on any production system, with the results burnt to a non re-writeable CD. When you get a problem, remove drive from system, boot off a non infected system and mount said drive, then compare the hashes from the CD to the drive in question to see which binaries and files have been modified. In most cases, it's not worth the effort - far better to blow the system away on a low level format with multiple passes imho.

Dave