rootkit question.

hi, is it possible to hide the presents of a rootkit from a file integrity checker in this situation, where two computers are being used (computer A and computer B) -

1, computer A runs the file integrity checker against computer B and the database is stored on a separate media

2, a rootkit is installed on computer B

3, computer A re-runs the file integrity checker with the database it made during the first scan.

should the rootkit be picked up by the file integrity checker, or are there RKs that can hide its files from the file integrity checker?[SIZE=-1]
[/SIZE]

 

Hello,

The answer is: maybe.

If the B computer OS is running, then the files might be hidden.
The best way for such an inspection is:

- With OS running
- With OS turned off - from boot CD / alternative OS

Be aware that you WILL find a difference; some files might be hidden from the user during the normal operation of the OS - hence not all files that show up as the delta would / could belong to the rootkit.

Mrk

 

Is it possible for Linux to get a rootkit?? That is Linux you have right?

 

Hello,
Rootkit is not a bad word.
Everything is possible on every OS. Almost everything. You can install software that you think is legit and turns out to be not. It could also use system calls to disguise itself. Possible, doable. All in the hands of a user.
Mrk

 

ok, thanks. i might try it out and see how it goes if i have the time and right software.

cheater, you've heard of root while using linux/unix haven't you? well rootkits were first used on unix based OSes, that's how they got their name - software kits that gain root privileges and hide themselves in various ways from the OS they are on.