


Forensics On a Cracked Linux Server

mutterc Re:Does rtkhunter... (219 comments)

There's an interesting third approach, used by Sysinternals's (now part of MS) RootkitRevealer for Windows.

Basically, enumerate all the files on the system using the usual OS APIs. Then, scan the entire raw disk, and enumerate all the files on the system by manually interpreting the directory structures stored on-disk. Any files whose directory entries exist on-disk, but don't show up in the OS's API (with a few standard system exceptions) are being hidden from the OS API layer by a rootkit.

It's certainly theoretically possible to fool, by having your rootkit hook the APIs used to read the raw disk, and returning innocuous values, but that's a good bit harder to do than the other stuff rootkits usually do. Some rootkits fooled it by not hiding their files if the process trying to look them up was named RootkitRevealer.exe, so the tool took to making a randomly-named copy of itself and executing that.

more than 7 years ago
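The cross-view check the comment describes, as an added Python example that is not part of the original post or of RootkitRevealer: it walks a constructed ext2/3/4-style linear directory block (the classic `ext2_dir_entry_2` layout; htree index blocks are not handled) to build the "on-disk" view, then reports names the OS-API listing omitted. The directory block and the API listing are both constructed inline, the API listing as if a hooked readdir() had dropped one entry.

```python
import struct

EXT_DIR_ENTRY = struct.Struct("<IHBB")   # inode, rec_len, name_len, file_type (ext2_dir_entry_2)
STANDARD_EXCEPTIONS = {".", ".."}        # the "few standard system exceptions"


def build_dir_block(entries, block_size=1024):
    """Pack (inode, name, file_type) tuples into a constructed linear directory block."""
    out = bytearray()
    for i, (inode, name, ftype) in enumerate(entries):
        name_b = name.encode()
        rec_len = (EXT_DIR_ENTRY.size + len(name_b) + 3) & ~3   # entries are 4-byte aligned
        if i == len(entries) - 1:
            rec_len = block_size - len(out)                     # last entry spans to block end
        out += EXT_DIR_ENTRY.pack(inode, rec_len, len(name_b), ftype) + name_b
        out += b"\0" * (rec_len - EXT_DIR_ENTRY.size - len(name_b))
    return bytes(out)


def parse_dir_block(block):
    """Low-level view: walk the raw block by rec_len and collect live (inode != 0) names."""
    names, off = [], 0
    while off + EXT_DIR_ENTRY.size <= len(block):
        inode, rec_len, name_len, _ = EXT_DIR_ENTRY.unpack_from(block, off)
        if rec_len < EXT_DIR_ENTRY.size or off + rec_len > len(block):
            raise ValueError(f"corrupt rec_len {rec_len} at offset {off}")
        if inode != 0:   # inode 0 marks an unused slot (e.g. the ext4 checksum tail)
            start = off + EXT_DIR_ENTRY.size
            names.append(block[start:start + name_len].decode(errors="replace"))
        off += rec_len
    return names


def cross_view_diff(api_view, disk_view, exceptions=STANDARD_EXCEPTIONS):
    """Names the on-disk structures contain but the OS-API listing did not return."""
    return sorted(set(disk_view) - set(api_view) - exceptions)


# Constructed sample: the block a forensic reader would pull from the raw device ...
SAMPLE_ENTRIES = [(2, ".", 2), (2, "..", 2), (12, "sshd_config", 1),
                  (13, "moduli", 1), (14, "libhook.so", 1)]
SAMPLE_BLOCK = build_dir_block(SAMPLE_ENTRIES)
# ... and the high-level listing, constructed as if a hooked readdir() dropped one entry.
API_LISTING = [".", "..", "sshd_config", "moduli"]


def hidden_entries():
    return cross_view_diff(API_LISTING, parse_dir_block(SAMPLE_BLOCK))


if __name__ == "__main__":
    print("hidden from API view:", hidden_entries())   # ['libhook.so']
```

On a real system the raw block would come from reading the block device (or an image) directly rather than from a constructed buffer, which is exactly the read path a rootkit would have to hook to defeat the comparison.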

