Educause Security Discussion mailing list archives
Re: Rootkit discovery tools
From: David Taylor <ltr () ISC UPENN EDU>
Date: Tue, 27 Jun 2006 09:22:47 -0400
I don't know which tool would be the best at detecting most of the rootkits, but there are also some manual ways to check for them if you are interested. I use these techniques for Windows systems. Since rootkits often hide files, registry settings and network ports from the system, you can often check these externally to see if something shows up from the outside that doesn't show up on the inside. These methods may or may not be helpful to your current situation, but I thought I would forward them to the list in the event someone does find them useful.

Do a netstat -nao on the local machine and then do a remote port scan with a tool such as nmap. If something shows up in the nmap scan that doesn't show as listening in the netstat, there is likely a rootkit. Also, connecting to the remote system with Computer Manager will let you see hidden services. Open the services on the local machine and compare to the remote listing. This goes for the registry as well.
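The cross-view comparison described in the post above, as an added example that is not part of the original message: it parses the host's own `netstat -nao` output (the "inside" view) and an nmap grepable-output scan taken from another machine (the "outside" view), then reports ports the scanner sees open that the host does not admit to listening on. Both inputs are constructed sample outputs, not captures from a real host, and the service names in the second check are likewise made up for illustration.

```python
"""Cross-view check for hidden listeners and services on a Windows host.

Added example for this thread, not code from the original post. The
netstat and nmap outputs below are constructed samples in the real tools'
formats; nothing here was captured from an actual machine.
"""

import re

# Constructed sample of `netstat -nao` run locally on the suspect host.
# Note that TCP rows carry a State column while UDP rows do not.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:3389      192.168.1.50:51234     ESTABLISHED     1204
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `nmap -sS -sU -p- -oG - 192.168.1.10` run from
# another machine on the same network (grepable output, tab-separated).
NMAP_GREPABLE_SAMPLE = """
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 31337/open/tcp//Elite///, 137/open/udp//netbios-ns///\tIgnored State: closed (65529)
# Nmap done (constructed sample)
"""

# Constructed service-name lists: what `sc query` showed on the host versus
# what Computer Management showed when connected from a clean machine.
LOCAL_SERVICES = ["Dnscache", "EventLog", "LanmanServer", "Spooler"]
REMOTE_SERVICES = ["Dnscache", "EventLog", "LanmanServer", "SampleHiddenSvc", "Spooler"]


def parse_netstat(text):
    """Return the set of (proto, port) the host itself claims to be listening on."""
    listening = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto = fields[0].lower()
        # rsplit handles both 0.0.0.0:135 and the IPv6 form [::]:135
        port = int(fields[1].rsplit(":", 1)[1])
        # Only LISTENING TCP sockets accept new connections; established
        # sessions are not listeners. UDP rows have no state column.
        if proto == "tcp" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        listening.add((proto, port))
    return listening


def parse_nmap_grepable(text):
    """Return the set of (proto, port) nmap reported as open from outside."""
    open_ports = set()
    for line in text.splitlines():
        match = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not match:
            continue
        for entry in match.group(1).split(", "):
            port, state, proto = entry.split("/")[:3]
            # "open|filtered" (common for UDP) is not proof of a listener,
            # so only an unambiguous "open" counts.
            if state == "open":
                open_ports.add((proto, int(port)))
    return open_ports


def cross_view_diff(netstat_text, nmap_text):
    """Compare inside and outside views of the host's open ports.

    hidden_from_host: open externally but absent from netstat (rootkit indicator).
    filtered_externally: listening locally but not reachable (usually a firewall).
    """
    local = parse_netstat(netstat_text)
    external = parse_nmap_grepable(nmap_text)
    return {
        "hidden_from_host": sorted(external - local),
        "filtered_externally": sorted(local - external),
    }


def hidden_items(local_view, remote_view):
    """Same idea for services or registry keys: names the remote view lists
    that the local view does not."""
    return sorted(set(remote_view) - set(local_view))


if __name__ == "__main__":
    result = cross_view_diff(NETSTAT_SAMPLE, NMAP_GREPABLE_SAMPLE)
    for proto, port in result["hidden_from_host"]:
        print(f"SUSPICIOUS: {proto}/{port} open externally but not in netstat")
    for proto, port in result["filtered_externally"]:
        print(f"note: {proto}/{port} listening locally but filtered from outside")
    for name in hidden_items(LOCAL_SERVICES, REMOTE_SERVICES):
        print(f"SUSPICIOUS: service {name} visible remotely but not locally")
```

Take the two snapshots as close together in time as possible, and scan from the same network segment the host actually serves, otherwise a port that was opened or a firewall rule that changed between the snapshots will show up as a false hit. A port that is listening locally but filtered from outside is normally just the host firewall doing its job, which is why the script reports it separately rather than as a finding.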
Current thread:
- Rootkit discovery tools John Tooley (Jun 26)
- <Possible follow-ups>
- Re: Rootkit discovery tools Wes Young (Jun 27)
- Re: Rootkit discovery tools David Taylor (Jun 27)
- Re: Rootkit discovery tools Caroline Couture (Jun 27)
- Re: Rootkit discovery tools Graham Toal (Jun 27)
- Re: Rootkit discovery tools Wyman Miles (Jun 27)
- Re: Rootkit discovery tools David Boyer (Jun 27)
- Re: Rootkit discovery tools James H Moore (Jun 27)
- Re: Rootkit discovery tools David Taylor (Jun 27)
- Re: Rootkit discovery tools Mike Wiseman (Jun 27)
- Re: Rootkit discovery tools Graham Toal (Jun 27)
- Re: Rootkit discovery tools Wyman Miles (Jun 27)
- Re: Rootkit discovery tools Valdis Kletnieks (Jun 28)