Re: rootkit and trojan hunting

[Jeff D <fixedored () gmail com>]

"Zow" Terry Brugger wrote:
> >      i am developing a small host integrity scanner / checker, to hunt
> >  rootkits and trojans. offcourse, i need to add more methods /
> >  techniques to detect. I am currently hashing out important files like
> >  kernel, /boot dir and System.map files. Is there any other possible
> >  way to code it better and anyother suggestion would be really helpful
> >  in my coding.
>
> Don't reinvent the wheel -- just use Tripwire.
> http://sourceforge.net/projects/tripwire/ for the open source version,
> or http://www.tripwire.com/products/ for the commercial version if you
> need something beefier. Based on what you've said in your message, it
> sounds like the open source version will work just fine.
>
> Cheers,
> Terry

Also worth mentioning are aide http://sourceforge.net/projects/aide , 
which does file integrity checking ,  and rkhunter and lynis 
http://www.rootkit.nl/ , rkunter checks the system for rootkits and 
trojans and lynis checks for some configuration issues.

hth,
jeff

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------