Hunting for Rootkits
Posted Mar 2, 2007 2:36 UTC (Fri) by smoogen
In reply to: Hunting for Rootkits
Parent article: Hunting for Rootkits
When keeping track of checksums, one needs to do the following:
One, figure out if the system is using some sort of prelinking. If it is, then your system will go through and change the checksums itself. Make sure whatever tool you have can deal with prelinking by knowing how to check around the prelink area.
Two, use two different algorithms AND make sure you keep a copy of the sizes of the items. Differing algorithms would be like using whirlpool AND sha-2, as I am pretty sure they are not related closely enough for a similar attack to be useful.
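The two points above (canonicalize around prelink, then record size plus two unrelated digests) as an added example; this is illustration code, not smoogen's own tooling or anything from the article. Assumptions: SHA-3 stands in for the Whirlpool the comment mentions because Python's hashlib does not guarantee Whirlpool is available; prelinked ELF files are reduced to their original bytes with `prelink -y`, which prints the un-prelinked file to stdout; the sample files in `demo()` are constructed here.

```python
import hashlib
import os
import shutil
import subprocess
import tempfile

# Two digest families that share no internal structure (assumption: sha3_256
# substitutes for the post's whirlpool, which hashlib may not provide).
ALGOS = ("sha256", "sha3_256")


def is_elf(path):
    """True if the file starts with the ELF magic, i.e. prelink may have touched it."""
    with open(path, "rb") as f:
        return f.read(4) == b"\x7fELF"


def canonical_bytes(path):
    """Return the bytes to fingerprint.

    For an ELF file on a system with prelink installed, 'prelink -y' reverses the
    address rewriting and prints the original binary, so the fingerprint does not
    drift every time prelink runs. Non-ELF files are hashed as-is.
    """
    if is_elf(path) and shutil.which("prelink"):
        try:
            return subprocess.run(["prelink", "-y", path], capture_output=True,
                                  check=True).stdout
        except subprocess.CalledProcessError:
            pass  # not prelinked (or prelink refused): fall through to raw bytes
    with open(path, "rb") as f:
        return f.read()


def fingerprint(path):
    """Size plus one digest per algorithm, computed over the canonical bytes."""
    data = canonical_bytes(path)
    fp = {"size": len(data)}
    for algo in ALGOS:
        fp[algo] = hashlib.new(algo, data).hexdigest()
    return fp


def baseline(paths):
    """Build the trusted record: path -> fingerprint."""
    return {p: fingerprint(p) for p in paths}


def verify(base):
    """Compare current state against the baseline.

    Returns path -> list of mismatching fields. A file that only trips one digest
    while size and the other digest agree would point at a collision attack on
    that single algorithm rather than a plain modification.
    """
    findings = {}
    for path, old in base.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        new = fingerprint(path)
        diffs = [field for field in old if old[field] != new[field]]
        if diffs:
            findings[path] = diffs
    return findings


def demo():
    """Constructed sample: one file tampered in place (same size), one appended to."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "a.bin")
        b = os.path.join(d, "b.bin")
        with open(a, "wb") as f:
            f.write(b"hello world\n" * 4)
        with open(b, "wb") as f:
            f.write(b"#!/bin/sh\necho ok\n")
        base = baseline([a, b])
        clean = verify(base)
        with open(a, "r+b") as f:      # same-size change: size alone would miss it
            f.write(b"j")
        with open(b, "ab") as f:       # appended payload: size and digests all move
            f.write(b"echo pwned\n")
        tampered = {os.path.basename(p): v for p, v in verify(base).items()}
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Note that `canonical_bytes` trusts the system's `prelink` binary; on a box you already suspect, run the check from known-good media so that neither the hashing tool nor `prelink` is the thing that has been replaced.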