Hunting for Rootkits

Posted Mar 2, 2007 2:36 UTC (Fri) by smoogen (subscriber, #97)
In reply to: Hunting for Rootkits by NAR
Parent article: Hunting for Rootkits

When keeping track of checksums, one needs to do the following:

One, figure out if the system is using some sort of prelinking. If it is, then your system will go through and change the checksums itself. Make sure whatever tool you have can deal with prelinking by knowing how to check around the prelink area.

Two, use two different algorithms AND make sure you keep a copy of the sizes of the items. Differing algorithms would be like using Whirlpool AND SHA-2, as I am pretty sure they are not related closely enough for a similar attack to be useful.


Hunting for Rootkits

Posted Mar 2, 2007 10:39 UTC (Fri) by drag (subscriber, #31333)

Also, checksumming is only usefully run from a different system than the one you're testing. (Example: Knoppix using Tripwire to test a webserver.)
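
As an added example (not code from either commenter or from LWN), here is a Python sketch of what the two comments above describe together: a baseline that stores each file's size plus digests from two unrelated algorithms, keyed by paths relative to a root so it can be checked later from a separate system against the target disk mounted read-only. Whirlpool is not guaranteed to be available in `hashlib`, so BLAKE2b is assumed as the second algorithm; the prelink caveat is not handled here.

```python
import hashlib
import os
import tempfile

# Assumption: Whirlpool is not guaranteed in hashlib, so BLAKE2b stands in as
# the second, structurally unrelated algorithm beside SHA-256 (SHA-2).
ALGORITHMS = ("sha256", "blake2b")

def fingerprint(path):
    """Size plus one digest per algorithm, read in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {**{n: h.hexdigest() for n, h in hashers.items()}, "size": size}

def build_baseline(root, rel_paths):
    """Relative paths let the check run later against the disk mounted elsewhere."""
    return {rel: fingerprint(os.path.join(root, rel)) for rel in rel_paths}

def verify(baseline, root):
    """Return {path: [mismatched fields]} for files that changed or vanished."""
    findings = {}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings[rel] = ["missing"]
            continue
        actual = fingerprint(path)
        diffs = [k for k in expected if actual[k] != expected[k]]
        if diffs:
            findings[rel] = diffs
    return findings

def demo():
    """Constructed sample: one file replaced by same-size bytes, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        files = {"ls": b"ELF\x01original", "ps": b"ELF\x01ps", "cfg": b"a=1\n"}
        for rel, data in files.items():
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(d, list(files))
        with open(os.path.join(d, "ls"), "wb") as f:
            f.write(b"ELF\x01ORIGINAL")  # size unchanged, so only the digests flag it
        os.remove(os.path.join(d, "cfg"))
        return verify(baseline, d)
```

In real use the baseline would be written to removable media on the trusted host and `verify` run from rescue media with `root` pointing at the mounted target filesystem.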

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds