by csense 4951 days ago
Disclaimer: I don't have a copy of the rootkit to experiment with; all of this is pure speculation.

My guess is you could detect the rootkit by booting to a known-clean system -- for example a distro install CD -- and checking the contents of rc.local by mounting the questionable system's fs.

This examination could probably be performed without downtime by taking an LVM snapshot and downloading it to a known-clean machine. The rootkit could fake the contents of the LVM snapshot as well, but it seems like this would be much harder for the rootkit authors and they probably didn't bother.

You might also be able to disable it by modifying your startup scripts to ignore rc.local (perhaps you could put a replacement in a non-standard location if you need the functionality).
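An added example, not part of csense's comment or the thread: a POSIX shell sketch of the offline check the comment describes. It assumes the suspect root filesystem is an LVM logical volume (the volume group and LV names, `/mnt/suspect`, and the image path are placeholders), that the snapshot is copied to a known-clean host as the comment suggests, and that the clean host mounts the image read-only with `noexec`. The two rc.local checks only read the file from the mounted image, so whatever the rootkit does to the running kernel on the suspect host has no say in what they see; they compare against a baseline you supply and flag every line that is not a comment or the customary `exit 0` for a human to read.

```shell
#!/bin/sh
# Added example (not from the HN thread). VG/LV names, paths and the
# "placeholder_loader" string below are constructed placeholders.

# On the SUSPECT host: snapshot the root LV. Prints the snapshot device.
# Copy it to the clean host afterwards, e.g.
#   dd if=/dev/vg0/root_forensic bs=4M | ssh clean-host 'cat > suspect-root.img'
snapshot_root_lv() {
    vg="$1"; lv="$2"                       # e.g. vg0 root (placeholders)
    lvcreate --snapshot --name "${lv}_forensic" --size 1G "/dev/${vg}/${lv}" >/dev/null &&
    echo "/dev/${vg}/${lv}_forensic"
}

# On the CLEAN host: loop-mount the copied image so nothing in it can run.
mount_image_readonly() {
    img="$1"; mnt="$2"                     # e.g. suspect-root.img /mnt/suspect
    mkdir -p "$mnt" &&
    mount -o loop,ro,noexec,nosuid,nodev "$img" "$mnt"
}

# Print every line of <mnt>/etc/rc.local that is not blank, a comment, or
# "exit 0". Returns 0 when nothing is printed (or no rc.local exists), 1 otherwise.
rc_local_unexpected_lines() {
    f="$1/etc/rc.local"
    [ -f "$f" ] || return 0
    if grep -v -E '^[[:space:]]*(#|$)' "$f" |
       grep -v -E '^[[:space:]]*exit[[:space:]]+0[[:space:]]*$'; then
        return 1                           # something other than comments/exit 0
    fi
    return 0
}

# Byte-for-byte comparison of <mnt>/etc/rc.local with a baseline copy you keep
# off the suspect host. Returns 0 on match, non-zero on mismatch or missing file.
rc_local_matches_baseline() {
    cmp -s "$1/etc/rc.local" "$2"
}

# Self-check on a constructed directory tree: a clean rc.local and a copy with
# one extra command inserted before "exit 0". Returns 0 if both checks behave.
demo_on_constructed_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/etc" "$tmp/suspect/etc"
    printf '#!/bin/sh -e\n# constructed clean rc.local\nexit 0\n' > "$tmp/clean/etc/rc.local"
    printf '#!/bin/sh -e\n# constructed clean rc.local\n/opt/placeholder_loader &\nexit 0\n' \
        > "$tmp/suspect/etc/rc.local"
    status=0
    rc_local_unexpected_lines "$tmp/clean" >/dev/null || status=1
    rc_local_matches_baseline "$tmp/clean" "$tmp/clean/etc/rc.local" || status=1
    if rc_local_unexpected_lines "$tmp/suspect" >/dev/null; then status=1; fi
    if rc_local_matches_baseline "$tmp/suspect" "$tmp/clean/etc/rc.local"; then status=1; fi
    rm -rf "$tmp"
    return "$status"
}

if [ "${RC_LOCAL_DEMO:-0}" = 1 ]; then
    demo_on_constructed_tree && echo "constructed-tree checks behaved as expected"
fi
```

Run with `RC_LOCAL_DEMO=1 sh check_rc_local.sh` to exercise the checks on the constructed tree; on a real image, source the file and call `rc_local_unexpected_lines /mnt/suspect` after `mount_image_readonly`. Note that `snapshot_root_lv` necessarily runs under the suspect kernel, which is the residual trust the comment already points out; the inspection itself happens on the clean host.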