by aeontech
4951 days ago
Did you read the post on CrowdStrike in detail? I suggest you do, your script will not work because:

- rootkit re-adds itself to the /etc/rc.local
- it patches the filesystem functions to hide itself when you read the file, so I am not convinced grep will pick it up anyway
- you do not unload the actual kernel module if it is running, nor destroy the rootkit kernel module
- did you test it by installing the rootkit in a VM, and confirm that your code will detect and remove it? If not, I do not think you should publish such code just to give people a false sense of security when they run it and it says "rootkit not present"

http://blog.crowdstrike.com/2012/11/http-iframe-injecting-li...