<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://lions.teledyn.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Rootkit Detection with gdb - Comments</title>
 <link>http://lions.teledyn.com/node/565</link>
 <description>Comments for &quot;Rootkit Detection with gdb&quot;</description>
 <language>en</language>
<item>
 <title>Rootkit Detection with gdb</title>
 <link>http://lions.teledyn.com/node/565</link>
 <description>&lt;p&gt;Simple and effective tools strung together as needed: this is one of the strongest attractors luring technical people into unix-like operating systems and keeping them there.  Consider a real-world task such as &quot;&lt;i&gt;generate a list of all files below this directory where any of the specified XML tag attributes are null or only numeric, and sort the list by filename path, grouped by the specific attribute error&lt;/i&gt;&quot;.  The idea of one action applied across potentially thousands of files is completely alien in some operating system philosophies; in unix it is a short shell script binding a handful of text and file utilities, easily prototyped at the command line and ready for production use within the hour.&lt;/p&gt;
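&lt;p&gt;The pipeline task above, as an added example that is not part of the original post: a POSIX shell function that walks a directory tree and reports, per attribute, the files where the named attribute is empty or purely numeric, grouped by error class and sorted by path. The attribute names, the output format and the small tree of sample files it builds for itself are assumptions.&lt;/p&gt;
<![CDATA[
```sh
#!/bin/sh
# Added example (not from the original post): audit XML files for attributes that
# are empty or purely numeric, the task the post describes as a short shell script.
# Output: one line per finding, "<error> <attr> <path>", sorted so that findings
# are grouped by error class and attribute, then by path.

# audit_attrs DIR ATTR [ATTR...]
audit_attrs() {
    dir=$1
    shift
    for attr in "$@"; do
        # attr="" or attr='' -> null value
        find "$dir" -type f -name '*.xml' \
            -exec grep -lE "[[:space:]]$attr=(\"\"|'')" {} + \
            | sed "s|^|null $attr |"
        # attr="123" or attr='123' -> numeric-only value
        find "$dir" -type f -name '*.xml' \
            -exec grep -lE "[[:space:]]$attr=(\"[0-9]+\"|'[0-9]+')" {} + \
            | sed "s|^|numeric $attr |"
    done | sort
}

# make_sample_tree: writes a small constructed tree of XML files (sample data,
# not real input) and prints the directory that holds it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sub"
    printf '%s\n' '<?xml version="1.0"?>' '<item id="" name="alpha"/>'   > "$d/a.xml"
    printf '%s\n' '<?xml version="1.0"?>' "<item id='123' name=\"\"/>"  > "$d/sub/c.xml"
    printf '%s\n' '<?xml version="1.0"?>' '<item id="x42" name="ok"/>'  > "$d/d.xml"
    printf '%s\n' 'not xml, ignored by the -name filter'                 > "$d/notes.txt"
    printf '%s\n' "$d"
}

# Run with "demo" as the first argument to audit the constructed tree.
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    audit_attrs "$tree" id name
    rm -rf "$tree"
fi
```
]]>
&lt;p&gt;The two grep patterns anchor on leading whitespace so that &lt;i&gt;id&lt;/i&gt; does not also match &lt;i&gt;uid&lt;/i&gt;, and the sort key is simply the whole line, which is why the error class is printed first.&lt;/p&gt;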
&lt;p&gt;Mariusz Burdach gives us yet another example of small tools applied to a direct solution, in an excellent tutorial on using the lowly GNU debugger to verify the integrity of a running Linux kernel: reading kernel memory to check whether system calls have been hooked, together with some tips on ways to automate the audit.&lt;/p&gt;
&lt;p&gt;&lt;cite class=&quot;blog-source&quot;&gt;we will make use of just one tool, gdb, the GNU debugger, to detect whether a Linux operating system has been compromised. The package that includes this tool can be found in almost every Linux distribution by default.&lt;/cite&gt;&lt;/p&gt;
&lt;p&gt;His paper also surveys the methods intruders use to patch the running kernel, and shows how to turn that knowledge into appropriate detection tests.&lt;/p&gt;
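&lt;p&gt;The core detection test, as an added example that is not part of the original post or of Burdach&#039;s paper: a shell script that takes the table gdb dumps from kernel memory, the kernel&#039;s System.map and the expected slot order, and flags every slot whose address does not resolve to the function that belongs there. The gdb invocation, the sample addresses and the eight-entry slot order are assumptions; a hook that merely swaps in another kernel-resident function is caught only because the expected name is compared, not just whether the address exists in System.map.&lt;/p&gt;
<![CDATA[
```sh
#!/bin/sh
# Added example (not from the original post or from Burdach's paper): automate the
# paper's central check, comparing each sys_call_table entry that gdb reads out of
# kernel memory with the address System.map gives for the function that should sit
# in that slot.  A slot that resolves to no System.map text symbol, or to the wrong
# one, has been redirected, typically into a loaded module (an LKM rootkit).
#
# check_syscall_table MAP EXPECTED DUMP
#   MAP      System.map of the running kernel ("c0137c30 T sys_read" lines)
#   EXPECTED one symbol name per line, in slot order (taken from the kernel's entry.S)
#   DUMP     output of "x/Nxw &sys_call_table" from a gdb session opened against the
#            kernel image and /dev/kmem, as the paper describes (exact command assumed)
check_syscall_table() {
    awk '
        BEGIN { slot = 0; nexp = 0 }
        # System.map: keep text symbols only, keyed by "0x"-prefixed address
        FILENAME == ARGV[1] { if ($2 ~ /^[Tt]$/) sym["0x" $1] = $3; next }
        # expected order: slot number -> symbol name
        FILENAME == ARGV[2] { expect[nexp] = $1; nexp++; next }
        # gdb lines: "0xc0303c20 <sys_call_table>:  0xc0106e60  0xc0115a10 ..."
        # field 1 is the line address; the label and the entries follow
        /^0x/ {
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^0x[0-9a-f]+$/) continue
                addr = $i
                got  = (addr in sym) ? sym[addr] : "UNKNOWN"
                want = (slot in expect) ? expect[slot] : "?"
                printf "slot %d %s %s %s\n", slot, addr, got, ((got == want) ? "ok" : "HOOKED expected " want)
                slot++
            }
        }
    ' "$1" "$2" "$3"
}

# hooked_slots MAP EXPECTED DUMP: prints only the slot numbers flagged HOOKED
hooked_slots() {
    check_syscall_table "$@" | awk '$5 == "HOOKED" { print $2 }'
}

# make_syscall_samples: writes constructed System.map, expected-order and gdb-dump
# files (addresses are made up, not from a real kernel) and prints their directory
make_syscall_samples() {
    d=$(mktemp -d)
    cat > "$d/System.map" <<'EOF'
c0106e60 T sys_ni_syscall
c0115a10 T sys_exit
c0106e80 T sys_fork
c0137c30 T sys_read
c0137d10 T sys_write
c0136b40 T sys_open
c0136c90 T sys_close
c0115b20 T sys_waitpid
c0303c20 D sys_call_table
EOF
    # first eight slots in i386 2.4 entry.S order (assumed for the sample)
    cat > "$d/expected" <<'EOF'
sys_ni_syscall
sys_exit
sys_fork
sys_read
sys_write
sys_open
sys_close
sys_waitpid
EOF
    # constructed gdb output: slot 5 (sys_open) points outside the kernel image
    cat > "$d/dump" <<'EOF'
0xc0303c20 <sys_call_table>:    0xc0106e60  0xc0115a10  0xc0106e80  0xc0137c30
0xc0303c30 <sys_call_table+16>: 0xc0137d10  0xd0a3f0c0  0xc0136c90  0xc0115b20
EOF
    printf '%s\n' "$d"
}

# Run with "demo" as the first argument to check the constructed sample.
if [ "${1:-}" = "demo" ]; then
    s=$(make_syscall_samples)
    check_syscall_table "$s/System.map" "$s/expected" "$s/dump"
    rm -rf "$s"
fi
```
]]>
&lt;p&gt;On a live system the dump file is whatever gdb printed for the table, the map is the System.map that matches the running kernel, and the expected list is generated once from the kernel source; the script trusts System.map exactly as far as the paper does, so keep a copy of it from a known-good state rather than reading it off the possibly compromised host.&lt;/p&gt;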
&lt;p&gt;&lt;i class=&quot;blog-source&quot;&gt;[ via &lt;a href=&quot;http://www.securityfocus.com/infocus/1811&quot;&gt;SecurityFocus HOME Infocus: Detecting Rootkits And Kernel-level Compromises I&lt;/a&gt; ]&lt;/i&gt;&lt;/p&gt;
</description>
 <comments>http://lions.teledyn.com/node/565#comments</comments>
 <category domain="http://lions.teledyn.com/taxonomy/term/10">GNU</category>
 <category domain="http://lions.teledyn.com/taxonomy/term/17">Tech</category>
 <pubDate>Sat, 04 Dec 2004 10:17:20 -0500</pubDate>
 <dc:creator>garym</dc:creator>
 <guid isPermaLink="false">565 at http://lions.teledyn.com</guid>
</item>
</channel>
</rss>
