[lug] R00tKIT!! Raah!
Bear Giles
bgiles at coyotesong.com
Thu Jun 16 09:00:51 MDT 2005
Nate Duehr wrote:
> Grabbing a statically-linked shell like sash for this type of event
> after booting from something like a live-CD to keep from using ANYTHING
> on the compromised system, and not running anything until all its
> dependencies are met with known NEW libraries, etc... is usually a good
> step.

I've pre-recompiled the core tools to use static libraries. You
don't need many packages for good coverage - under the old Debian
stable I had

    bash
    binutils
    chkrootkit
    fileutils
    gawk
    grep
    net-tools
    procps
    sed
    shellutils
    tar
    tcsh
    textutils

and you're right, it's a good idea to add dpkg and apt, especially
since the former is where md5sum hides. 'lsof' is another good
package to put on this list.

Bear
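
An added example, not part of the original post or of any tool named in it: a Python check that each binary in a rescue toolkit really is statically linked, by looking for PT_INTERP and PT_DYNAMIC segments in the ELF program headers. The function names and the constructed sample ELF image are assumptions made for illustration.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification


def is_static_elf(data):
    """True only if the ELF image has no PT_INTERP and no PT_DYNAMIC segment.

    Conservative: a static-PIE binary carries PT_DYNAMIC and is reported as
    not static, so it gets a manual look instead of a free pass.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    end = "<" if data[5] == 1 else ">"          # EI_DATA
    if data[4] == 2:                            # EI_CLASS: ELF64
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                       # ELF32
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        p_type, = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_INTERP, PT_DYNAMIC):
            return False
    return True


def _sample_elf64(p_types):
    """Constructed minimal little-endian ELF64 image with the given segment types."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                              64, 56, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                          for t in p_types)


if __name__ == "__main__":
    # Usage: python3 this_script.py /path/to/toolkit/*
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                verdict = "static" if is_static_elf(fh.read()) else "DYNAMIC"
        except (ValueError, struct.error) as exc:
            verdict = "skipped (%s)" % exc      # scripts and truncated files
        print("%-10s %s" % (verdict, path))
```

Run it from the trusted build host over the toolkit directory before the binaries go onto read-only media; anything reported DYNAMIC would load libraries from the system it is run on.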