Active Topics
-
Camera phone competition March 2023 "Endless" (35)
to General by Maemish - 5 hrs, 22 mins ago -
TLS 1.2 for N9 is ready (28)
to MeeGo / Harmattan by smartblu9 - 6 hrs, 36 mins ago -
Maemo repository (3)
to Community by torsen - 22 hrs, 5 mins ago -
Error after installing Leste on sdcard (11)
to Maemo 7 / Leste by Maemish - 1 day, 19 hrs ago -
Introducing ubiboot N9 (multiboot OS loader) (1,393)
to Alternatives by smatkovi - 3 days, 2 hrs ago - more...
| The Following User Says Thank You to cpm For This Useful Post: | ||
|
2010-09-05
, 14:05
|
|
Posts: 992 |
Thanked: 738 times |
Joined on Jun 2010
@ Low Earth Orbit
|
#22
|
A more user friendly way of examining running processes is htop (available in one of the repositories). You can scroll through the list of processes and kill the ones you don't like the look of (be careful!)
| The Following User Says Thank You to kureyon For This Useful Post: | ||
|
|
2010-09-05
, 14:14
|
|
Posts: 275 |
Thanked: 46 times |
Joined on Feb 2010
|
#23
|
Originally Posted by cpm
As far as I understood, there is no way at all to discover a rootkit on n900, isn't it?
Although a rootkit will probably hide itself so you wouldn't see it by using these commands anyway.
| The Following User Says Thank You to Patroclo For This Useful Post: | ||
|
|
2010-09-05
, 19:39
|
|
Posts: 51 |
Thanked: 17 times |
Joined on Jun 2009
|
#24
|
Originally Posted by Patroclo
There are rootkit detection and related packages for Linux (e.g. chkrootkit, tripwire etc), but I've not seen any of them ported to the N900.
As far as I understood, there is no way at all to discover a rootkit on n900, isn't it?
| The Following User Says Thank You to cpm For This Useful Post: | ||
 |
|
2010-09-06
, 18:24
|
|
Posts: 168 |
Thanked: 58 times |
Joined on Aug 2010
@ Vienna
|
#25
|
Originally Posted by cpm
The last time I was looking for tripwire I did not find a newer
There are rootkit detection and related packages for Linux (e.g. chkrootkit, tripwire etc), but I've not seen any of them ported to the N900.
and free release.
Found AIDE
http://www.cs.tut.fi/~rammer/aide.html
instead.
Now I see that there is
http://sourceforge.net/projects/tripwire/
with "Release Date: 2010-03-11"
Did anybody check this on a Linux system (not necessarily N900)?
|
|
2010-09-07
, 09:01
|
|
Posts: 540 |
Thanked: 288 times |
Joined on Sep 2009
|
#26
|
Originally Posted by Patroclo
Doing a "clean boot" is kinda hard without reflashing the whole firmware. tripwire requires a known-good configuration to check against and I'm fairly sure a proper rootkit can fool it pretty easily (it's been a while but AFAIRecall tripwire only checks against file hashes and proper rootkit can hide all modifications [see below]).
As far as I understood, there is no way at all to discover a rootkit on n900, isn't it?
As for windows not having root user, it does have admin user and privilege separation etc so getting stuck with what the superuser happens to be called is kinda pointless.
Besides rootkit these days refers to a program that hides it's presence in the system (by patching itself to filter things like process list and disk access and simply serving "clean" versions to any other process that asks). Rhus a clean boot (from known-good CD for example) is needed so that the unpatched view of system can be gained, this can then be compared to what the normally booted system looks like (explanation simplified, see "lies to children").
F-Secure (I used to work for them about 9yrs ago) has a tool called Blacklight for detecting rootkits, read the white papers if you want to know more.
__________________
- Live near Helsinki, Finland & interested in electronics ? Check this out.
- Want anti-virus/firewall ? Read this (and follow the links, also: use the search, there are way too many threads asking the same questions over and over and over again).
- I'm experimenting with BitCoins, if you want to tip me send some to: 1CAEy7PYptSasN67TiMYM74ELDVGZS6cCB
And to list ip connections and listening processes, as root: lsof -i
Although a rootkit will probably hide itself so you wouldn't see it by using these commands anyway.