so which anti rootkit program would show least such false positives?
I tested Rootkit Revealer and it showed 406xxx that is fourhundredsixthousand things that it did not like.
Too much to go through to know if there is something to look deeper into.
what about Gmer is that only a remover and not teller of what it wants to remove before it do it?
Maybe the easiest thing for a newbie is to look for activity on the port 55 or something. Not that I know how to do this but that program is built into puppy from scratch I guess so easy to use of somebody tells how to get it going.
chkrootkit says Stardust /sbin/init INFECTED with Suckit
- Pizzasgood
- Posts: 6183
- Joined: Wed 04 May 2005, 20:28
- Location: Knoxville, TN, USA
If you trust Puppy as provided by Barry to be initially free from malware, you could create md5sums of all the files, store them on a read-only medium, and then verify them from time to time to make sure nothing changed. That would help you notice if any files changed.
It won't help you notice if new things are added without changing existing stuff. For example, scripts placed into /etc/init.d/, /etc/profile.d/, and /root/Startup will be run automatically as Puppy boots (and also whenever you open a terminal, in the case of profile.d). Also, files in /etc/udev/rules.d/ can execute commands when hardware is detected or removed.
If you don't add files to Puppy very often, you could do a remaster after it's set up and start from a fresh pup_save.2fs file. Then you could look at the contents of the pup_save.2fs file from time to time to see if there's anything suspicious in it. (If you frequently install or modify things this won't work because it will quickly fill up with a bunch of stuff that's legit.)
It won't help you notice if new things are added without changing existing stuff. For example, scripts placed into /etc/init.d/, /etc/profile.d/, and /root/Startup will be run automatically as Puppy boots (and also whenever you open a terminal, in the case of profile.d). Also, files in /etc/udev/rules.d/ can execute commands when hardware is detected or removed.
If you don't add files to Puppy very often, you could do a remaster after it's set up and start from a fresh pup_save.2fs file. Then you could look at the contents of the pup_save.2fs file from time to time to see if there's anything suspicious in it. (If you frequently install or modify things this won't work because it will quickly fill up with a bunch of stuff that's legit.)
[size=75]Between depriving a man of one hour from his life and depriving him of his life there exists only a difference of degree. --Muad'Dib[/size]
[img]http://www.browserloadofcoolness.com/sig.png[/img]
[img]http://www.browserloadofcoolness.com/sig.png[/img]
I found this interesting text today searching for puppy and rootkits detection.
http://www.prevx.com/blog/139/Tdss-root ... e-net.html
one of the commentators wrote
http://www.prevx.com/blog/139/Tdss-root ... e-net.html
one of the commentators wrote
Can one use pfind to look for known rootkit names or are the encrypted and don't show up?# Randy on Dec 2 1:22, 2009
I wonder if one could just boot to a Linux boot CD like Puppy and remove the infected dll files.
I use Google Search on Puppy Forum
not an ideal solution though
not an ideal solution though
dll files are Windows ones and the key word here is infected.
Randomly going through windows and deleting DLL files that are supposedly infected may kill windows.
If one is concerned, do a backup of things you want to keep and reinstall windows.
The only dll files you would find in Puppy would be from an installation of wine.
Randomly going through windows and deleting DLL files that are supposedly infected may kill windows.
If one is concerned, do a backup of things you want to keep and reinstall windows.
The only dll files you would find in Puppy would be from an installation of wine.