[arch-dev-public] Packages with files in /opt

Jan de Groot jan at jgc.homeip.net
Thu Nov 22 16:53:43 EST 2007


On Thu, 2007-11-22 at 13:48 -0500, Eric Belanger wrote:
> I am not a security expert but isn't the reason that chkrootkit is not
> being installed in a directory in the PATH a security reason so that
> malware can't find the executables to modify/delete them? Maybe keeping
> it out of /usr would accomplish this better.

There's no reason to install it in a different prefix. If people have
root on your machine, they can even hide it from chkrootkit if they want
by changing vital binaries or installing a kernel module that hides
processes. I made a mix of Knark and Adore LKM and succeeded in bypassing
these check tools a few years ago. If you have root, you can do anything
to a system, including disabling the cronjobs that run chkrootkit.

Another thing: whenever you suspect you have a rootkit, you make a fresh
install of chkrootkit and don't rely on a single tool; there's also
rkhunter, for example.
