[arch-dev-public] Packages with files in /opt
Jan de Groot
jan at jgc.homeip.net
Thu Nov 22 16:53:43 EST 2007
On Thu, 2007-11-22 at 13:48 -0500, Eric Belanger wrote:
> I am not a security expert but isn't the reason that chkrootkit is
> being installed in a directory in the PATH a security reason so that
> malware can't find the executables to modify/delete them? Maybe
> it out of /usr would accomplish this better.
There's no reason to install it in a different prefix. If people have
root on your machine they can even hide it from chkrootkit if they want,
by changing vital binaries or installing a kernel module that hides
processes. I made a mix of Knark and Adore LKM and succeeded in bypassing
these check tools a few years ago. If you have root, you can do anything
to a system, including disabling the cronjobs that run chkrootkit.
Another thing: whenever you suspect you have a rootkit, make a fresh
install of chkrootkit and don't rely on a single tool; there's also
rkhunter, for example.
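As an added illustration (not code from this thread or from chkrootkit), the kind of cross-view check a defender can run against the process-hiding described above: a PID that a kernel module has filtered out of /proc and ps still answers kill(pid, 0), so the three views disagree. It assumes a Linux host with procfs and a procps `ps` that accepts `-e -o pid=`; the sample listings are constructed.

```python
"""Cross-view check for processes hidden from procfs/ps by a kernel module.

Added example, not code from the arch-dev-public thread. kill(pid, 0)
delivers no signal: ESRCH means "no such process", anything else means the
PID is alive. A PID that is alive but absent from both /proc and ps has
been hidden from the tools (or raced the check; rerun and keep only PIDs
that stay hidden). As the thread notes, hostile root can defeat this too.
"""
import os
import re
import subprocess
import sys
from typing import Callable, Iterable, Set

PID_RE = re.compile(r"^\d+$")

def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Numeric directory names in a /proc listing are PIDs."""
    return {int(e) for e in entries if PID_RE.match(e)}

def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse `ps -e -o pid=` output: one bare PID per line."""
    return {int(tok) for tok in ps_output.split() if PID_RE.match(tok)}

def probe_alive(pid: int) -> bool:
    """Signal 0 probe; EPERM still proves the process exists."""
    try:
        os.kill(pid, 0)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False

def hidden_pids(proc_pids: Set[int], ps_pids: Set[int],
                alive: Callable[[int], bool], max_pid: int = 32768) -> Set[int]:
    """PIDs alive per the kernel's signal path but missing from both views."""
    visible = proc_pids | ps_pids
    return {p for p in range(1, max_pid + 1) if p not in visible and alive(p)}

# Constructed sample: 4242 answers kill() but was filtered out of /proc and ps.
SAMPLE_PROC = ["1", "2", "1337", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "1\n2\n1337\n"
SAMPLE_ALIVE = {1, 2, 1337, 4242}

def demo() -> Set[int]:
    return hidden_pids(pids_from_proc(SAMPLE_PROC), pids_from_ps(SAMPLE_PS),
                       SAMPLE_ALIVE.__contains__, max_pid=8192)

if __name__ == "__main__":
    if "--live" in sys.argv:  # scan the local host instead of the sample
        ps = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True).stdout
        pid_max = int(open("/proc/sys/kernel/pid_max").read())
        found = hidden_pids(pids_from_proc(os.listdir("/proc")),
                            pids_from_ps(ps), probe_alive, pid_max)
    else:
        found = demo()
    print("hidden PIDs:", sorted(found) or "none")
```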