[Techtalk] Re: Different usage betweed df and du

Wim De Smet kromagg at gmail.com
Thu Jul 14 17:01:35 EST 2005

On 7/13/05, Teri Solow <tsolow at terisolow.com> wrote:
> Wim De Smet imparted (2005-07-13 @ 17:58:47 +0200):
> > chkrootkit usually does the trick. Monitoring the network traffic for
> > a while might be a good idea too, just in case. Seems more likely it's
> > a corrupt filesystem or something like that though.
> IME, chkrootkit is /really/ good at scaring you with false positives
> (e.g., the number of processes in ps differs from those in /var because
> *gasp* a new process started or ended between checks).

It is. :-) It also consistently reports dhcpclient as a network
sniffer. (which it kinda is) But in any case, most crackers are
neither sofisticated nor smart, so most of the time they'll install
something really obvious that rootkit checkers can recognize
immediately. I'd only start worrying about chkrootkit output if it
says "you have trojan xyz installed".


More information about the Techtalk mailing list