/usr/lib/tiger/html/rootkit.html is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<HR><PRE>
</PRE><HR>
<CENTER><H2> Documents for rootkit</H2></CENTER>
<A NAME="rootkit001f"><P><B>Code [rootkit001f]</B><P>
A test was run on the 'ls' command to determine if it 'sees'
certain pathnames (e.g., '...', 'bnc', 'war', etc.). Tiger creates
a temporary directory, creates files with known hacker program
names/directories, and attempts an 'ls'. If the 'ls' does not
list one of these files, a FAIL is issued.
<PRE>
</PRE><HR>
<A NAME="rootkit002f"><P><B>Code [rootkit002f]</B><P>
A test was run on the 'find' command to determine if it 'sees'
certain pathnames (e.g., '...', 'bnc', 'war', etc.). Tiger creates
a temporary directory, creates files with known hacker program
names/directories, and attempts a 'find'. If the 'find' does
not list one of these files, a FAIL is issued.
<PRE>
</PRE><HR>
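<P>
The check described for rootkit001f and rootkit002f, written out as an added example (not tiger's own code). The name list, the function names, the FAIL message text and the filtering stand-in are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not tiger's implementation.
# NAMES is a constructed sample list; the page cites '...', 'bnc' and 'war'.
NAMES='... bnc war'

# Create a private temporary directory holding one empty file per name.
make_fixture() {
    fixture=$(mktemp -d) || return 1
    for n in $NAMES; do : > "$fixture/$n"; done
    printf '%s\n' "$fixture"
}

# check_sees LISTER DIR: run LISTER on DIR (one entry per line), reduce each
# line to its basename, and print a FAIL line for every planted name that is
# missing. Returns 0 when every name was seen, 1 otherwise.
check_sees() {
    lister=$1; dir=$2; miss=0
    listing=$("$lister" "$dir" | sed 's|.*/||')
    for n in $NAMES; do
        if ! printf '%s\n' "$listing" | grep -Fxq -e "$n"; then
            printf 'FAIL %s does not see %s\n' "$lister" "$n"
            miss=1
        fi
    done
    return $miss
}

list_with_ls()   { ls -a "$1"; }
list_with_find() { find "$1" -print; }
# Constructed stand-in for a tampered binary: drops one name from its output.
list_filtered()  { ls -a "$1" | grep -Fxv -e bnc; }

# Run both checks against a fresh fixture and clean up afterwards.
run_checks() {
    d=$(make_fixture) || return 2
    rc=0
    check_sees list_with_ls "$d" || rc=1
    check_sees list_with_find "$d" || rc=1
    rm -rf "$d"
    return $rc
}

run_checks && echo "PASS: ls and find see all planted names"
```

Whole-line matching ('grep -Fx') matters here: 'ls -a' always prints '.' and '..', so a substring match would report '...' as seen even when it is hidden.
<HR>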
<A NAME="rootkit003w"><P><B>Code [rootkit003w]</B><P>
The 'chkrootkit' program has detected a suspicious directory
which might be an indication of an intrusion.
A full analysis of the system is recommended to determine the
presence of further signs of intrusion since a rootkit might have
been installed.
<PRE>
</PRE><HR>
<A NAME="rootkit004w"><P><B>Code [rootkit004w]</B><P>
The 'chkrootkit' program has detected a possible rootkit installation.
A full analysis of the system is recommended to determine the
presence of further signs of intrusion since a rootkit might have
been installed.
<PRE>
</PRE><HR>
<A NAME="rootkit005a"><P><B>Code [rootkit005a]</B><P>
The 'chkrootkit' program has detected a rootkit installation.
A full analysis of the system is recommended to determine the
presence of further signs of intrusion and to determine if the
rootkit is indeed installed.
<PRE>
</PRE><HR>
<A NAME="rootkit006a"><P><B>Code [rootkit006a]</B><P>
A rootkit is installed by intruders in systems which have been
successfully compromised and in which they have obtained full
administrator privileges. The installation of a rootkit is
an indication of a major system compromise.
<P>
If the installation of a rootkit is confirmed, you are encouraged
to power off the system and follow the steps outlined in
"Steps for Recovering from a UNIX or NT System Compromise"
(http://www.cert.org/tech_tips/root_compromise.html).