chkrootkit is the best I've found. www.chkrootkit.org Detects quite a few and is updated monthly/bi-monthly. Includes lkm detection and sniffer log finding ability.

- zenoat_private

>
> Henti,
>
> here is a link for a scanner for Adore, although you seem to have a newer version than what's mentioned
> below.
>
> Stuart
>
> ------- Forwarded message follows -------
> Date sent:      Wed, 25 Oct 2000 09:30:09 +0200
> Send reply to:  Stephane.Aubertat_private
> From:           Stephane Aubert <Stephane.Aubertat_private>
> Organization:   Herve Schauer Consultants
> Subject:        Announce: rkscan, a kernel-based rootkit scanner.
> To:             INCIDENTSat_private
>
> ========================================================
>
>    Rootkit Scanner for loadable kernel-module rootkits
>
>      (Analysis and detection tool for KNARK and ADORE)
>
> ========================================================
>
> Stephane Aubert <Stephane.Aubertat_private>
> Hervé Schauer Consultants (http://www.hsc.fr)
>
> rkscan is a kernel-based module rootkit scanner for Linux,
> it detects Adore (v0.14, v0.2b and v0.24) and knark (v0.59).
>
> rkscan.c is available at the end of this mail.
>
>
> Introduction
> ============
>
> When running on a computer, rootkits allow an unprivileged user
> to hide files, hide processes, run commands as root ...
> that's why they are called rootkits !
>
> krk (Kernel-based RootKits) are still rootkits but now they don't
> need to change the ls, ps or find binaries because they are
> intercepting system calls.
>
> krk seem to be very difficult to detect while running on
> a rooted computer.
>
> rkscan is a small scanner to help sysadmins to detect computers
> infected by:
>
> . KNARK version 0.59
>   knark is written by Creed <creedat_private>
>   and can be found on packetstrom.securify.com
>
> . ADORE versions 0.14, 0.2b and 0.24
>   Adore is written by Stealth
>   and can be found on http://spider.scorpions.net/~stealth/
>
>
> rkscan.c is given at the end of the mail and will be available on
> <URL: http://www.hsc.fr/ressources/outils/>
>
> ( Only in a few days ... I am at SANS NS2000 in Monterey :)
>   I have written this first version during Dave Dittrich's course
>   on DDOS, thanx Dave for this course !)
>
> Don't forget :
> There are different techniques to protect yourself against krk,
> the best one is certainly to disable the kernel-module support.
>
>
> Usage
> =====
>
> Just run : ./rkscan
>
> Example:
>
> !! Don't run the following command unless you know what you are doing.
> # insmod adore.o
> # exit
>
> % ./rkscan
> -=- Rootkit Scanner -=-
> -=- by Stephane.Aubertat_private -=-
>
>  Scanning for ADORE version 0.14, 0.2b and 0.24 ...
>  #ADORE rootkit is running with ELITE_CMD=50666 !
>
>  Scanning for KNARK version 0.59 ...
>  KNARK rootkit NOT DETECTED on this system.
>
> Done.
> % ./ava U U
> Checking for adore 0.12 or higher ...
> Adore 0.14 installed. Good luck.
> Adore 0.14 de-installed.
>
>
> How it works
> ============
>
> Adore v0.14 uses a setuid call to detect if its module is loaded:
>
>     #define ELITE_CMD 31337
>     int adore_installed() {
>         return setuid(ELITE_CMD+2);
>     }
>     ...
>     printf("Checking for adore 0.12 or higher ...\n");
>     if ((version = adore_installed()) <= 0) {
>         printf("Adore NOT installed. Exiting.\n");
>         exit(1);
>     }
>
> Adore v0.24 uses a setuid call to detect if its module is loaded:
> (ELITE_CMD is fixed in the Makefile to 61855)
>
>     adore_t *adore_init()
>     {
>         adore_t *ret = calloc(1, sizeof(adore_t));
>         ret->version = setuid(ELITE_CMD+2);
>         return ret;
>     }
>
> Knark uses a settimeofday call to detect if its module is loaded:
>
>     #define KNARK_GIMME_ROOT 9000
>     ...
>     if(settimeofday((struct timeval *)KNARK_GIMME_ROOT,
>                     (struct timezone *)NULL) == -1) {
>         perror("settimeofday");
>         fprintf(stderr, "Have you really loaded knark.o?!\n");
>         exit(-1);
>     }
>
> So the main problem is to find the ELITE_CMD or KNARK_GIMME_ROOT values
> that may have been changed.
>
> That's why we need a scanner to test each possible value.
>
>
> Bad news
> ========
>
> Future versions of these rootkits will certainly use crypto or just
> something like the following lines in order to hide themselves more and more.
>
>     #define ELITE_CMD 31337
>     #define KEY_1 42843
>     #define KEY_2 89843
>     #define KEY_3 11343
>     #define KEY_4 17323
>     #define KEY_5 64543
>     /* may be more */
>
>     int ItIsMe() {
>         setuid(KEY_1); /* put a global var to the first state (state=1;) */
>         setuid(KEY_2); /* action: state=(state==1?2:0); */
>         setuid(KEY_3); /* and so on ... */
>         setuid(KEY_4); /* and so on ... */
>         setuid(KEY_5); /* and so on ... */
>     }
>     int adore_installed() {
>         ItIsMe();
>         return setuid(ELITE_CMD+2); /* ok if state==5 and ELITE_CMD is good */
>     }
>
> And it will be more and more difficult to scan these krk :(
>
> It's time to rebuild your kernel and disable module support !
>
>
> The scanner
> ===========
>
> /** rkscan.c (C) 2000 by Stephane Aubert
>  **                     <Stephane.Aubertat_private>
>  **
>  ** Rootkit Scanner for:
>  **  . KNARK version 0.59
>  **    (kernel-based rootkit)
>  **    knark was written by Creed <creedat_private>
>  **    and can be found on packetstrom.securify.com
>  **
>  **  . ADORE version : 0.14, 0.24 and 2.0b
>  **    (kernel-based rootkit)
>  **    Adore was written by Stealth
>  **    and can be found on http://spider.scorpions.net/~stealth/
>  **/
>
> #include <sys/types.h>
> #include <sys/time.h>   /* settimeofday() */
> #include <values.h>     /* MAXINT */
> #include <unistd.h>     /* setuid(), getuid() */
> #include <stdio.h>
> #include <stdlib.h>     /* exit() */
> #include <pwd.h>        /* getpwuid() */
> #include <time.h>
>
> // Use MAXINT for a fullscan
> #define UPSCAN 65535
>
> int knark_scan( void ) {
>     int command;
>     printf(" Scanning for KNARK version 0.59 ...\n");
>     // knark's hooked settimeofday() accepts its magic number in place of the
>     // timeval pointer; a stock kernel fails every value tried here
>     for( command=UPSCAN; command>=0; command-- ) {
>         if(settimeofday((struct timeval *)command,
>                         (struct timezone *)NULL) == 0) {
>             printf(" #KNARK rootkit is running (settimeofday command=%d) !\n\n",
>                    command );
>             return 1;
>         }
>     }
>     printf(" KNARK rootkit NOT DETECTED on this system.\n\n");
>     return 0;
> }
>
> int adore_scan( void ) {
>     int version;
>     uid_t uid;
>     printf(" Scanning for ADORE version 0.14, 0.24 and 2.0b ...\n");
>     // for all possible UIDs: Adore's hooked setuid() answers ELITE_CMD+2
>     // with a positive version number instead of the usual -1/EPERM
>     for( uid=UPSCAN; uid>=2; uid-- ) {
>         if( getpwuid(uid) == NULL ) {          // if UID is not in /etc/passwd
>             if( (version=setuid( uid )) >0 ) {
>                 printf(" #ADORE rootkit is running with ELITE_CMD=%d !\n\n",
>                        (int)(uid-2) );
>                 return 1;
>             }
>         }
>     }
>     printf(" ADORE rootkit NOT DETECTED on this system.\n\n");
>     return 0;
> }
>
> int main( int argc, char *argv[] ) {
>     int retval=0;
>     printf("-=- Rootkit Scanner -=-\n"
>            "-=- by Stephane.Aubertat_private -=-\n\n");
>
>     // as root, setuid() and settimeofday() succeed legitimately and the
>     // probes would report nothing useful (or really change the uid)
>     if( getuid()==0 ) {
>         printf(" *** Don't run this scanner as root ! ***\n\n");
>         exit( 0 );
>     }
>
>     retval += adore_scan();
>     retval += knark_scan();
>
>     printf("Done.\n");
>     exit( retval );
> }
>
> ==EOF===================================================
>
>
> ------- End of forwarded message -------
> --
> Stuart Udall
> stuartat_private - http://www.cyberdelix.net/
> ..revolution through evolution
>
> want to make some cash? check out http://cyberdelix.net/affiliates.htm
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
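The principle behind rkscan's "How it works" section is that an unprivileged process asking setuid() for a UID it does not own, or handing settimeofday() a bogus pointer, must be refused by a stock kernel; a syscall that answers anything else is being serviced by something hooked into the kernel. The probe below is an added example written for this archive page, not rkscan and not part of Stephane's or Stuart's mail: it records errno alongside the return value so a single probe can be classified (clean, suspect, or skipped) instead of only tested for a positive result, and it refuses to probe as root, where setuid() would genuinely succeed. The enum and function names and the two constructed magic values are this example's own assumptions.

```c
/* probe_classify.c: added example, not part of rkscan or the original mail.
 * One Adore-style setuid() probe and one knark-style settimeofday() probe,
 * each classified by (return value, errno) rather than by "> 0" alone.
 * PROBE_* codes, function names and the sample magic values are assumptions
 * made for this example. */
#include <errno.h>
#include <stdio.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

enum probe_result {
    PROBE_CLEAN   = 0,   /* the kernel refused the call, as a stock kernel must */
    PROBE_SUSPECT = 1,   /* the call succeeded or returned an unexpected value */
    PROBE_SKIPPED = 2    /* running as root: the probe would really change uid */
};

/* Classify what setuid() reported for a UID the process does not own.
 * EPERM is the normal refusal; EINVAL covers UIDs unmapped in a user namespace. */
enum probe_result classify_setuid(int rc, int err)
{
    if (rc == -1 && (err == EPERM || err == EINVAL))
        return PROBE_CLEAN;
    return PROBE_SUSPECT;   /* 0, or Adore's positive "version" number */
}

/* Classify what settimeofday() reported for an invalid timeval pointer.
 * EFAULT (bad pointer) or EPERM (no CAP_SYS_TIME) are the normal refusals. */
enum probe_result classify_settimeofday(int rc, int err)
{
    if (rc == -1 && (err == EFAULT || err == EPERM))
        return PROBE_CLEAN;
    return PROBE_SUSPECT;
}

/* Adore-style probe: ask for 'magic' as our UID. rkscan loops over every
 * unassigned UID; one value is enough to show the check. Skipped as root
 * (setuid() would succeed and drop privileges) or if 'magic' is our own UID. */
enum probe_result probe_setuid(uid_t magic)
{
    if (geteuid() == 0 || getuid() == magic)
        return PROBE_SKIPPED;
    errno = 0;
    int rc = setuid(magic);
    return classify_setuid(rc, errno);
}

/* knark-style probe: pass 'magic' where the timeval pointer belongs. */
enum probe_result probe_settimeofday(long magic)
{
    errno = 0;
    int rc = settimeofday((struct timeval *)magic, NULL);
    return classify_settimeofday(rc, errno);
}

int main(void)
{
    /* Constructed sample magic values; not taken from any rootkit build. */
    const uid_t adore_guess = 50666 + 2;   /* ELITE_CMD+2 convention from the mail */
    const long  knark_guess = 9000;
    static const char *names[] = { "clean", "SUSPECT", "skipped (root)" };

    printf("setuid(%u):        %s\n", (unsigned)adore_guess,
           names[probe_setuid(adore_guess)]);
    printf("settimeofday(%ld): %s\n", knark_guess,
           names[probe_settimeofday(knark_guess)]);
    return 0;
}
```

Build with `cc probe_classify.c -o probe_classify` and run it as an ordinary user; on a stock kernel both lines read `clean`. The classifiers are kept separate from the probes so the decision logic can be checked without issuing the syscalls, which is also the part a full scanner would reuse across every value it tries.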
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 10:14:22 PDT