Security Incidents mailing list archives

Re: R00t Kits


From: Dave Dittrich <dittrich () cac washington edu>
Date: Wed, 6 Jun 2001 14:24:23 -0700 (PDT)

On Wed, 6 Jun 2001, Davis, Scott wrote:

> I am in the process of writing a perl script that will look for known root
> kits on *nix systems.
>       A) Does anyone know if this script already exists? (Don't want to
> invent the wheel a second time)

There are a couple.  "chkrootkit" is specific to various rootkits, and
"ramenfind" is geared more towards Linux worm detection/cleanup.

>       B) Does anyone know a site that has all of the known r00t kits
> listed and what files to look for?

I don't know of one that claims to have *all known* rootkits
(especially not trivial variants).  I just updated some links
in the following paper, which should help you:

        http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
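The kind of check the original question describes (a table of known rootkit artifact paths, tested for presence on the host), as an added example that is not part of the thread and is not code from chkrootkit or ramenfind. Every kit name and path in the SIGNATURES table is a constructed placeholder, not a vetted rootkit signature; the point is the scan logic and the ROOT parameter, which lets the check run against a mounted image of a suspect disk instead of the live system.

```sh
#!/bin/sh
# Added example for this thread, not code from the original post or from
# chkrootkit/ramenfind: a minimal signature-based rootkit file check.
#
# Every kit name and path below is a CONSTRUCTED placeholder for the
# demonstration; a real table is filled from vetted rootkit writeups.
# Format: "<kit-name>|<absolute path>", one artifact per line.
SIGNATURES='
example-kit-a|/usr/lib/.example-kit-a/ssh
example-kit-a|/dev/.example-kit-a-ptyp
example-kit-b|/usr/src/.example-kit-b
example-kit-b|/tmp/.example-kit-b.pid
'

# scan_rootkits ROOT
#   Tests every signature path under ROOT.  Use "/" for the live system, or
#   the mount point of a suspect disk image, which is the safer choice: a
#   kernel-level or LD_PRELOAD rootkit on the live host can hide its own
#   files from stat/ls/find, so a clean result from the live host proves
#   less than one from a mounted image.  Prints one "HIT <kit> <path>" line
#   per match and returns 1 if anything matched, 0 otherwise.  Both "-e" and
#   "-L" are tested so a dangling symlink planted by a kit still counts.
scan_rootkits() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    hits=0
    # A here-document keeps the loop in the current shell, so $hits survives
    # (a pipe into "while read" would run the loop in a subshell).
    while IFS='|' read -r kit path; do
        [ -n "$kit" ] || continue      # skip blank lines in the table
        if [ -e "$root$path" ] || [ -L "$root$path" ]; then
            printf 'HIT %s %s\n' "$kit" "$path"
            hits=$((hits + 1))
        fi
    done <<EOF
$SIGNATURES
EOF
    [ "$hits" -eq 0 ]
}

# When run as a script with a root argument (e.g. "sh rkscan.sh /mnt/img"),
# scan that tree; with no argument the functions are only defined.
if [ -n "${1:-}" ]; then
    scan_rootkits "$1" && echo "no known-rootkit artifacts found under $1"
fi
```

A hit means a known artifact is present; no hit only means none of the listed kits (in their listed form) was found, which is the "trivial variants" limitation Dave notes above. Pair a path table like this with a baseline of file hashes taken while the host was known-good, and run it from trusted, statically linked tools or boot media rather than the possibly trojaned binaries on the host.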