IDS mailing list archives
Re: Release of Rootkit Hunter 1.0.0
From: Mike Parkhurst <myname17 () bellsouth net>
Date: Wed, 24 Mar 2004 20:03:29 -0500
I wish you were right, but there are things that get through that Norton doesn't get. For example, one of my users has some type of back door on his laptop. Norton does not pick it up, but when someone sends virii through it, Norton alarms. Sometimes dozens of times at once. Needless to say, my user is annoyed.
Another user wasn't thinking and opened one of the virii that went around last week or so. Norton did pick up on it and claimed to clean the PC. Unfortunately, it did not clean the back door (he had symptoms similar to the above user). Since this user is local, and I knew where the back door came from, I was able to manually edit the registry to kill the back door portion of the virus. This is not an automatic process; I used the directions on Norton's website.

There is also the spyware problem. Some spyware is pretty much impossible to kill. Ad-Aware and the like will not do it. To me, both of these are rootkits. Out of 25 users, I have two that have managed to get something that I cannot clean without fdisking the systems. The installed Norton will not clean them.

Note: I am not claiming that Norton does a bad job, it's just that there are some things it cannot or will not fix.

Mike

Chris Moody wrote:
The names McAfee and Norton seem to ring a bell to me.

~Chris

On Mon, 22 Mar 2004, Mike Parkhurst wrote:

That's a cool project. Does anyone know if there is a similar project for Windows systems?

Thanks,
Mike

M. Boelen wrote:

Hi,

After three RCs (release candidates), a lot of bug hunting and a lot of 'Big thanks', I'm proud to present to you a new release of Rootkit Hunter. This release incorporates extra support for operating systems like AIX, improved support for rootkits, new 3rd party support, extra program parameters, better logging support and code cleanups. Of course I want to thank all of you who tested previous releases, sent comments or helped me by giving extra (code) tips to improve this release!

Project page: http://www.rootkit.nl/projects/rootkit_hunter.html
Download location: http://downloads.rootkit.nl/rkhunter-1.00.tar.gz

Project description: Scanner for detection of known and unknown rootkits, backdoors and sniffers. See features below for more information.
System requirements: UNIX (clone), BASH shell, Perl (optional)
Audience: System administrators, IT security experts

Extended information:
-----------------------
Some features:
- 'Known good' hash compare
- Default file location scan
- Hidden files scan
- OpenSSH configuration check
- Colored layout
- Support for cronjobs

Rootkit Hunter has been tested (and/or confirmed to work) on Red Hat (normal and Advanced Server), Slackware, Fedora, SuSE, Gentoo, Debian, Mandrake, FreeBSD (4.x and 5.x), AIX, OpenBSD and others. Support for NetBSD and Solaris is in development stage.

Known issues:
- Not all Fedora Core 1 hashes are updated (but this will happen soon)
- manpage not yet available (although it's already finished)
- Installation uses preconfigured (static) file paths
-----------------------

Want to get notified when new releases are available? Subscribe to the Freshmeat project page (http://freshmeat.net/projects/rkhunter)

Have some questions (or comments)? Fill in the contact form at http://www.rootkit.nl.

Best regards,

Michael
Rootkit.nl

p.s. this message is cross-posted to several (security) related mailing lists. If you get this message a few times, you have been subscribed to the same mailing lists as I am. In this case, sorry for the multiple messages. No spamming was intended =)
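The 'Known good' hash compare listed among the Rootkit Hunter features above, as an added example that is not part of the thread or of rkhunter itself: a baseline of trusted file hashes is recorded once, and later runs report any binary that has gone missing or changed. The baseline path and the binaries named in the usage comment are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example, not rkhunter's own code: a minimal "known good" hash compare.
# Assumes a baseline file of "<sha256>  <path>" lines recorded while the
# system was still trusted (for instance right after installation).
set -u

hash_file() {
  # Print the SHA-256 of one file; GNU coreutils or BSD/macOS shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

make_baseline() {
  # $1 = baseline path to write, remaining args = files to record.
  local baseline=$1 f
  shift
  : > "$baseline"
  for f in "$@"; do
    printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
  done
}

check_baseline() {
  # Recompute every hash in the baseline and print one verdict per file.
  # Returns the number of files that are missing or changed (0 = clean).
  local baseline=$1 bad=0 expected path
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ ! -f "$path" ]; then
      printf 'MISSING  %s\n' "$path"; bad=$((bad + 1))
    elif [ "$(hash_file "$path")" != "$expected" ]; then
      printf 'CHANGED  %s\n' "$path"; bad=$((bad + 1))
    else
      printf 'OK       %s\n' "$path"
    fi
  done < "$baseline"
  return "$bad"
}

# Typical use (paths are illustrative): on a trusted host run
#   make_baseline /root/bin.sha256 /bin/ls /bin/ps /bin/netstat /usr/bin/find
# and later, from a cron job, run
#   check_baseline /root/bin.sha256 || echo "binaries changed since baseline"
```

The baseline only protects against tampering that happens after it was taken, and it has to live somewhere the attacker cannot rewrite (read-only media or a remote host), otherwise a rootkit can simply update the hashes along with the binaries.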
Current thread:
- Release of Rootkit Hunter 1.0.0 M. Boelen (Mar 21)
- Re: Release of Rootkit Hunter 1.0.0 Mike Parkhurst (Mar 23)
- Re: Release of Rootkit Hunter 1.0.0 Chris Moody (Mar 25)
- Re: Release of Rootkit Hunter 1.0.0 Mike Parkhurst (Mar 27)
- RE: Release of Rootkit Hunter 1.0.0 [BacK] (Mar 27)
- Re: Release of Rootkit Hunter 1.0.0 Oscar Gallego Sendín (Mar 29)
- Re: Release of Rootkit Hunter 1.0.0 Chris Moody (Mar 25)
- Re: Release of Rootkit Hunter 1.0.0 Mike Parkhurst (Mar 23)