/** rkscan.c (C) 2000 by Stephane Aubert
** <Stephane.Aubert@hsc.fr>
**
** Rootkit Scanner for:
** . KNARK version 0.59
** (kernel-based rootkit)
** knark was written by Creed <creed@sekure.net>
** and can be found on packetstorm.securify.com
**
** . ADORE version : 0.14, 0.24 and 2.0b
** (kernel-based rootkit)
** Adore was written by Stealth
** and can be found on http://spider.scorpions.net/~stealth/
**/
#include <sys/types.h>
#include <sys/time.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <values.h>
// Use MAXINT for a fullscan
#define UPSCAN 65535
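/*
 * Probe for the KNARK 0.59 kernel rootkit.
 *
 * The probe relies on KNARK's handling of settimeofday() interpreting the
 * timeval pointer argument as a command number: every candidate value from
 * UPSCAN down to 0 is passed as that pointer and the first one the kernel
 * accepts (return 0) is reported.  The process never dereferences the
 * pointer itself; it is a value, not an address.
 *
 * Only meaningful for an unprivileged caller.  With CAP_SYS_TIME (root) the
 * command-0 probe is settimeofday(NULL, NULL), which a clean Linux kernel
 * accepts as a no-op, so a privileged run yields a false positive.
 *
 * Returns 1 when a command value was accepted (rootkit present), 0 when none
 * was.  Progress and verdict are written to stdout.
 */
int knark_scan( void ) {
    printf(" Scanning for KNARK version 0.59 ...\n");
    for( int command = UPSCAN; command >= 0; command-- ) {
        /* Convert through uintptr_t so the int -> pointer conversion is
         * well defined on LP64 targets (a direct cast from int warns and
         * is implementation-defined). */
        struct timeval *probe = (struct timeval *)(uintptr_t)command;
        if( settimeofday(probe, (struct timezone *)NULL) == 0 ) {
            printf(" #KNARK rootkit is running (settimeofday command=%d) !\n\n",
                   command );
            return 1;
        }
    }
    printf(" KNARK rootkit NOT DETECTED on this system.\n\n");
    return 0;
}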
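/*
 * Probe for the ADORE 0.14 / 0.24 / 2.0b kernel rootkit.
 *
 * Walks candidate UIDs from UPSCAN down to 2 and calls setuid() on each one
 * that is absent from the passwd database.  A standard setuid() only ever
 * returns 0 or -1 (EPERM for every foreign UID when unprivileged), so a
 * strictly positive return is taken as the rootkit answering; the command
 * value it was given is reported as uid-2.
 *
 * Limitations: UIDs that exist in the passwd database are never probed, so
 * coverage depends on what getpwuid() can resolve on this host; and the
 * result is only meaningful for an unprivileged caller - a root caller can
 * legitimately setuid() to a foreign UID and would change the process's UID
 * mid-scan.
 *
 * Returns 1 when the rootkit answered, 0 otherwise.  Progress and verdict are
 * written to stdout.
 */
int adore_scan( void ) {
    printf(" Scanning for ADORE version 0.14, 0.24 and 2.0b ...\n");
    /* uid_t is unsigned; the loop terminates once uid reaches 1. */
    for( uid_t uid = UPSCAN; uid >= 2; uid-- ) {
        if( getpwuid(uid) != NULL ) {
            continue;               /* account exists: not a usable probe */
        }
        int rc = setuid( uid );
        if( rc > 0 ) {
            /* uid_t is unsigned: %d on it was a format-type mismatch. */
            printf(" #ADORE rootkit is running with ELITE_CMD=%u !\n\n",
                   (unsigned)(uid - 2) );
            return 1;
        }
    }
    printf(" ADORE rootkit NOT DETECTED on this system.\n\n");
    return 0;
}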
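/*
 * Entry point: refuse to run with root privileges, then run both scans.
 *
 * Both probes depend on the kernel denying the privileged operations they
 * attempt (settimeofday(), setuid() to a foreign UID).  With root privileges
 * those calls succeed legitimately and the scans become meaningless or
 * misleading, so the effective UID is checked as well as the real one; this
 * also covers the binary being installed set-uid root.
 *
 * Exit status is the number of rootkits detected (0 = none).  A refused run
 * also exits 0, so scripts must inspect the output, not only the status, to
 * tell "clean" from "not scanned".
 */
int main( int argc, char *argv[] ) {
    (void)argc;
    (void)argv;
    printf("-=- Rootkit Scanner -=-\n"
           "-=- by Stephane.Aubert@hsc.fr -=-\n\n");
    if( getuid() == 0 || geteuid() == 0 ) {
        printf(" *** Don't run this scanner as root ! ***\n\n");
        return 0;
    }
    /* ADORE first, then KNARK, as in the original report order. */
    int retval = adore_scan();
    retval += knark_scan();
    printf("Done.\n");
    return retval;
}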