Rootkit

/** rkscan.c (C) 2000 by Stephane Aubert
 ** <Stephane.Aubert@hsc.fr>
 **
 ** Rootkit Scanner for:
 **   . KNARK version 0.59
 **     (kernel-based rootkit)
 **     knark was written by Creed <creed@sekure.net>
 **     and can be found on packetstorm.securify.com
 **
 **   . ADORE version : 0.14, 0.24 and 2.0b
 **     (kernel-based rootkit)
 **     Adore was written by Stealth
 **     and can be found on http://spider.scorpions.net/~stealth/
 **/

#include <sys/types.h>
#include <sys/time.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <values.h>

// Upper bound of the values probed by both scans (KNARK command words and
// ADORE candidate UIDs); the loops count down from here.  65535 keeps the
// scan quick -- use MAXINT (from <values.h>) for a fullscan.
#define UPSCAN 65535

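/*
 * Probe for the KNARK 0.59 kernel-based rootkit.
 *
 * The scan calls settimeofday() with each candidate command word, from
 * UPSCAN down to 0, in place of the timeval pointer.  A stock kernel is
 * expected to reject such a call from an unprivileged process, so a
 * successful return is taken as the signature of a hooked settimeofday().
 *
 * Returns 1 when a command was accepted (rootkit detected), 0 otherwise.
 * Progress and the verdict are written to stdout.
 *
 * NOTE(review): with CAP_SYS_TIME (e.g. running as root) the final probe,
 * settimeofday(NULL, NULL), can presumably succeed on a clean kernel and
 * read as a false positive -- likely why main() refuses to run as root.
 */
int knark_scan( void ) {
    printf("  Scanning for KNARK version 0.59 ...\n");
    for( int command=UPSCAN; command>=0; command-- ) {
        /* The command word is deliberately passed where a pointer is
         * expected; only a hooked settimeofday() interprets it.  Widen via
         * uintptr_t so the int -> pointer conversion is well defined on
         * 64-bit targets (command is never negative here). */
        struct timeval *probe = (struct timeval *)(uintptr_t)(unsigned)command;
        if( settimeofday(probe, NULL) == 0 ) {
            printf("  #KNARK rootkit is running (settimeofday command=%d) !\n\n",
                   command );
            return 1;
        }
    }
    printf("  KNARK rootkit NOT DETECTED on this system.\n\n");
    return 0;
}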

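/*
 * Probe for the ADORE 0.14 / 0.24 / 2.0b kernel-based rootkit.
 *
 * Candidate UIDs are tried from UPSCAN down to 2, skipping any UID that has
 * a real entry in the password database.  A stock setuid() only ever
 * returns 0 or -1, so a strictly positive return is taken as the signature
 * of a hooked setuid(); the value reported as ELITE_CMD is uid - 2, the
 * mapping the scanner assumes for the rootkit's magic UID.
 *
 * Returns 1 when the rootkit answered (detected), 0 otherwise.
 * Progress and the verdict are written to stdout.
 *
 * NOTE(review): every candidate costs a getpwuid() lookup, which goes
 * through NSS on glibc -- on hosts with a remote password database this
 * scan may be slow or noisy; confirm that is acceptable before deploying.
 */
int adore_scan( void ) {
    printf("  Scanning for ADORE version 0.14, 0.24 and 2.0b ...\n");
    /* uid_t is unsigned on common platforms, so the loop stops at 2 rather
     * than counting down to 0; UPSCAN must be >= 2 for the scan to do
     * anything. */
    for( uid_t uid=UPSCAN; uid>=2; uid-- ) {
        if( getpwuid(uid) != NULL ) {
            continue;   /* UID belongs to a real account: not a candidate */
        }
        /* Only a hooked setuid() yields a value > 0. */
        if( setuid( uid ) > 0 ) {
            /* uid_t is unsigned: print it with %u rather than %d. */
            printf("  #ADORE rootkit is running with ELITE_CMD=%u !\n\n",
                   (unsigned)(uid - 2) );
            return 1;
        }
    }
    printf("  ADORE rootkit NOT DETECTED on this system.\n\n");
    return 0;
}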

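/*
 * Entry point: print the banner, refuse to run as root, then run the ADORE
 * and KNARK scans.
 *
 * Exit status is the number of rootkits detected (0 = clean, at most 2).
 * Refusing to run as root also exits with 0, so a caller cannot tell
 * "clean" from "not scanned" by the exit status alone -- kept as is for
 * compatibility with existing callers.
 *
 * argc/argv are unused: the scanner takes no options.
 */
int main( int argc, char *argv[] ) {
    (void)argc;
    (void)argv;
    int retval=0;
    printf("-=-      Rootkit Scanner      -=-\n"
           "-=- by Stephane.Aubert@hsc.fr -=-\n\n");

    /* Both probes rely on privileged calls (settimeofday, setuid) failing
     * on a clean kernel for an unprivileged caller; as root they could
     * presumably succeed legitimately, so refuse to scan at all. */
    if( getuid()==0 ) {
        printf("  *** Don't run this scanner as root ! ***\n\n");
        exit( 0 );
    }

    retval += adore_scan();
    retval += knark_scan();

    printf("Done.\n");
    exit( retval );
}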




 



