Rkdet 0.54 review
DownloadThis program is a daemon intended to catch someone installing a rootkit or running a packet sniffer
|
|
This program is a daemon intended to catch someone installing a rootkit or running a packet sniffer. It is designed to run continually with a small footprint under an innocuous name. When triggered, it sends email, appends to a logfile, and disables networking or halts the system. it is designed to install with the minimum of disruption to a normal multiuser system, and should not require rebuilding with each kernel change or system upgrade.http://vancouver-webpages.com/rkdet/rkdet-0.54-2.i386.rpm
The program regularly verifies the checksum of a small number of system files that are typically modified by a rootkit. This list of files is compiled into the program. The file list, together with the system commands and messages, are obfuscated in the compiled code to prevent someone from figuring out what the program is for by eyeballing the binary.
The obfuscation algorithm is simple, but is compiled into the program and does not depend on external programs or other libraries.
The program takes a single optional numeric argument. If odd (bit 0 set), the interface "eth0" is checked for promiscuous operation (packet sniffing). If bit 1 is clear, the program will delete the default route on the network when triggered. Of bit 1 is set, the program will disable the eth0 interface. Systems with multiple interfaces may require an alternate interface specification in "xstrings.txt", or modification of the program to disable multiple interfaces. If bit 2 is set, the program will only log events and not disconnect the network.
The command may be modified to "init 1" or "shutdown -h now" if desired, or to run a script such as "panic.sh" (included).
What's New in This Release:
Added configure script.
Do not trap if checksum program fails (due to load, etc.)
Rkdet 0.54 keywords