
Re: [linux-security] Re: Re: Re: Bind Overrun Bug and Linux



True, many 'script kids' use rootkits' default configurations.
Usually admins don't have time to examine the many types of rootkits
and variations; for this case, one year ago I wrote a script
to detect rootkits in Linux and FreeBSD.
Actually this tool detects 4 types of rootkits in Linux, 2
in FreeBSD, and has fast updating.

The official url is:
ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
One variation for Demonkit (by daemon9|route):
ftp://ftp.pangeia.com.br/pub/seg/pac/chkdemonkit.tar.gz


Regards,

-- 
N e l s o n  M u r i l o
Pangeia Informatica - Internet solutions provider.
http://www.pangeia.com.br

}On Sat, 23 May 1998, Shaun wrote:
}}This is all LRK actually contains, from its readme:
}}chfn: local backdoor
}}chsh: local backdoor
}}inetd: remote backdoor
}}login: remote backdoor
}}ls/du: hide files
}}ifconfig: hide sniffing
}}netstat: hide connections
}}ps/top: hide processes
}}passwd: localhost backdoor
}}rshd: remote backdoor
}}syslogd: hide log strings
}}tcpd: avoid denials
}}It also includes linsniff, and a few other log cleaner programs.
}[...]
}}Don't be scared of 'configure rootkit ; make install'  kiddies, these are
}}the people like 'The Analyzer' that get caught up on becoming well known
}}in the hacker community, but have no real skills.
}}
}}Be scared of the people that you do not see on your system, or find
}}evidence of them being there, but you just know they are.
}


