Bugtraq mailing list archives
Re: Mantrap By Recourse Technologies - Fate Advisory (11-01-00)
From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Sat, 4 Nov 2000 01:30:27 -0800
This can also possibly be used to detect LKM trojans and the like. It might give a false alarm though, as some kernel patches designed to hide other users' processes might give the same result. But together with the other tell-tale signs of ManTrap it gives a very good fingerprint.
It doesn't seem to work against TESO's Adore LKM, while Stephane Aubert's "rkscan" (published on the INCIDENTS list on 25 Oct 2000) currently does:

    $ id
    uid=500(notroot) gid=500(notroot) groups=500(notroot),236(office)
    $ ./mantrap -a
    ManTrap detection/testing program by wilson () f8labs org - www.f8labs.org

    proc-vs-kill() test:
      Normal: No mismatches found.
    dotdot test:
      Normal: /proc/.. found in directory listing.
    cwdwalk test:
      Normal: getwd() succeeded after chdir to /proc/self/cwd.
    Finished.
    $ ./rkscan
    -=- Rootkit Scanner -=-
    -=- by Stephane.Aubert () hsc fr -=-

    Scanning for ADORE version 0.14, 0.24 and 2.0b ...
    #ADORE rootkit is running with ELITE_CMD=31337 !

    Scanning for KNARK version 0.59 ...
    KNARK rootkit NOT DETECTED on this system.

    Done.

I haven't tried it yet against knark or other Linux LKMs... (nor do I have mantrap to test rkscan against it.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu            Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
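The "proc-vs-kill()" line in the transcript above is the classic hidden-process check: walk the PID space, ask the kernel whether each PID exists with kill(pid, 0), and flag any PID that answers but is missing from the /proc listing. The following is an added Python example written for this archive page; it is not Dittrich's code and not the f8labs "mantrap" tool or rkscan, and its function names and the constructed test data are my own. It reads pid_max from /proc/sys/kernel/pid_max when available, and it re-lists /proc before reporting a mismatch so that a process that merely started between the listing and the probe is not counted as hidden, which is the false-alarm case the post warns about.

```python
"""Added example: a minimal proc-vs-kill hidden-process check (not the mantrap tool's code)."""
import os
import re

_PID_RE = re.compile(r"^\d+$")


def proc_listing_pids(proc="/proc"):
    """PIDs visible as numeric directory names in /proc (what ps and ls see)."""
    try:
        return {int(name) for name in os.listdir(proc) if _PID_RE.match(name)}
    except FileNotFoundError:
        # No procfs mounted (e.g. a minimal sandbox); nothing to compare against.
        return set()


def pid_exists(pid):
    """Probe a PID with signal 0.

    ESRCH (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but belongs to another user, which still counts
    as 'exists' for this check.
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_pids(listed, exists, max_pid):
    """PIDs in 1..max_pid that answer the probe but are absent from `listed`.

    `exists` is injected so the logic can be exercised with constructed data.
    """
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in listed and exists(pid))


def read_pid_max(default=32768):
    """Upper bound of the PID space; falls back to the historical default."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def proc_vs_kill_test(proc="/proc"):
    """Run the check on the live system and return the confirmed mismatches.

    A PID is only reported if it is still missing from a *second* /proc
    listing taken after the probe; this removes processes that were simply
    created between the first listing and the kill() probe.
    """
    first = proc_listing_pids(proc)
    candidates = find_hidden_pids(first, pid_exists, read_pid_max())
    second = proc_listing_pids(proc)
    return [pid for pid in candidates if pid not in second]


if __name__ == "__main__":
    hidden = proc_vs_kill_test()
    if hidden:
        print("Mismatch: PIDs answering kill() but absent from /proc:", hidden)
    else:
        print("Normal: No mismatches found.")
```

On a normal host the result is an empty list. A non-empty result is a lead, not a verdict: as the post notes, a kernel patch that hides other users' processes from /proc produces the same mismatch, and inside a PID namespace both the listing and the probe only see the namespace's own PIDs, so the check cannot see past a container boundary.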