rkdet rootkit detector

Andrew Daviel <andrew@vancouver-webpages.com>
February 2000
Revised March 2001

Tiny Abstract:
Install this program to detect hackers breaking into your system

Abstract:
This program is a daemon intended to catch someone installing a rootkit
or running a packet sniffer. It is designed to run continually
with a small footprint under an innocuous name. When triggered, it
sends email, appends to a logfile, and disables networking or
halts the system. It is designed to install with the minimum
of disruption to a normal multiuser system, and should not
require rebuilding with each kernel change or system upgrade.

License:
rkdet is freeware. rkdet incorporates code by David A. Curry
from "ifstatus", which is in the public domain.

Background:
Intruders may gain access to your system by a variety of
mechanisms - they may steal the password of an authorized user,
obtain a password by packet sniffing on a network, or exploit a
hole such as a buffer overrun in a system daemon. Once access has
been obtained, a hacker may be content to use CPU cycles to
run an IRC robot such as eggdrop, crack passwords obtained
elsewhere (or on your system if shadow passwords are not installed),
or simply to store files - hacking tools, or stolen data, for instance.
Often, however, a hacker will take some steps to cover their
traces and to hide their activity from casual inspection. To do this,
they need to obtain root access, if they do not already have it.
A number of exploits are available to gain root from a regular account
using suid programs such as mount, cron, or game programs.
The hacker then typically disables system accounting and logging,
or tries to prevent their activities from being logged. A 
prebuilt package of programs to do this is known as a "rootkit".
In most cases, this kit replaces system commands such as "ps" and
"netstat" with versions that do not report the hacker's programs or
IP address. If a watch is kept for changes to these programs,
an intrusion may be detected. 

Another common practice is to install a packet sniffer. This will
build a list of usernames and passwords for any telnet or ftp
logins taking place on the same network segment as the compromised
machine. In theory, other logins may be detected, such as IMAP, POP3
(email), windows networking etc. Again, if a watch is kept for
this activity (signalled by a change in status of a network
interface to promiscuous mode), an intrusion may be detected.
(A hacker could, however, capture logins to the compromised machine
itself without putting the interface into promiscuous mode, so this
check cannot catch every sniffer.)



Description:
The program regularly verifies the checksum of a small number of
system files that are typically modified by a rootkit. This list of files
is compiled into the program. The file list, together with the system commands
and messages, is obfuscated in the compiled code to prevent someone
from figuring out what the program is for by eyeballing the binary.
The obfuscation algorithm is trivial, but it is compiled into the program
and does not rely on any external programs or libraries.
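The following is an added example, not rkdet's own code, of the check loop just described: a compiled-in table of obfuscated path names, a baseline checksum per file, and a verify pass that names the first file that no longer matches. The obfuscation is a one-byte XOR with a pattern constant (a stand-in for the XPAT value mentioned under Enhanced Security; rkdet's real scheme is not shown on this page), and the checksum is 64-bit FNV-1a, a stand-in for whatever rkdet uses. FNV is not a cryptographic hash: it catches a naive replacement, but an attacker who knows the algorithm can pad a trojaned binary to collide, so a real deployment should use a cryptographic hash. The temporary files and their contents are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp, write, close, unlink */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define XPAT 0x5A        /* obfuscation byte; change it and every stored byte changes */
#define MAX_PATH_LEN 256

/* "/bin/ps" XOR 0x5A, as a build-time script would emit it into the source. */
static const uint8_t OBF_PS[] = { 0x75, 0x38, 0x33, 0x34, 0x75, 0x2A, 0x29 };

struct watched {
    uint8_t  obf[MAX_PATH_LEN]; /* obfuscated path, no NUL terminator          */
    size_t   len;               /* kept explicitly: a byte may XOR to zero     */
    uint64_t expected;          /* baseline checksum                           */
};

/* XOR with a constant is its own inverse: one routine encodes and decodes. */
static void xor_pattern(const uint8_t *in, size_t n, uint8_t *out) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ XPAT;
}

/* Decode an obfuscated path into a NUL-terminated string. */
static void decode_path(const uint8_t *obf, size_t n, char *out, size_t cap) {
    if (n >= cap) n = cap - 1;
    xor_pattern(obf, n, (uint8_t *)out);
    out[n] = '\0';
}

static int decodes_to(const uint8_t *obf, size_t n, const char *expect) {
    char buf[MAX_PATH_LEN];
    decode_path(obf, n, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* 64-bit FNV-1a, continued from h (pass the offset basis to start). */
static uint64_t fnv1a_buf(const uint8_t *p, size_t n, uint64_t h) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Checksum a whole file; 0 on success, -1 if it cannot be read. */
static int checksum_file(const char *path, uint64_t *out) {
    FILE *f = fopen(path, "rb");
    uint8_t buf[4096];
    uint64_t h = 0xcbf29ce484222325ULL;
    size_t n;
    if (!f) return -1;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) h = fnv1a_buf(buf, n, h);
    fclose(f);
    *out = h;
    return 0;
}

/* Register a path: store it obfuscated, take its current checksum as baseline. */
static int watch_path(struct watched *w, const char *path) {
    size_t n = strlen(path);
    if (n >= MAX_PATH_LEN) return -1;
    xor_pattern((const uint8_t *)path, n, w->obf);
    w->len = n;
    return checksum_file(path, &w->expected);
}

/* Check every entry. Returns the number of mismatches (an unreadable file
 * counts: a monitored binary vanishing is itself suspicious) and copies the
 * decoded name of the first one into 'first' for the alert message. */
static int verify_all(const struct watched *w, size_t count, char *first, size_t cap) {
    char path[MAX_PATH_LEN];
    int bad = 0;
    for (size_t i = 0; i < count; i++) {
        uint64_t h;
        decode_path(w[i].obf, w[i].len, path, sizeof path);
        if (checksum_file(path, &h) != 0 || h != w[i].expected) {
            if (bad++ == 0 && first) { strncpy(first, path, cap - 1); first[cap - 1] = '\0'; }
        }
        memset(path, 0, sizeof path);  /* keep plaintext out of memory between checks */
    }
    return bad;
}

/* Constructed scenario: two temp files stand in for monitored binaries.
 * Returns 0 if altering one is detected and correctly named, nonzero otherwise. */
static int demo_detects_tamper(void) {
    char a[] = "/tmp/rkdet_demo_aXXXXXX", b[] = "/tmp/rkdet_demo_bXXXXXX";
    char first[MAX_PATH_LEN];
    struct watched w[2];
    int fa = mkstemp(a), fb = mkstemp(b), rc = 1;
    if (fa < 0 || fb < 0) { if (fa >= 0) { close(fa); unlink(a); } return 1; }
    (void)write(fa, "ps", 2); (void)write(fb, "netstat", 7);
    if (watch_path(&w[0], a) == 0 && watch_path(&w[1], b) == 0 &&
        verify_all(w, 2, first, sizeof first) == 0) {
        (void)write(fa, "trojan", 6);            /* the "rootkit" alters one binary */
        rc = !(verify_all(w, 2, first, sizeof first) == 1 && strcmp(first, a) == 0);
    }
    close(fa); close(fb); unlink(a); unlink(b);
    return rc;
}

int main(void) {
    char path[MAX_PATH_LEN];
    decode_path(OBF_PS, sizeof OBF_PS, path, sizeof path);
    printf("table entry decodes to %s\n", path);
    printf("tamper demo: %s\n", demo_detects_tamper() == 0 ? "detected" : "FAILED");
    return 0;
}
```

In a real build the obfuscated byte arrays are produced once by a build-time script, so neither the path names nor the alert text appear in the binary as plain strings; the demo obfuscates at run time only so that it can watch files it creates itself. Note that the check reads the files through the kernel: once a kernel-level rootkit is in place, what the daemon reads can no longer be trusted, which is why the text points to LIDS for protecting the kernel.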

The program takes a single optional numeric argument, interpreted as a bit mask.
If bit 0 is set (the value is odd), the interface "eth0" is also checked for
promiscuous operation (packet sniffing).
Bit 1 selects the response when the program is triggered: if it is clear,
the program deletes the default route on the network; if it is set, the
program disables the eth0 interface.
Systems with multiple interfaces may require an alternate interface
specification in "xstrings.txt", or modification of the program to
disable multiple interfaces.
The command may be modified to "init 1" or "shutdown -h now"
if desired, or to run a script such as "panic.sh" (included).
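An added example, not rkdet's or ifstatus's own code, of the interface check and the argument decoding described above. The promiscuous test uses the SIOCGIFFLAGS ioctl, the standard socket API that ifstatus relies on; the mapping of bits to actions follows the text, while the two command strings and the interface name are assumptions (rkdet keeps its own in xstrings.txt).

```c
#define _DEFAULT_SOURCE            /* IFF_* flag names on glibc */
#include <net/if.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

#define IFACE "eth0"   /* the interface named in the text; assumed default here */

struct mode { int check_promisc; const char *response; };

/* Interpret the optional numeric argument as the text describes:
 * bit 0 set   -> also watch the interface for promiscuous mode;
 * bit 1 clear -> respond by deleting the default route,
 * bit 1 set   -> respond by taking the interface down.
 * The command strings are assumptions, not rkdet's own. */
static struct mode decode_mode(int arg) {
    struct mode m;
    m.check_promisc = (arg & 1) != 0;
    m.response = (arg & 2) ? "ifconfig " IFACE " down" : "route del default";
    return m;
}

/* Pure test on an interface flags word, usable without a socket. */
static int flags_promisc(short flags) { return (flags & IFF_PROMISC) != 0; }

/* Ask the kernel for an interface's flags with SIOCGIFFLAGS. Returns 1 if
 * promiscuous, 0 if not, -1 if the interface cannot be queried; a monitored
 * interface that vanishes deserves an alarm as well. */
static int iface_promisc(const char *name) {
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0), rc;
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    rc = ioctl(fd, SIOCGIFFLAGS, &ifr) == 0 ? flags_promisc(ifr.ifr_flags) : -1;
    close(fd);
    return rc;
}

/* One pass of the sniffer check; sets *triggered and returns the configured
 * response command so the caller can log it, run it, or both. */
static const char *check_once(int arg, const char *iface, int *triggered) {
    struct mode m = decode_mode(arg);
    *triggered = 0;
    if (m.check_promisc) {
        int p = iface_promisc(iface);
        if (p != 0) {
            printf("%s: %s\n", iface, p > 0 ? "PROMISCUOUS MODE" : "cannot read flags");
            *triggered = 1;
        }
    }
    return m.response;
}

int main(int argc, char **argv) {
    int triggered;
    const char *iface = argc > 2 ? argv[2] : IFACE;
    const char *resp = check_once(argc > 1 ? atoi(argv[1]) : 1, iface, &triggered);
    if (triggered) printf("would run: %s\n", resp);   /* a daemon would system() it */
    else           printf("%s: not promiscuous\n", iface);
    return 0;
}
```

Run it as "./a.out 1 eth0" (or any interface name) to see the result of one pass; a daemon would sleep and repeat. Two caveats the page already hints at apply: a sniffer that only captures traffic addressed to the compromised host need not set IFF_PROMISC, and once the kernel itself is compromised the flags it reports cannot be trusted.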

Enhanced Security:
Security through obscurity is not real security, but it is better
than nothing. Without kernel modifications such as those provided by LIDS,
it is difficult to hide a running process from inspection, but some
attempt may be made to hide rkdet from simple searches of the form
"ps ax|grep rkdet", "locate rkdet" or
"find /proc -name exe -exec grep -l md5sum {} \;".
You are urged to delete this documentation and the installation
kit from systems under protection, and to install the program
under an alternate name (the variable "ME" in the makefile may
be used for this, also "name" in the RPM .spec file).
You are encouraged to customise the list of files being monitored
and the warning messages and commands in xstrings.txt, also to
experiment with different values for XPAT in rkdet.c (and mkfil.pl) and
the patterns (the numbers) in xstrings.txt. This will generate
an executable with a different length and checksum, frustrating attempts
to identify it by pattern matching.

Further security may be obtained by modifying this program to
(re)arm a watchdog module, such as softdog.o, at each check. The watchdog
reboots the system when it is not re-armed in time, so the system will
reboot if the program deliberately stops arming it on detecting an
intrusion, and also if the program is simply killed. If paranoid, the watchdog module
may be modified to accept only a cookie or crypto challenge, and the
module may be locked by a package such as LIDS. LIDS may also be used
to hide this program by removing it from the /proc/ filesystem.

Other Security Systems:
LIDS - Linux Intrusion Detection System - is a series
of kernel patches that enable module and mountpoint locking.
LIDS is available from www.soaring-bird.com.cn/oss_proj/lids/

Bastille Linux is a series of scripts which tighten up security
on stock Linux systems, by changing permissions and disabling features.
Taken to the extreme, this will also prevent legitimate work and is
more suitable for hardening a dedicated loghost or fileserver than 
a development system.
Bastille is available from www.bastille-linux.org

PortSentry is a program which logs (and optionally blocks)
access to TCP and UDP services on the system. It will detect scans
for exploitable services (old versions of imap, ftp) and scans
for trojan horses (Back Orifice, Netbus etc.)
PortSentry is available from www.psionic.com


Caveat:
rkdet should be stopped before any monitored files are upgraded,
and restarted afterwards, so that a legitimately changed file is not
reported as an intrusion. Where there is some automated
update procedure, this may require special handling.

