
Recover from a virus

krd : kcore reader

presentation

Let's not have our box owned, but what happens if it is owned? After a reboot you find redirected syscalls, hidden files, users and processes, and an unstable system. Most admins will then just halt, reinstall and copy back their backups: that is when krd is useless. Some admins will want to know why their box is so unstable and which backdoor, virus or whatever is responsible: that is when krd is useful.

krd is indeed a /proc/kcore reader that checks kernel memory for various attack, backdoor and virus signatures. Tools like file integrity checkers are useful before your box is owned, but useless afterwards; krd is useful only once your box is owned, or at least to check that your box is not owned -yet-.

download krd

. krd-pre0.1 can be downloaded from the download section : download

code information

. general information on the structure and use of krd : general

. information on the use of the signature file : signatures

. information on the reader module of krd : reader

. information on the manual mode of krd : sniffing

useful information on kcore and krd

. what does google have to say about /proc/kcore? It can be found here : google

. different experiences with /proc/kcore can be found here : kcore

. different tests of the use of krd can be found here : examples

. advantages and setbacks of krd can be found here : advsetbacks

handbook/handbook/recovery_virus/recover_from_a_virus.txt · Last modified: 2010/04/15 21:18 (external edit)