**krd: kcore reader**

**Quick Introduction**

krd is a rootkit detection utility which scans /proc/kcore for interesting data. Suspicious programs (sk, adore, etc.) and worms/backdoors/viruses are detected even if they are running silently in your kernel. For instance, the ASCII string OSF indicates the ELF infector GMON.A is present.

**Briefing**

We don't want our boxes //owned//, so we try our best to keep them secure in the first place. But what happens when our machines are compromised anyway? Many admins will notice their OS has become unstable, as the rootkit hides files, users, and processes, and will simply halt the machine and reinstall from backups. But why not learn the source of the problem? This is where krd comes in.

krd is a /proc/kcore reader which checks for various attack signatures. File integrity checkers are useful if installed before your servers are compromised, but they quickly become useless after the fact, since a baseline taken after the compromise already contains the attacker's changes. This is where krd becomes important.
 +
 +
**Download krd**

* krd-pre0.1 can be downloaded here: http://krd.linux.edu/krd.tgz

**Code Information**

* General information on the structure and use of krd: [[krd:general]]
* Information on the use of the signature file: [[krd:signatures]]
* Information on signature generation: [[krd:siggen]]
* Information on krd's module: [[krd:reader]]
 +
 +
**Known Issues**

Currently, the main problem with krd stems from the fact that /proc/kcore can be a huge file, since it is an ELF core image of the running kernel's memory:

  -r--------  1 root root 393M 2005-10-14 11:35 /proc/kcore

As such, it takes a very long time to scan. This issue has not yet been solved, but in the future we will attempt to optimize the reading and signature engine. Threading krd to scan different parts of /proc/kcore at the same time will also help.
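The signature scan the Briefing describes, written out as an added example (this is not krd's own code): the image is read in fixed-size chunks with a carry-over tail, so a signature that straddles a chunk boundary is still found and a multi-hundred-MB /proc/kcore never has to be held in memory, which is one way of dealing with the size problem noted above. The signature table, the `suckit` byte pattern, the function names and the sample image are all constructed for this example and are not entries from krd's signature file.

```python
import io
import re

# Constructed signature table for this example. The page mentions the string
# "OSF" and a signature for the suckit backdoor; the byte patterns here are
# illustrative assumptions, not entries from krd's real signature file.
SIGNATURES = {
    "OSF string (page example)": b"OSF",
    "hypothetical suckit marker": b"suckit",
}

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time; tune to the machine


def scan_stream(stream, signatures=SIGNATURES, chunk_size=CHUNK_SIZE):
    """Scan a binary file-like object for every signature.

    Returns a list of (signature name, absolute byte offset) in the order
    found. The stream is read in fixed-size chunks so a huge image never has
    to fit in memory; the last (longest signature - 1) bytes of each chunk
    are carried over so that a match straddling a chunk boundary is seen.
    """
    # Longest patterns first, so a short signature that is a prefix of a
    # longer one does not shadow it in the alternation.
    ordered = sorted(signatures.items(), key=lambda kv: -len(kv[1]))
    pattern = re.compile(b"|".join(re.escape(p) for _, p in ordered))
    name_of = {p: n for n, p in ordered}
    overlap = max(len(p) for _, p in ordered) - 1

    hits, seen = [], set()
    tail = b""   # bytes carried over from the previous chunk
    base = 0     # absolute offset of tail[0] in the stream
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        buf = tail + data
        for m in pattern.finditer(buf):
            hit = (name_of[m.group(0)], base + m.start())
            # A match lying entirely inside the carried-over tail was already
            # reported from the previous chunk; drop the duplicate.
            if hit not in seen:
                seen.add(hit)
                hits.append(hit)
        if len(buf) > overlap:
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - overlap
        else:
            tail = buf  # chunk shorter than the overlap: keep all of it
    return hits


def scan_bytes(image, chunk_size=CHUNK_SIZE):
    """Convenience wrapper: scan an in-memory image (bytes)."""
    return scan_stream(io.BytesIO(image), chunk_size=chunk_size)


def scan_file(path, chunk_size=CHUNK_SIZE):
    """Scan a file by path, e.g. /proc/kcore (needs root). Offsets are file
    offsets in the ELF core image, not kernel addresses; mapping them back
    would mean parsing the ELF program headers, which this example skips."""
    with open(path, "rb") as fh:
        return scan_stream(fh, chunk_size=chunk_size)


def demo():
    """Constructed image where "OSF" sits at offsets 14-16 and so straddles
    the first boundary when scanned with a 16-byte chunk size."""
    image = b"\x00" * 14 + b"OSF" + b"\x00" * 10 + b"suckit" + b"\x00" * 5
    return scan_bytes(image, chunk_size=16)


if __name__ == "__main__":
    for name, off in demo():
        print(f"{name} at offset {off:#x}")
    # Output: OSF string (page example) at offset 0xe
    #         hypothetical suckit marker at offset 0x1b
```

Run it as root with `scan_file("/proc/kcore")` to scan a live kernel; the chunk size is the knob that trades memory for the number of read calls, and splitting the file into ranges handed to several workers would follow the same carry-over rule at each range boundary.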
 +
An experiment on scanning speed with krd 0.1 can be found here: [[speed test for krd 0.1]]

The next goal is to generate a large signature database to detect malicious programs. Currently, the prototype version of krd only has a few random signatures and one for the suckit backdoor. We are actively working to increase the size of this database. Please check our [[krd:signatures]] page for more information, and send in your signatures.
 +
**Contact**

Do not hesitate to contact krd's main coder if you have comments: guill [at] ism-o [dot] com

Or, you can email here for questions and signature information: jameskrd [at] keystrike [dot] net
 +
**Links**

Want to be part of the linux.edu community? Contact memor [at] linux [dot] edu

pasmal is a packet authentication sniffer, a so-called port knocking daemon; you can find it here:
http://sourceforge.net/projects/pasmal/

sec6.net provides free hosting and all the usual things: http://www.sec6.net (Yes, krd and pasmal are coded under this label...)

Miami Programmer Guild: http://groups.google.com/group/Miami-programmer-Guild/

krd.txt · Last modified: 2010/11/21 18:39