
skdet

aus9

skdet -- What is it?

Tests for SucKIT, Adore, Adore-NG, UNFshit, UNFkmem and frontkey.

Install

Unpack the bz2 archive

$ tar jxvf skdet-1.0.tar.bz2

Now move skdet-fix-includes.diff into the top level of the unpacked directory, but do not cd into it until after the hash check.

SHA1 sums check

$ sha1sum -c *.sha1

skdet-1.0/src/scanner.c: OK
skdet-1.0/src/version.c: OK
skdet-1.0/src/det-rootkit.c: OK
skdet-1.0/src/usage.c: OK
skdet-1.0/src/skdet.c: OK
skdet-1.0/src/pid-info.c: OK
skdet-1.0/AUTHORS: OK
skdet-1.0/Makefile: OK
skdet-1.0/include/skdet.h: OK
skdet-1.0/skdet: OK
skdet-1.0/CREDITS: OK
skdet-1.0/ChangeLog: OK
skdet-1.0/tests/adore-ng.test: OK
skdet-1.0/tests/SucKIT.test: OK
skdet-1.0/tests/frontkey.test: OK
skdet-1.0/tests/adore.test: OK
skdet-1.0/CONTRIBUTIONS: OK
skdet-1.0/README: OK
sha1sum: WARNING: 1 line is improperly formatted

Investigate the one improperly formatted line; the verdict is good:

$ cd skdet-1.0/

sha1sum *.diff
59bfb29bc1f7601027629453a39dc81508dd9df5 skdet-fix-includes.diff

Opening the .sha1 text file, the entry for the .diff is a match. Maybe a timestamp issue?
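A helper for the check above, written for this page as an added example (it is not part of skdet or RKH): it verifies every entry of a .sha1 list itself and, for lines that sha1sum -c would flag as improperly formatted, tries a tolerant parse (stray CR line endings, a single-space separator) so the hash is still compared rather than investigated by hand. The function name and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the skdet project.
# verify_sha1_list <file.sha1>: prints one result line per entry and
# returns 0 only if every recoverable entry matched its listed hash.
# Entries that cannot be parsed are printed as MALFORMED for inspection.
verify_sha1_list() {
    list="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip a trailing CR (Windows line endings) before parsing.
        clean=$(printf '%s' "$line" | tr -d '\r')
        [ -z "$clean" ] && continue
        expected=$(printf '%s' "$clean" | cut -d' ' -f1)
        # Filename: everything after the hash, one or more spaces,
        # and an optional '*' (sha1sum's binary-mode marker).
        name=$(printf '%s' "$clean" | sed 's/^[0-9a-fA-F]*  *\*\{0,1\}//')
        case "$expected" in
            *[!0-9a-fA-F]*|'')
                status=1; printf '%s: MALFORMED: %s\n' "$list" "$clean"; continue;;
        esac
        if [ "${#expected}" -ne 40 ] || [ -z "$name" ]; then
            status=1; printf '%s: MALFORMED: %s\n' "$list" "$clean"; continue
        fi
        if [ ! -f "$name" ]; then
            status=1; printf '%s: MISSING\n' "$name"; continue
        fi
        actual=$(sha1sum "$name" | cut -d' ' -f1)
        if [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
            printf '%s: OK\n' "$name"
        else
            status=1; printf '%s: FAILED\n' "$name"
        fi
    done < "$list"
    return $status
}
# Usage from inside the unpacked tree (file name assumed):
#   verify_sha1_list ../skdet-1.0.sha1; echo "exit status $?"
```

Any line printed as MALFORMED is the one to open in the text editor and compare by hand, as done above.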

Delete the unpatched executable

$ rm -rf skdet

Apply the patch

$ patch -p1 < *.diff

patching file src/skdet.c
patching file src/usage.c

Compile the more recent (patched) version of skdet

$ make

gcc -O2 -pipe -c src/det-rootkit.c -o det-rootkit.o
gcc -O2 -pipe -c src/pid-info.c -o pid-info.o
gcc -O2 -pipe -c src/scanner.c -o scanner.o
gcc -O2 -pipe -c src/skdet.c -o skdet.o
gcc -O2 -pipe -c src/usage.c -o usage.o
gcc -O2 -pipe -c src/version.c -o version.o
gcc -O2 -pipe det-rootkit.o pid-info.o scanner.o skdet.o usage.o version.o -o skdet

Copy the compiled skdet executable into /usr/local/bin as root.
I suggest you leave this folder on your USB stick if you used one.

Note the README is from the original maintainer, who is uncontactable.

skdet has an independent test that it is correctly installed:

# skdet -c

1 init
2 kthreadd
3 ksoftirqd/0
(list of results culled)
3145 bash
3153 su
3154 bash
3159 skdet

skdet can perform other tests independent of RKH.

Edit rkhunter.conf to enable the tests

The suggested line becomes:

DISABLE_TESTS=suspscan deleted_files packet_cap_apps

Jump back to the first config page

RKH log snippet when both RKH and skdet are installed correctly:

17:52:57] Info: Starting test name 'additional_rkts'
17:52:57] Performing additional rootkit checks
17:52:57]
17:52:57] Performing Suckit Rookit additional checks
17:52:57] Checking hard link count on '/sbin/init' ( OK ]
17:52:57] Checking for hidden file extensions ( None found ]
17:52:57] Info: Found the 'skdet' command: /usr/local/bin/skdet
17:52:57] Running skdet command ( OK ]
17:52:57] Suckit Rookit additional checks ( OK ]

Log when skdet is not installed correctly:

17:15:18] Running skdet command ( Skipped )
17:15:18] Info: Unable to find the 'skdet' command

Recommendation

Install skdet before installing RKH. After running the first RKH scan, and with the network disconnected, you can then run the propupd command, which will add skdet to the RKH file properties database.

You can now jump to the unhide C version
or the unhide Ruby version