RootkID
The CyberAbuse Rootk(it)ID Project



















RootkID is not maintained anymore...


HOWEVER, THIS PROJECT DOES EXACTLY
THE SAME THING AND EVEN MUCH MORE
WWW.ROOTKIT.NL




What is RootkID?

The CyberAbuse Rootkit ID project consists of a program and a database that together allow a Unix user to detect rootkit files on the machine.

The technology used is not new: the software compares the SHA1 checksums of the files on the Unix machine with the checksums present in our database. If a checksum matches, an ALERT is reported to the user.
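
The checksum comparison described above, as an added Python example (not RootkID's own code). The database format of `<sha1> <label>` lines and all function names are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import stat
import tempfile

def load_db(text):
    """Assumed format '<40-hex SHA-1> <label>'; other lines (comments) are skipped."""
    db = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        digest = parts[0].lower() if parts else ""
        if len(digest) == 40 and all(c in "0123456789abcdef" for c in digest):
            db[digest] = parts[1].strip() if len(parts) > 1 else "unnamed"
    return db

def sha1_regular_file(path, chunk=1 << 16):
    """SHA-1 of a regular file, None for FIFOs and devices; symlinks raise OSError
    (O_NOFOLLOW), and O_NONBLOCK keeps the open from hanging on a FIFO."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        h = hashlib.sha1()
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
        return h.hexdigest()

def scan(root, db):
    """Return sorted (path, label) pairs for files whose SHA-1 is in db."""
    alerts = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_regular_file(path)
            except OSError:
                continue  # symlink, unreadable, or removed during the scan
            if digest in db:
                alerts.append((path, db[digest]))
    return sorted(alerts)

def demo():  # constructed sample tree: one listed file, one clean file, one symlink
    payload = b"constructed sample payload\n"
    db = load_db("# constructed database\n%s sample-rootkit\n" % hashlib.sha1(payload).hexdigest())
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("bin_ls", payload), ("clean.txt", b"harmless\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        os.symlink(os.path.join(root, "bin_ls"), os.path.join(root, "link"))
        return [(os.path.relpath(p, root), label) for p, label in scan(root, db)]
```

Because a match requires an identical checksum, a file that differs from a reported one by a single byte is not flagged.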

----------------

Requirements

This software should run on any UNIX-like OS running one of the following kernels: AIX, Darwin, FreeBSD, Irix, Linux, NetBSD, OpenBSD, SunOS.

It has been successfully tested on many systems; however, if you have any compatibility issues, drop me a mail.

You need the following tools on your system to get this software to work: echo, expr, grep, sh, sed, uname and gcc (to compile it).

This software needs to be run as root.

Always download the latest database before using the tool if you work offline. If you work online, the script will fetch the latest database automatically when you launch it.

----------------

Software manual

First you need to download and compile the software:
# wget http://rk.cyberabuse.org/rootkid.tgz
# tar -zxvf rootkid.tgz
# cd rootkid
# make
# rootkid

... then follow the instructions.


----------------

The Database

The database is made of rootkit file checksums reported to us via the Contribute page.

Only IRT/CERT members and known security experts are accepted as contributors.

If you want more details check the Contribute page.

If you want more details about the database, download it and open it; it is a plain text file.

----------------

Reporting bugs and database issues

All your reports should be addressed to me via e-mail: philippe_at_cyberabuse.org.

----------------

License stuff

This software is released under the GPLv2 license.

I cannot be held responsible for any damage this software could cause (however it should not cause any).






Copyright 2002, Philippe Bourcier
With (as always) the help of Stéphane Thiell.