
                            chkrootkit V. 0.15
                  By Nelson Murilo, nelson@pangeia.com.br 

    This program is intended to check whether a site has a RootKit installed

                No illegal activities are encouraged!                        
      Anyway, I'm not responsible for anything you do with it.               
                                                                             
          This product includes software developed by the
          DFN-CERT, Univ. of Hamburg (chklastlog and chkwtmp),
          and a small part of ifconfig developed by
          Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>.
      
1. Installation:
----------------

Chkrootkit only needs 3 programs to be compiled: chklastlog.c,
chkwtmp.c and ifconfig.c. You can simply execute the command 'make sense'
and then type './chkrootkit'.
This package has been compiled and tested by me on Linux 2.0.x, 2.2.x
and FreeBSD 2.2.x, 3.x and 4.0.


2. Use of the program:
----------------------

# ./chkrootkit          (with no arguments, runs all tests)

Usage: chkrootkit [options] [command ...]
Options:
 -h                show this help and exit
 -d                debug

Commands that may have been trojaned:
chfn chsh cron sshd2 du find su ifconfig inetd killall login ls
netstat passwd pidof ps rshd syslogd tcpd top
       
Hack tools: 
bindshell fix z2 wted sniffer and aliens 


3. About tools:
---------------

Chkwtmp and chklastlog *try* to check for deletions in the wtmp and
lastlog files, but this identification is *not* guaranteed.
Aliens looks for default sniffer logs and rootkit config files;
same warning, *nothing* is guaranteed.
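
The kind of check described above, as an added example in C (not code from
chkwtmp.c or from this package). It assumes a log wiper has overwritten login
records with zero bytes in place; struct wipe_scan, is_zeroed and scan_feed are
names made up for this example.

```c
/* Added example, not chkwtmp.c. Assumes wiped records are left all-zero. */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <utmp.h>

/* Scan state: zeroed-record count, and timestamps of the intact records
 * on either side of the first zeroed run (0 = none seen). */
struct wipe_scan { long zeroed; time_t last_good, before, after; int closed; };

static int is_zeroed(const struct utmp *u)
{
    const unsigned char *p = (const unsigned char *)u;
    size_t i;
    for (i = 0; i < sizeof *u && p[i] == 0; i++)
        ;
    return i == sizeof *u;
}

/* Feed records in file order, starting from a zero-filled wipe_scan. */
void scan_feed(struct wipe_scan *s, const struct utmp *u)
{
    if (is_zeroed(u)) {
        if (s->zeroed++ == 0)
            s->before = s->last_good;  /* last intact entry before the hole */
        return;
    }
    if (s->zeroed > 0 && !s->closed) {
        s->after = u->ut_tv.tv_sec;    /* first intact entry after the hole */
        s->closed = 1;
    }
    s->last_good = u->ut_tv.tv_sec;
}

int main(int argc, char **argv)
{
    struct wipe_scan s = {0};
    struct utmp rec;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (f == NULL) {
        fprintf(stderr, "usage: %s <copy-of-wtmp>\n", argv[0]);
        return 2;
    }
    while (fread(&rec, sizeof rec, 1, f) == 1)
        scan_feed(&s, &rec);
    fclose(f);
    printf("zeroed=%ld before=%ld after=%ld\n", s.zeroed, (long)s.before, (long)s.after);
    return s.zeroed ? 1 : 0;
}
```

A wiper that removes records and closes the gap leaves nothing for this check
to find, which is one reason the result is not guaranteed.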


4. I have a trojaned command, what do I do now?
-----------------------------------------------

Replace it with a *trusted* copy of that command.
REMEMBER:
Your more important problem is that your site has been invaded and
this bad guy has root access.


5. Reports and questions
------------------------

If you have any questions about this package,
please send them to nelson@pangeia.com.br

Information about RootKit and other security topics, in Portuguese:
http://www.pangeia.com.br/faq.html

6. Acknowledgments
------------------

Agustin Navarro, anavarro@vip.eniac.com (debugging help)
Alberto Courrege Gomide, gomide@gomide.com (debugging help)
Andre Gustavo de Carvalho Albuquerque, gustavo@visualnet.com.br (debugging help)
Bruno Lopes, bruno@openline.com.br (debugging help)
Daniel Lafraia, lafraia@iron.com.br (source code addition)
Klaus Jessen, klaus@dcc.unicamp.br (debugging help and lots of good suggestions)
Paulo C. Marques F., paul@u-netsys.com.br (debugging help)
Pedro Vazquez, vazquez@iqm.unicamp.br (lots of good suggestions)

7. Changes
----------

02/20/97 - Initial release
02/25/97 - 0.4 Version, formal testing.
03/30/97 - 0.5 Version, suspect files routine added.
06/11/97 - 0.6 Version, minor fixes and Debian compatibility.
06/24/97 - 0.7 Version, FreeBSD compatibility fixed
08/07/97 - 0.8 Version, more FreeBSD compatibility and RedHat PAM fixed
04/02/98 - 0.9 Version, added new checks for new version of r00tkit
07/03/98 - 0.10 Version, added new checks for other types of r00tkit
10/15/98 - 0.11 Version, fixed little bug found by Alberto Courrege Gomide
11/30/98 - 0.12 Version, added new checks for version 4 of r00tkit
12/26/98 - 0.13 Version, minor fixes for Red Hat and Glibc users
06/14/99 - 0.14 Version, added Sun/Solaris initial support
29/04/00 - 0.15 Version, added lrk5 features and minor fixes
-------------- Thx for using chkrootkit ----------------


