In November of 1996, Sys Admin magazine published an article by David
O'Brien regarding the subject of "rootkits." For the uninitiated,
rootkits are groups of tools designed to let an intruder keep root
access on a UNIX host after s/he has obtained it. (The term "rootkit"
has also been applied to similar groups of tools in the Windows NT and
2k realm. I ignore such kits with this project.) In a fever, i sat
down and started writing a tool to detect rootkits, as they were
described in Mr. O'Brien's article. I later went hunting for Rootkit
packages and examined them for more signatures, which i added to RKD.
I've continued to add signatures as time has passed.

RKD is written in Perl for a couple of reasons. First, Perl does
regular expressions nicely. Second, Perl let me do socket stuff more
easily than, say C. Third, Perl scripts are pretty easy to eyeball, as
opposed to binaries, at least. And fourth, i didn't want to count on
having a compiler on the machine. Writing it as a shell script would have
been the most portable, but i would then have had to provide supporting C
programs to do the socket stuff.

RKD should work on FreeBSD, IRIX, and Solaris. It might run under
UNICOS, and possibly under Linux. The key to adding an OS is the
rkd_lib_OSTYPE.pl file, the matching perlinc_OSTYPE file, and the OS
determination right at the top of rkd.pl.

rkd_conf.pl contains the default passwords, users, files that control
the trojans, bindshell ports, and trojans. As the code notes, most of
this stuff will be changed by any bright Berferd.
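Below is an added example, not RKD's own code, showing the shape of the
two pieces described above: the OS determination at the top of the script,
and a signature table like the one kept in rkd_conf.pl driving simple
checks for trojan control files, listening bindshell ports and added
accounts. Every file name, port and user in the table is a constructed
placeholder, not a real rootkit signature, and the check routines are
assumptions about how such a detector could be structured, not a copy of
RKD's.

```perl
#!/usr/bin/perl
# Added example in the style of the RKD README. Not RKD's own code; the
# signature values below are constructed placeholders for illustration.
use strict;
use warnings;
use IO::Socket::INET;

# OS determination, as the README says rkd.pl does at the top. $^O is
# Perl's built-in OS name ("freebsd", "solaris", "irix", "linux", ...).
# A real port would use this to pick rkd_lib_OSTYPE.pl; here it is only
# reported so the example stays self-contained.
my $ostype = $^O;

# Signature configuration of the kind the README keeps in rkd_conf.pl.
# Placeholders constructed for this example, not real indicators.
my %conf = (
    # files whose presence would suggest a trojaned binary reads its config
    trojan_config_files => [ '/dev/placeholder_cfg', '/tmp/.placeholder' ],
    # TCP ports a bindshell might listen on
    bindshell_ports     => [ 12345, 23456 ],
    # account names a kit might add to the password file
    suspect_users       => [ 'placeholderuser' ],
);

# Report any trojan control files that exist on disk.
sub check_files {
    my @hits;
    for my $f (@{ $conf{trojan_config_files} }) {
        push @hits, $f if -e $f;
    }
    return @hits;
}

# Report listed ports that accept a TCP connection on localhost. A successful
# connect only means something is listening; it is a lead to follow up on,
# not proof, since a legitimate service may use the same port.
sub check_ports {
    my @hits;
    for my $port (@{ $conf{bindshell_ports} }) {
        my $sock = IO::Socket::INET->new(
            PeerAddr => '127.0.0.1',
            PeerPort => $port,
            Proto    => 'tcp',
            Timeout  => 2,
        );
        if ($sock) {
            push @hits, $port;
            close $sock;
        }
    }
    return @hits;
}

# Report suspect account names found in /etc/passwd. The file is read
# directly rather than via getpwnam so the check does not depend on libc.
sub check_users {
    my @hits;
    my %suspect = map { $_ => 1 } @{ $conf{suspect_users} };
    open my $pw, '<', '/etc/passwd' or return @hits;
    while (my $line = <$pw>) {
        my ($user) = split /:/, $line;
        push @hits, $user if defined $user && $suspect{$user};
    }
    close $pw;
    return @hits;
}

print "OS type: $ostype\n";
my @files = check_files();
my @ports = check_ports();
my @users = check_users();
print "trojan control files present: @files\n" if @files;
print "bindshell ports answering:    @ports\n" if @ports;
print "suspect accounts in passwd:   @users\n" if @users;
print "no configured signatures matched\n"
    unless @files || @ports || @users;
```

As the README warns, a table like %conf is only as good as its entries; an
intruder who renames the control file or moves the shell to another port
walks past it, so the value of a signature list lies in catching the
unmodified kits, and a clean run should not be read as a clean host.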


