Information about the Knark Rootkit

Knark is a kernel-based rootkit for Linux 2.2/2.4. It hides ports, files and processes from the administrator. This rootkit is very powerful and has been used by “crackers” on a lot of compromised machines.

More Information

  • A complete analysis, done by Toby Miller, can be found here: analysis-knack
  • The Knark README can be found here: readme-knark

Files

  • /dev/.pizda
  • /dev/.pula
  • /proc/knark
  • */taskhack
  • */rootme
  • */nethide
  • */hidef
  • */ered

Note

All files marked with an “*” can be located anywhere, so they need to be searched for across the whole system.
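
A check for the file indicators listed above, as an added example that is not part of the original page or of any tool it references. The function name knark_scan and its ROOT argument are assumptions of this example.

```sh
#!/bin/sh
# Added example: scan for the Knark file indicators listed on this page.
# knark_scan ROOT prints each hit; returns 1 if any were found, 0 otherwise.
# ROOT (assumed parameter) is "/" or the mount point of an offline disk image.

knark_scan() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    hits=0

    # Fixed paths from the "Files" list.
    for p in /dev/.pizda /dev/.pula /proc/knark; do
        # -e follows symlinks; -L also catches dangling symlinks.
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND fixed path: $root$p"
            hits=$((hits + 1))
        fi
    done

    # Names marked "*" on the page can be anywhere, so walk the whole tree.
    # proc and sys are pruned: they are virtual and store no files on disk.
    found=$(find "${root:-/}" \
        \( -path "$root/proc" -o -path "$root/sys" \) -prune -o \
        \( -name taskhack -o -name rootme -o -name nethide \
           -o -name hidef -o -name ered \) -print 2>/dev/null || true)
    if [ -n "$found" ]; then
        echo "$found" | sed 's/^/FOUND by name: /'
        hits=$((hits + $(echo "$found" | wc -l)))
    fi

    echo "knark_scan: $hits indicator(s) under ${root:-/}"
    [ "$hits" -eq 0 ]
}

# Usage: knark_scan /mnt/suspect-disk
```

Because Knark hides files while it is loaded, a scan of the live system is unreliable; run the function against the suspect disk mounted read-only from trusted boot media.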
