Examples of RootKit ptyp and ptyq files

/dev/ptyp


0 12                Strip processes running under "games" account.
3 SCREEN            Don't show processes containing the string "SCREEN",
3 screen               "screen",    (cross-session tty manager)
3 pepsi                "pepsi",     (UDP flooder)
3 ief                  "ief",       (the sniffer?)
2 smurf             ...or with the name "smurf" (Windows broadcast attack tool)

/dev/ptyq


4 6660              Hide processes numbered...6660 (etc.)
4 6661
4 6662
4 6663
4 6664
4 6665
4 6666
4 6667
4 6668
4 6669
4 31337
0 12                Hide connections by "games" account
2 207.166           Hide connections to/from one of a couple dozen Class B subnets,
1 207.166
2 207.100           Apparel American, Blowing Rock, NC (lexus.firstgear.com)
1 207.100           (or any other .gil.net host, like ns2.gil.net)
1 38.26             PSINet Japan Inc., or
2 38.26
1 142.194           Unitel Communications Inc., Toronto, Ontario
2 142.194
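
A defender-side check for files like the two listed above, as an added example that is not part of the original page: it reports regular files under /dev whose names look like pty nodes (genuine ones are character devices) and notes when their contents have the "<type> <value>" shape of these listings. The function names, the name pattern and the 0.8 threshold are assumptions made for this example.

```python
import os
import re
import stat

# Shape of a rule line in the listings above: one-digit type code, whitespace, value.
RULE_LINE = re.compile(r"^\s*\d\s+\S+")
# Assumption for this example: names that imitate pty/tty device nodes.
PTY_NAME = re.compile(r"^[pt]ty")


def looks_like_hide_list(path, min_ratio=0.8):
    """True if most non-blank lines have the '<digit> <value>' shape."""
    try:
        with open(path, "r", errors="replace") as fh:
            lines = [ln for ln in fh.read(65536).splitlines() if ln.strip()]
    except OSError:
        return False
    if not lines:
        return False
    hits = sum(1 for ln in lines if RULE_LINE.match(ln))
    return hits / len(lines) >= min_ratio  # threshold is an assumption


def scan_dev(dev_dir="/dev"):
    """Return sorted (path, reason) pairs for regular files named like pty nodes."""
    findings = []
    for root, _dirs, files in os.walk(dev_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            # Real pty nodes are character devices; only plain files are suspect.
            if not stat.S_ISREG(st.st_mode) or not PTY_NAME.match(name):
                continue
            reason = "regular file with pty-style name"
            if looks_like_hide_list(path):
                reason += ", contents match '<type> <value>' rule lines"
            findings.append((path, reason))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in scan_dev():
        print(f"{path}: {reason}")
```

Run it from trusted media against the suspect filesystem mounted read-only; tools on a compromised host may themselves be altered.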


Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Thu Mar 12 18:14:04 1998