« back to all changes in this revision
Viewing changes to .pc/Suckitfalse.patch/chkrootkit
- browse files at revision 20
- compare with another revision
- download diff
- download tarball
- view history from revision 20
- Committer: Package Import Robot
- Author(s): Giuseppe Iuculano, 9e1ed7f
- Date: 2015-03-23 10:08:37 UTC
- Revision ID: package-import@ubuntu.com-20150323100837-lt283v63mlormalf
Tags: 0.50-3
[9e1ed7f] Ignore Suckit false positive (Closes: #740898)
- files added:
- .pc/Suckitfalse.patch
- files modified:
- .pc/applied-patches
added
removed
.pc/Suckitfalse.patch/chkrootkit
1
#! /bin/sh
2
# -*- Shell-script -*-
3
4
# $Id: chkrootkit, v 0.50 2014/05/25
5
CHKROOTKIT_VERSION='0.50'
6
7
# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
8
# Klaus Steding-Jessen <jessen@cert.br>
9
#
10
# (c)1997-2014 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
11
# All rights reserved
12
13
### workaround for some Bourne shell implementations
14
unalias login > /dev/null 2>&1
15
unalias ls > /dev/null 2>&1
16
unalias netstat > /dev/null 2>&1
17
unalias ps > /dev/null 2>&1
18
unalias dirname > /dev/null 2>&1
19
20
cd /usr/lib/chkrootkit
21
22
# Workaround for recent GNU coreutils
23
_POSIX2_VERSION=199209
24
export _POSIX2_VERSION
25
26
KALLSYMS="/proc/kallsyms"
27
[ -f /proc/ksysm ] && KALLSYMS="/proc/$KALLSYMS"
28
29
# Native commands
30
TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \
31
env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \
32
killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \
33
pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
34
tcpdump top telnetd timed traceroute vdir w write"
35
36
# Tools
37
TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"
38
39
# Return Codes
40
INFECTED=0
41
NOT_INFECTED=1
42
NOT_TESTED=2
43
NOT_FOUND=3
44
INFECTED_BUT_DISABLED=4
45
46
# Many trojaned commands have this label
47
GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer"
48
49
######################################################################
50
# tools functions
51
52
#
53
# 55808.A Worm
54
#
55
w55808 (){
56
W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r"
57
STATUS=0
58
59
for i in ${W55808_FILES}; do
60
if [ -f ${i} ]; then
61
STATUS=1
62
fi
63
done
64
if [ ${STATUS} -eq 1 ] ;then
65
echo "Warning: Possible 55808 Worm installed"
66
else
67
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
68
return ${NOT_INFECTED}
69
fi
70
}
71
72
OSX_RSPLUG (){
73
SAVEIFS=$IFS
74
IFS=';'
75
STATUS=0
76
OSX_RSPLUG_FILES='/Library/Internet Plug-Ins/QuickTime.xpt;/Library/Internet Plug-Ins/plugins.settings'
77
#echo checking ${OSX_RSPLUG_FILES}
78
for i in ${OSX_RSPLUG_FILES} ; do
79
#echo searching for "${i}"
80
if [ -e "${i}" ] ; then
81
STATUS=1
82
fi
83
done
84
IFS=$SAVEIFS
85
86
if [ ${STATUS} -eq 1 ] ;then
87
echo "Warning: OSX.RSPlug.A Trojan Horse found"
88
return ${INFECTED}
89
else
90
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
91
return ${NOT_INFECTED}
92
fi
93
}
94
95
#
96
# SLAPPER.{A,B,C,D} and the multi-platform variant
97
#
98
slapper (){
99
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
100
SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
101
${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
102
SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
103
OPT=-an
104
STATUS=0
105
file_port=
106
107
if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
108
then
109
STATUS=1
110
[ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
111
$egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
112
fi
113
for i in ${SLAPPER_FILES}; do
114
if [ -f ${i} ]; then
115
file_port="$file_port $i"
116
STATUS=1
117
fi
118
done
119
if [ ${STATUS} -eq 1 ] ;then
120
echo "Warning: Possible Slapper Worm installed ($file_port)"
121
else
122
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
123
return ${NOT_INFECTED}
124
fi
125
}
126
127
scalper (){
128
SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
129
SCALPER_PORT=2001
130
OPT=-an
131
STATUS=0
132
133
if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then
134
STATUS=1
135
fi
136
for i in ${SCALPER_FILES}; do
137
if [ -f ${i} ]; then
138
STATUS=1
139
fi
140
done
141
if [ ${STATUS} -eq 1 ] ;then
142
echo "Warning: Possible Scalper Worm installed"
143
else
144
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
145
return ${NOT_INFECTED}
146
fi
147
}
148
149
asp (){
150
ASP_LABEL="poop"
151
STATUS=${NOT_INFECTED}
152
CMD=`loc asp asp $pth`
153
154
if [ "${EXPERT}" = "t" ]; then
155
expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
156
expertmode_output "${strings} -a ${CMD}"
157
return 5
158
fi
159
160
if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then
161
echo "Warning: Possible Ramen Worm installed in inetd.conf"
162
STATUS=${INFECTED}
163
fi
164
if [ ${CMD} = "asp" -o ${CMD} = "${ROOTDIR}asp" ]; then
165
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
166
return ${NOT_INFECTED}
167
fi
168
if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then
169
echo "INFECTED"
170
STATUS=${INFECTED}
171
else
172
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
173
return ${NOT_INFECTED}
174
fi
175
return ${STATUS}
176
}
177
178
sniffer () {
179
if [ "${ROOTDIR}" != "/" ]; then
180
echo "not tested"
181
return ${NOT_TESTED}
182
fi
183
184
if [ "$SYSTEM" = "SunOS" ]; then
185
return ${NOT_TESTED}
186
fi
187
188
if [ "${EXPERT}" = "t" ]; then
189
expertmode_output "./ifpromisc" -v
190
return 5
191
fi
192
if [ ! -x ./ifpromisc ]; then
193
echo "not tested: can't exec ./ifpromisc"
194
return ${NOT_TESTED}
195
else
196
[ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
197
fi
198
}
199
200
chkutmp() {
201
if [ ! -x ./chkutmp ]; then
202
echo "not tested: can't exec ./chkutmp"
203
return ${NOT_TESTED}
204
fi
205
if ./chkutmp
206
then
207
if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
208
fi
209
210
}
211
212
z2 () {
213
if [ ! -x ./chklastlog ]; then
214
echo "not tested: can't exec ./chklastlog"
215
return ${NOT_TESTED}
216
fi
217
218
WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
219
LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
220
221
if [ ! -f $WTMP -a ! -f $LASTLOG ]; then
222
echo "not tested: not found wtmp and/or lastlog file"
223
return ${NOT_TESTED}
224
fi
225
226
if [ "${EXPERT}" = "t" ]; then
227
expertmode_output "./chklastlog ${QUIET_ARG} -f ${WTMP} -l ${LASTLOG}"
228
return 5
229
fi
230
231
if ./chklastlog ${QUIET_ARG} -f ${WTMP} -l ${LASTLOG}
232
then
233
if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
234
fi
235
}
236
237
wted () {
238
if [ ! -x ./chkwtmp ]; then
239
echo "not tested: can't exec ./chkwtmp"
240
return ${NOT_TESTED}
241
fi
242
243
if [ "$SYSTEM" = "SunOS" ]; then
244
if [ ! -x ./check_wtmpx ]; then
245
echo "not tested: can't exec ./check_wtmpx"
246
else
247
if [ "${EXPERT}" = "t" ]; then
248
expertmode_output "./check_wtmpx"
249
return 5
250
fi
251
if [ -f ${ROOTDIR}var/adm/wtmp ]; then
252
if ./check_wtmpx
253
then
254
if [ "${QUIET}" != "t" ]; then \
255
echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
256
fi
257
fi
258
fi
259
else
260
WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
261
262
if [ "${EXPERT}" = "t" ]; then
263
expertmode_output "./chkwtmp -f ${WTMP}"
264
return 5
265
fi
266
267
if ./chkwtmp -f ${WTMP}
268
then
269
if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
270
fi
271
fi
272
}
273
bindshell () {
274
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
275
OPT="-an"
276
PI=""
277
if [ "${ROOTDIR}" != "/" ]; then
278
echo "not tested"
279
return ${NOT_TESTED}
280
fi
281
282
if [ "${EXPERT}" = "t" ]; then
283
expertmode_output "${netstat} ${OPT}"
284
return 5
285
fi
286
for P in `echo $PORT | ${sed} 's/|/ /g'`; do
287
if ${netstat} "${OPT}" | ${egrep} "^tcp.*LIST|^udp" | ${egrep} \
288
"[.:]${P}[^0-9.:]" >/dev/null 2>&1
289
then
290
PI="${PI} ${P}"
291
fi
292
done
293
if [ "${PI}" != "" ]
294
then
295
echo "INFECTED (PORTS: $PI)"
296
else
297
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
298
fi
299
}
300
301
lkm ()
302
{
303
prog=""
304
if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
305
`echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
306
[ -x ./chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="./chkproc"
307
[ -x ./chkdirs ] && prog="$prog ./chkdirs"
308
if [ "$prog" = "" ]; then
309
echo "not tested: can't exec $prog"
310
return ${NOT_TESTED}
311
fi
312
313
if [ "${EXPERT}" = "t" ]; then
314
[ -r /proc/$KALLSYMS ] && ${egrep} -i "adore|sebek" < /proc/$KALLSYMS 2>/dev/null
315
[ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
316
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
317
[ "$PV" = "" ] && PV=2
318
[ "${SYSTEM}" = "SunOS" ] && PV=0
319
expertmode_output "./chkproc -v -v -p $PV"
320
return 5
321
fi
322
323
### adore LKM
324
[ -r /proc/$KALLSYMS ] && \
325
if `${egrep} -i adore < /proc/$KALLSYMS >/dev/null 2>&1`; then
326
echo "Warning: Adore LKM installed"
327
fi
328
329
### sebek LKM (Adore based)
330
[ -r /proc/$KALLSYMS ] && \
331
if `${egrep} -i sebek < /proc/$KALLSYMS >/dev/null 2>&1`; then
332
echo "Warning: Sebek LKM installed"
333
fi
334
335
### knark LKM
336
if [ -d /proc/knark ]; then
337
echo "Warning: Knark LKM installed"
338
fi
339
340
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
341
[ "$PV" = "" ] && PV=2
342
[ "${SYSTEM}" = "SunOS" ] && PV=0
343
if [ "${DEBUG}" = "t" ]; then
344
${echo} "*** PV=$PV ***"
345
fi
346
if ./chkproc -p ${PV}; then
347
if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
348
else
349
echo "chkproc: Warning: Possible LKM Trojan installed"
350
fi
351
dirs="/tmp"
352
for i in /usr/share /usr/bin /usr/sbin /lib; do
353
[ -d $i ] && dirs="$dirs $i"
354
done
355
if ./chkdirs $dirs; then
356
if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
357
else
358
echo "chkdirs: Warning: Possible LKM Trojan installed"
359
fi
360
else
361
if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
362
fi
363
}
364
365
aliens () {
366
if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a `id -u` = "0" -a -d "/root" ]; then
367
HOME="/root"
368
fi
369
if [ "${EXPERT}" = "t" ]; then
370
### suspicious files
371
FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
372
sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
373
etc/ld.so.hash"
374
375
expertmode_output "${find} ${ROOTDIR}dev -type f"
376
expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
377
expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"
378
expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8"
379
expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'"
380
expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk"
381
expertmode_output "${find} ${ROOTDIR}usr/lib/dy0"
382
expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277"
383
expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/"
384
385
for i in ${FILES}; do
386
expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
387
done
388
[ -d ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
389
[ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. "
390
[ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx
391
[ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd
392
[ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb
393
[ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so
394
### sniffer's logs
395
expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
396
${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
397
.linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \
398
-wholename ${ROOTDIR}usr/lib/in.pop3d"
399
400
### t0rn
401
expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
402
${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \
403
ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn"
404
405
LIBS=
406
[ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib"
407
[ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
408
[ -d ${ROOTDIR}usr/local/lib ] && \
409
LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
410
411
expertmode_output "${find} ${LIBS} -name libproc.a"
412
413
## Lion Worm
414
expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh
415
2> /dev/null"
416
417
### ark
418
expertmode_output "${find} ${ROOTDIR}dev -name ptyxx"
419
expertmode_output "${find} ${ROOTDIR}usr/doc -name '... '"
420
expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'"
421
422
### RK17
423
expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit"
424
expertmode_output "${find} ${ROOTDIR}sbin -name pback"
425
expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null"
426
expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null"
427
expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \
428
autod.o -o -name soundx.o 2> /dev/null"
429
expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \
430
-name ct -o -name snick -o -name kfl"
431
432
CGIDIR=""
433
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
434
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
435
home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
436
do
437
[ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
438
done
439
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
440
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
441
zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
442
for j in ${CGIDIR}; do
443
for i in ${BACKDOORS}; do
444
[ -f ${j}/${i} ] && echo ${j}/${i}
445
done
446
done
447
448
### rsha
449
expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \
450
-o -name n3tstat -o -name chsh2"
451
expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha"
452
expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \
453
${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/"
454
455
### ShitC Worm
456
expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \
457
-o -name frgy -o -name sy"
458
expertmode_output "${find} ${ROOTDIR}usr/bin -type d -name dir"
459
expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind"
460
461
### Omega Worm
462
expertmode_output "${find} ${ROOTDIR}dev -name chr"
463
464
### rh-sharpe
465
expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \
466
-o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \
467
-o -name ldu -o -name lnetstat"
468
expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du"
469
470
### Adore Worm
471
expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \
472
-name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \
473
-o -name adore"
474
expertmode_output "${find} ${ROOTDIR}usr/lib/lib"
475
expertmode_output "${find} ${ROOTDIR}usr/lib/libt"
476
477
### suspicious files and dirs
478
suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk"
479
DIR=${ROOTDIR}usr/lib
480
[ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man"
481
[ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib"
482
[ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib"
483
expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'"
484
expertmode_output "${find} ${DIR} -type d -name '.*'"
485
expertmode_output "${find} ${DIR} -name '...*'"
486
expertmode_output "${ls} ${suspects}"
487
488
### Maniac RK
489
expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc"
490
491
### Ramen Worm
492
expertmode_output "${find} ${ROOTDIR}usr/src/.poop \
493
${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp"
494
495
### Sadmind/IIS Worm
496
expertmode_output "${find} ${ROOTDIR}dev/cuc"
497
498
### Monkit
499
expertmode_output "${find} ${ROOTDIR}lib/defs"
500
501
### Showtee
502
expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \
503
${ROOTDIR}usr/lib/.wormie \
504
${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \
505
${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \
506
${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \
507
${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h"
508
509
### Optickit
510
expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf"
511
512
### T.R.K
513
expertmode_output "${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct"
514
### MithRa's Rootkit
515
expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot"
516
517
518
### OpenBSD rootkit v1
519
if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ]
520
then
521
expertmode_output "${find} ${ROOTDIR}usr/lib/security"
522
fi
523
524
### LOC rootkit
525
expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c"
526
527
### Romanian rootkit
528
expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \
529
${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \
530
${ROOTDIR}usr/include/syslogs.h"
531
532
## HKRK rootkit
533
${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
534
535
## Suckit rootkit
536
expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
537
expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
538
expertmode_output "cat ${ROOTDIR}dev/.golf"
539
540
## Volc rootkit
541
expertmode_output "${ls} ${ROOTDIR}usr/bin/volc"
542
expertmode_output "${find} ${ROOTDIR}usr/lib/volc"
543
544
## Gold2 rootkit
545
expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit"
546
547
## TC2 Worm
548
expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \
549
${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb"
550
551
## Anonoiyng rootkit
552
expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd"
553
554
## ZK rootkit
555
expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*"
556
557
## ShKit
558
expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash"
559
560
## AjaKit
561
expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh"
562
expertmode_output "${find} ${ROOTDIR}dev -name tux"
563
564
## zaRwT
565
expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout"
566
567
## Madalin rootkit
568
expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \
569
-name iceconf.h -o -name iceseed.h"
570
571
## Fu rootkit
572
expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \
573
${ROOTDIR}usr/include -name xc -o -name .lib -o name ivtype.h"
574
575
## Kenga3 Rookit
576
expertmode_output "${find} ${ROOTDIR}usr/include/. ."
577
578
## ESRK Rookit
579
expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3"
580
581
## rootedoor
582
for i in `$echo ${PATH}|tr -s ':' ' '`; do
583
expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor"
584
done
585
## ENYE-LKM
586
expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
587
588
## SSJD Operation Windigo (Linux/Ebury)
589
expertmode_output "${ssh} -G 2>&1 | grep -e illegal -e unknow"
590
591
## Common SSH-SCANNERS
592
expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
593
594
### shell history file check
595
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
596
expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
597
-size 0"
598
expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
599
\( -links 2 -o -type l \)"
600
fi
601
602
return 5
603
### expert mode ends here
604
fi
605
606
###
607
### suspicious files and sniffer's logs
608
###
609
suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \
610
usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \
611
tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \
612
usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \
613
etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin"
614
dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \
615
var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so"
616
files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
617
if [ "${files}" != "" ]; then
618
echo
619
echo ${files}
620
fi
621
for i in ${dir}; do
622
if [ -d ${ROOTDIR}${i} ]; then
623
echo
624
echo "Suspect directory ${i} FOUND! Looking for sniffer logs"
625
files=`${find} ${ROOTDIR}${i}`
626
echo
627
echo ${files}
628
fi
629
done
630
for i in ${suspects}; do
631
if [ -f ${ROOTDIR}${i} ]; then
632
echo "${ROOTDIR}${i} "
633
files="INFECTED"
634
fi
635
done
636
if [ "${files}" = "" ]; then
637
if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi
638
fi
639
if [ "${QUIET}" != "t" ]; then \
640
printn "Searching for sniffer's logs, it may take a while... "; fi
641
files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
642
${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
643
2>/dev/null`
644
if [ "${files}" = "" ]
645
then
646
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
647
else
648
echo
649
echo ${files}
650
fi
651
652
lookfor_rootkit() {
653
rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace
654
if [ "${QUIET}" != "t" ]; then \
655
printn "Searching for rootkit $rkname's default files... "; fi
656
657
bad="";
658
for f in $files ; do
659
if [ -r ${ROOTDIR}${f} ]; then
660
for exclude in $EXCLUDES; do
661
if [ /${f} = $exclude ]; then continue 2; fi
662
done
663
bad="$bad ${ROOTDIR}$f";
664
fi
665
done
666
for d in $dirs ; do
667
if [ -d ${ROOTDIR}${d} ]; then
668
for exclude in $EXCLUDES; do
669
if [ /${d} = $exclude ]; then continue 2; fi
670
done
671
bad="$bad ${ROOTDIR}$d";
672
fi
673
done
674
if [ "$bad" != "" ]; then
675
echo "Possible $rkname rootkit installed:"
676
echo "$bad"
677
else
678
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
679
fi
680
}
681
682
### HiDrootkit
683
684
lookfor_rootkit "HiDrootkit" "" "var/lib/games/.k"
685
686
### t0rn
687
lookfor_rootkit "t0rn" "etc/ttyhash sbin/xlogin lib/ldlib.tk" \
688
"usr/src/.puta usr/info/.t0rn"
689
690
### t0rn v8
691
if [ "${QUIET}" != "t" ]; then \
692
printn "Searching for t0rn's v8 defaults... "; fi
693
[ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib
694
[ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
695
[ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
696
if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \
697
"$SYSTEM" != "FreeBSD" ]
698
then
699
echo "Possible t0rn v8 (or variation) rootkit installed"
700
else
701
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
702
fi
703
704
### Lion Worm
705
lookfor_rootkit "Lion" "bin/in.telnetd bin/mjy" "usr/info/.torn dev/.lib"
706
707
### RSHA rootkit
708
lookfor_rootkit "RSHA" "bin/kr4p usr/bin/n3tstat usr/bin/chsh2 \
709
usr/bin/slice2 usr/src/linux/arch/alpha/lib/.lib/.1proc \
710
etc/rc.d/arch/alpha/lib/.lib/.1addr" "etc/rc.d/rsha \
711
etc/rc.d/arch/alpha/lib/.lib"
712
713
### RH-Sharpe rootkit
714
lookfor_rootkit "RH-Sharpe" "bin/lps usr/bin/lpstree \
715
usr/bin/ltop usr/bin/lkillall usr/bin/ldu \
716
usr/bin/lnetstat usr/bin/wp usr/bin/shad \
717
usr/bin/vadim usr/bin/slice usr/bin/cleaner \
718
usr/include/rpcsvc/du" ""
719
720
### ark rootkit
721
if [ "${QUIET}" != "t" ]; then printn \
722
"Searching for Ambient's rootkit (ark) default files and dirs... "; fi
723
724
if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \
725
-d ${ROOTDIR}usr/doc/"... " ]; then
726
echo "Possible Ambient's rootkit (ark) installed"
727
else
728
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
729
fi
730
731
### suspicious files and dirs
732
DIR="${ROOTDIR}usr/lib"
733
[ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man"
734
[ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib"
735
736
if [ "${QUIET}" != "t" ]; then printn \
737
"Searching for suspicious files and dirs, it may take a while... "; fi
738
739
files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"`
740
dirs=`${find} ${DIR} -type d -name ".*"`
741
if [ "${files}" = "" -a "${dirs}" = "" ]
742
then
743
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
744
else
745
if [ "${QUIET}" != "t" ]; then
746
printn "The following suspicious files and directories were found:"
747
fi
748
echo
749
750
if [ -n "${EXCLUDES}" ]; then
751
for name in $files; do
752
for exclude in $EXCLUDES; do
753
if [ $name = $exclude ]; then continue 2; fi
754
done
755
echo $name
756
done
757
for name in $dirs; do
758
for exclude in $EXCLUDES; do
759
if [ $name = $exclude ]; then continue 2; fi
760
done
761
echo $name
762
done
763
else
764
echo ${files}
765
echo ${dirs}
766
fi
767
fi
768
769
### LPD Worm
770
if [ "${QUIET}" != "t" ]; then \
771
printn "Searching for LPD Worm files and dirs... "; fi
772
773
if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \
774
${egrep} '^[[:space:]]*666[[:space:]]' ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
775
then
776
echo "Possible LPD worm installed"
777
elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \
778
-f ${ROOTDIR}bin/.login ]; then
779
echo "Possible LPD worm installed"
780
else
781
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
782
fi
783
784
### Ramem Worm
785
if [ "${QUIET}" != "t" ]; then \
786
printn "Searching for Ramen Worm files and dirs... "; fi
787
788
if [ -d ${ROOTDIR}usr/src/.poop -o -f \
789
${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ]
790
then
791
echo "Possible Ramen worm installed"
792
else
793
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
794
795
fi
796
797
### Maniac rootkit
798
if [ "${QUIET}" != "t" ]; then \
799
printn "Searching for Maniac files and dirs... "; fi
800
801
files=`${find} ${ROOTDIR}usr/bin -name mailrc`
802
if [ "${files}" = "" ]; then
803
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
804
else
805
echo "${files}"
806
fi
807
808
### RK17 rookit
809
if [ "${QUIET}" != "t" ]; then \
810
printn "Searching for RK17 files and dirs... "; fi
811
812
CGIDIR=""
813
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
814
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
815
home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
816
do
817
[ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
818
done
819
files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \
820
${find} ${ROOTDIR}sbin -name pback && \
821
${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \
822
${find} ${ROOTDIR}proc -name kset 2> /dev/null && \
823
${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \
824
2> /dev/null && \
825
${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2> /dev/null`
826
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
827
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
828
zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
829
files=""
830
for j in ${CGIDIR}; do
831
for i in ${BACKDOORS}; do
832
[ -f ${j}/${i} ] && files="${files} ${j}/${i}"
833
done
834
done
835
if [ "${files}" = "" ]; then
836
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
837
else
838
echo "${files}"
839
fi
840
841
### Ducoci rootkit
842
if [ "${QUIET}" != "t" ]; then \
843
printn "Searching for Ducoci rootkit... "; fi
844
845
files=`${find} ${CGIDIR} -name last.cgi`
846
if [ "${files}" = "" ]; then
847
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
848
else
849
echo "${files}"
850
fi
851
852
### Adore Worm
853
if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi
854
855
files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \
856
-name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore`
857
if [ "${files}" = "" ]; then
858
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
859
else
860
echo "${files}"
861
files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null`
862
[ "${files}" != "" ] && echo ${files}
863
fi
864
865
### ShitC Worm
866
if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi
867
868
files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \
869
${find} ${ROOTDIR}usr/bin -type d -name dir || \
870
${find} ${ROOTDIR}usr/sbin -name in.slogind`
871
if [ "${files}" = "" ]; then
872
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
873
else
874
echo "${files}"
875
fi
876
877
### Omega Worm
878
if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi
879
880
files=`${find} ${ROOTDIR}dev -name chr`
881
if [ "${files}" = "" ]; then
882
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
883
else
884
echo "${files}"
885
fi
886
887
### China Worm (Sadmind/IIS Worm)
888
if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi
889
files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null`
890
if [ "${files}" = "" ]; then
891
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
892
else
893
echo "${files}"
894
fi
895
896
### MonKit
897
if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi
898
files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \
899
2> /dev/null`
900
if [ "${files}" = "" ]; then
901
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
902
else
903
echo "${files}"
904
fi
905
906
### Showtee
907
if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi
908
if [ -d ${ROOTDIR}usr/lib/.egcs ] || \
909
[ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \
910
[ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \
911
[ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \
912
[ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \
913
[ -f ${ROOTDIR}usr/include/chk.h ]; then
914
echo "Warning: Possible Showtee Rootkit installed"
915
else
916
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
917
fi
918
919
###
920
### OpticKit
921
###
922
if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi
923
files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \
924
2> /dev/null`
925
if [ "${files}" = "" ]; then
926
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
927
else
928
echo "${files}"
929
fi
930
931
### T.R.K
932
files=""
933
if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi
934
files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1`
935
if [ "${files}" = "" ]; then
936
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
937
else
938
echo "${files}"
939
fi
940
941
### Mithra's Rootkit
942
files=""
943
if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi
944
files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null`
945
if [ "${files}" = "" ]; then
946
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
947
else
948
echo "${files}"
949
fi
950
951
### OpenBSD rootkit v1
952
if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
953
files=""
954
if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi
955
files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
956
if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
957
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
958
else
959
echo "${files}"
960
fi
961
fi
962
963
### LOC rootkit
964
files=""
965
if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi
966
files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null`
967
if [ "${files}" = "" ]; then
968
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
969
else
970
echo "${files}"
971
loc epic epic $pth
972
fi
973
974
### Romanian rootkit
975
files=""
976
if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi
977
for i in file.h proc.h addr.h syslogs.h; do
978
if [ -f ${ROOTDIR}usr/include/${i} ]; then
979
files="$files ${ROOTDIR}usr/include/$i"
980
fi
981
done
982
if [ "${files}" = "" ]; then
983
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
984
else
985
echo "${files}"
986
fi
987
988
### HKRK
989
if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then
990
if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... "; fi
991
if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then
992
echo "Warning: /etc/rc.d/init.d/network INFECTED"
993
else
994
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
995
fi
996
fi
997
998
### Suckit
999
if [ -f ${ROOTDIR}sbin/init ]; then
1000
if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
1001
if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME=' || \
1002
cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
1003
then
1004
echo "Warning: ${ROOTDIR}sbin/init INFECTED"
1005
else
1006
if [ -d ${ROOTDIR}/dev/.golf ]; then
1007
echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
1008
else
1009
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1010
fi
1011
fi
1012
fi
1013
1014
### Volc
1015
if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi
1016
if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then
1017
echo "Warning: Possible Volc rootkit installed"
1018
else
1019
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1020
fi
1021
1022
### Gold2
1023
if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi
1024
if [ -f ${ROOTDIR}usr/bin/ishit ] ; then
1025
echo "Warning: Possible Gold2 rootkit installed"
1026
else
1027
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1028
fi
1029
1030
### TC2 Worm
1031
if [ "${QUIET}" != "t" ]; then \
1032
printn "Searching for TC2 Worm default files and dirs... "; fi
1033
if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \
1034
-f ${ROOTDIR}usr/sbin/initcheck -o -f ${ROOTDIR}usr/sbin/ldb ]
1035
then
1036
echo "Possible TC2 Worm installed"
1037
else
1038
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1039
fi
1040
1041
### ANONOYING Rootkit
1042
if [ "${QUIET}" != "t" ]; then \
1043
printn "Searching for Anonoying rootkit default files and dirs... "; fi
1044
if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then
1045
echo "Possible anonoying rootkit installed"
1046
else
1047
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1048
fi
1049
1050
### ZK Rootkit
1051
if [ "${QUIET}" != "t" ]; then \
1052
printn "Searching for ZK rootkit default files and dirs... "; fi
1053
if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
1054
echo "Possible ZK rootkit installed"
1055
else
1056
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1057
fi
1058
### ShKit
1059
if [ "${QUIET}" != "t" ]; then
1060
printn "Searching for ShKit rootkit default files and dirs... "; fi
1061
if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then
1062
echo "Possible ShKit rootkit installed"
1063
else
1064
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1065
fi
1066
1067
### AjaKit
1068
if [ "${QUIET}" != "t" ]; then
1069
printn "Searching for AjaKit rootkit default files and dirs... "; fi
1070
if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then
1071
echo "Possible AjaKit rootkit installed"
1072
else
1073
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1074
fi
1075
1076
### zaRwT
1077
if [ "${QUIET}" != "t" ]; then
1078
printn "Searching for zaRwT rootkit default files and dirs... "; fi
1079
if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then
1080
echo "Possible zaRwT rootkit installed"
1081
else
1082
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1083
fi
1084
1085
### Madalin rootkit
1086
if [ "${QUIET}" != "t" ]; then
1087
printn "Searching for Madalin rootkit default files... "; fi
1088
D=${ROOTDIR}usr/include
1089
if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then
1090
echo "Possible Madalin rootkit installed"
1091
else
1092
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1093
fi
1094
1095
### Fu rootkit
1096
if [ "${QUIET}" != "t" ]; then
1097
printn "Searching for Fu rootkit default files... "; fi
1098
if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \
1099
-f ${ROOTDIR}usr/include/ivtype.h ]; then
1100
echo "Possible Fu rootkit installed"
1101
else
1102
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1103
fi
1104
1105
### ESRK
1106
if [ "${QUIET}" != "t" ]; then
1107
printn "Searching for ESRK rootkit default files... "; fi
1108
if [ -d "${ROOTDIR}/usr/lib/tcl5.3" ]; then
1109
echo "Possible ESRK rootkit installed"
1110
else
1111
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1112
fi
1113
1114
## rootedoor
1115
if [ "${QUIET}" != "t" ]; then
1116
printn "Searching for rootedoor... "; fi
1117
found=0
1118
for i in `$echo $PATH|tr -s ':' ' '`; do
1119
if [ -f "${ROOTDIR}${i}/rootedoor" ]; then
1120
echo "Possible rootedoor installed in ${ROOTDIR}${i}"
1121
found=1
1122
fi
1123
done
1124
[ "${found}" = "0" ] &&\
1125
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1126
1127
### ENYELKM
1128
if [ "${QUIET}" != "t" ]; then
1129
printn "Searching for ENYELKM rootkit default files... "; fi
1130
if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then
1131
echo "Possible ENYELKM rootkit installed"
1132
else
1133
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1134
fi
1135
1136
## Common SSH-SCANNERS
1137
if [ "${QUIET}" != "t" ]; then
1138
printn "Searching for common ssh-scanners default files... "; fi
1139
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`"
1140
if [ "${files}" = "" ]; then
1141
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1142
else
1143
echo "${files}"
1144
fi
1145
1146
## SSJD Operation Windigo (Linux/Ebury)
1147
if [ "${QUIET}" != "t" ]; then
1148
printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi
1149
if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
1150
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1151
else
1152
echo "Possible Linux/Ebury - Operation Windigo installetd"
1153
fi
1154
1155
## Linux Rootkit 64 bits
1156
if [ "${QUIET}" != "t" ]; then
1157
printn "Searching for 64-bit Linux Rootkit ... "; fi
1158
if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \
1159
${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then
1160
echo "Possible 64-bit Linux Rootkit"
1161
else
1162
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1163
fi
1164
1165
if [ "${QUIET}" != "t" ]; then
1166
printn "Searching for 64-bit Linux Rootkit modules... "; fi
1167
files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`"
1168
if [ "${files}" = "" ]; then
1169
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1170
else
1171
echo "${files}"
1172
fi
1173
1174
1175
1176
###
1177
### Suspect PHP files
1178
###
1179
if [ "${QUIET}" != "t" ]; then
1180
printn "Searching for suspect PHP files... "; fi
1181
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
1182
if [ `echo abc | head -n 1` = "abc" ]; then
1183
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec sh -c 'head -n 1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;`"
1184
else
1185
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec sh -c 'head -1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;`"
1186
fi
1187
if [ "${files}" = "" -a "${fileshead}" = "" ]; then
1188
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1189
else
1190
echo
1191
echo "${files}"
1192
echo "${fileshead}"
1193
fi
1194
1195
###
1196
### shell history anomalies
1197
###
1198
if [ "${QUIET}" != "t" ]; then \
1199
printn "Searching for anomalies in shell history files... "; fi
1200
files=""
1201
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
1202
files=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' -size 0`
1203
[ ! -z "${files}" ] && \
1204
echo "Warning: \`${files}' file size is zero"
1205
files1=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' \( -links 2 -o -type l \)`
1206
[ ! -z "${files1}" ] && \
1207
echo "Warning: \`${files1}' is linked to another file"
1208
fi
1209
if [ -z "${files}" -a -z "${files1}" ]; then
1210
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1211
fi
1212
}
1213
1214
######################################################################
1215
# util functions
1216
1217
# our which(1)
1218
loc () {
1219
### usage: loc filename filename_to_return_if_nothing_was_found path
1220
thing=$1
1221
shift
1222
dflt=$1
1223
shift
1224
for dir in $*; do
1225
case "$thing" in
1226
.)
1227
if test -d $dir/$thing; then
1228
echo $dir
1229
exit 0
1230
fi
1231
;;
1232
*)
1233
for thisthing in $dir/$thing; do
1234
:
1235
done
1236
if test -f $thisthing; then
1237
echo $thisthing
1238
exit 0
1239
fi
1240
;;
1241
esac
1242
done
1243
if [ "${ROOTDIR}" = "/" ]; then
1244
echo ${dflt}
1245
else
1246
echo "${ROOTDIR}${dflt}"
1247
fi
1248
exit 1
1249
}
1250
1251
getCMD() {
1252
1253
RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
1254
${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
1255
${awk} '{ print $5 }'`
1256
1257
if [ -n "${RUNNING}" ]; then
1258
for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
1259
do
1260
CMD="${i}"
1261
if [ -r "${i}" ]
1262
then
1263
return 0
1264
fi
1265
done
1266
fi
1267
return 1
1268
}
1269
1270
expertmode_output() {
1271
echo "###"
1272
echo "### Output of: $1"
1273
echo "###"
1274
eval $1 2>&1
1275
# cat <<EOF
1276
#`$1 2>&1`
1277
#EOF
1278
return 0
1279
}
1280
1281
tnfs ()
1282
{
1283
## Check if -fstype nfs works
1284
findargs=""
1285
if find /etc -maxdepth 0 >/dev/null 2>&1; then
1286
find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
1287
findargs=" -fstype nfs -prune -o "
1288
elif find /etc -prune > /dev/null 2>&1; then
1289
find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
1290
findargs=" -fstype nfs -prune -o "
1291
fi
1292
}
1293
1294
######################################################################
1295
# trojan functions
1296
1297
chk_chfn () {
1298
STATUS=${NOT_INFECTED}
1299
CMD=`loc chfn chfn $pth`
1300
[ ${?} -ne 0 ] && return ${NOT_FOUND}
1301
1302
if [ "${EXPERT}" = "t" ]; then
1303
expertmode_output "${strings} -a ${CMD}"
1304
return 5
1305
fi
1306
1307
case "${SYSTEM}" in
1308
Linux)
1309
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1310
>/dev/null 2>&1
1311
then
1312
STATUS=${INFECTED}
1313
fi;;
1314
FreeBSD)
1315
[ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2
1316
if [ `${strings} -a ${CMD} | \
1317
${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1318
then
1319
STATUS=${INFECTED}
1320
fi;;
1321
esac
1322
return ${STATUS}
1323
}
1324
1325
chk_chsh () {
1326
STATUS=${NOT_INFECTED}
1327
CMD=`loc chsh chsh $pth`
1328
[ ${?} -ne 0 ] && return ${NOT_FOUND}
1329
1330
REDHAT_PAM_LABEL="*NOT*"
1331
1332
if [ "${EXPERT}" = "t" ]; then
1333
expertmode_output "${strings} -a ${CMD}"
1334
return 5
1335
fi
1336
1337
case "${SYSTEM}" in
1338
Linux)
1339
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1340
>/dev/null 2>&1
1341
then
1342
if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
1343
>/dev/null 2>&1
1344
then
1345
:
1346
else
1347
STATUS=${INFECTED}
1348
fi
1349
fi;;
1350
FreeBSD)
1351
[ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
1352
if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1353
then
1354
STATUS=${INFECTED}
1355
fi;;
1356
esac
1357
return ${STATUS}
1358
}
1359
1360
chk_login () {
1361
STATUS=${NOT_INFECTED}
1362
CMD=`loc login login $pth`
1363
if [ "${?}" -ne 0 ]
1364
then
1365
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1366
return ${NOT_FOUND}
1367
fi
1368
1369
if [ "${EXPERT}" = "t" ]; then
1370
expertmode_output "${strings} -a ${CMD}"
1371
return 5
1372
fi
1373
1374
if [ "$SYSTEM" = "SunOS" ]; then
1375
TROJED_L_L="porcao|/bin/xstat"
1376
if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then
1377
return ${INFECTED}
1378
else
1379
return ${NOT_TESTED}
1380
fi
1381
fi
1382
GENERAL="^root$"
1383
TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola"
1384
ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
1385
if [ ${ret} -gt 0 ]; then
1386
case ${ret} in
1387
1) [ "${SYSTEM}" = "OpenBSD" -a `echo $V | ${awk} '{ if ($1 < 2.7 ||
1388
$1 >= 3.0) print 1; else print 0}'` -eq 1 ] && \
1389
STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
1390
2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \
1391
"OpenBSD" -a `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
1392
6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
1393
*) STATUS=${INFECTED};;
1394
esac
1395
fi
1396
if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null
1397
then
1398
STATUS=${INFECTED}
1399
fi
1400
return ${STATUS}
1401
}
1402
1403
chk_passwd () {
1404
STATUS=${NOT_INFECTED}
1405
CMD=`loc passwd passwd $pth`
1406
1407
if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then
1408
CMD="${ROOTDIR}usr/bin/passwd"
1409
fi
1410
if [ ! -r "${CMD}" ]
1411
then
1412
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1413
return ${NOT_FOUND}
1414
fi
1415
1416
if [ "${EXPERT}" = "t" ]; then
1417
expertmode_output "${strings} -a ${CMD}"
1418
fi
1419
1420
if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" -o "${SYSTEM}" \
1421
= "HP-UX" ]
1422
then
1423
return ${NOT_TESTED}
1424
fi
1425
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
1426
>/dev/null 2>&1
1427
then
1428
STATUS=${INFECTED}
1429
fi
1430
return ${STATUS}
1431
}
1432
1433
chk_inetd () {
1434
STATUS=${NOT_INFECTED}
1435
getCMD 'inetd'
1436
1437
if [ ! -r ${CMD} -o ${CMD} = '/' ]
1438
then
1439
return ${NOT_TESTED}
1440
fi
1441
1442
if [ "${EXPERT}" = "t" ]; then
1443
expertmode_output "${strings} -a ${CMD}"
1444
return 5
1445
fi
1446
1447
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1448
>/dev/null 2>&1
1449
then
1450
STATUS=${INFECTED}
1451
fi
1452
return ${STATUS}
1453
}
1454
1455
chk_syslogd () {
1456
STATUS=${NOT_INFECTED}
1457
SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h"
1458
CMD=`loc syslogd syslogd $pth`
1459
1460
if [ ! -r ${CMD} ]
1461
then
1462
return ${NOT_TESTED}
1463
fi
1464
1465
if [ "${EXPERT}" = "t" ]; then
1466
expertmode_output "${strings} -a ${CMD}"
1467
return 5
1468
fi
1469
1470
if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
1471
then
1472
STATUS=${INFECTED}
1473
fi
1474
return ${STATUS}
1475
}
1476
1477
chk_hdparm () {
1478
STATUS=${NOT_INFECTED}
1479
HDPARM_INFECTED_LABEL="/dev/ida"
1480
CMD=`loc hdparm hdparm $pth`
1481
if [ ! -r ${CMD} ]
1482
then
1483
return ${NOT_FOUND}
1484
fi
1485
1486
if [ "${EXPERT}" = "t" ]; then
1487
expertmode_output "${strings} -a ${CMD}"
1488
return 5
1489
fi
1490
1491
if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
1492
>/dev/null 2>&1
1493
then
1494
STATUS=${INFECTED}
1495
fi
1496
return ${STATUS}
1497
}
1498
1499
chk_gpm () {
1500
STATUS=${NOT_INFECTED}
1501
GPM_INFECTED_LABEL="mingetty"
1502
CMD=`loc gpm gpm $pth`
1503
if [ ! -r ${CMD} ]
1504
then
1505
return ${NOT_FOUND}
1506
fi
1507
1508
if [ "${EXPERT}" = "t" ]; then
1509
expertmode_output "${strings} -a ${CMD}"
1510
return 5
1511
fi
1512
1513
if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
1514
>/dev/null 2>&1
1515
then
1516
STATUS=${INFECTED}
1517
fi
1518
return ${STATUS}
1519
}
1520
1521
chk_mingetty () {
1522
STATUS=${NOT_INFECTED}
1523
MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
1524
CMD=`loc mingetty mingetty $pth`
1525
if [ ! -r ${CMD} ]
1526
then
1527
return ${NOT_FOUND}
1528
fi
1529
1530
if [ "${EXPERT}" = "t" ]; then
1531
expertmode_output "${strings} -a ${CMD}"
1532
return 5
1533
fi
1534
1535
if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
1536
>/dev/null 2>&1
1537
then
1538
STATUS=${INFECTED}
1539
fi
1540
return ${STATUS}
1541
}
1542
1543
chk_sendmail () {
1544
STATUS=${NOT_INFECTED}
1545
SENDMAIL_INFECTED_LABEL="fuck"
1546
CMD=`loc sendmail sendmail $pth`
1547
if [ ! -r ${CMD} ]
1548
then
1549
return ${NOT_FOUND}
1550
fi
1551
1552
if [ "${EXPERT}" = "t" ]; then
1553
expertmode_output "${strings} -a ${CMD}"
1554
return 5
1555
fi
1556
1557
if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
1558
>/dev/null 2>&1
1559
then
1560
STATUS=${INFECTED}
1561
fi
1562
return ${STATUS}
1563
}
1564
1565
chk_ls () {
1566
STATUS=${NOT_INFECTED}
1567
LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
1568
CMD=`loc ls ls $pth`
1569
if [ "${?}" -ne 0 ]
1570
then
1571
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1572
return ${NOT_FOUND}
1573
fi
1574
1575
if [ "${EXPERT}" = "t" ]; then
1576
expertmode_output "${strings} -a ${CMD}"
1577
return 5
1578
fi
1579
1580
if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
1581
then
1582
STATUS=${INFECTED}
1583
fi
1584
return ${STATUS}
1585
}
1586
1587
chk_du () {
1588
STATUS=${NOT_INFECTED}
1589
DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
1590
CMD=`loc du du $pth`
1591
if [ "${?}" -ne 0 ]
1592
then
1593
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1594
return ${NOT_FOUND}
1595
fi
1596
1597
if [ "${EXPERT}" = "t" ]; then
1598
expertmode_output "${strings} -a ${CMD}"
1599
return 5
1600
fi
1601
1602
if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
1603
then
1604
STATUS=${INFECTED}
1605
fi
1606
return ${STATUS}
1607
}
1608
1609
chk_named () {
1610
STATUS=${NOT_INFECTED}
1611
NAMED_I_L="blah|bye"
1612
CMD=`loc named named $pth`
1613
1614
if [ ! -r "${CMD}" ]; then
1615
CMD=`loc in.named in.named $pth`
1616
if [ ! -r "${CMD}" ]; then
1617
return ${NOT_FOUND}
1618
fi
1619
fi
1620
1621
if [ "${EXPERT}" = "t" ]; then
1622
expertmode_output "${strings} -a ${CMD}"
1623
return 5
1624
fi
1625
1626
if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
1627
>/dev/null 2>&1
1628
then
1629
STATUS=${INFECTED}
1630
fi
1631
return ${STATUS}
1632
}
1633
1634
chk_netstat () {
1635
STATUS=${NOT_INFECTED}
1636
NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
1637
CMD=`loc netstat netstat $pth`
1638
if [ "${?}" -ne 0 ]
1639
then
1640
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1641
return ${NOT_FOUND}
1642
fi
1643
1644
if [ "${EXPERT}" = "t" ]; then
1645
expertmode_output "${strings} -a ${CMD}"
1646
return 5
1647
fi
1648
1649
if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
1650
>/dev/null 2>&1
1651
then
1652
STATUS=${INFECTED}
1653
fi
1654
return ${STATUS}
1655
}
1656
1657
chk_ps () {
1658
STATUS=${NOT_INFECTED}
1659
PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\
1660
/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so"
1661
CMD=`loc ps ps $pth`
1662
if [ "${?}" -ne 0 ]
1663
then
1664
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1665
return ${NOT_FOUND}
1666
fi
1667
1668
if [ "${EXPERT}" = "t" ]; then
1669
expertmode_output "${strings} -a ${CMD}"
1670
return 5
1671
fi
1672
1673
if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
1674
then
1675
STATUS=${INFECTED}
1676
fi
1677
return ${STATUS}
1678
}
1679
1680
chk_pstree () {
1681
STATUS=${NOT_INFECTED}
1682
PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h"
1683
1684
CMD=`loc pstree pstree $pth`
1685
if [ ! -r "${CMD}" ]
1686
then
1687
return ${NOT_FOUND}
1688
fi
1689
1690
if [ "${EXPERT}" = "t" ]; then
1691
expertmode_output "${strings} -a ${CMD}"
1692
return 5
1693
fi
1694
1695
if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
1696
then
1697
STATUS=${INFECTED}
1698
fi
1699
return ${STATUS}
1700
}
1701
1702
chk_crontab () {
1703
STATUS=${NOT_INFECTED}
1704
CRONTAB_I_L="crontab.*666"
1705
1706
CMD=`loc crontab crontab $pth`
1707
1708
if [ ! -r ${CMD} ]
1709
then
1710
return ${NOT_FOUND}
1711
fi
1712
1713
if [ "${EXPERT}" = "t" ]; then
1714
expertmode_output "${CMD} -l -u nobody"
1715
return 5
1716
fi
1717
# slackware's crontab have a bug
1718
if ( ${CMD} -l -u nobody | $egrep [0-9] ) >/dev/null 2>&1 ; then
1719
${echo} "Warning: crontab for nobody found, possible Lupper.Worm... "
1720
if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
1721
then
1722
STATUS=${INFECTED}
1723
fi
1724
fi
1725
return ${STATUS}
1726
}
1727
1728
chk_top () {
1729
STATUS=${NOT_INFECTED}
1730
TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit"
1731
1732
CMD=`loc top top $pth`
1733
1734
if [ ! -r ${CMD} ]
1735
then
1736
return ${NOT_FOUND}
1737
fi
1738
1739
if [ "${EXPERT}" = "t" ]; then
1740
expertmode_output "${strings} -a ${CMD}"
1741
return 5
1742
fi
1743
1744
if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1745
then
1746
STATUS=${INFECTED}
1747
fi
1748
return ${STATUS}
1749
}
1750
1751
chk_pidof () {
1752
STATUS=${NOT_INFECTED}
1753
TOP_INFECTED_LABEL="/dev/pty[pqrs]"
1754
CMD=`loc pidof pidof $pth`
1755
1756
if [ "${?}" -ne 0 ]
1757
then
1758
return ${NOT_FOUND}
1759
fi
1760
1761
if [ "${EXPERT}" = "t" ]; then
1762
expertmode_output "${strings} -a ${CMD}"
1763
return 5
1764
fi
1765
1766
if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1767
then
1768
STATUS=${INFECTED}
1769
fi
1770
return ${STATUS}
1771
}
1772
1773
chk_killall () {
1774
STATUS=${NOT_INFECTED}
1775
TOP_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h"
1776
CMD=`loc killall killall $pth`
1777
1778
if [ "${?}" -ne 0 ]
1779
then
1780
return ${NOT_FOUND}
1781
fi
1782
1783
if [ "${EXPERT}" = "t" ]; then
1784
expertmode_output "${strings} -a ${CMD}"
1785
return 5
1786
fi
1787
1788
if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1789
then
1790
STATUS=${INFECTED}
1791
fi
1792
return ${STATUS}
1793
}
1794
1795
chk_ldsopreload() {
1796
STATUS=${NOT_INFECTED}
1797
CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a"
1798
1799
if [ "${SYSTEM}" = "Linux" ]
1800
then
1801
if [ ! -x ./strings-static ]; then
1802
printn "can't exec ./strings-static, "
1803
return ${NOT_TESTED}
1804
fi
1805
1806
if [ "${EXPERT}" = "t" ]; then
1807
expertmode_output "./strings-static -a ${CMD}"
1808
return 5
1809
fi
1810
1811
### strings must be a statically linked binary.
1812
if ./strings-static -a ${CMD} > /dev/null 2>&1
1813
then
1814
STATUS=${INFECTED}
1815
fi
1816
else
1817
STATUS=${NOT_TESTED}
1818
fi
1819
return ${STATUS}
1820
}
1821
1822
chk_basename () {
1823
STATUS=${NOT_INFECTED}
1824
CMD=`loc basename basename $pth`
1825
if [ "${?}" -ne 0 ]
1826
then
1827
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1828
return ${NOT_FOUND}
1829
fi
1830
1831
if [ "${EXPERT}" = "t" ]; then
1832
expertmode_output "${strings} -a ${CMD}"
1833
expertmode_output "${ls} -l ${CMD}"
1834
return 5
1835
fi
1836
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1837
then
1838
STATUS=${INFECTED}
1839
fi
1840
1841
[ "$SYSTEM" != "OSF1" ] &&
1842
{
1843
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1844
then
1845
STATUS=${INFECTED}
1846
fi
1847
}
1848
return ${STATUS}
1849
}
1850
1851
chk_dirname () {
1852
STATUS=${NOT_INFECTED}
1853
CMD=`loc dirname dirname $pth`
1854
if [ "${?}" -ne 0 ]
1855
then
1856
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1857
return ${NOT_FOUND}
1858
fi
1859
1860
if [ "${EXPERT}" = "t" ]; then
1861
expertmode_output "${strings} -a ${CMD}"
1862
expertmode_output "${ls} -l ${CMD}"
1863
return 5
1864
fi
1865
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1866
then
1867
STATUS=${INFECTED}
1868
fi
1869
if ${ls} -l ${MD} | ${egrep} "^...s" > /dev/null 2>&1
1870
then
1871
STATUS=${INFECTED}
1872
fi
1873
return ${STATUS}
1874
}
1875
1876
chk_traceroute () {
1877
STATUS=${NOT_INFECTED}
1878
CMD=`loc traceroute traceroute $pth`
1879
1880
if [ ! -r "${CMD}" ]
1881
then
1882
return ${NOT_FOUND}
1883
fi
1884
1885
if [ "${EXPERT}" = "t" ]; then
1886
expertmode_output "${strings} -a ${CMD}"
1887
return 5
1888
fi
1889
1890
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1891
then
1892
STATUS=${INFECTED}
1893
fi
1894
return ${STATUS}
1895
}
1896
1897
chk_rpcinfo () {
1898
STATUS=${NOT_INFECTED}
1899
CMD=`loc rpcinfo rpcinfo $pth`
1900
1901
if [ ! -r "${CMD}" ]
1902
then
1903
return ${NOT_FOUND}
1904
fi
1905
1906
if [ "${EXPERT}" = "t" ]; then
1907
expertmode_output "${strings} -a ${CMD}"
1908
expertmode_output "${ls} -l ${CMD}"
1909
return 5
1910
fi
1911
1912
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1913
then
1914
STATUS=${INFECTED}
1915
fi
1916
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1917
then
1918
STATUS=${INFECTED}
1919
fi
1920
return ${STATUS}
1921
}
1922
1923
chk_date () {
1924
STATUS=${NOT_INFECTED}
1925
S_L="/bin/.*sh"
1926
CMD=`loc date date $pth`
1927
if [ "${?}" -ne 0 ]
1928
then
1929
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1930
return ${NOT_FOUND}
1931
fi
1932
1933
if [ "${EXPERT}" = "t" ]; then
1934
expertmode_output "${strings} -a ${CMD}"
1935
expertmode_output "${ls} -l ${CMD}"
1936
return 5
1937
fi
1938
[ "${SYSTEM}" = "FreeBSD" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ] &&
1939
{
1940
N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
1941
${egrep} -c "$S_L"`
1942
if [ ${N} -ne 2 -a ${N} -ne 0 ]; then
1943
STATUS=${INFECTED}
1944
fi
1945
} ||
1946
{
1947
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1
1948
then
1949
STATUS=${INFECTED}
1950
fi
1951
}
1952
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1953
then
1954
STATUS=${INFECTED}
1955
fi
1956
return ${STATUS}
1957
}
1958
1959
chk_echo () {
1960
STATUS=${NOT_INFECTED}
1961
CMD=`loc echo echo $pth`
1962
if [ "${?}" -ne 0 ]
1963
then
1964
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1965
return ${NOT_FOUND}
1966
fi
1967
1968
if [ "${EXPERT}" = "t" ]; then
1969
expertmode_output "${strings} -a ${CMD}"
1970
expertmode_output "${ls} -l ${CMD}"
1971
return 5
1972
fi
1973
1974
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1975
then
1976
STATUS=${INFECTED}
1977
fi
1978
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1979
then
1980
STATUS=${INFECTED}
1981
fi
1982
return ${STATUS}
1983
}
1984
1985
chk_env () {
1986
STATUS=${NOT_INFECTED}
1987
CMD=`loc env env $pth`
1988
if [ "${?}" -ne 0 ]
1989
then
1990
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1991
return ${NOT_FOUND}
1992
fi
1993
1994
if [ "${EXPERT}" = "t" ]; then
1995
expertmode_output "${strings} -a ${CMD}"
1996
expertmode_output "${ls} -l ${CMD}"
1997
return 5
1998
fi
1999
2000
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2001
then
2002
STATUS=${INFECTED}
2003
fi
2004
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2005
then
2006
STATUS=${INFECTED}
2007
fi
2008
2009
return ${STATUS}
2010
}
2011
2012
chk_timed () {
2013
STATUS=${NOT_INFECTED}
2014
CMD=`loc timed timed $pth`
2015
if [ ${?} -ne 0 ]; then
2016
CMD=`loc in.timed in.timed $pth`
2017
if [ ${?} -ne 0 ]; then
2018
return ${NOT_FOUND}
2019
fi
2020
fi
2021
if [ "${EXPERT}" = "t" ]; then
2022
expertmode_output "${strings} -a ${CMD}"
2023
return 5
2024
fi
2025
2026
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2027
then
2028
STATUS=${INFECTED}
2029
fi
2030
return ${STATUS}
2031
}
2032
2033
chk_identd () {
2034
STATUS=${NOT_INFECTED}
2035
CMD=`loc in.identd in.identd $pth`
2036
if [ ${?} -ne 0 ]; then
2037
return ${NOT_FOUND}
2038
fi
2039
if [ "${EXPERT}" = "t" ]; then
2040
expertmode_output "${strings} -a ${CMD}"
2041
return 5
2042
fi
2043
2044
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2045
then
2046
STATUS=${INFECTED}
2047
fi
2048
return ${STATUS}
2049
}
2050
2051
chk_init () {
2052
STATUS=${NOT_INFECTED}
2053
INIT_INFECTED_LABEL="UPX"
2054
CMD=`loc init init $pth`
2055
if [ ${?} -ne 0 ]; then
2056
return ${NOT_FOUND}
2057
fi
2058
if [ "${EXPERT}" = "t" ]; then
2059
expertmode_output "${strings} -a ${CMD}"
2060
return 5
2061
fi
2062
2063
if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
2064
then
2065
STATUS=${INFECTED}
2066
fi
2067
return ${STATUS}
2068
}
2069
2070
chk_pop2 () {
2071
STATUS=${NOT_INFECTED}
2072
CMD=`loc in.pop2d in.pop2d $pth`
2073
if [ ${?} -ne 0 ]; then
2074
return ${NOT_FOUND}
2075
fi
2076
if [ "${EXPERT}" = "t" ]; then
2077
expertmode_output "${strings} -a ${CMD}"
2078
return 5
2079
fi
2080
2081
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2082
then
2083
STATUS=${INFECTED}
2084
fi
2085
return ${STATUS}
2086
}
2087
2088
chk_pop3 () {
2089
STATUS=${NOT_INFECTED}
2090
CMD=`loc in.pop3d in.pop3d $pth`
2091
if [ ${?} -ne 0 ]; then
2092
return ${NOT_FOUND}
2093
fi
2094
if [ "${EXPERT}" = "t" ]; then
2095
expertmode_output "${strings} -a ${CMD}"
2096
return 5
2097
fi
2098
2099
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2100
then
2101
STATUS=${INFECTED}
2102
fi
2103
return ${STATUS}
2104
}
2105
2106
chk_write () {
2107
STATUS=${NOT_INFECTED}
2108
CMD=`loc write write $pth`
2109
if [ "${?}" -ne 0 ]
2110
then
2111
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2112
return ${NOT_FOUND}
2113
fi
2114
WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
2115
if [ "${EXPERT}" = "t" ]; then
2116
expertmode_output "${strings} -a ${CMD}"
2117
expertmode_output "${ls} -l ${CMD}"
2118
return 5
2119
fi
2120
2121
if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
2122
then
2123
STATUS=${INFECTED}
2124
fi
2125
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2126
then
2127
STATUS=${INFECTED}
2128
fi
2129
return ${STATUS}
2130
}
2131
2132
chk_w () {
2133
STATUS=${NOT_INFECTED}
2134
CMD=`loc w w $pth`
2135
if [ "${?}" -ne 0 ]
2136
then
2137
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2138
return ${NOT_FOUND}
2139
fi
2140
W_INFECTED_LABEL="uname -a"
2141
2142
if [ "${EXPERT}" = "t" ]; then
2143
expertmode_output "${strings} -a ${CMD}"
2144
expertmode_output "${ls} -l ${CMD}"
2145
return 5
2146
fi
2147
if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
2148
then
2149
STATUS=${INFECTED}
2150
fi
2151
return ${STATUS}
2152
}
2153
2154
chk_vdir () {
2155
STATUS=${NOT_INFECTED}
2156
CMD=`loc vdir vdir $pth`
2157
VDIR_INFECTED_LABEL="/lib/volc"
2158
if [ ! -r ${CMD} ]; then
2159
return ${NOT_FOUND}
2160
fi
2161
2162
if [ "${EXPERT}" = "t" ]; then
2163
expertmode_output "${strings} -a ${CMD}"
2164
expertmode_output "${ls} -l ${CMD}"
2165
return 5
2166
fi
2167
if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
2168
then
2169
STATUS=${INFECTED}
2170
fi
2171
return ${STATUS}
2172
}
2173
2174
chk_tar () {
2175
STATUS=${NOT_INFECTED}
2176
CMD=`loc tar tar $pth`
2177
if [ "${?}" -ne 0 ]
2178
then
2179
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2180
return ${NOT_FOUND}
2181
fi
2182
2183
if [ "${EXPERT}" = "t" ]; then
2184
expertmode_output "${ls} -l ${CMD}"
2185
return 5
2186
fi
2187
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2188
then
2189
STATUS=${INFECTED}
2190
fi
2191
return ${STATUS}
2192
}
2193
2194
rexedcs () {
2195
STATUS=${NOT_INFECTED}
2196
CMD=`loc in.rexedcs in.rexedcs $pth`
2197
if [ "${?}" -ne 0 ]
2198
then
2199
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2200
return ${NOT_FOUND}
2201
fi
2202
2203
if [ "${EXPERT}" = "t" ]; then
2204
expertmode_output "${strings} -a ${CMD}"
2205
return 5
2206
fi
2207
STATUS=${INFECTED}
2208
return ${STATUS}
2209
}
2210
2211
chk_mail () {
2212
STATUS=${NOT_INFECTED}
2213
CMD=`loc mail mail $pth`
2214
if [ "${?}" -ne 0 ]
2215
then
2216
return ${NOT_FOUND}
2217
fi
2218
2219
[ "${SYSTEM}" = "HP-UX" ] && return $NOT_TESTED
2220
2221
MAIL_INFECTED_LABEL="sh -i"
2222
2223
if [ "${EXPERT}" = "t" ]; then
2224
expertmode_output "${strings} -a ${CMD}"
2225
expertmode_output "${ls} -l ${CMD}"
2226
return 5
2227
fi
2228
2229
if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
2230
then
2231
STATUS=${INFECTED}
2232
fi
2233
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2234
then
2235
STATUS=${INFECTED}
2236
fi
2237
return ${STATUS}
2238
}
2239
2240
chk_biff () {
2241
STATUS=${NOT_INFECTED}
2242
CMD=`loc biff biff $pth`
2243
if [ "${?}" -ne 0 ]
2244
then
2245
return ${NOT_FOUND}
2246
fi
2247
2248
if [ "${EXPERT}" = "t" ]; then
2249
expertmode_output "${strings} -a ${CMD}"
2250
expertmode_output "${ls} -l ${CMD}"
2251
return 5
2252
fi
2253
2254
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2255
then
2256
STATUS=${INFECTED}
2257
fi
2258
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2259
then
2260
STATUS=${INFECTED}
2261
fi
2262
return ${STATUS}
2263
}
2264
2265
chk_egrep () {
2266
STATUS=${NOT_INFECTED}
2267
EGREP_INFECTED_LABEL="blah"
2268
CMD=`loc egrep egrep $pth`
2269
if [ "${?}" -ne 0 ]
2270
then
2271
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2272
return ${NOT_FOUND}
2273
fi
2274
2275
if [ "${EXPERT}" = "t" ]; then
2276
expertmode_output "${strings} -a ${CMD}"
2277
expertmode_output "${ls} -l ${CMD}"
2278
return 5
2279
fi
2280
if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
2281
then
2282
STATUS=${INFECTED}
2283
fi
2284
return ${STATUS}
2285
}
2286
2287
chk_grep () {
2288
STATUS=${NOT_INFECTED}
2289
GREP_INFECTED_LABEL="givemer"
2290
CMD=`loc grep grep $pth`
2291
if [ "${?}" -ne 0 ]
2292
then
2293
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2294
return ${NOT_FOUND}
2295
fi
2296
2297
if [ "${EXPERT}" = "t" ]; then
2298
expertmode_output "${strings} -a ${CMD}"
2299
expertmode_output "${ls} -l ${CMD}"
2300
return 5
2301
fi
2302
2303
if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
2304
then
2305
STATUS=${INFECTED}
2306
fi
2307
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2308
then
2309
STATUS=${INFECTED}
2310
fi
2311
return ${STATUS}
2312
}
2313
2314
chk_find () {
2315
STATUS=${NOT_INFECTED}
2316
FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h"
2317
CMD=`loc find find $pth`
2318
2319
if [ "${?}" -ne 0 ]
2320
then
2321
return ${NOT_FOUND}
2322
fi
2323
2324
if [ "${EXPERT}" = "t" ]; then
2325
expertmode_output "${strings} -a ${CMD}"
2326
return 5
2327
fi
2328
2329
if ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1
2330
then
2331
STATUS=${INFECTED}
2332
fi
2333
return ${STATUS}
2334
}
2335
2336
chk_rlogind () {
2337
STATUS=${NOT_INFECTED}
2338
RLOGIN_INFECTED_LABEL="p1r0c4|r00t"
2339
CMD=`loc in.rlogind in.rlogind $pth`
2340
if [ ! -x "${CMD}" ]; then
2341
CMD=`loc rlogind rlogind $pth`
2342
if [ ! -x "${CMD}" ]; then
2343
return ${NOT_FOUND}
2344
fi
2345
fi
2346
if [ "${EXPERT}" = "t" ]; then
2347
expertmode_output "${strings} -a ${CMD}"
2348
return 5
2349
fi
2350
if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2351
then
2352
STATUS=${INFECTED}
2353
fi
2354
return ${STATUS}
2355
}
2356
2357
chk_lsof () {
2358
STATUS=${NOT_INFECTED}
2359
LSOF_INFECTED_LABEL="^/prof"
2360
CMD=`loc lsof lsof $pth`
2361
if [ ! -x "${CMD}" ]; then
2362
return ${NOT_FOUND}
2363
fi
2364
if [ "${EXPERT}" = "t" ]; then
2365
expertmode_output "${strings} -a ${CMD}"
2366
return 5
2367
fi
2368
if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
2369
then
2370
STATUS=${INFECTED}
2371
fi
2372
return ${STATUS}
2373
}
2374
2375
chk_amd () {
2376
STATUS=${NOT_INFECTED}
2377
AMD_INFECTED_LABEL="blah"
2378
CMD=`loc amd amd $pth`
2379
if [ ! -x "${CMD}" ]; then
2380
return ${NOT_FOUND}
2381
fi
2382
if [ "${EXPERT}" = "t" ]; then
2383
expertmode_output "${strings} -a ${CMD}"
2384
return 5
2385
fi
2386
if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
2387
then
2388
STATUS=${INFECTED}
2389
fi
2390
return ${STATUS}
2391
}
2392
2393
chk_slogin () {
2394
STATUS=${NOT_INFECTED}
2395
SLOGIN_INFECTED_LABEL="homo"
2396
CMD=`loc slogin slogin $pth`
2397
if [ ! -x "${CMD}" ]; then
2398
return ${NOT_FOUND}
2399
fi
2400
if [ "${EXPERT}" = "t" ]; then
2401
expertmode_output "${strings} -a ${CMD}"
2402
return 5
2403
fi
2404
if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2405
then
2406
STATUS=${INFECTED}
2407
fi
2408
return ${STATUS}
2409
}
2410
2411
chk_cron () {
2412
STATUS=${NOT_INFECTED}
2413
CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
2414
CMD=`loc cron cron $pth`
2415
if [ "${?}" -ne 0 ]; then
2416
CMD=`loc crond crond $pth`
2417
fi
2418
if [ "${?}" -ne 0 ]
2419
then
2420
return ${NOT_FOUND}
2421
fi
2422
if [ "${EXPERT}" = "t" ]; then
2423
expertmode_output "${strings} -a ${CMD}"
2424
return 5
2425
fi
2426
if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
2427
then
2428
STATUS=${INFECTED}
2429
fi
2430
return ${STATUS}
2431
}
2432
2433
chk_ifconfig () {
2434
STATUS=${INFECTED}
2435
CMD=`loc ifconfig ifconfig $pth`
2436
if [ "${?}" -ne 0 ]; then
2437
return ${NOT_FOUND}
2438
fi
2439
2440
if [ "${EXPERT}" = "t" ]; then
2441
expertmode_output "${strings} -a ${CMD}"
2442
return 5
2443
fi
2444
2445
IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
2446
IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
2447
if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
2448
>/dev/null 2>&1
2449
then
2450
STATUS=${NOT_INFECTED}
2451
fi
2452
if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
2453
>/dev/null 2>&1
2454
then
2455
STATUS=${INFECTED}
2456
fi
2457
return ${STATUS}
2458
}
2459
2460
chk_rshd () {
2461
STATUS=${NOT_INFECTED}
2462
case "${SYSTEM}" in
2463
Linux) CMD="${ROOTDIR}usr/sbin/in.rshd";;
2464
FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";;
2465
*) CMD=`loc rshd rshd $pth`;;
2466
esac
2467
2468
if [ ! -x ${CMD} ] ;then
2469
return ${NOT_FOUND}
2470
fi
2471
if [ "${EXPERT}" = "t" ]; then
2472
expertmode_output "${strings} -a ${CMD}"
2473
return 5
2474
fi
2475
2476
RSHD_INFECTED_LABEL="HISTFILE"
2477
if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
2478
then
2479
STATUS=${INFECTED}
2480
if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
2481
${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1 ; then
2482
STATUS=${INFECTED_BUT_DISABLED}
2483
fi
2484
fi
2485
return ${STATUS}
2486
}
2487
2488
chk_tcpdump () {
2489
STATUS=${NOT_INFECTED}
2490
TCPDUMP_I_L="212.146.0.34:1963";
2491
OPT=-an
2492
if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}"> /dev/null 2>&1; then
2493
STATUS=${INFECTED}
2494
fi
2495
return ${STATUS}
2496
}
2497
2498
chk_tcpd () {
2499
STATUS=${NOT_INFECTED}
2500
TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
2501
2502
[ -r ${ROOTDIR}etc/inetd.conf ] &&
2503
CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
2504
${awk} '{ print $6 }'`
2505
if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1; then
2506
CMD=`loc tcpd tcpd $pth`
2507
fi
2508
[ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`
2509
2510
[ "tcpd" = "${CMD}" -o ! -f "${CMD}" ] && return ${NOT_FOUND};
2511
2512
if [ "${EXPERT}" = "t" ]; then
2513
expertmode_output "${strings} -a ${CMD}"
2514
return 5
2515
fi
2516
2517
if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
2518
then
2519
STATUS=${INFECTED}
2520
fi
2521
return ${STATUS}
2522
}
2523
2524
chk_sshd () {
2525
STATUS=${NOT_INFECTED}
2526
SSHD2_INFECTED_LABEL="check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk"
2527
getCMD 'sshd'
2528
2529
if [ ${?} -ne 0 ]; then
2530
return ${NOT_FOUND}
2531
fi
2532
2533
if [ "${EXPERT}" = "t" ]; then
2534
expertmode_output "${strings} -a ${CMD}"
2535
return 5
2536
fi
2537
2538
if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
2539
> /dev/null 2>&1
2540
then
2541
STATUS=${INFECTED}
2542
if ${ps} ${ps_cmd} | ${egrep} sshd >/dev/null 2>&1; then
2543
STATUS=${INFECTED_BUT_DISABLED}
2544
fi
2545
fi
2546
return ${STATUS}
2547
}
2548
2549
chk_su () {
2550
STATUS=${NOT_INFECTED}
2551
SU_INFECTED_LABEL="satori|vejeta|conf\.inv"
2552
CMD=`loc su su $pth`
2553
if [ "${?}" -ne 0 ]
2554
then
2555
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2556
return ${NOT_FOUND}
2557
fi
2558
2559
if [ "${EXPERT}" = "t" ]; then
2560
expertmode_output "${strings} -a ${CMD}"
2561
return 5
2562
fi
2563
2564
if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
2565
then
2566
STATUS=${INFECTED}
2567
fi
2568
return ${STATUS}
2569
}
2570
2571
chk_fingerd () {
2572
STATUS=${NOT_INFECTED}
2573
FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}"
2574
CMD=`loc fingerd fingerd $pth`
2575
2576
if [ ${?} -ne 0 ]; then
2577
CMD=`loc in.fingerd in.fingerd $pth`
2578
if [ ${?} -ne 0 ]; then
2579
return ${NOT_FOUND}
2580
fi
2581
fi
2582
2583
if [ "${EXPERT}" = "t" ]; then
2584
expertmode_output "${strings} -a ${CMD}"
2585
return 5
2586
fi
2587
2588
if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
2589
> /dev/null 2>&1
2590
then
2591
STATUS=${INFECTED}
2592
fi
2593
return ${STATUS}
2594
}
2595
2596
2597
chk_inetdconf () {
2598
STATUS=${NOT_INFECTED}
2599
SHELLS="${ROOTDIR}bin/sh ${ROOTDIR}bin/bash"
2600
2601
if [ -r ${ROOTDIR}etc/shells ]; then
2602
SHELLS="`cat ${ROOTDIR}etc/shells | ${egrep} -v '^#'`";
2603
fi
2604
2605
if [ -r ${ROOTDIR}etc/inetd.conf ]; then
2606
for CHK_SHELL in ${SHELLS}; do
2607
cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null
2608
if [ ${?} -ne 1 ]; then
2609
if [ "${EXPERT}" = "t" ]; then
2610
echo "Backdoor shell record(s) in /etc/inetd.conf: "
2611
cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*"
2612
fi
2613
STATUS=${INFECTED}
2614
fi
2615
done
2616
return ${STATUS}
2617
else
2618
return ${NOT_FOUND}
2619
fi
2620
2621
}
2622
2623
chk_telnetd () {
2624
STATUS=${NOT_INFECTED}
2625
TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]'
2626
CMD=`loc telnetd telnetd $pth`
2627
2628
if [ ${?} -ne 0 ]; then
2629
CMD=`loc in.telnetd in.telnetd $pth`
2630
if [ ${?} -ne 0 ]; then
2631
return ${NOT_FOUND}
2632
fi
2633
fi
2634
2635
if [ "${EXPERT}" = "t" ]; then
2636
expertmode_output "${strings} -a ${CMD}"
2637
return 5
2638
fi
2639
2640
if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
2641
>/dev/null 2>&1
2642
then
2643
STATUS=${INFECTED}
2644
fi
2645
return ${STATUS}
2646
}
2647
2648
printn ()
2649
{
2650
printf="use printf"
2651
printf_fmt="%-60s"
2652
2653
if [ ! "$PRINTF_BIN" ]; then
2654
# This is first time call to use. Check environment and
2655
# define this global.
2656
2657
PRINTF_BIN=`which printf 2> /dev/null`
2658
2659
# Set to dummy, if not found
2660
[ ! "$PRINTF_BIN" ] && PRINTF_BIN="not exists"
2661
2662
# We're done, and won't enter this if-case any more
2663
fi
2664
2665
# Some messages are continued, so don't use printf
2666
case "$1" in
2667
*exec*|*bogus*) printf="" ;;
2668
esac
2669
2670
if [ "$PRINTF_BIN" ] && [ "$printf" ]; then
2671
$PRINTF_BIN "$printf_fmt" "$1"
2672
else
2673
if `${echo} "a\c" | ${egrep} c >/dev/null 2>&1` ; then
2674
${echo} -n "$1"
2675
else
2676
${echo} "${1}\c"
2677
fi
2678
fi
2679
}
2680
2681
# main
2682
#
2683
2684
2685
### using regexps, as the `-w' option to grep/egrep is not portable.
2686
L_REGEXP='(^|[^A-Za-z0-9_])'
2687
R_REGEXP='([^A-Za-z0-9_]|$)'
2688
2689
### default ROOTDIR is "/"
2690
ROOTDIR='/'
2691
2692
while :
2693
do
2694
case $1 in
2695
-r) shift
2696
ROOTDIR=$1;;
2697
2698
-p) shift
2699
CHKRKPATH=$1;;
2700
2701
-d) DEBUG=t;;
2702
2703
-x) EXPERT=t;;
2704
2705
-e) shift
2706
EXCLUDES="$1 $EXCLUDES";;
2707
2708
-q) QUIET=t
2709
QUIET_ARG="-q"
2710
;;
2711
2712
-V) echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}"
2713
exit 1;;
2714
2715
-l) echo >&2 "$0: tests: ${TOOLS} ${TROJAN}"
2716
exit 1;;
2717
2718
-n) tnfs;;
2719
2720
-h | -*) echo >&2 "Usage: $0 [options] [test ...]
2721
Options:
2722
-h show this help and exit
2723
-V show version information and exit
2724
-l show available tests and exit
2725
-d debug
2726
-q quiet mode
2727
-x expert mode
2728
-e exclude known false positive files/dirs, quoted,
2729
space separated, READ WARNING IN README
2730
-r dir use dir as the root directory
2731
-p dir1:dir2:dirN path for the external commands used by chkrootkit
2732
-n skip NFS mounted dirs"
2733
exit 1;;
2734
*) break
2735
esac
2736
2737
shift
2738
done
2739
2740
### check the external commands needed
2741
2742
cmdlist="
2743
awk
2744
cut
2745
echo
2746
egrep
2747
find
2748
head
2749
id
2750
ls
2751
netstat
2752
ps
2753
sed
2754
ssh
2755
strings
2756
uname
2757
"
2758
2759
### PATH used by loc
2760
pth=`echo $PATH | sed -e "s/:/ /g"`
2761
pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ."
2762
2763
### external command's PATH
2764
if [ "${CHKRKPATH}" = "" ]; then
2765
chkrkpth=${pth}
2766
else
2767
### use the path provided with the -p option
2768
chkrkpth=`echo ${CHKRKPATH} | sed -e "s/:/ /g"`
2769
fi
2770
echo=echo
2771
for file in $cmdlist; do
2772
xxx=`loc $file $file $chkrkpth`
2773
eval $file=$xxx
2774
case "$xxx" in
2775
/* | ./* | ../*)
2776
2777
if [ ! -x "${xxx}" ]
2778
then
2779
echo >&2 "chkrootkit: can't exec \`$xxx'."
2780
exit 1
2781
fi
2782
;;
2783
*)
2784
echo >&2 "chkrootkit: can't find \`$file'."
2785
exit 1
2786
;;
2787
esac
2788
done
2789
2790
2791
SYSTEM=`${uname} -s`
2792
VERSION=`${uname} -r`
2793
if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then
2794
V=4.4
2795
else
2796
V=`echo $VERSION| ${sed} -e 's/[-_@].*//'| ${awk} -F . '{ print $1 "." $2 $3 }'`
2797
fi
2798
2799
# head command
2800
_head()
2801
{
2802
if `$echo a | $head -n 1 >/dev/null 2>&1` ; then
2803
$head -n `echo $1 | tr -d "-"`
2804
else
2805
$head $1
2806
fi
2807
}
2808
# ps command
2809
ps_cmd="ax"
2810
if [ "$SYSTEM" = "SunOS" ]; then
2811
if [ "${CHKRKPATH}" = "" ]; then
2812
if [ -x /usr/ucb/ps ]; then
2813
ps="/usr/ucb/ps"
2814
else
2815
ps_cmd="-fe"
2816
fi
2817
else
2818
### -p is in place: use `-fe' as ps options
2819
ps_cmd="-fe"
2820
fi
2821
fi
2822
# Check if ps command is ok
2823
if ${ps} ax >/dev/null 2>&1 ; then
2824
ps_cmd="ax"
2825
else
2826
ps_cmd="-fe"
2827
fi
2828
2829
if [ `${id} | ${cut} -d= -f2 | ${cut} -d\( -f1` -ne 0 ]; then
2830
echo "$0 need root privileges"
2831
exit 1
2832
fi
2833
2834
if [ $# -gt 0 ]
2835
then
2836
### perform only tests supplied as arguments
2837
for arg in $*
2838
do
2839
### check if is a valid test name
2840
if echo "${TROJAN} ${TOOLS}"| \
2841
${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1
2842
then
2843
echo >&2 "$0: \`$arg': not a known test"
2844
exit 1
2845
fi
2846
done
2847
LIST=$*
2848
else
2849
### this is the default: perform all tests
2850
LIST="${TROJAN} ${TOOLS}"
2851
fi
2852
2853
if [ "${DEBUG}" = "t" ]; then
2854
set -x
2855
fi
2856
2857
if [ "${ROOTDIR}" != "/" ]; then
2858
2859
### remove trailing `/'
2860
ROOTDIR=`echo ${ROOTDIR} | ${sed} -e 's/\/*$//g'`
2861
2862
for dir in ${pth}
2863
do
2864
if echo ${dir} | ${egrep} '^/' > /dev/null 2>&1
2865
then
2866
newpth="${newpth} ${ROOTDIR}${dir}"
2867
else
2868
newpth="${newpth} ${ROOTDIR}/${dir}"
2869
fi
2870
done
2871
pth=${newpth}
2872
ROOTDIR="${ROOTDIR}/"
2873
fi
2874
2875
if [ "${QUIET}" != "t" ]; then
2876
echo "ROOTDIR is \`${ROOTDIR}'"
2877
fi
2878
2879
2880
for cmd in ${LIST}
2881
do
2882
2883
if echo "${TROJAN}" | \
2884
${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1
2885
then
2886
if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
2887
printn "Checking \`${cmd}'... "
2888
fi
2889
chk_${cmd}
2890
STATUS=$?
2891
2892
### quiet mode
2893
if [ "${QUIET}" = "t" ]; then
2894
### show only INFECTED status
2895
if [ ${STATUS} -eq 0 ]; then
2896
echo "Checking \`${cmd}'... INFECTED"
2897
fi
2898
continue
2899
fi
2900
2901
case $STATUS in
2902
0) echo "INFECTED";;
2903
1) echo "not infected";;
2904
2) echo "not tested";;
2905
3) echo "not found";;
2906
4) echo "infected but disabled";;
2907
5) ;; ### expert mode
2908
esac
2909
else
2910
### external tool
2911
if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
2912
printn "Checking \`$cmd'... "
2913
fi
2914
${cmd}
2915
2916
fi
2917
done
2918
exit 0
2919
### chkrootkit ends here.
Loggerhead is a web-based interface for Breezy
Version: 2.0.1