# $Id: chkrootkit, v 0.50 2014/05/25
# Release of chkrootkit this script belongs to (matches the $Id line above).
CHKROOTKIT_VERSION="0.50"
# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
# Klaus Steding-Jessen <jessen@cert.br>
# (c)1997-2014 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
### workaround for some Bourne shell implementations: drop any alias a
### caller may have defined for the commands this script relies on, so the
### real programs are executed.  Errors (alias not defined) are ignored.
for i in login ls netstat ps dirname; do
  unalias "$i" > /dev/null 2>&1
done
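# The helper binaries (./chkproc, ./chkdirs, ./ifpromisc, ./chkwtmp,
# ./chkutmp, ./chklastlog, ./check_wtmpx) are all invoked relative to the
# working directory, so it must be the helper directory.  If the cd fails,
# abort instead of silently running "./chkproc" etc. from whatever directory
# the caller happened to be in.
cd /usr/lib/chkrootkit || {
  echo "chkrootkit: cannot cd to /usr/lib/chkrootkit" >&2
  exit 1
}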
# Workaround for recent GNU coreutils: advertise the 1992 POSIX.2 level so
# that old-style option forms such as "head -1" (used further down) keep
# being accepted.  Exported so every child process sees it.
_POSIX2_VERSION="199209"
export _POSIX2_VERSION
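# Name of the kernel symbol table file under /proc.  The LKM checks open it
# as /proc/$KALLSYMS, so this must be a bare file name, not an absolute
# path: the previous value "/proc/kallsyms" made those checks look for
# "/proc//proc/kallsyms", which never exists, and the adore/sebek tests
# were silently skipped.  2.4-era kernels export the table as /proc/ksyms
# (the old test probed the misspelled /proc/ksysm and never matched).
KALLSYMS="kallsyms"
[ -f /proc/ksyms ] && KALLSYMS="ksyms"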
# Space-separated list of the per-command trojan checks.  Most entries are
# program names; a few (inetdconf, ldsopreload) are presumably names of
# configuration checks rather than binaries — verify against the check
# implementations, which are not on this page.
TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep env \
find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall \
ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 ps \
pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd tcpdump top \
telnetd timed traceroute vdir w write"
# Space-separated list of the additional (non per-command) checks, such as
# the rootkit/worm file searches and the LKM and sniffer tests.
TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper \
z2 chkutmp OSX_RSPLUG"
# Result code for a trojaned-but-disabled finding; the sibling result codes
# (e.g. the NOT_INFECTED returned by the checks below) are defined off this
# page — keep this value consistent with them.
INFECTED_BUT_DISABLED="4"
# Many trojaned commands have this label: an egrep (ERE) pattern that is
# matched against the strings found in a binary.  Single-quoted so the
# backslash and the "$" anchors are passed to egrep untouched.
GENERIC_ROOTKIT_LABEL='^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer'
######################################################################
W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r"
for i in ${W55808_FILES}; do
if [ ${STATUS} -eq 1 ] ;then
echo "Warning: Possible 55808 Worm installed"
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
OSX_RSPLUG_FILES='/Library/Internet Plug-Ins/QuickTime.xpt;/Library/Internet Plug-Ins/plugins.settings'
#echo checking ${OSX_RSPLUG_FILES}
for i in ${OSX_RSPLUG_FILES} ; do
#echo searching for "${i}"
if [ -e "${i}" ] ; then
if [ ${STATUS} -eq 1 ] ;then
echo "Warning: OSX.RSPlug.A Trojan Horse found"
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
# SLAPPER.{A,B,C,D} and the multi-platform variant
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
[ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
$egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
for i in ${SLAPPER_FILES}; do
file_port="$file_port $i"
if [ ${STATUS} -eq 1 ] ;then
echo "Warning: Possible Slapper Worm installed ($file_port)"
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then
for i in ${SCALPER_FILES}; do
if [ ${STATUS} -eq 1 ] ;then
echo "Warning: Possible Scalper Worm installed"
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
STATUS=${NOT_INFECTED}
CMD=`loc asp asp $pth`
if [ "${EXPERT}" = "t" ]; then
expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
expertmode_output "${strings} -a ${CMD}"
if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then
echo "Warning: Possible Ramen Worm installed in inetd.conf"
if [ ${CMD} = "asp" -o ${CMD} = "${ROOTDIR}asp" ]; then
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
return ${NOT_INFECTED}
if [ "${ROOTDIR}" != "/" ]; then
if [ "$SYSTEM" = "SunOS" ]; then
if [ "${EXPERT}" = "t" ]; then
expertmode_output "./ifpromisc" -v
if [ ! -x ./ifpromisc ]; then
echo "not tested: can't exec ./ifpromisc"
[ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
if [ ! -x ./chkutmp ]; then
echo "not tested: can't exec ./chkutmp"
if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
if [ ! -x ./chklastlog ]; then
echo "not tested: can't exec ./chklastlog"
WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
if [ ! -f $WTMP -a ! -f $LASTLOG ]; then
echo "not tested: not found wtmp and/or lastlog file"
if [ "${EXPERT}" = "t" ]; then
expertmode_output "./chklastlog ${QUIET_ARG} -f ${WTMP} -l ${LASTLOG}"
if ./chklastlog ${QUIET_ARG} -f ${WTMP} -l ${LASTLOG}
if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
if [ ! -x ./chkwtmp ]; then
echo "not tested: can't exec ./chkwtmp"
if [ "$SYSTEM" = "SunOS" ]; then
if [ ! -x ./check_wtmpx ]; then
echo "not tested: can't exec ./check_wtmpx"
if [ "${EXPERT}" = "t" ]; then
expertmode_output "./check_wtmpx"
if [ -f ${ROOTDIR}var/adm/wtmp ]; then
if [ "${QUIET}" != "t" ]; then \
echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
if [ "${EXPERT}" = "t" ]; then
expertmode_output "./chkwtmp -f ${WTMP}"
if ./chkwtmp -f ${WTMP}
if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
if [ "${ROOTDIR}" != "/" ]; then
if [ "${EXPERT}" = "t" ]; then
expertmode_output "${netstat} ${OPT}"
for P in `echo $PORT | ${sed} 's/|/ /g'`; do
if ${netstat} "${OPT}" | ${egrep} "^tcp.*LIST|^udp" | ${egrep} \
"[.:]${P}[^0-9.:]" >/dev/null 2>&1
echo "INFECTED (PORTS: $PI)"
if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
`echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
[ -x ./chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="./chkproc"
[ -x ./chkdirs ] && prog="$prog ./chkdirs"
if [ "$prog" = "" ]; then
echo "not tested: can't exec $prog"
if [ "${EXPERT}" = "t" ]; then
[ -r /proc/$KALLSYMS ] && ${egrep} -i "adore|sebek" < /proc/$KALLSYMS 2>/dev/null
[ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
[ "${SYSTEM}" = "SunOS" ] && PV=0
expertmode_output "./chkproc -v -v -p $PV"
[ -r /proc/$KALLSYMS ] && \
if `${egrep} -i adore < /proc/$KALLSYMS >/dev/null 2>&1`; then
echo "Warning: Adore LKM installed"
### sebek LKM (Adore based)
[ -r /proc/$KALLSYMS ] && \
if `${egrep} -i sebek < /proc/$KALLSYMS >/dev/null 2>&1`; then
echo "Warning: Sebek LKM installed"
if [ -d /proc/knark ]; then
echo "Warning: Knark LKM installed"
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
[ "${SYSTEM}" = "SunOS" ] && PV=0
if [ "${DEBUG}" = "t" ]; then
${echo} "*** PV=$PV ***"
if ./chkproc -p ${PV}; then
if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
echo "chkproc: Warning: Possible LKM Trojan installed"
for i in /usr/share /usr/bin /usr/sbin /lib; do
[ -d $i ] && dirs="$dirs $i"
if ./chkdirs $dirs; then
if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
echo "chkdirs: Warning: Possible LKM Trojan installed"
if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a `id -u` = "0" -a -d "/root" ]; then
if [ "${EXPERT}" = "t" ]; then
FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
expertmode_output "${find} ${ROOTDIR}dev -type f"
expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"
expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8"
expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'"
expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk"
expertmode_output "${find} ${ROOTDIR}usr/lib/dy0"
expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277"
expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/"
for i in ${FILES}; do
expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
[ -d ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
[ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. "
[ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx
[ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd
[ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb
[ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so
expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
.linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \
-wholename ${ROOTDIR}usr/lib/in.pop3d"
expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \
ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn"
[ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib"
[ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
[ -d ${ROOTDIR}usr/local/lib ] && \
LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
expertmode_output "${find} ${LIBS} -name libproc.a"
expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh
expertmode_output "${find} ${ROOTDIR}dev -name ptyxx"
expertmode_output "${find} ${ROOTDIR}usr/doc -name '... '"
expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'"
expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit"
expertmode_output "${find} ${ROOTDIR}sbin -name pback"
expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null"
expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null"
expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \
autod.o -o -name soundx.o 2> /dev/null"
expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \
-name ct -o -name snick -o -name kfl"
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
[ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
for j in ${CGIDIR}; do
for i in ${BACKDOORS}; do
[ -f ${j}/${i} ] && echo ${j}/${i}
expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \
-o -name n3tstat -o -name chsh2"
expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha"
expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \
${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/"
expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \
-o -name frgy -o -name sy"
expertmode_output "${find} ${ROOTDIR}usr/bin -type d -name dir"
expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind"
expertmode_output "${find} ${ROOTDIR}dev -name chr"
expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \
-o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \
-o -name ldu -o -name lnetstat"
expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du"
expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \
-name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \
expertmode_output "${find} ${ROOTDIR}usr/lib/lib"
expertmode_output "${find} ${ROOTDIR}usr/lib/libt"
### suspicious files and dirs
suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk"
DIR=${ROOTDIR}usr/lib
[ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man"
[ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib"
[ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib"
expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'"
expertmode_output "${find} ${DIR} -type d -name '.*'"
expertmode_output "${find} ${DIR} -name '...*'"
expertmode_output "${ls} ${suspects}"
expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc"
expertmode_output "${find} ${ROOTDIR}usr/src/.poop \
${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp"
expertmode_output "${find} ${ROOTDIR}dev/cuc"
expertmode_output "${find} ${ROOTDIR}lib/defs"
expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \
${ROOTDIR}usr/lib/.wormie \
${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \
${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \
${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \
${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h"
expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf"
expertmode_output "${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct"
expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot"
### OpenBSD rootkit v1
if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ]
expertmode_output "${find} ${ROOTDIR}usr/lib/security"
expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c"
expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \
${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \
${ROOTDIR}usr/include/syslogs.h"
${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
expertmode_output "cat ${ROOTDIR}dev/.golf"
expertmode_output "${ls} ${ROOTDIR}usr/bin/volc"
expertmode_output "${find} ${ROOTDIR}usr/lib/volc"
expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit"
expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \
${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb"
expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd"
expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*"
expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash"
expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh"
expertmode_output "${find} ${ROOTDIR}dev -name tux"
expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout"
expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \
-name iceconf.h -o -name iceseed.h"
expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \
${ROOTDIR}usr/include -name xc -o -name .lib -o name ivtype.h"
expertmode_output "${find} ${ROOTDIR}usr/include/. ."
expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3"
for i in `$echo ${PATH}|tr -s ':' ' '`; do
expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor"
expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
## SSJD Operation Windigo (Linux/Ebury)
expertmode_output "${ssh} -G 2>&1 | grep -e illegal -e unknow"
## Common SSH-SCANNERS
expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
### shell history file check
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
\( -links 2 -o -type l \)"
### expert mode ends here
### suspicious files and sniffer's logs
suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \
usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \
tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \
usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \
etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin"
dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \
var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so"
files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
if [ "${files}" != "" ]; then
if [ -d ${ROOTDIR}${i} ]; then
echo "Suspect directory ${i} FOUND! Looking for sniffer logs"
files=`${find} ${ROOTDIR}${i}`
for i in ${suspects}; do
if [ -f ${ROOTDIR}${i} ]; then
echo "${ROOTDIR}${i} "
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for sniffer's logs, it may take a while... "; fi
files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
if [ "${files}" = "" ]
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace
if [ "${QUIET}" != "t" ]; then \
printn "Searching for rootkit $rkname's default files... "; fi
if [ -r ${ROOTDIR}${f} ]; then
for exclude in $EXCLUDES; do
if [ /${f} = $exclude ]; then continue 2; fi
bad="$bad ${ROOTDIR}$f";
if [ -d ${ROOTDIR}${d} ]; then
for exclude in $EXCLUDES; do
if [ /${d} = $exclude ]; then continue 2; fi
bad="$bad ${ROOTDIR}$d";
if [ "$bad" != "" ]; then
echo "Possible $rkname rootkit installed:"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
lookfor_rootkit "HiDrootkit" "" "var/lib/games/.k"
lookfor_rootkit "t0rn" "etc/ttyhash sbin/xlogin lib/ldlib.tk" \
"usr/src/.puta usr/info/.t0rn"
if [ "${QUIET}" != "t" ]; then \
printn "Searching for t0rn's v8 defaults... "; fi
[ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib
[ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
[ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \
"$SYSTEM" != "FreeBSD" ]
echo "Possible t0rn v8 (or variation) rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
lookfor_rootkit "Lion" "bin/in.telnetd bin/mjy" "usr/info/.torn dev/.lib"
lookfor_rootkit "RSHA" "bin/kr4p usr/bin/n3tstat usr/bin/chsh2 \
usr/bin/slice2 usr/src/linux/arch/alpha/lib/.lib/.1proc \
etc/rc.d/arch/alpha/lib/.lib/.1addr" "etc/rc.d/rsha \
etc/rc.d/arch/alpha/lib/.lib"
### RH-Sharpe rootkit
lookfor_rootkit "RH-Sharpe" "bin/lps usr/bin/lpstree \
usr/bin/ltop usr/bin/lkillall usr/bin/ldu \
usr/bin/lnetstat usr/bin/wp usr/bin/shad \
usr/bin/vadim usr/bin/slice usr/bin/cleaner \
usr/include/rpcsvc/du" ""
if [ "${QUIET}" != "t" ]; then printn \
"Searching for Ambient's rootkit (ark) default files and dirs... "; fi
if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \
-d ${ROOTDIR}usr/doc/"... " ]; then
echo "Possible Ambient's rootkit (ark) installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
### suspicious files and dirs
DIR="${ROOTDIR}usr/lib"
[ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man"
[ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib"
if [ "${QUIET}" != "t" ]; then printn \
"Searching for suspicious files and dirs, it may take a while... "; fi
files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"`
dirs=`${find} ${DIR} -type d -name ".*"`
if [ "${files}" = "" -a "${dirs}" = "" ]
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "The following suspicious files and directories were found:"
if [ -n "${EXCLUDES}" ]; then
for name in $files; do
for exclude in $EXCLUDES; do
if [ $name = $exclude ]; then continue 2; fi
for name in $dirs; do
for exclude in $EXCLUDES; do
if [ $name = $exclude ]; then continue 2; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for LPD Worm files and dirs... "; fi
if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \
${egrep} '^[[:space:]]*666[[:space:]]' ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
echo "Possible LPD worm installed"
elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \
-f ${ROOTDIR}bin/.login ]; then
echo "Possible LPD worm installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for Ramen Worm files and dirs... "; fi
if [ -d ${ROOTDIR}usr/src/.poop -o -f \
${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ]
echo "Possible Ramen worm installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for Maniac files and dirs... "; fi
files=`${find} ${ROOTDIR}usr/bin -name mailrc`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for RK17 files and dirs... "; fi
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
[ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \
${find} ${ROOTDIR}sbin -name pback && \
${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \
${find} ${ROOTDIR}proc -name kset 2> /dev/null && \
${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \
${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2> /dev/null`
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
for j in ${CGIDIR}; do
for i in ${BACKDOORS}; do
[ -f ${j}/${i} ] && files="${files} ${j}/${i}"
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for Ducoci rootkit... "; fi
files=`${find} ${CGIDIR} -name last.cgi`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi
files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \
-name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null`
[ "${files}" != "" ] && echo ${files}
if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi
files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \
${find} ${ROOTDIR}usr/bin -type d -name dir || \
${find} ${ROOTDIR}usr/sbin -name in.slogind`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi
files=`${find} ${ROOTDIR}dev -name chr`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
### China Worm (Sadmind/IIS Worm)
if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi
files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi
files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi
if [ -d ${ROOTDIR}usr/lib/.egcs ] || \
[ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \
[ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \
[ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \
[ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \
[ -f ${ROOTDIR}usr/include/chk.h ]; then
echo "Warning: Possible Showtee Rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi
files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi
files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi
files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
### OpenBSD rootkit v1
if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi
files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi
files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi
for i in file.h proc.h addr.h syslogs.h; do
if [ -f ${ROOTDIR}usr/include/${i} ]; then
files="$files ${ROOTDIR}usr/include/$i"
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then
if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... "; fi
if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then
echo "Warning: /etc/rc.d/init.d/network INFECTED"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ -f ${ROOTDIR}sbin/init ]; then
if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} 'HOME=' || \
cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
echo "Warning: ${ROOTDIR}sbin/init INFECTED"
if [ -d ${ROOTDIR}/dev/.golf ]; then
echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi
if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then
echo "Warning: Possible Volc rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi
if [ -f ${ROOTDIR}usr/bin/ishit ] ; then
echo "Warning: Possible Gold2 rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for TC2 Worm default files and dirs... "; fi
if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \
-f ${ROOTDIR}usr/sbin/initcheck -o -f ${ROOTDIR}usr/sbin/ldb ]
echo "Possible TC2 Worm installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
### ANONOYING Rootkit
if [ "${QUIET}" != "t" ]; then \
printn "Searching for Anonoying rootkit default files and dirs... "; fi
if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then
echo "Possible anonoying rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then \
printn "Searching for ZK rootkit default files and dirs... "; fi
if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
echo "Possible ZK rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for ShKit rootkit default files and dirs... "; fi
if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then
echo "Possible ShKit rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for AjaKit rootkit default files and dirs... "; fi
if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then
echo "Possible AjaKit rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for zaRwT rootkit default files and dirs... "; fi
if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then
echo "Possible zaRwT rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for Madalin rootkit default files... "; fi
D=${ROOTDIR}usr/include
if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then
echo "Possible Madalin rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for Fu rootkit default files... "; fi
if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \
-f ${ROOTDIR}usr/include/ivtype.h ]; then
echo "Possible Fu rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for ESRK rootkit default files... "; fi
if [ -d "${ROOTDIR}/usr/lib/tcl5.3" ]; then
echo "Possible ESRK rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for rootedoor... "; fi
for i in `$echo $PATH|tr -s ':' ' '`; do
if [ -f "${ROOTDIR}${i}/rootedoor" ]; then
echo "Possible rootedoor installed in ${ROOTDIR}${i}"
[ "${found}" = "0" ] &&\
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
if [ "${QUIET}" != "t" ]; then
printn "Searching for ENYELKM rootkit default files... "; fi
if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then
echo "Possible ENYELKM rootkit installed"
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
## Common SSH-SCANNERS
if [ "${QUIET}" != "t" ]; then
printn "Searching for common ssh-scanners default files... "; fi
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`"
1140
if [ "${files}" = "" ]; then
1141
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1146
## SSJD Operation Windigo (Linux/Ebury)
1147
if [ "${QUIET}" != "t" ]; then
1148
printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi
1149
if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
1150
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1152
echo "Possible Linux/Ebury - Operation Windigo installetd"
1155
## 64-bit Linux Rootkit
1156
if [ "${QUIET}" != "t" ]; then
1157
printn "Searching for 64-bit Linux Rootkit ... "; fi
1158
if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \
1159
${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then
1160
echo "Possible 64-bit Linux Rootkit"
1162
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1165
if [ "${QUIET}" != "t" ]; then
1166
printn "Searching for 64-bit Linux Rootkit modules... "; fi
1167
files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`"
1168
if [ "${files}" = "" ]; then
1169
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1177
### Suspect PHP files
1179
if [ "${QUIET}" != "t" ]; then
1180
printn "Searching for suspect PHP files... "; fi
1181
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
1182
if [ `echo abc | head -n 1` = "abc" ]; then
1183
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec sh -c 'head -n 1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;`"
1185
fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec sh -c 'head -1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;`"
1187
if [ "${files}" = "" -a "${fileshead}" = "" ]; then
1188
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1196
### shell history anomalies
1198
if [ "${QUIET}" != "t" ]; then \
1199
printn "Searching for anomalies in shell history files... "; fi
1201
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
1202
files=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' -size 0`
1203
[ ! -z "${files}" ] && \
1204
echo "Warning: \`${files}' file size is zero"
1205
files1=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' \( -links 2 -o -type l \)`
1206
[ ! -z "${files1}" ] && \
1207
echo "Warning: \`${files1}' is linked to another file"
1209
if [ -z "${files}" -a -z "${files1}" ]; then
1210
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
1214
######################################################################
1219
### usage: loc filename filename_to_return_if_nothing_was_found path
1227
if test -d $dir/$thing; then
1233
for thisthing in $dir/$thing; do
1236
if test -f $thisthing; then
1243
if [ "${ROOTDIR}" = "/" ]; then
1246
echo "${ROOTDIR}${dflt}"
1253
RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
1254
${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
1255
${awk} '{ print $5 }'`
1257
if [ -n "${RUNNING}" ]; then
1258
for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
1270
expertmode_output() {
1272
echo "### Output of: $1"
1283
## Check if -fstype nfs works
1285
if find /etc -maxdepth 0 >/dev/null 2>&1; then
1286
find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
1287
findargs=" -fstype nfs -prune -o "
1288
elif find /etc -prune > /dev/null 2>&1; then
1289
find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
1290
findargs=" -fstype nfs -prune -o "
1294
######################################################################
1298
STATUS=${NOT_INFECTED}
1299
CMD=`loc chfn chfn $pth`
1300
[ ${?} -ne 0 ] && return ${NOT_FOUND}
1302
if [ "${EXPERT}" = "t" ]; then
1303
expertmode_output "${strings} -a ${CMD}"
1309
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1315
[ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2
1316
if [ `${strings} -a ${CMD} | \
1317
${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1326
STATUS=${NOT_INFECTED}
1327
CMD=`loc chsh chsh $pth`
1328
[ ${?} -ne 0 ] && return ${NOT_FOUND}
1330
REDHAT_PAM_LABEL="*NOT*"
1332
if [ "${EXPERT}" = "t" ]; then
1333
expertmode_output "${strings} -a ${CMD}"
1339
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1342
if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
1351
[ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
1352
if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1361
STATUS=${NOT_INFECTED}
1362
CMD=`loc login login $pth`
1365
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1369
if [ "${EXPERT}" = "t" ]; then
1370
expertmode_output "${strings} -a ${CMD}"
1374
if [ "$SYSTEM" = "SunOS" ]; then
1375
TROJED_L_L="porcao|/bin/xstat"
1376
if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then
1379
return ${NOT_TESTED}
1383
TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola"
1384
ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
1385
if [ ${ret} -gt 0 ]; then
1387
1) [ "${SYSTEM}" = "OpenBSD" -a `echo $V | ${awk} '{ if ($1 < 2.7 ||
1388
$1 >= 3.0) print 1; else print 0}'` -eq 1 ] && \
1389
STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
1390
2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \
1391
"OpenBSD" -a `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
1392
6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
1393
*) STATUS=${INFECTED};;
1396
if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null
1404
STATUS=${NOT_INFECTED}
1405
CMD=`loc passwd passwd $pth`
1407
if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then
1408
CMD="${ROOTDIR}usr/bin/passwd"
1410
if [ ! -r "${CMD}" ]
1412
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1416
if [ "${EXPERT}" = "t" ]; then
1417
expertmode_output "${strings} -a ${CMD}"
1420
if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" -o "${SYSTEM}" \
1423
return ${NOT_TESTED}
1425
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
1434
STATUS=${NOT_INFECTED}
1437
if [ ! -r ${CMD} -o ${CMD} = '/' ]
1439
return ${NOT_TESTED}
1442
if [ "${EXPERT}" = "t" ]; then
1443
expertmode_output "${strings} -a ${CMD}"
1447
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1456
STATUS=${NOT_INFECTED}
1457
SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h"
1458
CMD=`loc syslogd syslogd $pth`
1462
return ${NOT_TESTED}
1465
if [ "${EXPERT}" = "t" ]; then
1466
expertmode_output "${strings} -a ${CMD}"
1470
if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
1478
STATUS=${NOT_INFECTED}
1479
HDPARM_INFECTED_LABEL="/dev/ida"
1480
CMD=`loc hdparm hdparm $pth`
1486
if [ "${EXPERT}" = "t" ]; then
1487
expertmode_output "${strings} -a ${CMD}"
1491
if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
1500
STATUS=${NOT_INFECTED}
1501
GPM_INFECTED_LABEL="mingetty"
1502
CMD=`loc gpm gpm $pth`
1508
if [ "${EXPERT}" = "t" ]; then
1509
expertmode_output "${strings} -a ${CMD}"
1513
if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
1522
STATUS=${NOT_INFECTED}
1523
MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
1524
CMD=`loc mingetty mingetty $pth`
1530
if [ "${EXPERT}" = "t" ]; then
1531
expertmode_output "${strings} -a ${CMD}"
1535
if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
1544
STATUS=${NOT_INFECTED}
1545
SENDMAIL_INFECTED_LABEL="fuck"
1546
CMD=`loc sendmail sendmail $pth`
1552
if [ "${EXPERT}" = "t" ]; then
1553
expertmode_output "${strings} -a ${CMD}"
1557
if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
1566
STATUS=${NOT_INFECTED}
1567
LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
1568
CMD=`loc ls ls $pth`
1571
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1575
if [ "${EXPERT}" = "t" ]; then
1576
expertmode_output "${strings} -a ${CMD}"
1580
if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
1588
STATUS=${NOT_INFECTED}
1589
DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
1590
CMD=`loc du du $pth`
1593
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1597
if [ "${EXPERT}" = "t" ]; then
1598
expertmode_output "${strings} -a ${CMD}"
1602
if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
1610
STATUS=${NOT_INFECTED}
1611
NAMED_I_L="blah|bye"
1612
CMD=`loc named named $pth`
1614
if [ ! -r "${CMD}" ]; then
1615
CMD=`loc in.named in.named $pth`
1616
if [ ! -r "${CMD}" ]; then
1621
if [ "${EXPERT}" = "t" ]; then
1622
expertmode_output "${strings} -a ${CMD}"
1626
if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
1635
STATUS=${NOT_INFECTED}
1636
NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
1637
CMD=`loc netstat netstat $pth`
1640
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1644
if [ "${EXPERT}" = "t" ]; then
1645
expertmode_output "${strings} -a ${CMD}"
1649
if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
1658
STATUS=${NOT_INFECTED}
1659
PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\
1660
/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so"
1661
CMD=`loc ps ps $pth`
1664
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1668
if [ "${EXPERT}" = "t" ]; then
1669
expertmode_output "${strings} -a ${CMD}"
1673
if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
1681
STATUS=${NOT_INFECTED}
1682
PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h"
1684
CMD=`loc pstree pstree $pth`
1685
if [ ! -r "${CMD}" ]
1690
if [ "${EXPERT}" = "t" ]; then
1691
expertmode_output "${strings} -a ${CMD}"
1695
if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
1703
STATUS=${NOT_INFECTED}
1704
CRONTAB_I_L="crontab.*666"
1706
CMD=`loc crontab crontab $pth`
1713
if [ "${EXPERT}" = "t" ]; then
1714
expertmode_output "${CMD} -l -u nobody"
1717
# Slackware's crontab has a bug
1718
if ( ${CMD} -l -u nobody | $egrep [0-9] ) >/dev/null 2>&1 ; then
1719
${echo} "Warning: crontab for nobody found, possible Lupper.Worm... "
1720
if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
1729
STATUS=${NOT_INFECTED}
1730
TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit"
1732
CMD=`loc top top $pth`
1739
if [ "${EXPERT}" = "t" ]; then
1740
expertmode_output "${strings} -a ${CMD}"
1744
if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1752
STATUS=${NOT_INFECTED}
1753
TOP_INFECTED_LABEL="/dev/pty[pqrs]"
1754
CMD=`loc pidof pidof $pth`
1761
if [ "${EXPERT}" = "t" ]; then
1762
expertmode_output "${strings} -a ${CMD}"
1766
if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1774
STATUS=${NOT_INFECTED}
1775
TOP_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h"
1776
CMD=`loc killall killall $pth`
1783
if [ "${EXPERT}" = "t" ]; then
1784
expertmode_output "${strings} -a ${CMD}"
1788
if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1796
STATUS=${NOT_INFECTED}
1797
CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a"
1799
if [ "${SYSTEM}" = "Linux" ]
1801
if [ ! -x ./strings-static ]; then
1802
printn "can't exec ./strings-static, "
1803
return ${NOT_TESTED}
1806
if [ "${EXPERT}" = "t" ]; then
1807
expertmode_output "./strings-static -a ${CMD}"
1811
### strings must be a statically linked binary.
1812
if ./strings-static -a ${CMD} > /dev/null 2>&1
1817
STATUS=${NOT_TESTED}
1823
STATUS=${NOT_INFECTED}
1824
CMD=`loc basename basename $pth`
1827
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1831
if [ "${EXPERT}" = "t" ]; then
1832
expertmode_output "${strings} -a ${CMD}"
1833
expertmode_output "${ls} -l ${CMD}"
1836
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1841
[ "$SYSTEM" != "OSF1" ] &&
1843
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1852
STATUS=${NOT_INFECTED}
1853
CMD=`loc dirname dirname $pth`
1856
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1860
if [ "${EXPERT}" = "t" ]; then
1861
expertmode_output "${strings} -a ${CMD}"
1862
expertmode_output "${ls} -l ${CMD}"
1865
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1869
if ${ls} -l ${MD} | ${egrep} "^...s" > /dev/null 2>&1
1877
STATUS=${NOT_INFECTED}
1878
CMD=`loc traceroute traceroute $pth`
1880
if [ ! -r "${CMD}" ]
1885
if [ "${EXPERT}" = "t" ]; then
1886
expertmode_output "${strings} -a ${CMD}"
1890
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1898
STATUS=${NOT_INFECTED}
1899
CMD=`loc rpcinfo rpcinfo $pth`
1901
if [ ! -r "${CMD}" ]
1906
if [ "${EXPERT}" = "t" ]; then
1907
expertmode_output "${strings} -a ${CMD}"
1908
expertmode_output "${ls} -l ${CMD}"
1912
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1916
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1924
STATUS=${NOT_INFECTED}
1926
CMD=`loc date date $pth`
1929
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1933
if [ "${EXPERT}" = "t" ]; then
1934
expertmode_output "${strings} -a ${CMD}"
1935
expertmode_output "${ls} -l ${CMD}"
1938
[ "${SYSTEM}" = "FreeBSD" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ] &&
1940
N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
1942
if [ ${N} -ne 2 -a ${N} -ne 0 ]; then
1947
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1
1952
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1960
STATUS=${NOT_INFECTED}
1961
CMD=`loc echo echo $pth`
1964
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1968
if [ "${EXPERT}" = "t" ]; then
1969
expertmode_output "${strings} -a ${CMD}"
1970
expertmode_output "${ls} -l ${CMD}"
1974
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1978
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
1986
STATUS=${NOT_INFECTED}
1987
CMD=`loc env env $pth`
1990
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
1994
if [ "${EXPERT}" = "t" ]; then
1995
expertmode_output "${strings} -a ${CMD}"
1996
expertmode_output "${ls} -l ${CMD}"
2000
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2004
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2013
STATUS=${NOT_INFECTED}
2014
CMD=`loc timed timed $pth`
2015
if [ ${?} -ne 0 ]; then
2016
CMD=`loc in.timed in.timed $pth`
2017
if [ ${?} -ne 0 ]; then
2021
if [ "${EXPERT}" = "t" ]; then
2022
expertmode_output "${strings} -a ${CMD}"
2026
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2034
STATUS=${NOT_INFECTED}
2035
CMD=`loc in.identd in.identd $pth`
2036
if [ ${?} -ne 0 ]; then
2039
if [ "${EXPERT}" = "t" ]; then
2040
expertmode_output "${strings} -a ${CMD}"
2044
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2052
STATUS=${NOT_INFECTED}
2053
INIT_INFECTED_LABEL="UPX"
2054
CMD=`loc init init $pth`
2055
if [ ${?} -ne 0 ]; then
2058
if [ "${EXPERT}" = "t" ]; then
2059
expertmode_output "${strings} -a ${CMD}"
2063
if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
2071
STATUS=${NOT_INFECTED}
2072
CMD=`loc in.pop2d in.pop2d $pth`
2073
if [ ${?} -ne 0 ]; then
2076
if [ "${EXPERT}" = "t" ]; then
2077
expertmode_output "${strings} -a ${CMD}"
2081
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2089
STATUS=${NOT_INFECTED}
2090
CMD=`loc in.pop3d in.pop3d $pth`
2091
if [ ${?} -ne 0 ]; then
2094
if [ "${EXPERT}" = "t" ]; then
2095
expertmode_output "${strings} -a ${CMD}"
2099
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2107
STATUS=${NOT_INFECTED}
2108
CMD=`loc write write $pth`
2111
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2114
WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
2115
if [ "${EXPERT}" = "t" ]; then
2116
expertmode_output "${strings} -a ${CMD}"
2117
expertmode_output "${ls} -l ${CMD}"
2121
if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
2125
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2133
STATUS=${NOT_INFECTED}
2137
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2140
W_INFECTED_LABEL="uname -a"
2142
if [ "${EXPERT}" = "t" ]; then
2143
expertmode_output "${strings} -a ${CMD}"
2144
expertmode_output "${ls} -l ${CMD}"
2147
if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
2155
STATUS=${NOT_INFECTED}
2156
CMD=`loc vdir vdir $pth`
2157
VDIR_INFECTED_LABEL="/lib/volc"
2158
if [ ! -r ${CMD} ]; then
2162
if [ "${EXPERT}" = "t" ]; then
2163
expertmode_output "${strings} -a ${CMD}"
2164
expertmode_output "${ls} -l ${CMD}"
2167
if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
2175
STATUS=${NOT_INFECTED}
2176
CMD=`loc tar tar $pth`
2179
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2183
if [ "${EXPERT}" = "t" ]; then
2184
expertmode_output "${ls} -l ${CMD}"
2187
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2195
STATUS=${NOT_INFECTED}
2196
CMD=`loc in.rexedcs in.rexedcs $pth`
2199
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2203
if [ "${EXPERT}" = "t" ]; then
2204
expertmode_output "${strings} -a ${CMD}"
2212
STATUS=${NOT_INFECTED}
2213
CMD=`loc mail mail $pth`
2219
[ "${SYSTEM}" = "HP-UX" ] && return $NOT_TESTED
2221
MAIL_INFECTED_LABEL="sh -i"
2223
if [ "${EXPERT}" = "t" ]; then
2224
expertmode_output "${strings} -a ${CMD}"
2225
expertmode_output "${ls} -l ${CMD}"
2229
if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
2233
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2241
STATUS=${NOT_INFECTED}
2242
CMD=`loc biff biff $pth`
2248
if [ "${EXPERT}" = "t" ]; then
2249
expertmode_output "${strings} -a ${CMD}"
2250
expertmode_output "${ls} -l ${CMD}"
2254
if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
2258
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2266
STATUS=${NOT_INFECTED}
2267
EGREP_INFECTED_LABEL="blah"
2268
CMD=`loc egrep egrep $pth`
2271
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2275
if [ "${EXPERT}" = "t" ]; then
2276
expertmode_output "${strings} -a ${CMD}"
2277
expertmode_output "${ls} -l ${CMD}"
2280
if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
2288
STATUS=${NOT_INFECTED}
2289
GREP_INFECTED_LABEL="givemer"
2290
CMD=`loc grep grep $pth`
2293
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2297
if [ "${EXPERT}" = "t" ]; then
2298
expertmode_output "${strings} -a ${CMD}"
2299
expertmode_output "${ls} -l ${CMD}"
2303
if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
2307
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
2315
STATUS=${NOT_INFECTED}
2316
FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h"
2317
CMD=`loc find find $pth`
2324
if [ "${EXPERT}" = "t" ]; then
2325
expertmode_output "${strings} -a ${CMD}"
2329
if ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1
2337
STATUS=${NOT_INFECTED}
2338
RLOGIN_INFECTED_LABEL="p1r0c4|r00t"
2339
CMD=`loc in.rlogind in.rlogind $pth`
2340
if [ ! -x "${CMD}" ]; then
2341
CMD=`loc rlogind rlogind $pth`
2342
if [ ! -x "${CMD}" ]; then
2346
if [ "${EXPERT}" = "t" ]; then
2347
expertmode_output "${strings} -a ${CMD}"
2350
if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2358
STATUS=${NOT_INFECTED}
2359
LSOF_INFECTED_LABEL="^/prof"
2360
CMD=`loc lsof lsof $pth`
2361
if [ ! -x "${CMD}" ]; then
2364
if [ "${EXPERT}" = "t" ]; then
2365
expertmode_output "${strings} -a ${CMD}"
2368
if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
2376
STATUS=${NOT_INFECTED}
2377
AMD_INFECTED_LABEL="blah"
2378
CMD=`loc amd amd $pth`
2379
if [ ! -x "${CMD}" ]; then
2382
if [ "${EXPERT}" = "t" ]; then
2383
expertmode_output "${strings} -a ${CMD}"
2386
if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
2394
STATUS=${NOT_INFECTED}
2395
SLOGIN_INFECTED_LABEL="homo"
2396
CMD=`loc slogin slogin $pth`
2397
if [ ! -x "${CMD}" ]; then
2400
if [ "${EXPERT}" = "t" ]; then
2401
expertmode_output "${strings} -a ${CMD}"
2404
if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2412
STATUS=${NOT_INFECTED}
2413
CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
2414
CMD=`loc cron cron $pth`
2415
if [ "${?}" -ne 0 ]; then
2416
CMD=`loc crond crond $pth`
2422
if [ "${EXPERT}" = "t" ]; then
2423
expertmode_output "${strings} -a ${CMD}"
2426
if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
2435
CMD=`loc ifconfig ifconfig $pth`
2436
if [ "${?}" -ne 0 ]; then
2440
if [ "${EXPERT}" = "t" ]; then
2441
expertmode_output "${strings} -a ${CMD}"
2445
IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
2446
IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
2447
if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
2450
STATUS=${NOT_INFECTED}
2452
if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
2461
STATUS=${NOT_INFECTED}
2463
Linux) CMD="${ROOTDIR}usr/sbin/in.rshd";;
2464
FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";;
2465
*) CMD=`loc rshd rshd $pth`;;
2468
if [ ! -x ${CMD} ] ;then
2471
if [ "${EXPERT}" = "t" ]; then
2472
expertmode_output "${strings} -a ${CMD}"
2476
RSHD_INFECTED_LABEL="HISTFILE"
2477
if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
2480
if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
2481
${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1 ; then
2482
STATUS=${INFECTED_BUT_DISABLED}
2489
STATUS=${NOT_INFECTED}
2490
TCPDUMP_I_L="212.146.0.34:1963";
2492
if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}"> /dev/null 2>&1; then
2499
STATUS=${NOT_INFECTED}
2500
TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
2502
[ -r ${ROOTDIR}etc/inetd.conf ] &&
2503
CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
2504
${awk} '{ print $6 }'`
2505
if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1; then
2506
CMD=`loc tcpd tcpd $pth`
2508
[ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`
2510
[ "tcpd" = "${CMD}" -o ! -f "${CMD}" ] && return ${NOT_FOUND};
2512
if [ "${EXPERT}" = "t" ]; then
2513
expertmode_output "${strings} -a ${CMD}"
2517
if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
2525
STATUS=${NOT_INFECTED}
2526
SSHD2_INFECTED_LABEL="check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk"
2529
if [ ${?} -ne 0 ]; then
2533
if [ "${EXPERT}" = "t" ]; then
2534
expertmode_output "${strings} -a ${CMD}"
2538
if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
2542
if ${ps} ${ps_cmd} | ${egrep} sshd >/dev/null 2>&1; then
2543
STATUS=${INFECTED_BUT_DISABLED}
2550
STATUS=${NOT_INFECTED}
2551
SU_INFECTED_LABEL="satori|vejeta|conf\.inv"
2552
CMD=`loc su su $pth`
2555
if [ "${QUIET}" != "t" ]; then echo "not found"; fi
2559
if [ "${EXPERT}" = "t" ]; then
2560
expertmode_output "${strings} -a ${CMD}"
2564
if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
2572
STATUS=${NOT_INFECTED}
2573
FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}"
2574
CMD=`loc fingerd fingerd $pth`
2576
if [ ${?} -ne 0 ]; then
2577
CMD=`loc in.fingerd in.fingerd $pth`
2578
if [ ${?} -ne 0 ]; then
2583
if [ "${EXPERT}" = "t" ]; then
2584
expertmode_output "${strings} -a ${CMD}"
2588
if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
2598
STATUS=${NOT_INFECTED}
2599
SHELLS="${ROOTDIR}bin/sh ${ROOTDIR}bin/bash"
2601
if [ -r ${ROOTDIR}etc/shells ]; then
2602
SHELLS="`cat ${ROOTDIR}etc/shells | ${egrep} -v '^#'`";
2605
if [ -r ${ROOTDIR}etc/inetd.conf ]; then
2606
for CHK_SHELL in ${SHELLS}; do
2607
cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null
2608
if [ ${?} -ne 1 ]; then
2609
if [ "${EXPERT}" = "t" ]; then
2610
echo "Backdoor shell record(s) in /etc/inetd.conf: "
2611
cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*"
2624
STATUS=${NOT_INFECTED}
2625
TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]'
2626
CMD=`loc telnetd telnetd $pth`
2628
if [ ${?} -ne 0 ]; then
2629
CMD=`loc in.telnetd in.telnetd $pth`
2630
if [ ${?} -ne 0 ]; then
2635
if [ "${EXPERT}" = "t" ]; then
2636
expertmode_output "${strings} -a ${CMD}"
2640
if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
2653
if [ ! "$PRINTF_BIN" ]; then
2654
# This is the first call. Check the environment and
2655
# define this global.
2657
PRINTF_BIN=`which printf 2> /dev/null`
2659
# Set to a dummy value if not found
2660
[ ! "$PRINTF_BIN" ] && PRINTF_BIN="not exists"
2662
# We're done, and won't enter this if-case any more
2665
# Some messages are continued, so don't use printf
2667
*exec*|*bogus*) printf="" ;;
2670
if [ "$PRINTF_BIN" ] && [ "$printf" ]; then
2671
$PRINTF_BIN "$printf_fmt" "$1"
2673
if `${echo} "a\c" | ${egrep} c >/dev/null 2>&1` ; then
2685
### using regexps, as the `-w' option to grep/egrep is not portable.
2686
L_REGEXP='(^|[^A-Za-z0-9_])'
2687
R_REGEXP='([^A-Za-z0-9_]|$)'
2689
### default ROOTDIR is "/"
2706
EXCLUDES="$1 $EXCLUDES";;
2712
-V) echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}"
2715
-l) echo >&2 "$0: tests: ${TOOLS} ${TROJAN}"
2720
-h | -*) echo >&2 "Usage: $0 [options] [test ...]
2722
-h show this help and exit
2723
-V show version information and exit
2724
-l show available tests and exit
2728
-e exclude known false positive files/dirs, quoted,
2729
space separated, READ WARNING IN README
2730
-r dir use dir as the root directory
2731
-p dir1:dir2:dirN path for the external commands used by chkrootkit
2732
-n skip NFS mounted dirs"
2740
### check the external commands needed
2759
### PATH used by loc
2760
pth=`echo $PATH | sed -e "s/:/ /g"`
2761
pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ."
2763
### PATH for the external commands
2764
if [ "${CHKRKPATH}" = "" ]; then
2767
### use the path provided with the -p option
2768
chkrkpth=`echo ${CHKRKPATH} | sed -e "s/:/ /g"`
2771
for file in $cmdlist; do
2772
xxx=`loc $file $file $chkrkpth`
2777
if [ ! -x "${xxx}" ]
2779
echo >&2 "chkrootkit: can't exec \`$xxx'."
2784
echo >&2 "chkrootkit: can't find \`$file'."
2791
SYSTEM=`${uname} -s`
2792
VERSION=`${uname} -r`
2793
if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then
2796
V=`echo $VERSION| ${sed} -e 's/[-_@].*//'| ${awk} -F . '{ print $1 "." $2 $3 }'`
2802
if `$echo a | $head -n 1 >/dev/null 2>&1` ; then
2803
$head -n `echo $1 | tr -d "-"`
2810
if [ "$SYSTEM" = "SunOS" ]; then
2811
if [ "${CHKRKPATH}" = "" ]; then
2812
if [ -x /usr/ucb/ps ]; then
2818
### -p is in place: use `-fe' as ps options
2822
# Check that the ps command works
2823
if ${ps} ax >/dev/null 2>&1 ; then
2829
if [ `${id} | ${cut} -d= -f2 | ${cut} -d\( -f1` -ne 0 ]; then
2830
echo "$0 need root privileges"
2836
### perform only tests supplied as arguments
2839
### check that it is a valid test name
2840
if echo "${TROJAN} ${TOOLS}"| \
2841
${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1
2843
echo >&2 "$0: \`$arg': not a known test"
2849
### this is the default: perform all tests
2850
LIST="${TROJAN} ${TOOLS}"
2853
if [ "${DEBUG}" = "t" ]; then
2857
if [ "${ROOTDIR}" != "/" ]; then
2859
### remove trailing `/'
2860
ROOTDIR=`echo ${ROOTDIR} | ${sed} -e 's/\/*$//g'`
2864
if echo ${dir} | ${egrep} '^/' > /dev/null 2>&1
2866
newpth="${newpth} ${ROOTDIR}${dir}"
2868
newpth="${newpth} ${ROOTDIR}/${dir}"
2872
ROOTDIR="${ROOTDIR}/"
2875
if [ "${QUIET}" != "t" ]; then
2876
echo "ROOTDIR is \`${ROOTDIR}'"
2883
if echo "${TROJAN}" | \
2884
${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1
2886
if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
2887
printn "Checking \`${cmd}'... "
2893
if [ "${QUIET}" = "t" ]; then
2894
### show only INFECTED status
2895
if [ ${STATUS} -eq 0 ]; then
2896
echo "Checking \`${cmd}'... INFECTED"
2902
0) echo "INFECTED";;
2903
1) echo "not infected";;
2904
2) echo "not tested";;
2905
3) echo "not found";;
2906
4) echo "infected but disabled";;
2907
5) ;; ### expert mode
2911
if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
2912
printn "Checking \`$cmd'... "
2919
### chkrootkit ends here.