Hello community,
here is the log from the commit of package chkrootkit for openSUSE:Factory
checked in at Sat Oct 2 01:26:17 CEST 2010.
--------
--- chkrootkit/chkrootkit.changes 2009-11-03 20:16:20.000000000 +0100
+++ /mounts/work_src_done/STABLE/chkrootkit/chkrootkit.changes 2010-09-29 23:19:34.000000000 +0200
@@ -1,0 +2,14 @@
+Wed Sep 29 23:18:10 CEST 2010 - freespacer@gmx.de
+
+- update to version 0.49
+ - new tests: Mac OS X OSX.RSPlug.A Trojan Horse
+ - more tests for suspicious sniffer logs
+ - more tests for suspicious PHP files
+ - more tests for shell history file anomalies
+ - minor bug fixes
+ - chkdirs.c: minor bug fixes
+ - chkproc.c: minor bug fixes
+ - chkutmp.c: bug fix by Michael Schwendt
+- renew patch
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
chkrootkit-0.45.diff
chkrootkit-0.47.tar.gz
New:
----
chkrootkit-0.49.patch
chkrootkit-0.49.tar.gz
chkrootkit-rpmlintrc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ chkrootkit.spec ++++++
--- /var/tmp/diff_new_pack.D1Zbd1/_old 2010-10-02 01:25:50.000000000 +0200
+++ /var/tmp/diff_new_pack.D1Zbd1/_new 2010-10-02 01:25:50.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package chkrootkit (Version 0.47)
+# spec file for package chkrootkit (Version 0.49)
#
-# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,14 +20,14 @@
Name: chkrootkit
Url: http://www.chkrootkit.org/
-License: BSD 3-clause (or similar)
+License: BSD3c(or similar)
Group: Productivity/Security
AutoReqProv: on
Summary: Used to Check for Symptoms of Installed Root Kits
-Version: 0.47
-Release: 113
-Source0: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.47.tar.gz
-Patch0: chkrootkit-0.45.diff
+Version: 0.49
+Release: 1
+Source0: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-%{version}.tar.gz
+Patch0: chkrootkit-%{version}.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -46,7 +46,7 @@
%prep
%setup -q
-%patch0 -p0
+%patch0 -p1
%build
make OPTFLAGS="$RPM_OPT_FLAGS -Os"
++++++ chkrootkit-0.49.patch ++++++
diff -rup chkrootkit-0.49.orig/chkrootkit chkrootkit-0.49/chkrootkit
--- chkrootkit-0.49.orig/chkrootkit 2009-07-30 16:10:54.000000000 +0200
+++ chkrootkit-0.49/chkrootkit 2010-09-29 23:03:56.765108341 +0200
@@ -181,23 +181,23 @@ sniffer () {
fi
if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./ifpromisc" -v
+ expertmode_output "/sbin/ifpromisc" -v
return 5
fi
- if [ ! -x ./ifpromisc ]; then
- echo "not tested: can't exec ./ifpromisc"
+ if [ ! -x /sbin/ifpromisc ]; then
+ echo "not tested: can't exec /sbin/ifpromisc"
return ${NOT_TESTED}
else
- [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
+ [ "${QUIET}" != "t" ] && /sbin/ifpromisc -v || /sbin/ifpromisc -q
fi
}
chkutmp() {
- if [ ! -x ./chkutmp ]; then
- echo "not tested: can't exec ./chkutmp"
+ if [ ! -x /sbin/chkutmp ]; then
+ echo "not tested: can't exec /sbin/chkutmp"
return ${NOT_TESTED}
fi
- if ./chkutmp
+ if /sbin/chkutmp
then
if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
fi
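Review bot: The helper directory `/sbin/` is now spelled out literally at every call site in this hunk and in the chkutmp, z2, wted, lkm and chk_ldsopreload hunks that follow, so a later move of the helpers would have to touch some twenty lines again. Defining the location once near the top of the script, e.g. `CHKRKHELPERS=/sbin`, and writing `[ ! -x ${CHKRKHELPERS}/ifpromisc ]` at each site keeps the `-x` test, the error message and the invocation consistent with each other. Replacing `./` with an absolute path is the right direction, since the old form ran whatever happened to be in the working directory; sniffer() begins before this hunk.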
@@ -205,8 +205,8 @@ chkutmp() {
}
z2 () {
- if [ ! -x ./chklastlog ]; then
- echo "not tested: can't exec ./chklastlog"
+ if [ ! -x /sbin/chklastlog ]; then
+ echo "not tested: can't exec /sbin/chklastlog"
return ${NOT_TESTED}
fi
@@ -219,32 +219,32 @@ z2 () {
fi
if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
+ expertmode_output "/sbin/chklastlog -f ${WTMP} -l ${LASTLOG}"
return 5
fi
- if ./chklastlog -f ${WTMP} -l ${LASTLOG}
+ if /sbin/chklastlog -f ${WTMP} -l ${LASTLOG}
then
if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
fi
}
wted () {
- if [ ! -x ./chkwtmp ]; then
- echo "not tested: can't exec ./chkwtmp"
+ if [ ! -x /sbin/chkwtmp ]; then
+ echo "not tested: can't exec /sbin/chkwtmp"
return ${NOT_TESTED}
fi
if [ "$SYSTEM" = "SunOS" ]; then
- if [ ! -x ./check_wtmpx ]; then
- echo "not tested: can't exec ./check_wtmpx"
+ if [ ! -x /sbin/check_wtmpx ]; then
+ echo "not tested: can't exec /sbin/check_wtmpx"
else
if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./check_wtmpx"
+ expertmode_output "/sbin/check_wtmpx"
return 5
fi
if [ -f ${ROOTDIR}var/adm/wtmp ]; then
- if ./check_wtmpx
+ if /sbin/check_wtmpx
then
if [ "${QUIET}" != "t" ]; then \
echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
@@ -255,12 +255,12 @@ wted () {
WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./chkwtmp -f ${WTMP}"
+ expertmode_output "/sbin/chkwtmp -f ${WTMP}"
return 5
fi
fi
- if ./chkwtmp -f ${WTMP}
+ if /sbin/chkwtmp -f ${WTMP}
then
if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
fi
@@ -298,8 +298,8 @@ lkm ()
prog=""
if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
`echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
- [ -x ./chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="./chkproc"
- [ -x ./chkdirs ] && prog="$prog ./chkdirs"
+ [ -x /sbin/chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="/sbin/chkproc"
+ [ -x /sbin/chkdirs ] && prog="$prog /sbin/chkdirs"
if [ "$prog" = "" ]; then
echo "not tested: can't exec $prog"
return ${NOT_TESTED}
@@ -311,7 +311,7 @@ lkm ()
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
[ "${SYSTEM}" = "SunOS" ] && PV=0
- expertmode_output "./chkproc -v -v -p $PV"
+ expertmode_output "/sbin/chkproc -v -v -p $PV"
return 5
fi
@@ -338,7 +338,7 @@ lkm ()
if [ "${DEBUG}" = "t" ]; then
${echo} "*** PV=$PV ***"
fi
- if ./chkproc -p ${PV}; then
+ if /sbin/chkproc -p ${PV}; then
if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
else
echo "chkproc: Warning: Possible LKM Trojan installed"
@@ -347,7 +347,7 @@ lkm ()
for i in /usr/share /usr/bin /usr/sbin /lib; do
[ -d $i ] && dirs="$dirs $i"
done
- if ./chkdirs $dirs; then
+ if /sbin/chkdirs $dirs; then
if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
else
echo "chkdirs: Warning: Possible LKM Trojan installed"
@@ -1718,18 +1718,18 @@ chk_ldsopreload() {
if [ "${SYSTEM}" = "Linux" ]
then
- if [ ! -x ./strings-static ]; then
- printn "can't exec ./strings-static, "
+ if [ ! -x /sbin/strings-static ]; then
+ printn "can't exec /sbin/strings-static, "
return ${NOT_TESTED}
fi
if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./strings-static -a ${CMD}"
+ expertmode_output "/sbin/strings-static -a ${CMD}"
return 5
fi
### strings must be a statically linked binary.
- if ./strings-static -a ${CMD} > /dev/null 2>&1
+ if /sbin/strings-static -a ${CMD} > /dev/null 2>&1
then
STATUS=${INFECTED}
fi
@@ -2605,7 +2605,7 @@ for file in $cmdlist; do
xxx=`loc $file $file $chkrkpth`
eval $file=$xxx
case "$xxx" in
- /* | ./* | ../*)
+ /* | /sbin/* | ../*)
if [ ! -x "${xxx}" ]
then
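Review bot: The new alternative in `case "$xxx" in /* | /sbin/* | ../*)` is already covered by `/*`, so this edit does not change which `loc` results receive the executability check; what it actually does is drop `./*`. If the intent is that only absolute paths are checked, `../*` is still a relative pattern and would need the same treatment, which should be decided against what `loc` can return for `$chkrkpth`; otherwise the pattern can simply be left as `/* | ../*)`. The `if` beginning on the last line of the hunk continues outside it.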
diff -rup chkrootkit-0.49.orig/Makefile chkrootkit-0.49/Makefile
--- chkrootkit-0.49.orig/Makefile 2007-12-24 13:18:02.000000000 +0100
+++ chkrootkit-0.49/Makefile 2010-09-29 22:51:54.766101051 +0200
@@ -4,7 +4,8 @@
#
CC = gcc
-CFLAGS = -DHAVE_LASTLOG_H
+OPTFLAGS =
+CFLAGS = -DHAVE_LASTLOG_H -Wall $(OPTFLAGS)
STATIC = -static
###
@@ -41,36 +42,28 @@ sense: chklastlog chkwtmp ifpromisc chkp
chklastlog: chklastlog.c
${CC} ${CFLAGS} -o $@ chklastlog.c
- @strip $@
chkwtmp: chkwtmp.c
${CC} ${CFLAGS} -o $@ chkwtmp.c
- @strip $@
ifpromisc: ifpromisc.c
${CC} ${CFLAGS} ${LDFLAGS} -D_FILE_OFFSET_BITS=64 -o $@ ifpromisc.c
- @strip $@
chkproc: chkproc.c
- ${CC} ${LDFLAGS} -o $@ chkproc.c
- @strip $@
+ ${CC} ${CFLAGS} ${LDFLAGS} -o $@ chkproc.c
chkdirs: chkdirs.c
- ${CC} ${LDFLAGS} -o $@ chkdirs.c
- @strip $@
+ ${CC} ${CFLAGS} ${LDFLAGS} -o $@ chkdirs.c
check_wtmpx: check_wtmpx.c
- ${CC} ${LDFLAGS} -o $@ check_wtmpx.c
- @strip $@
+ ${CC} ${CFLAGS} ${LDFLAGS} -o $@ check_wtmpx.c
chkutmp: chkutmp.c
- ${CC} ${LDFLAGS} -o $@ chkutmp.c
- @strip $@
+ ${CC} ${CFLAGS} ${LDFLAGS} -o $@ chkutmp.c
strings-static: strings.c
- ${CC} ${STATIC} ${LDFLAGS} -o $@ strings.c
- @strip $@
+ ${CC} ${STATIC} ${CFLAGS} ${LDFLAGS} -o $@ strings.c
clean:
rm -f ${OBJS} core chklastlog chkwtmp ifpromisc chkproc chkdirs check_wtmpx strings-static chkutmp
diff -rup chkrootkit-0.49.orig/strings.c chkrootkit-0.49/strings.c
--- chkrootkit-0.49.orig/strings.c 2007-12-24 13:18:02.000000000 +0100
+++ chkrootkit-0.49/strings.c 2010-09-29 23:04:19.841105766 +0200
@@ -11,6 +11,7 @@
#include
#include
+#include
#include
#include
#include
++++++ chkrootkit-0.47.tar.gz -> chkrootkit-0.49.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/ACKNOWLEDGMENTS new/chkrootkit-0.49/ACKNOWLEDGMENTS
--- old/chkrootkit-0.47/ACKNOWLEDGMENTS 2006-10-09 21:39:47.000000000 +0200
+++ new/chkrootkit-0.49/ACKNOWLEDGMENTS 2009-07-30 14:29:28.000000000 +0200
@@ -105,3 +105,19 @@
UnSpawn (error reports)
Milan Kerslager (new rootkits signs)
Gary Funk (new rootkits signs)
+Florian Gleixne (Solaris bug report and patch)
+Andre Russ (bug report and crontab patch)
+Michael Schwendt (OpenBSDrk v1 false positives on linux boxes)
+Johann Burkard (r57 backdoor report)
+Lieven De Keyzer (bug report)
+Bartosz Lis (bug report and patch)
+Ken Olum (bug report)
+Steve Pirk (Slackware crontab bug report and patch)
+Scott A. McIntyre (Nice ideas)
+Lorenzo Patocchi (new rootkits signs)
+NIDE, Naoyuki (Bug report in chkdirs.c)
+Steve Pirk (Bug report in slackware's crontab)
+Michael Schwendt (Bug report and patch)
+Michael Grant (Bug report and patch)
+Ondrej Svetlik (new rk)
+Enrico Zini (Bug report and patch)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/COPYRIGHT new/chkrootkit-0.49/COPYRIGHT
--- old/chkrootkit-0.47/COPYRIGHT 2006-10-09 21:33:51.000000000 +0200
+++ new/chkrootkit-0.49/COPYRIGHT 2009-07-30 15:43:40.000000000 +0200
@@ -1,6 +1,6 @@
# @(#)COPYRIGHT 1.2 (Pangeia Informatica) 2/21/97
-Copyright 1996-2006 - Pangeia Informatica, All rights reserved.
+Copyright 1996-2009 - Pangeia Informatica, All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/Makefile new/chkrootkit-0.49/Makefile
--- old/chkrootkit-0.47/Makefile 2006-10-09 21:29:19.000000000 +0200
+++ new/chkrootkit-0.49/Makefile 2007-12-24 13:18:02.000000000 +0100
@@ -1,6 +1,6 @@
#
# Makefile for chkrootkit
-# (C) 1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
+# (C) 1997-2007 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
#
CC = gcc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/README new/chkrootkit-0.49/README
--- old/chkrootkit-0.47/README 2006-10-09 23:25:08.000000000 +0200
+++ new/chkrootkit-0.49/README 2009-07-30 15:46:28.000000000 +0200
@@ -1,4 +1,4 @@
- chkrootkit V. 0.47
+ chkrootkit V. 0.49
Nelson Murilo (main author)
Klaus Steding-Jessen (co-author)
@@ -66,8 +66,9 @@
--------------------
chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x,
- FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x,
- Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac OS X.
+ FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x, 3.x and 4.x., NetBSD
+ 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64, BSDI and Mac
+ OS X.
4. Package Contents
@@ -346,5 +347,14 @@
Enye LKM detected. chkrootkit: crontab
test, Enye LKM and Lupper.Worm detected,
minor bug fixes.
+ 12/17/2007 - Version 0.48 new tests: common SSH brute force
+ scanners, suspicious PHP files. Enhanced
+ tests: login, netstat, top, backdoor.
+ Minor bug fixes.
+ 09/30/2009 - Version 0.49 new tests: Mac OS X OSX.RSPlug.A. Enhanced
+ tests: suspicious sniffer logs, suspicious
+ PHP files, shell history file anomalies.
+ Bug fixes in chkdirs.c, chkproc.c and
+ chkutmp.c.
-------------- Thx for using chkrootkit ----------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/chkdirs.c new/chkrootkit-0.49/chkdirs.c
--- old/chkrootkit-0.47/chkdirs.c 2006-07-25 16:48:26.000000000 +0200
+++ new/chkrootkit-0.49/chkdirs.c 2009-07-30 14:30:38.000000000 +0200
@@ -22,6 +22,8 @@
2003/01/20 - NAME_MAX Fix by Hal Pomeranz
2003/09/01 - BSDI port by Nelson Murilo and Thomas Davidson
2005/22/05 - APPLE test for limits.h included by Aaron Harwood
+ 2007/08/10 - strncpy used instead of strcpy - nm
+ 2007/12/24 - change `c' variable type - NIDE, Naoyuki
*/
@@ -76,7 +78,7 @@
offs = 0;
}
else {
- strcpy(*buffer, path);
+ strncpy(*buffer, path, bufsize);
if ((*buffer)[plen-1] == '/') { /* "path" ends in "/", don't add extra */
offs = plen;
}
@@ -85,7 +87,7 @@
offs = plen + 1;
}
}
- strcpy((*buffer)+offs, dir);
+ strncpy((*buffer)+offs, dir, bufsize - offs);
return((*buffer));
}
@@ -128,7 +130,7 @@
fprintf(stderr, "malloc() failed: %s\n", strerror(errno));
return(-1);
}
- strcpy(curpath, path);
+ strncpy(curpath, path, plen+1);
}
/* Now set "fullpath" to be the absolute path name of the directory
@@ -201,7 +203,7 @@
continue;
}
- strcpy(dl->dil_name, finfo->d_name);
+ strncpy(dl->dil_name, finfo->d_name, sizeof(dl->dil_name));
dl->dil_lc = statinfo.st_nlink;
dl->dil_next = dptr;
}
@@ -237,7 +239,7 @@
{
int norecurse = 0;
int i, retval;
- char c;
+ int c;
opterr = 0;
while ((c = getopt(argc, argv, "n")) > 0) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/chklastlog.c new/chkrootkit-0.49/chklastlog.c
--- old/chkrootkit-0.47/chklastlog.c 2006-02-11 18:02:48.000000000 +0100
+++ new/chkrootkit-0.49/chklastlog.c 2009-07-30 14:34:20.000000000 +0200
@@ -20,12 +20,11 @@
Nelson Murilo, nelson@pangeia.com.br
01/20/01 - More little fixes
Nelson Murilo, nelson@pangeia.com.br
- 24/01/01 - Segfault in some systems fixed, Thanks for Manfred Bartz
- 02/06/01 - Beter system detection & fix bug in OBSD, Thanks for Rudolf Leitgeb
- 09/19/01 - Another Segfault in some systems fixed, Thanks for Andreas Tirok
- 06/26/02 - Fix problem with maximum uid number - Thanks for Gerard van Wageningen
- 07/02/02 - Minor fixes
- Nelson Murilo, nelson@pangeia.com.br
+ 24/01/01 - Segfault in some systems fixed, Thanks to Manfred Bartz
+ 02/06/01 - Beter system detection & fix bug in OBSD, Thanks to Rudolf Leitgeb
+ 09/19/01 - Another Segfault in some systems fixed, Thanks to Andreas Tirok
+ 06/26/02 - Fix problem with maximum uid number - Thanks to Gerard van Wageningen
+ 07/02/02 - Minor fixes - Nelson Murilo, nelson@pangeia.com.br
*/
#if defined(SOLARIS2) || defined(__linux__)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/chkproc.c new/chkrootkit-0.49/chkproc.c
--- old/chkrootkit-0.47/chkproc.c 2006-07-25 16:55:21.000000000 +0200
+++ new/chkrootkit-0.49/chkproc.c 2009-07-30 14:38:20.000000000 +0200
@@ -44,8 +44,8 @@
2005/11/15 - Add check for Enye LKM - Nelson Murilo
2005/11/25 - Fix for long lines in PS output - patch by Lantz Moore
-
- 2006/01/05 - Add getpriority to identify LKMs, ideas from Yjesus(unhide) and
+
+ 2006/01/05 - Add getpriority to identify LKMs, ideas from Yjesus(unhide) and
Slider/Flimbo (skdet)
2006/01/11 - Fix signal 25 on parisc linux and return of kill() -
@@ -56,7 +56,7 @@
int main (){ return 0; }
#else
#include
-#include
+#include
#include
#include
#include
@@ -64,6 +64,7 @@
#include
#include
#include
+#include
#if defined(__sun)
#include
#include
@@ -75,6 +76,8 @@
#define PS_COM 2
#define PS_LNX 3
#define PS_MAX 3
+#define ENYELKM "/proc/12345"
+// #define ENYELKM "/tmp/12345"
#if defined(__sun)
#define FIRST_PROCESS 0
@@ -86,7 +89,7 @@
#if !defined (SIGXFSZ)
#define SIGXFSZ 25
-#endif
+#endif
static char *ps_cmds[] = {
"ps -edf",
@@ -132,6 +135,7 @@
FILE *ps;
DIR *proc = opendir("/proc");
struct dirent *dir;
+ struct stat sb;
int i, j, retps, retdir, pv, verbose;
long ret = 0L;
char * tmp_d_name;
@@ -142,7 +146,7 @@
psinfo_t psbuf;
#endif
- pv = verbose = 0;
+ pv = verbose = 0;
if (!proc)
{
@@ -161,10 +165,10 @@
#if defined(__linux__)
else if (!memcmp(argv[i], "-p", 2))
{
- if (i+1 < argc)
+ if (i+1 < argc)
pv = atoi(argv[++i]);
else
- {
+ {
printf("Usage: %s [-v] [-v] [-p procps version]\n", argv[0]);
return 0;
}
@@ -183,7 +187,7 @@
/* printf("pv = %d\n\r", pv); /* -- DEBUG */
#endif
-/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */
+/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */
if (!(ps = popen(pscmd, "r")))
{
perror("ps");
@@ -334,7 +338,8 @@
}
#endif
}
- else
+#ifndef __FreeBSD__
+ else
{
errno = 0;
getpriority(PRIO_PROCESS, i);
@@ -345,7 +350,7 @@
printf ("PID %5d(%s): not in getpriority readdir output\n", i, buf);
}
}
-
+#endif
}
if (retdir)
printf("You have % 5d process hidden for readdir command\n", retdir);
@@ -359,7 +364,7 @@
retdir+= errno;
}
/* Check for Enye LKM */
- if (kill (12345, 58) >= 0)
+ if (stat(ENYELKM, &sb) && kill (12345, 58) >= 0)
{
printf("Enye LKM found\n");
retdir+= errno;
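Review bot: `stat(ENYELKM, &sb) && kill (12345, 58) >= 0` relies on the reader knowing that a non-zero stat() result means failure, which reads backwards beside the explicit `>= 0` success test on kill(); `stat(ENYELKM, &sb) != 0 && kill(12345, 58) >= 0` states the intent directly. Any stat() failure, not only ENOENT, takes the branch, which is acceptable for a heuristic but deserves a one-line comment such as `/* no /proc entry for the PID, yet it accepts a signal: hidden process */`. The `// #define ENYELKM "/tmp/12345"` line added in the earlier hunk is commented-out code next to the live definition and should be removed rather than carried.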
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/chkrootkit new/chkrootkit-0.49/chkrootkit
--- old/chkrootkit-0.47/chkrootkit 2006-10-09 21:20:54.000000000 +0200
+++ new/chkrootkit-0.49/chkrootkit 2009-07-30 16:10:54.000000000 +0200
@@ -1,13 +1,13 @@
#! /bin/sh
# -*- Shell-script -*-
-# $Id: chkrootkit, v 0.47 2006/10/10
-CHKROOTKIT_VERSION='0.47'
+# $Id: chkrootkit, v 0.49 2009/07/30
+CHKROOTKIT_VERSION='0.49'
# Authors: Nelson Murilo (main author) and
# Klaus Steding-Jessen
#
-# (C)1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
+# (c)1997-2009 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# All rights reserved
### workaround for some Bourne shell implementations
@@ -29,7 +29,7 @@
tcpdump top telnetd timed traceroute vdir w write"
# Tools
-TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp"
+TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"
# Return Codes
INFECTED=0
@@ -39,7 +39,7 @@
INFECTED_BUT_DISABLED=4
# Many trojaned commands have this label
-GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark"
+GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer"
######################################################################
# tools functions
@@ -64,6 +64,29 @@
fi
}
+OSX_RSPLUG (){
+ SAVEIFS=$IFS
+ IFS=';'
+ STATUS=0
+ OSX_RSPLUG_FILES='/Library/Internet Plug-Ins/QuickTime.xpt;/Library/Internet Plug-Ins/plugins.settings'
+ #echo checking ${OSX_RSPLUG_FILES}
+ for i in ${OSX_RSPLUG_FILES} ; do
+ #echo searching for "${i}"
+ if [ -e "${i}" ] ; then
+ STATUS=1
+ fi
+ done
+ IFS=$SAVEIFS
+
+ if [ ${STATUS} -eq 1 ] ;then
+ echo "Warning: OSX.RSPlug.A Trojan Horse found"
+ return ${INFECTED}
+ else
+ if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
+ return ${NOT_INFECTED}
+ fi
+}
+
#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
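Review bot: OSX_RSPLUG() tests `[ -e "${i}" ]` against absolute `/Library/...` paths, whereas every other test in this script prefixes `${ROOTDIR}` (`${ROOTDIR}var/log`, `${ROOTDIR}usr/lib/.fx`), so a scan of a mounted image via the root-directory option silently inspects the running host instead. Storing the entries without the leading slash and testing `[ -e "${ROOTDIR}${i}" ]` makes it consistent with its siblings. The function also has no `EXPERT` branch; the other tools call `expertmode_output` in that mode, and one that lists the candidate files would keep the tool set uniform.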
@@ -76,11 +99,11 @@
STATUS=0
file_port=
- if ${netstat} "${OPT}"|${egrep} ^tcp|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
+ if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
then
STATUS=1
[ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \
- $egrep ^tcp|$egrep "${SLAPPER_PORT}" | awk '{ print $7 }' | tr -d :`
+ $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
fi
for i in ${SLAPPER_FILES}; do
if [ -f ${i} ]; then
@@ -274,18 +297,18 @@
{
prog=""
if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
- `echo ${V} | ${awk} '{ if ($1 > 4.3) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
- [ ! -x ./chkproc ] && prog="./chkproc"
- [ ! -x ./chkdirs ] && prog="$prog ./chkdirs"
- if [ "$prog" != "" ]; then
-# echo "not tested: can't exec $prog"
- return ${NOT_TESTED}
+ `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
+ [ -x ./chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="./chkproc"
+ [ -x ./chkdirs ] && prog="$prog ./chkdirs"
+ if [ "$prog" = "" ]; then
+ echo "not tested: can't exec $prog"
+ return ${NOT_TESTED}
fi
if [ "${EXPERT}" = "t" ]; then
[ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
[ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
- PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
+ PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
[ "${SYSTEM}" = "SunOS" ] && PV=0
expertmode_output "./chkproc -v -v -p $PV"
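Review bot: The new awk condition `$1 > 4.3 || $1 < 6.0` holds for every version number, since any value is either above 4.3 or below 6.0, so the FreeBSD version gate no longer gates anything; `&&` is presumably what was intended, `if ($1 > 4.3 && $1 < 6.0) print 1; else print 0`. The new `if [ "$prog" = "" ]; then echo "not tested: can't exec $prog"` prints an empty name because the branch only runs when `$prog` is empty; `echo "not tested: can't exec ./chkproc or ./chkdirs"` tells the user what was missing. lkm() starts and ends outside this hunk.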
@@ -308,21 +331,30 @@
if [ -d /proc/knark ]; then
echo "Warning: Knark LKM installed"
fi
- PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
+
+ PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
[ "${SYSTEM}" = "SunOS" ] && PV=0
if [ "${DEBUG}" = "t" ]; then
${echo} "*** PV=$PV ***"
fi
- if ./chkproc -p ${PV}
- then
- if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
+ if ./chkproc -p ${PV}; then
+ if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
else
- echo "chkproc: Warning: Possible LKM Trojan installed"
+ echo "chkproc: Warning: Possible LKM Trojan installed"
fi
- else
- if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
- fi
+ dirs="/tmp"
+ for i in /usr/share /usr/bin /usr/sbin /lib; do
+ [ -d $i ] && dirs="$dirs $i"
+ done
+ if ./chkdirs $dirs; then
+ if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
+ else
+ echo "chkdirs: Warning: Possible LKM Trojan installed"
+ fi
+ else
+ if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
+ fi
}
aliens () {
@@ -340,6 +372,7 @@
expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk"
expertmode_output "${find} ${ROOTDIR}usr/lib/dy0"
expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277"
+ expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/"
for i in ${FILES}; do
expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
@@ -349,7 +382,7 @@
[ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx
[ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd
[ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb
-
+ [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so
### sniffer's logs
expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
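Review bot: `${ROOTDIR}/usr/lib/lib.so1.so` places a slash after `${ROOTDIR}` while the neighbouring lines write `${ROOTDIR}usr/lib/.fx`; with the default `ROOTDIR` this yields a doubled slash, which works but departs from the convention used by the `suspects` and `dir` lists, and the ssh-scanner expert line further down (`${ROOTDIR}/tmp ${ROOTDIR}/var/tmp`) has the same slip while its non-expert counterpart uses `${ROOTDIR}tmp`. Dropping the extra slash keeps the paths printed in expert and normal modes identical, which matters when the two outputs are compared.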
@@ -392,13 +425,13 @@
CGIDIR=""
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
-home/httpd/cgi-bin /usr/local/apache2;
+home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
do
[ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
done
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
-zxcvbnm.cgi secure.cgi ubb.cgi"
+zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
for j in ${CGIDIR}; do
for i in ${BACKDOORS}; do
[ -f ${j}/${i} ] && echo ${j}/${i}
@@ -476,7 +509,7 @@
### OpenBSD rootkit v1
- if [ "$SYSTEM" != "SunOS" -a ! -f /usr/lib/security/libgcj.security ]
+ if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ]
then
expertmode_output "${find} ${ROOTDIR}usr/lib/security"
fi
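Review bot: In `[ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ... ]` the second operand is unquoted while the first is quoted; should `SYSTEM` ever be empty, `[` receives a missing argument and reports a syntax error instead of evaluating to false. Quote it as `"${SYSTEM}" != "Linux"`. The same expression is added again in the non-expert OBSD rk v1 check later in this diff and needs the same fix.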
@@ -545,6 +578,9 @@
## ENYE-LKM
expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
+ ## Common SSH-SCANNERS
+ expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
+
### shell history file check
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
@@ -560,12 +596,13 @@
###
### suspicious files and sniffer's logs
###
- suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese /dev/ptyzx dev/ptyzy \
+ suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \
usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \
tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \
-usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc \
-etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d"
- dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb"
+usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \
+etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin"
+ dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \
+ var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so"
files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
if [ "${files}" != "" ]; then
echo
@@ -630,7 +667,8 @@
[ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib
[ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
[ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
- if [ `find ${LIBS} -name libproc.a 2> /dev/null` ]
+ if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \
+ "$SYSTEM" != "FreeBSD" ]
then
echo "Possible t0rn v8 \(or variation\) rootkit installed"
else
@@ -756,7 +794,7 @@
CGIDIR=""
for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
-home/httpd/cgi-bin /usr/local/apache2 ;
+home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
do
[ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
done
@@ -769,7 +807,7 @@
${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2> /dev/null`
BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
-zxcvbnm.cgi secure.cgi ubb.cgi"
+zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
files=""
for j in ${CGIDIR}; do
for i in ${BACKDOORS}; do
@@ -786,7 +824,7 @@
if [ "${QUIET}" != "t" ]; then \
printn "Searching for Ducoci rootkit... "; fi
- files=`${find} . ${CGIDIR} -name last.cgi`
+ files=`${find} ${CGIDIR} -name last.cgi`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
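Review bot: Removing the `.` start point from `${find} ${CGIDIR} -name last.cgi` is right for a scan that should not depend on the working directory, but when no CGI directory exists `CGIDIR` is empty and find is run with no path at all: GNU find then searches the current directory anyway, and other implementations print a usage error. Guarding the call, `[ -n "${CGIDIR}" ] && files=...`, or skipping the Ducoci test when the list is empty, keeps the behavior the same on every platform. The `for j in ${CGIDIR}` loops elsewhere are unaffected, since they simply iterate zero times.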
@@ -893,7 +931,7 @@
fi
### OpenBSD rootkit v1
- if [ "${SYSTEM}" != "SunOS" -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
+ if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
files=""
if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi
files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
@@ -1077,6 +1115,35 @@
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi
+ ## Common SSH-SCANNERS
+ if [ "${QUIET}" != "t" ]; then
+ printn "Searching for common ssh-scanners default files... "; fi
+ files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`"
+ if [ "${files}" = "" ]; then
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ else
+ echo "${files}"
+ fi
+
+ ###
+ ### Suspect PHP files
+ ###
+ if [ "${QUIET}" != "t" ]; then
+ printn "Searching for suspect PHP files... "; fi
+ files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
+if [ `echo abc | head -n 1` = "abc" ]; then
+ fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n 1 {} \; | $egrep '#!.*php' 2> /dev/null`"
+else
+ fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep '#!.*php' 2> /dev/null`"
+fi
+ if [ "${files}" = "" -a "${fileshead}" = "" ]; then
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ else
+ echo
+ echo "${files}"
+ echo "${fileshead}"
+ fi
+
###
### shell history anomalies
###
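Review bot: The five lines from `if [ `echo abc | head -n 1` = "abc" ]` through its `fi` sit at column 0 inside an indented block, and the probe for `head -n` support is re-run every time the PHP test executes; moving the probe to the tool-detection section at the top of the script and recording the chosen option (e.g. `HEADOPT`) would reduce this to a single `fileshead=` assignment. The fallback branch also uses bare `grep` where the first branch uses `$egrep`, so the two branches are not equivalent on systems where `egrep` was resolved to a different binary. `-exec head ... {} \;` spawns one process per file under `${ROOTDIR}tmp` and `${ROOTDIR}var/tmp`, which can be slow on busy hosts and is worth a comment where the line is written.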
@@ -1089,7 +1156,7 @@
echo "Warning: \`${files}' file size is zero"
files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
[ ! -z "${files1}" ] && \
- echo "Warning: \`${files}' is linked to another file"
+ echo "Warning: \`${files1}' is linked to another file"
fi
if [ -z "${files}" -a -z "${files1}" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
@@ -1195,7 +1262,7 @@
STATUS=${INFECTED}
fi;;
FreeBSD)
- [ `echo $V | awk '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2
+ [ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2
if [ `${strings} -a ${CMD} | \
${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
then
@@ -1231,7 +1298,7 @@
fi
fi;;
FreeBSD)
- [ `echo $V | awk '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
+ [ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
then
STATUS=${INFECTED}
@@ -1258,7 +1325,7 @@
fi
fi
GENERAL="^root$"
- TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT"
+ TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola"
ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
if [ ${ret} -gt 0 ]; then
case ${ret} in
@@ -1496,7 +1563,7 @@
chk_netstat () {
STATUS=${NOT_INFECTED}
-NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h"
+NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
CMD=`loc netstat netstat $pth`
if [ "${EXPERT}" = "t" ]; then
@@ -1515,7 +1582,7 @@
chk_ps () {
STATUS=${NOT_INFECTED}
PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\
-/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h"
+/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so"
CMD=`loc ps ps $pth`
if [ "${EXPERT}" = "t" ]; then
@@ -1567,8 +1634,9 @@
expertmode_output "${CMD} -l -u nobody"
return 5
fi
- if ${CMD} -l -u nobody >/dev/null 2>&1 ; then
- printn "Warning: crontab for nobody found, possible Lupper.Worm... "
+ # slackware's crontab have a bug
+ if ( ${CMD} -l -u nobody | $egrep [0-9] ) >/dev/null 2>&1 ; then
+ ${echo} "Warning: crontab for nobody found, possible Lupper.Worm... "
if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
then
STATUS=${INFECTED}
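Review bot: In `( ${CMD} -l -u nobody | $egrep [0-9] )` the pattern `[0-9]` is an unquoted glob, so if the working directory contains a file named with a single digit the shell expands it to that filename and egrep searches for the wrong thing; quote it as `$egrep '[0-9]'`. The comment `# slackware's crontab have a bug` would be more useful if it named the bug (presumably non-empty output for a user without a crontab, which is why the digit check was added). The enclosing function starts before this hunk.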
@@ -1579,7 +1647,7 @@
chk_top () {
STATUS=${NOT_INFECTED}
- TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h"
+ TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit"
CMD=`loc top top $pth`
@@ -2400,12 +2468,12 @@
fi
if [ -r ${ROOTDIR}etc/inetd.conf ]; then
- for SHELL in ${SHELLS}; do
- cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$SHELL.*" > /dev/null
+ for CHK_SHELL in ${SHELLS}; do
+ cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null
if [ ${?} -ne 1 ]; then
if [ "${EXPERT}" = "t" ]; then
echo "Backdoor shell record(s) in /etc/inetd.conf: "
- cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$SHELL.*"
+ cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*"
fi
STATUS=${INFECTED}
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/chkrootkit.lsm new/chkrootkit-0.49/chkrootkit.lsm
--- old/chkrootkit-0.47/chkrootkit.lsm 2006-10-09 21:26:16.000000000 +0200
+++ new/chkrootkit-0.49/chkrootkit.lsm 2009-07-30 15:40:46.000000000 +0200
@@ -1,7 +1,7 @@
Begin3
Title: Chkrootkit
-Version: 0.47
-Entered-date: Mon Oct 9 16:25:06 BRT 2006
+Version: 0.49
+Entered-date: Thu Jul 30 10:40:29 BRT 2009
Description: locally checks for signs of a rootkit
Keywords: rootkit check vulnerability unix LKM Ramen Lion Worn Adore Worm
Author: Nelson Murilo
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/chkutmp.c new/chkrootkit-0.49/chkutmp.c
--- old/chkrootkit-0.47/chkutmp.c 2006-02-11 18:02:49.000000000 +0100
+++ new/chkrootkit-0.49/chkutmp.c 2009-07-30 15:43:17.000000000 +0200
@@ -21,9 +21,10 @@
* with this program; if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
- * Changelog:
- * Ighighi X - Improved speed via break command - 2005/03/27
- *
+ * Changelog:
+ * Ighighi X - Improved speed via break command - 2005/03/27
+ * Some overflow fixes by Michael Schwendt - 2009/07/21
+ *
*/
#if !defined(__sun) && !defined(__linux__)
@@ -80,7 +81,7 @@
char line[MAXREAD + 1], pid[UT_PIDSIZE];
char *s, *d;
struct ps_line *curp = &psl_p[0];
- struct ps_line *endp = &psl_p[MAXBUF];
+ struct ps_line *endp = &psl_p[MAXBUF-1];
int i, x;
i = 0;
@@ -132,7 +133,7 @@
struct utmp ut;
#endif
struct utmp_line *curp = &utl_p[0];
- struct utmp_line *endp = &utl_p[MAXBUF];
+ struct utmp_line *endp = &utl_p[MAXBUF-1];
int i, f, del_cnt, sz_ut;
i = del_cnt = 0;
@@ -176,9 +177,9 @@
y = fetchps(ps_l);
z = fetchutmp(ut_l);
hdr_prntd = 0;
- for (h = 0; h <= y; h++) { /* loop through 'ps' data */
+ for (h = 0; h < y; h++) { /* loop through 'ps' data */
mtch_fnd = 0;
- for (i = 0; i <= z; i++) { /* try and match the tty from 'ps' to one in utmp */
+ for (i = 0; i < z; i++) { /* try and match the tty from 'ps' to one in utmp */
if (ut_l[i].ut_type == LOGIN_PROCESS /* ignore getty processes with matching pid from 'ps' */
&& ut_l[i].ut_pid == ps_l[h].ps_pid)
{
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/chkrootkit-0.47/ifpromisc.c new/chkrootkit-0.49/ifpromisc.c
--- old/chkrootkit-0.47/ifpromisc.c 2006-10-09 22:12:33.000000000 +0200
+++ new/chkrootkit-0.49/ifpromisc.c 2007-12-24 13:18:02.000000000 +0100
@@ -63,7 +63,8 @@
};
char *Release = "chkrootkit package",
- *Version = "@(#) ifpromisc 0.8 (2003/11/30)";
+ *Version = "@(#) ifpromisc 0.9 (2007/06/15)";
+// *Version = "@(#) ifpromisc 0.8 (2003/11/30)";
int skfd = -1; /* AF_INET or AF_PACKET raw socket desc. */
int q = 0; /* Quiet mode on or off */
@@ -166,7 +167,8 @@
if ((dir = opendir(path)) == NULL)
{
- perror(path);
+ if (errno != ENOENT)
+ perror(path);
return;
}
++++++ chkrootkit-rpmlintrc ++++++
# This line is mandatory to access the configuration functions
from Config import *
# strings-static is linked with ${STATIC} on purpose: the chkrootkit script
# requires a statically linked strings binary for its ld.so.preload check,
# so rpmlint's statically-linked-binary warning is expected for this package.
addFilter("chkrootkit.* statically-linked-binary")
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++