commit chkrootkit

Hello community, here is the log from the commit of package chkrootkit checked in at Tue Nov 7 20:42:18 CET 2006. -------- --- chkrootkit/chkrootkit.changes 2006-05-22 20:39:48.000000000 +0200 +++ /mounts/work_src_done/STABLE/chkrootkit/chkrootkit.changes 2006-11-07 17:17:33.000000000 +0100 @@ -1,0 +2,9 @@ +Tue Nov 7 17:06:28 CET 2006 - meissner@suse.de + +- upgraded to 0.47. + - check for Enye LKM and Lupper.Worm + - Fix for long lines in PS output + - Add getpriority to identify LKMs + - added various new rootkit signatures + +------------------------------------------------------------------- Old: ---- chkrootkit-0.46a.tar.gz New: ---- chkrootkit-0.47.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ chkrootkit.spec ++++++ --- /var/tmp/diff_new_pack.eoqWB9/_old 2006-11-07 20:42:10.000000000 +0100 +++ /var/tmp/diff_new_pack.eoqWB9/_new 2006-11-07 20:42:11.000000000 +0100 @@ -1,5 +1,5 @@ # -# spec file for package chkrootkit (Version 0.46a) +# spec file for package chkrootkit (Version 0.47) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,18 +12,18 @@ Name: chkrootkit URL: http://www.chkrootkit.org/ -License: BSD, Other License(s), see package +License: BSD License and BSD-like, Other License(s), see package Group: Productivity/Security Autoreqprov: on Summary: Used to Check for Symptoms of Installed Root Kits -Version: 0.46a -Release: 12 -Source0: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.46a.tar.gz +Version: 0.47 +Release: 1 +Source0: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.47.tar.gz Patch0: chkrootkit-0.45.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -This is a set of tools that detect rootkit (programs that hide the +This is a set of tools that detect rootkit (a program that hides the presence of attackers) symptoms on a system. Rootkits can hide using kernel modules, but they always leave some @@ -59,6 +59,12 @@ /sbin/* %changelog -n chkrootkit +* Tue Nov 07 2006 - meissner@suse.de +- upgraded to 0.47. + - check for Enye LKM and Lupper.Worm + - Fix for long lines in PS output + - Add getpriority to identify LKMs + - added various new rootkit signatures * Mon May 22 2006 - schwab@suse.de - Don't strip binaries. * Wed Jan 25 2006 - mls@suse.de ++++++ chkrootkit-0.45.diff ++++++ --- /var/tmp/diff_new_pack.eoqWB9/_old 2006-11-07 20:42:11.000000000 +0100 +++ /var/tmp/diff_new_pack.eoqWB9/_new 2006-11-07 20:42:11.000000000 +0100 @@ -52,16 +52,6 @@ clean: rm -f ${OBJS} core chklastlog chkwtmp ifpromisc chkproc chkdirs check_wtmpx strings-static chkutmp ---- chkproc.c -+++ chkproc.c -@@ -46,6 +46,7 @@ - int main (){ return 0; } - #else - #include -+#include - #include - #include - #include --- chkrootkit +++ chkrootkit @@ -158,23 +158,23 @@ ++++++ chkrootkit-0.46a.tar.gz -> chkrootkit-0.47.tar.gz ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/ACKNOWLEDGMENTS new/chkrootkit-0.47/ACKNOWLEDGMENTS --- old/chkrootkit-0.46a/ACKNOWLEDGMENTS 2005-10-26 21:04:34.000000000 +0200 +++ new/chkrootkit-0.47/ACKNOWLEDGMENTS 2006-10-09 21:39:47.000000000 +0200 @@ -84,7 +84,7 @@ Markus Alt (Typo) Egon Eckert (tcpd test at debian) Silvio and nacho (zaRwT rootkit) -Lantz Moore (promisc test on Linux kernels 2.[46].x) +Lantz Moore (promisc test on Linux kernels 2.[46].x and many patches) Marcel Haman (another Suckit sign) Alfred (found sniffer in another area (/usr/lib)) Ymailer (several CGI backdoors) @@ -100,3 +100,8 @@ Ighighi X (chkutmp) Jérémie Andréi (chkwtmp) Aaron Harwood (chkdirs) +Yjesus(unhide) (chkproc.c) +Slider/Flimbo (chkproc.c) +UnSpawn (error reports) +Milan Kerslager (new rootkits signs) +Gary Funk (new rootkits signs) diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/COPYRIGHT new/chkrootkit-0.47/COPYRIGHT --- old/chkrootkit-0.46a/COPYRIGHT 2005-10-19 19:32:15.000000000 +0200 +++ new/chkrootkit-0.47/COPYRIGHT 2006-10-09 21:33:51.000000000 +0200 @@ -1,6 +1,6 @@ # @(#)COPYRIGHT 1.2 (Pangeia Informatica) 2/21/97 -Copyright 1996-2003 - Pangeia Informatica, All rights reserved. +Copyright 1996-2006 - Pangeia Informatica, All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/Makefile new/chkrootkit-0.47/Makefile --- old/chkrootkit-0.46a/Makefile 2005-10-19 19:32:15.000000000 +0200 +++ new/chkrootkit-0.47/Makefile 2006-10-09 21:29:19.000000000 +0200 @@ -1,6 +1,6 @@ # # Makefile for chkrootkit -# (C) 1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. +# (C) 1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. # CC = gcc diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/README new/chkrootkit-0.47/README --- old/chkrootkit-0.46a/README 2005-10-28 17:23:07.000000000 +0200 +++ new/chkrootkit-0.47/README 2006-10-09 23:25:08.000000000 +0200 @@ -1,4 +1,4 @@ - chkrootkit V. 0.46a + chkrootkit V. 0.47 Nelson Murilo (main author) Klaus Steding-Jessen (co-author) @@ -129,12 +129,12 @@ Where testname stands for one or more from the following list: aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper - z2 chkutmp amd basename biff chfn chsh cron date du dirname echo - egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf - identd init killall ldsopreload login ls lsof mail mingetty netstat - named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin - sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute - vdir w write + z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname + echo egrep env find fingerd gpm grep hdparm su ifconfig inetd + inetdconf identd init killall ldsopreload login ls lsof mail mingetty + netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd + slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed + traceroute vdir w write For example, the following command checks for trojaned ps and ls binaries and also checks if the network interface is in promiscuous @@ -342,5 +342,9 @@ 10/28/2005 - Version 0.46a chkproc.c: bug fix for FreeBSD: chkproc was sending a SIGXFSZ (kill -25) to init, causing a reboot. + 10/10/2006 - Version 0.47 chkproc.c: bug fixes, use of getpriority(), + Enye LKM detected. chkrootkit: crontab + test, Enye LKM and Lupper.Worm detected, + minor bug fixes. -------------- Thx for using chkrootkit ---------------- diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkproc.c new/chkrootkit-0.47/chkproc.c --- old/chkrootkit-0.46a/chkproc.c 2005-10-28 17:23:24.000000000 +0200 +++ new/chkrootkit-0.47/chkproc.c 2006-07-25 16:55:21.000000000 +0200 @@ -1,6 +1,6 @@ /* (C) Nelson Murilo - 2004/09/13 - Version 0.9 + Version 0.10 C port from chkproc.pl code from Klaus Steding-Jessen and Cristine Hoepers +little output changes. @@ -40,12 +40,23 @@ 2005/10/28 - Bug fix for FreeBSD: chkproc was sending a SIGXFSZ (kill -25) to init, causing a reboot. Patch by Nelson Murilo. Thanks to Luiz E. R. Cordeiro. + + 2005/11/15 - Add check for Enye LKM - Nelson Murilo + + 2005/11/25 - Fix for long lines in PS output - patch by Lantz Moore + + 2006/01/05 - Add getpriority to identify LKMs, ideas from Yjesus(unhide) and + Slider/Flimbo (skdet) + + 2006/01/11 - Fix signal 25 on parisc linux and return of kill() - + Thanks to Lantz Moore */ #if !defined(__linux__) && !defined(__FreeBSD__) && !defined(__sun) int main (){ return 0; } #else #include +#include #include #include #include @@ -57,6 +68,7 @@ #include #include #endif +#include #define PS_SUN 0 #define PS_LOL 1 @@ -72,6 +84,10 @@ #define MAX_PROCESSES 99999 #define MAX_BUF 1024 +#if !defined (SIGXFSZ) +#define SIGXFSZ 25 +#endif + static char *ps_cmds[] = { "ps -edf", "ps auxw", @@ -85,6 +101,30 @@ int isathread[MAX_PROCESSES+1]; #endif +/* + * read at most the first (size-1) chars into s and terminate with a '\0'. + * stops reading after a newline or EOF. if a newline is read, it will be + * the last char in the string. if no newline is found in the first + * (size-1) chars, then keep reading and discarding chars until a newline + * is found or EOF. + */ +char *readline(char *s, int size, FILE *stream) +{ + char *rv = fgets(s, size, stream); + + if (strlen(s) == (size-1) && s[size-1] != '\n') + { + char buf[MAX_BUF]; + fgets(buf, MAX_BUF, stream); + while (strlen(buf) == (MAX_BUF-1) && buf[MAX_BUF-1] != '\n') + { + fgets(buf, MAX_BUF, stream); + } + } + + return rv; +} + int main(int argc, char **argv) { char buf[MAX_BUF], *p, path[MAX_BUF]; @@ -102,7 +142,7 @@ psinfo_t psbuf; #endif - pv = verbose = 0; + pv = verbose = 0; if (!proc) { @@ -120,13 +160,15 @@ } #if defined(__linux__) else if (!memcmp(argv[i], "-p", 2)) - if (i+1 < argc) - pv = atoi(argv[++i]); - else - { - printf("Usage: %s [-v] [-v] [-p procps version]\n", argv[0]); - return 0; - } + { + if (i+1 < argc) + pv = atoi(argv[++i]); + else + { + printf("Usage: %s [-v] [-v] [-p procps version]\n", argv[0]); + return 0; + } + } #endif } #if defined(__sun) @@ -141,7 +183,7 @@ /* printf("pv = %d\n\r", pv); /* -- DEBUG */ #endif -/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */ +/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */ if (!(ps = popen(pscmd, "r"))) { perror("ps"); @@ -149,14 +191,14 @@ } *buf = 0; - fgets(buf, MAX_BUF, ps); /* Skip header */ + readline(buf, MAX_BUF, ps); /* Skip header */ #if defined(__sun) if (!isspace(*buf)) #else if (!isalpha(*buf)) #endif { - fgets(buf, MAX_BUF, ps); /* Skip header */ + readline(buf, MAX_BUF, ps); /* Skip header */ if (!isalpha(*buf) && pv != PS_LNX) { if (pv != PS_LOL) @@ -175,7 +217,7 @@ #endif } - while (fgets(buf, MAX_BUF, ps)) + while (readline(buf, MAX_BUF, ps)) { p = buf; #if defined(__sun) @@ -190,7 +232,7 @@ ret = atol(p); if ( ret < 0 || ret > MAX_PROCESSES ) { - fprintf (stderr, " OooPS, not expected %d value\n", ret); + fprintf (stderr, " OooPS, not expected %ld value\n", ret); exit (2); } psproc[ret] = 1; @@ -217,7 +259,7 @@ else if (maybeathread) { isathread[atol(tmp_d_name)] = 1; /* mark it as a linux NTPL thread if it's in the form of "\.[0-9]*" */ if (verbose) - printf("%d is a Linux Thread, marking as such...\n", atol(tmp_d_name)); + printf("%ld is a Linux Thread, marking as such...\n", atol(tmp_d_name)); } #endif @@ -234,7 +276,6 @@ snprintf(&buf[6], 6, "%d", i); if (!chdir(buf)) { -/* if (!dirproc[i] ) /* && !kill(i, 0)) */ if (!dirproc[i] && !psproc[i]) { #if defined(__linux__) @@ -293,6 +334,18 @@ } #endif } + else + { + errno = 0; + getpriority(PRIO_PROCESS, i); + if (!errno) + { + retdir++; + if (verbose) + printf ("PID %5d(%s): not in getpriority readdir output\n", i, buf); + } + } + } if (retdir) printf("You have % 5d process hidden for readdir command\n", retdir); @@ -300,11 +353,17 @@ printf("You have % 5d process hidden for ps command\n", retps); #if defined(__linux__) kill(1, 100); /* Check for SIGINVISIBLE Adore signal */ - if (kill (1, 25) > 0 && errno == 3) + if (kill (1, SIGXFSZ) < 0 && errno == 3) { printf("SIGINVISIBLE Adore found\n"); retdir+= errno; } + /* Check for Enye LKM */ + if (kill (12345, 58) >= 0) + { + printf("Enye LKM found\n"); + retdir+= errno; + } #endif return (retdir+retps); } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkrootkit new/chkrootkit-0.47/chkrootkit --- old/chkrootkit-0.46a/chkrootkit 2005-10-26 21:35:26.000000000 +0200 +++ new/chkrootkit-0.47/chkrootkit 2006-10-09 21:20:54.000000000 +0200 @@ -1,13 +1,13 @@ #! /bin/sh # -*- Shell-script -*- -# $Id: chkrootkit, v 0.46 2005/10/26 -CHKROOTKIT_VERSION='0.46' +# $Id: chkrootkit, v 0.47 2006/10/10 +CHKROOTKIT_VERSION='0.47' # Authors: Nelson Murilo (main author) and # Klaus Steding-Jessen # -# (C)1997-2005 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. +# (C)1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. # All rights reserved ### workaround for some Bourne shell implementations @@ -18,14 +18,14 @@ unalias dirname > /dev/null 2>&1 # Workaround for recent GNU coreutils -export _POSIX2_VERSION=199209 - +_POSIX2_VERSION=199209 +export _POSIX2_VERSION # Native commands -TROJAN="amd basename biff chfn chsh cron date du dirname echo egrep env find \ -fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall \ -ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 \ -ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \ +TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \ +env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \ +killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \ +pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \ tcpdump top telnetd timed traceroute vdir w write" # Tools @@ -242,9 +242,8 @@ if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi fi } - bindshell () { -PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|10008|12321|23132|27374|29364|30999|31336|31337|45454|47017|47889|60001" +PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222" OPT="-an" PI="" if [ "${ROOTDIR}" != "/" ]; then @@ -286,7 +285,7 @@ if [ "${EXPERT}" = "t" ]; then [ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null - PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'` + PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'` [ "$PV" = "" ] && PV=2 [ "${SYSTEM}" = "SunOS" ] && PV=0 expertmode_output "./chkproc -v -v -p $PV" @@ -354,8 +353,9 @@ ### sniffer's logs expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \ ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \ -.linux-sniff -o -name sniff-l0g -o -name core_ -o -name ${ROOTDIR}usr/lib/in.httpd -o \ --name ${ROOTDIR}usr/lib/in.pop3d" +.linux-sniff -o -name sniff-l0g -o -name core_ -o" + expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \ +-name in.pop3d" ### t0rn expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \ @@ -460,7 +460,7 @@ ### Showtee expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \ -${ROOTDIR}usr/lib/.wormie ${ROOTDIR}usr/lib/libfl.so \ +${ROOTDIR}usr/lib/.wormie \ ${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \ ${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \ ${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \ @@ -495,6 +495,7 @@ ## Suckit rootkit expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME" expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init." + expertmode_output "cat ${ROOTDIR}dev/.golf" ## Volc rootkit expertmode_output "${ls} ${ROOTDIR}usr/bin/volc" @@ -541,12 +542,14 @@ for i in `$echo ${PATH}|tr -s ':' ' '`; do expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor" done + ## ENYE-LKM + expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko" ### shell history file check if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then - expertmode_output "${find} ${ROOTDIR}${HOME} -name .*history \ + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ -size 0" - expertmode_output "${find} ${ROOTDIR}${HOME} -name .*history \ + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ \( -links 2 -o -type l \)" fi @@ -712,7 +715,7 @@ printn "Searching for LPD Worm files and dirs... "; fi if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \ - ${egrep} "^666" ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ; + ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ; then echo "Possible LPD worm installed" elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \ @@ -827,7 +830,7 @@ ### China Worm (Sadmind/IIS Worm) if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi - files=`${find} ${ROOTDIR}dev/cuc > /dev/null 2>&1` + files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else @@ -837,7 +840,7 @@ ### MonKit if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \ -> /dev/null 2>&1` +2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else @@ -846,7 +849,7 @@ ### Showtee if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi - if [ -d ${ROOTDIR}usr/lib/.egcs ] || [ -f ${ROOTDIR}usr/lib/libfl.so ] || \ + if [ -d ${ROOTDIR}usr/lib/.egcs ] || \ [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \ [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \ [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \ @@ -862,7 +865,7 @@ ### if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \ -> /dev/null 2>&1` +2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else @@ -872,7 +875,7 @@ ### T.R.K files="" if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi - files=`${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1` + files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else @@ -882,7 +885,7 @@ ### Mithra's Rootkit files="" if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi - files=`${ROOTDIR}usr/lib/locale -name uboot >/dev/null 2>&1` + files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else @@ -893,7 +896,7 @@ if [ "${SYSTEM}" != "SunOS" -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then files="" if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi - files=`find ${ROOTDIR}usr/lib/security 2>/dev/null` + files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null` if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else @@ -944,7 +947,11 @@ then echo "Warning: ${ROOTDIR}sbin/init INFECTED" else - if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi + if [ -d ${ROOTDIR}/dev/.golf ]; then + echo "Warning: Suspect directory ${ROOTDIR}dev/.golf" + else + if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi + fi fi fi @@ -1061,6 +1068,15 @@ [ "${found}" = "0" ] &&\ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi + ### ENYELKM + if [ "${QUIET}" != "t" ]; then + printn "Searching for ENYELKM rootkit default files... "; fi + if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then + echo "Possible ENYELKM rootkit installed" + else + if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi + fi + ### ### shell history anomalies ### @@ -1068,14 +1084,14 @@ printn "Searching for anomalies in shell history files... "; fi files="" if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then - files=`${find} ${ROOTDIR}${HOME} -name '.*history' -size 0` + files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0` [ ! -z "${files}" ] && \ echo "Warning: \`${files}' file size is zero" - files=`${find} ${ROOTDIR}${HOME} -name '.*history' \( -links 2 -o -type l \)` - [ ! -z "${files}" ] && \ + files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)` + [ ! -z "${files1}" ] && \ echo "Warning: \`${files}' is linked to another file" fi - if [ -z "${files}" ]; then + if [ -z "${files}" -a -z "${files1}" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi } @@ -1120,7 +1136,7 @@ getCMD() { RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \ - ${egrep} -v egrep | ${egrep} -v chkrootkit | _head -1 | \ + ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \ ${awk} '{ print $5 }'` for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth` @@ -1251,7 +1267,7 @@ STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; 2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \ "OpenBSD" -a `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; - 7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; + 6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; *) STATUS=${INFECTED};; esac fi @@ -1499,7 +1515,7 @@ chk_ps () { STATUS=${NOT_INFECTED} PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\ -/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|proc\.h" +/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h" CMD=`loc ps ps $pth` if [ "${EXPERT}" = "t" ]; then @@ -1536,6 +1552,31 @@ return ${STATUS} } +chk_crontab () { + STATUS=${NOT_INFECTED} + CRONTAB_I_L="crontab.*666" + + CMD=`loc crontab crontab $pth` + + if [ ! -r ${CMD} ] + then + return ${NOT_FOUND} + fi + + if [ "${EXPERT}" = "t" ]; then + expertmode_output "${CMD} -l -u nobody" + return 5 + fi + if ${CMD} -l -u nobody >/dev/null 2>&1 ; then + printn "Warning: crontab for nobody found, possible Lupper.Worm... " + if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1 + then + STATUS=${INFECTED} + fi + fi + return ${STATUS} +} + chk_top () { STATUS=${NOT_INFECTED} TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h" diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkrootkit.lsm new/chkrootkit-0.47/chkrootkit.lsm --- old/chkrootkit-0.46a/chkrootkit.lsm 2005-10-28 17:24:00.000000000 +0200 +++ new/chkrootkit-0.47/chkrootkit.lsm 2006-10-09 21:26:16.000000000 +0200 @@ -1,7 +1,7 @@ Begin3 Title: Chkrootkit -Version: 0.46a -Entered-date: Fri Oct 28 13:23:52 BRST 2005 +Version: 0.47 +Entered-date: Mon Oct 9 16:25:06 BRT 2006 Description: locally checks for signs of a rootkit Keywords: rootkit check vulnerability unix LKM Ramen Lion Worn Adore Worm Author: Nelson Murilo @@ -9,6 +9,6 @@ Primary-site: http://www.chkrootkit.org Alternate-site: ftp://ftp.pangeia.com.br/pub/seg/pac/ Original-site: -Platform: Linux, FreeBSD, OpenBSD, NetBSD, Sun/Solaris, HPUX, BSDI, TRU64 +Platform: Linux, FreeBSD, OpenBSD, NetBSD, Sun/Solaris, HPUX, BSDI, TRU64, Mac OS X Copying-policy: AMS End diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkwtmp.c new/chkrootkit-0.47/chkwtmp.c --- old/chkrootkit-0.46a/chkwtmp.c 2005-10-19 19:32:36.000000000 +0200 +++ new/chkrootkit-0.47/chkwtmp.c 2006-10-09 21:56:33.000000000 +0200 @@ -46,7 +46,7 @@ char buffer[30]; printf("%d deletion(s) between ", counter); - strcpy(buffer, ctime( (time_t *) &start)); + strncpy(buffer, ctime( (time_t *) &start), 30); buffer[24]='\0'; printf("%s and %s", buffer, ctime( (time_t *) &end)); } diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/ifpromisc.c new/chkrootkit-0.47/ifpromisc.c --- old/chkrootkit-0.46a/ifpromisc.c 2005-10-19 19:32:38.000000000 +0200 +++ new/chkrootkit-0.47/ifpromisc.c 2006-10-09 22:12:33.000000000 +0200 @@ -303,9 +303,9 @@ struct ifreq ifr; memset((char *) ife, 0, sizeof(struct interface)); - strcpy(ife->name, ifname); + strncpy(ife->name, ifname, sizeof(ife->name)); - strcpy(ifr.ifr_name, ifname); + strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); if (ioctl(skfd, SIOCGIFFLAGS, &ifr) < 0) return(-1); ife->flags = ifr.ifr_flags; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org