Hello community,
here is the log from the commit of package chkrootkit
checked in at Tue Nov 7 20:42:18 CET 2006.
--------
--- chkrootkit/chkrootkit.changes 2006-05-22 20:39:48.000000000 +0200
+++ /mounts/work_src_done/STABLE/chkrootkit/chkrootkit.changes 2006-11-07 17:17:33.000000000 +0100
@@ -1,0 +2,9 @@
+Tue Nov 7 17:06:28 CET 2006 - meissner@suse.de
+
+- upgraded to 0.47.
+ - check for Enye LKM and Lupper.Worm
+ - Fix for long lines in PS output
+ - Add getpriority to identify LKMs
+ - added various new rootkit signatures
+
+-------------------------------------------------------------------
Old:
----
chkrootkit-0.46a.tar.gz
New:
----
chkrootkit-0.47.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ chkrootkit.spec ++++++
--- /var/tmp/diff_new_pack.eoqWB9/_old 2006-11-07 20:42:10.000000000 +0100
+++ /var/tmp/diff_new_pack.eoqWB9/_new 2006-11-07 20:42:11.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package chkrootkit (Version 0.46a)
+# spec file for package chkrootkit (Version 0.47)
#
# Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -12,18 +12,18 @@
Name: chkrootkit
URL: http://www.chkrootkit.org/
-License: BSD, Other License(s), see package
+License: BSD License and BSD-like, Other License(s), see package
Group: Productivity/Security
Autoreqprov: on
Summary: Used to Check for Symptoms of Installed Root Kits
-Version: 0.46a
-Release: 12
-Source0: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.46a.tar.gz
+Version: 0.47
+Release: 1
+Source0: ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit-0.47.tar.gz
Patch0: chkrootkit-0.45.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
-This is a set of tools that detect rootkit (programs that hide the
+This is a set of tools that detect rootkit (a program that hides the
presence of attackers) symptoms on a system.
Rootkits can hide using kernel modules, but they always leave some
@@ -59,6 +59,12 @@
/sbin/*
%changelog -n chkrootkit
+* Tue Nov 07 2006 - meissner@suse.de
+- upgraded to 0.47.
+ - check for Enye LKM and Lupper.Worm
+ - Fix for long lines in PS output
+ - Add getpriority to identify LKMs
+ - added various new rootkit signatures
* Mon May 22 2006 - schwab@suse.de
- Don't strip binaries.
* Wed Jan 25 2006 - mls@suse.de
++++++ chkrootkit-0.45.diff ++++++
--- /var/tmp/diff_new_pack.eoqWB9/_old 2006-11-07 20:42:11.000000000 +0100
+++ /var/tmp/diff_new_pack.eoqWB9/_new 2006-11-07 20:42:11.000000000 +0100
@@ -52,16 +52,6 @@
clean:
rm -f ${OBJS} core chklastlog chkwtmp ifpromisc chkproc chkdirs check_wtmpx strings-static chkutmp
---- chkproc.c
-+++ chkproc.c
-@@ -46,6 +46,7 @@
- int main (){ return 0; }
- #else
- #include
-+#include
- #include
- #include
- #include
--- chkrootkit
+++ chkrootkit
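Review bot: Dropping the chkproc.c `#include` hunk from the local patch is right, since the upstream chkproc.c diff further down in this mail adds the same include itself. The second hunk, headed `@@ -158,23 +158,23 @@` for the chkrootkit script, has no body here, so the rebased script part of the patch cannot be reviewed from this log.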
@@ -158,23 +158,23 @@
++++++ chkrootkit-0.46a.tar.gz -> chkrootkit-0.47.tar.gz ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/ACKNOWLEDGMENTS new/chkrootkit-0.47/ACKNOWLEDGMENTS
--- old/chkrootkit-0.46a/ACKNOWLEDGMENTS 2005-10-26 21:04:34.000000000 +0200
+++ new/chkrootkit-0.47/ACKNOWLEDGMENTS 2006-10-09 21:39:47.000000000 +0200
@@ -84,7 +84,7 @@
Markus Alt (Typo)
Egon Eckert (tcpd test at debian)
Silvio and nacho (zaRwT rootkit)
-Lantz Moore (promisc test on Linux kernels 2.[46].x)
+Lantz Moore (promisc test on Linux kernels 2.[46].x and many patches)
Marcel Haman (another Suckit sign)
Alfred (found sniffer in another area (/usr/lib))
Ymailer (several CGI backdoors)
@@ -100,3 +100,8 @@
Ighighi X (chkutmp)
Jérémie Andréi (chkwtmp)
Aaron Harwood (chkdirs)
+Yjesus(unhide) (chkproc.c)
+Slider/Flimbo (chkproc.c)
+UnSpawn (error reports)
+Milan Kerslager (new rootkits signs)
+Gary Funk (new rootkits signs)
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/COPYRIGHT new/chkrootkit-0.47/COPYRIGHT
--- old/chkrootkit-0.46a/COPYRIGHT 2005-10-19 19:32:15.000000000 +0200
+++ new/chkrootkit-0.47/COPYRIGHT 2006-10-09 21:33:51.000000000 +0200
@@ -1,6 +1,6 @@
# @(#)COPYRIGHT 1.2 (Pangeia Informatica) 2/21/97
-Copyright 1996-2003 - Pangeia Informatica, All rights reserved.
+Copyright 1996-2006 - Pangeia Informatica, All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/Makefile new/chkrootkit-0.47/Makefile
--- old/chkrootkit-0.46a/Makefile 2005-10-19 19:32:15.000000000 +0200
+++ new/chkrootkit-0.47/Makefile 2006-10-09 21:29:19.000000000 +0200
@@ -1,6 +1,6 @@
#
# Makefile for chkrootkit
-# (C) 1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
+# (C) 1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
#
CC = gcc
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/README new/chkrootkit-0.47/README
--- old/chkrootkit-0.46a/README 2005-10-28 17:23:07.000000000 +0200
+++ new/chkrootkit-0.47/README 2006-10-09 23:25:08.000000000 +0200
@@ -1,4 +1,4 @@
- chkrootkit V. 0.46a
+ chkrootkit V. 0.47
Nelson Murilo (main author)
Klaus Steding-Jessen (co-author)
@@ -129,12 +129,12 @@
Where testname stands for one or more from the following list:
aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper
- z2 chkutmp amd basename biff chfn chsh cron date du dirname echo
- egrep env find fingerd gpm grep hdparm su ifconfig inetd inetdconf
- identd init killall ldsopreload login ls lsof mail mingetty netstat
- named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd slogin
- sendmail sshd syslogd tar tcpd tcpdump top telnetd timed traceroute
- vdir w write
+ z2 chkutmp amd basename biff chfn chsh cron crontab date du dirname
+ echo egrep env find fingerd gpm grep hdparm su ifconfig inetd
+ inetdconf identd init killall ldsopreload login ls lsof mail mingetty
+ netstat named passwd pidof pop2 pop3 ps pstree rpcinfo rlogind rshd
+ slogin sendmail sshd syslogd tar tcpd tcpdump top telnetd timed
+ traceroute vdir w write
For example, the following command checks for trojaned ps and ls
binaries and also checks if the network interface is in promiscuous
@@ -342,5 +342,9 @@
10/28/2005 - Version 0.46a chkproc.c: bug fix for FreeBSD: chkproc
was sending a SIGXFSZ (kill -25) to init,
causing a reboot.
+ 10/10/2006 - Version 0.47 chkproc.c: bug fixes, use of getpriority(),
+ Enye LKM detected. chkrootkit: crontab
+ test, Enye LKM and Lupper.Worm detected,
+ minor bug fixes.
-------------- Thx for using chkrootkit ----------------
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkproc.c new/chkrootkit-0.47/chkproc.c
--- old/chkrootkit-0.46a/chkproc.c 2005-10-28 17:23:24.000000000 +0200
+++ new/chkrootkit-0.47/chkproc.c 2006-07-25 16:55:21.000000000 +0200
@@ -1,6 +1,6 @@
/*
(C) Nelson Murilo - 2004/09/13
- Version 0.9
+ Version 0.10
C port from chkproc.pl code from Klaus Steding-Jessen
and Cristine Hoepers +little output changes.
@@ -40,12 +40,23 @@
2005/10/28 - Bug fix for FreeBSD: chkproc was sending a SIGXFSZ (kill -25)
to init, causing a reboot. Patch by Nelson Murilo.
Thanks to Luiz E. R. Cordeiro.
+
+ 2005/11/15 - Add check for Enye LKM - Nelson Murilo
+
+ 2005/11/25 - Fix for long lines in PS output - patch by Lantz Moore
+
+ 2006/01/05 - Add getpriority to identify LKMs, ideas from Yjesus(unhide) and
+ Slider/Flimbo (skdet)
+
+ 2006/01/11 - Fix signal 25 on parisc linux and return of kill() -
+ Thanks to Lantz Moore
*/
#if !defined(__linux__) && !defined(__FreeBSD__) && !defined(__sun)
int main (){ return 0; }
#else
#include
+#include
#include
#include
#include
@@ -57,6 +68,7 @@
#include
#include
#endif
+#include
#define PS_SUN 0
#define PS_LOL 1
@@ -72,6 +84,10 @@
#define MAX_PROCESSES 99999
#define MAX_BUF 1024
+#if !defined (SIGXFSZ)
+#define SIGXFSZ 25
+#endif
+
static char *ps_cmds[] = {
"ps -edf",
"ps auxw",
@@ -85,6 +101,30 @@
int isathread[MAX_PROCESSES+1];
#endif
+/*
+ * read at most the first (size-1) chars into s and terminate with a '\0'.
+ * stops reading after a newline or EOF. if a newline is read, it will be
+ * the last char in the string. if no newline is found in the first
+ * (size-1) chars, then keep reading and discarding chars until a newline
+ * is found or EOF.
+ */
+char *readline(char *s, int size, FILE *stream)
+{
+ char *rv = fgets(s, size, stream);
+
+ if (strlen(s) == (size-1) && s[size-1] != '\n')
+ {
+ char buf[MAX_BUF];
+ fgets(buf, MAX_BUF, stream);
+ while (strlen(buf) == (MAX_BUF-1) && buf[MAX_BUF-1] != '\n')
+ {
+ fgets(buf, MAX_BUF, stream);
+ }
+ }
+
+ return rv;
+}
+
int main(int argc, char **argv)
{
char buf[MAX_BUF], *p, path[MAX_BUF];
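Review bot: The truncation test in `readline` is off by one: when `strlen(s) == size-1`, `s[size-1]` is the terminating NUL, so `s[size-1] != '\n'` is always true and the check degenerates to "the buffer is full". A ps line of exactly size-2 characters plus newline is therefore treated as truncated and the next line of ps output is discarded, so a PID can go missing from `psproc` and be reported as hidden from ps; the intended test is `s[size-2] != '\n'`, and the same correction applies to `buf[MAX_BUF-1]` in the discard loop. The `fgets` return values in that loop are also unchecked and `buf` is uninitialised, so at EOF `strlen(buf)` reads indeterminate memory; initialise `buf[0] = '\0'`, break when `fgets` returns NULL, and return straight away when `rv` is NULL instead of inspecting `s`.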
@@ -102,7 +142,7 @@
psinfo_t psbuf;
#endif
- pv = verbose = 0;
+ pv = verbose = 0;
if (!proc)
{
@@ -120,13 +160,15 @@
}
#if defined(__linux__)
else if (!memcmp(argv[i], "-p", 2))
- if (i+1 < argc)
- pv = atoi(argv[++i]);
- else
- {
- printf("Usage: %s [-v] [-v] [-p procps version]\n", argv[0]);
- return 0;
- }
+ {
+ if (i+1 < argc)
+ pv = atoi(argv[++i]);
+ else
+ {
+ printf("Usage: %s [-v] [-v] [-p procps version]\n", argv[0]);
+ return 0;
+ }
+ }
#endif
}
#if defined(__sun)
@@ -141,7 +183,7 @@
/* printf("pv = %d\n\r", pv); /* -- DEBUG */
#endif
-/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */
+/* printf("pscmd = %s\n\r", pscmd); /* -- DEBUG */
if (!(ps = popen(pscmd, "r")))
{
perror("ps");
@@ -149,14 +191,14 @@
}
*buf = 0;
- fgets(buf, MAX_BUF, ps); /* Skip header */
+ readline(buf, MAX_BUF, ps); /* Skip header */
#if defined(__sun)
if (!isspace(*buf))
#else
if (!isalpha(*buf))
#endif
{
- fgets(buf, MAX_BUF, ps); /* Skip header */
+ readline(buf, MAX_BUF, ps); /* Skip header */
if (!isalpha(*buf) && pv != PS_LNX)
{
if (pv != PS_LOL)
@@ -175,7 +217,7 @@
#endif
}
- while (fgets(buf, MAX_BUF, ps))
+ while (readline(buf, MAX_BUF, ps))
{
p = buf;
#if defined(__sun)
@@ -190,7 +232,7 @@
ret = atol(p);
if ( ret < 0 || ret > MAX_PROCESSES )
{
- fprintf (stderr, " OooPS, not expected %d value\n", ret);
+ fprintf (stderr, " OooPS, not expected %ld value\n", ret);
exit (2);
}
psproc[ret] = 1;
@@ -217,7 +259,7 @@
else if (maybeathread) {
isathread[atol(tmp_d_name)] = 1; /* mark it as a linux NTPL thread if it's in the form of "\.[0-9]*" */
if (verbose)
- printf("%d is a Linux Thread, marking as such...\n", atol(tmp_d_name));
+ printf("%ld is a Linux Thread, marking as such...\n", atol(tmp_d_name));
}
#endif
@@ -234,7 +276,6 @@
snprintf(&buf[6], 6, "%d", i);
if (!chdir(buf))
{
-/* if (!dirproc[i] ) /* && !kill(i, 0)) */
if (!dirproc[i] && !psproc[i])
{
#if defined(__linux__)
@@ -293,6 +334,18 @@
}
#endif
}
+ else
+ {
+ errno = 0;
+ getpriority(PRIO_PROCESS, i);
+ if (!errno)
+ {
+ retdir++;
+ if (verbose)
+ printf ("PID %5d(%s): not in getpriority readdir output\n", i, buf);
+ }
+ }
+
}
if (retdir)
printf("You have % 5d process hidden for readdir command\n", retdir);
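Review bot: The verbose message "not in getpriority readdir output" misdescribes this branch, which runs when `chdir("/proc/<pid>")` failed (the PID is absent from /proc) yet `getpriority(PRIO_PROCESS, i)` succeeded; something like "PID %5d: known to getpriority but absent from /proc" states what was actually observed. Testing `errno` after clearing it is the correct idiom here, since -1 is a legitimate return value of getpriority(); the new include added above must be `<sys/resource.h>` for `getpriority` and `PRIO_PROCESS` to be declared. Note also that this adds up to MAX_PROCESSES extra syscalls per run, one for every unused PID, which is acceptable for a one-shot checker but worth a comment.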
@@ -300,11 +353,17 @@
printf("You have % 5d process hidden for ps command\n", retps);
#if defined(__linux__)
kill(1, 100); /* Check for SIGINVISIBLE Adore signal */
- if (kill (1, 25) > 0 && errno == 3)
+ if (kill (1, SIGXFSZ) < 0 && errno == 3)
{
printf("SIGINVISIBLE Adore found\n");
retdir+= errno;
}
+ /* Check for Enye LKM */
+ if (kill (12345, 58) >= 0)
+ {
+ printf("Enye LKM found\n");
+ retdir+= errno;
+ }
#endif
return (retdir+retps);
}
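Review bot: `kill(12345, 58) >= 0` reports Enye on any successful kill(), but on Linux 58 is an ordinary real-time signal and chkproc runs as root, so if an unrelated process happens to hold PID 12345 the call succeeds, that process is terminated (the default disposition for real-time signals) and "Enye LKM found" is a false positive. Consult `dirproc[12345]`/`psproc[12345]` first and skip or flag the probe as inconclusive when the PID is in use. `retdir+= errno` after a successful kill() adds whatever stale value errno holds; `retdir++` is what is meant, and the same applies to the Adore branch, where `errno == 3` should be spelled `errno == ESRCH`. The change from `> 0` to `< 0` in the Adore test is correct, since kill() returns -1 on failure.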
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkrootkit new/chkrootkit-0.47/chkrootkit
--- old/chkrootkit-0.46a/chkrootkit 2005-10-26 21:35:26.000000000 +0200
+++ new/chkrootkit-0.47/chkrootkit 2006-10-09 21:20:54.000000000 +0200
@@ -1,13 +1,13 @@
#! /bin/sh
# -*- Shell-script -*-
-# $Id: chkrootkit, v 0.46 2005/10/26
-CHKROOTKIT_VERSION='0.46'
+# $Id: chkrootkit, v 0.47 2006/10/10
+CHKROOTKIT_VERSION='0.47'
# Authors: Nelson Murilo (main author) and
# Klaus Steding-Jessen
#
-# (C)1997-2005 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
+# (C)1997-2006 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# All rights reserved
### workaround for some Bourne shell implementations
@@ -18,14 +18,14 @@
unalias dirname > /dev/null 2>&1
# Workaround for recent GNU coreutils
-export _POSIX2_VERSION=199209
-
+_POSIX2_VERSION=199209
+export _POSIX2_VERSION
# Native commands
-TROJAN="amd basename biff chfn chsh cron date du dirname echo egrep env find \
-fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init killall \
-ldsopreload login ls lsof mail mingetty netstat named passwd pidof pop2 pop3 \
-ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
+TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \
+env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \
+killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \
+pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
tcpdump top telnetd timed traceroute vdir w write"
# Tools
@@ -242,9 +242,8 @@
if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
fi
}
-
bindshell () {
-PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|10008|12321|23132|27374|29364|30999|31336|31337|45454|47017|47889|60001"
+PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
OPT="-an"
PI=""
if [ "${ROOTDIR}" != "/" ]; then
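Review bot: 7222 is appended after 60001 while the rest of the PORT list is kept in ascending order; move it between 6667 and 10008 so the next addition can be checked for duplicates at a glance.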
@@ -286,7 +285,7 @@
if [ "${EXPERT}" = "t" ]; then
[ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
[ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
- PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
+ PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |$awk -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
[ "${SYSTEM}" = "SunOS" ] && PV=0
expertmode_output "./chkproc -v -v -p $PV"
@@ -354,8 +353,9 @@
### sniffer's logs
expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
-.linux-sniff -o -name sniff-l0g -o -name core_ -o -name ${ROOTDIR}usr/lib/in.httpd -o \
--name ${ROOTDIR}usr/lib/in.pop3d"
+.linux-sniff -o -name sniff-l0g -o -name core_ -o"
+ expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \
+-name in.pop3d"
### t0rn
expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
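Review bot: The first `find` expression now ends with a dangling `-o` (`-name core_ -o"`), which find rejects as an invalid expression, so in expert mode the sniffer-log search prints an error instead of results; drop the trailing `-o`. The new second command also omits the `${findargs}` that the first one passes, so the two searches no longer use the same traversal options.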
@@ -460,7 +460,7 @@
### Showtee
expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \
-${ROOTDIR}usr/lib/.wormie ${ROOTDIR}usr/lib/libfl.so \
+${ROOTDIR}usr/lib/.wormie \
${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \
${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \
${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \
@@ -495,6 +495,7 @@
## Suckit rootkit
expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
+ expertmode_output "cat ${ROOTDIR}dev/.golf"
## Volc rootkit
expertmode_output "${ls} ${ROOTDIR}usr/bin/volc"
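Review bot: `cat ${ROOTDIR}dev/.golf` treats the path as a regular file, while the non-expert Suckit check added later in this patch tests it with `-d`, i.e. as a directory; cat on a directory only prints an error. `${ls} -la ${ROOTDIR}dev/.golf` shows something useful in either case.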
@@ -541,12 +542,14 @@
for i in `$echo ${PATH}|tr -s ':' ' '`; do
expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor"
done
+ ## ENYE-LKM
+ expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
### shell history file check
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
- expertmode_output "${find} ${ROOTDIR}${HOME} -name .*history \
+ expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
-size 0"
- expertmode_output "${find} ${ROOTDIR}${HOME} -name .*history \
+ expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
\( -links 2 -o -type l \)"
fi
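Review bot: The expert-mode path `${ROOTDIR}etc/.enyeOCULTAR.ko` does not match the `${ROOTDIR}etc/.enyelkmOCULTAR.ko` tested by the ENYELKM check added further down in this patch; one of the two is a typo, and whichever is wrong will never match.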
@@ -712,7 +715,7 @@
printn "Searching for LPD Worm files and dirs... "; fi
if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \
- ${egrep} "^666" ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
+ ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
then
echo "Possible LPD worm installed"
elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \
@@ -827,7 +830,7 @@
### China Worm (Sadmind/IIS Worm)
if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi
- files=`${find} ${ROOTDIR}dev/cuc > /dev/null 2>&1`
+ files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
@@ -837,7 +840,7 @@
### MonKit
if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi
files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \
-> /dev/null 2>&1`
+2> /dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
@@ -846,7 +849,7 @@
### Showtee
if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi
- if [ -d ${ROOTDIR}usr/lib/.egcs ] || [ -f ${ROOTDIR}usr/lib/libfl.so ] || \
+ if [ -d ${ROOTDIR}usr/lib/.egcs ] || \
[ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \
[ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \
[ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \
@@ -862,7 +865,7 @@
###
if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi
files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \
-> /dev/null 2>&1`
+2> /dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
@@ -872,7 +875,7 @@
### T.R.K
files=""
if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi
- files=`${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1`
+ files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
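Review bot: Restoring the missing `${find}` fixes the command, but stdout is still redirected away (`>/dev/null 2>&1`), so `files` is always empty and T.R.K can never be reported; use `2> /dev/null` as the MonKit, OpticKit and Mithra hunks in this same patch do.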
@@ -882,7 +885,7 @@
### Mithra's Rootkit
files=""
if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi
- files=`${ROOTDIR}usr/lib/locale -name uboot >/dev/null 2>&1`
+ files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null`
if [ "${files}" = "" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
@@ -893,7 +896,7 @@
if [ "${SYSTEM}" != "SunOS" -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
files=""
if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi
- files=`find ${ROOTDIR}usr/lib/security 2>/dev/null`
+ files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
@@ -944,7 +947,11 @@
then
echo "Warning: ${ROOTDIR}sbin/init INFECTED"
else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ if [ -d ${ROOTDIR}/dev/.golf ]; then
+ echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
+ else
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ fi
fi
fi
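Review bot: `-d ${ROOTDIR}/dev/.golf` has a stray slash after `${ROOTDIR}`, unlike the warning text on the next line and the other tests, which write `${ROOTDIR}dev/...`; it happens to work because ROOTDIR ends in `/`, but the two spellings should agree. The test also looks for a directory while the expert-mode command added above cats the path as a file; settle on one.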
@@ -1061,6 +1068,15 @@
[ "${found}" = "0" ] &&\
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ ### ENYELKM
+ if [ "${QUIET}" != "t" ]; then
+ printn "Searching for ENYELKM rootkit default files... "; fi
+ if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then
+ echo "Possible ENYELKM rootkit installed"
+ else
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ fi
+
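Review bot: `-d "${ROOTDIR}etc/.enyelkmOCULTAR.ko"` tests for a directory, but a `.ko` module is a regular file, so this check never fires even when the file is present; use `-f` (or `-e`). The file name also differs from the `.enyeOCULTAR.ko` used in the expert-mode hunk above.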
###
### shell history anomalies
###
@@ -1068,14 +1084,14 @@
printn "Searching for anomalies in shell history files... "; fi
files=""
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
- files=`${find} ${ROOTDIR}${HOME} -name '.*history' -size 0`
+ files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
[ ! -z "${files}" ] && \
echo "Warning: \`${files}' file size is zero"
- files=`${find} ${ROOTDIR}${HOME} -name '.*history' \( -links 2 -o -type l \)`
- [ ! -z "${files}" ] && \
+ files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
+ [ ! -z "${files1}" ] && \
echo "Warning: \`${files}' is linked to another file"
fi
- if [ -z "${files}" ]; then
+ if [ -z "${files}" -a -z "${files1}" ]; then
if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi
}
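Review bot: The second warning still prints `${files}` (the zero-size list) although the test now uses `${files1}`, so the message names the wrong file or an empty string; change it to `\`${files1}' is linked to another file`. `files1` is also never initialised on the path where `${SHELL}` or `${HOME}` is empty; add `files1=""` next to `files=""` so the final `-z "${files1}"` test does not depend on the variable being unset.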
@@ -1120,7 +1136,7 @@
getCMD() {
RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
- ${egrep} -v egrep | ${egrep} -v chkrootkit | _head -1 | \
+ ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
${awk} '{ print $5 }'`
for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
@@ -1251,7 +1267,7 @@
STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \
"OpenBSD" -a `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
- 7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
+ 6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
*) STATUS=${INFECTED};;
esac
fi
@@ -1499,7 +1515,7 @@
chk_ps () {
STATUS=${NOT_INFECTED}
PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\
-/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|proc\.h"
+/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h"
CMD=`loc ps ps $pth`
if [ "${EXPERT}" = "t" ]; then
@@ -1536,6 +1552,31 @@
return ${STATUS}
}
+chk_crontab () {
+ STATUS=${NOT_INFECTED}
+ CRONTAB_I_L="crontab.*666"
+
+ CMD=`loc crontab crontab $pth`
+
+ if [ ! -r ${CMD} ]
+ then
+ return ${NOT_FOUND}
+ fi
+
+ if [ "${EXPERT}" = "t" ]; then
+ expertmode_output "${CMD} -l -u nobody"
+ return 5
+ fi
+ if ${CMD} -l -u nobody >/dev/null 2>&1 ; then
+ printn "Warning: crontab for nobody found, possible Lupper.Worm... "
+ if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1
+ then
+ STATUS=${INFECTED}
+ fi
+ fi
+ return ${STATUS}
+}
+
chk_top () {
STATUS=${NOT_INFECTED}
TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h"
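Review bot: `[ ! -r ${CMD} ]` should be `[ ! -x "${CMD}" ]`: the script runs crontab rather than reads it, and with CMD unquoted an empty result from `loc` turns the test into `[ ! -r ]`, which is false, so the function proceeds to execute an empty command instead of returning `${NOT_FOUND}`. The "Warning: crontab for nobody found, possible Lupper.Worm" line is printed as soon as nobody has any crontab, before the `$CRONTAB_I_L` signature is checked, so a legitimate crontab for nobody yields a warning with STATUS left at NOT_INFECTED; print it only when the grep matches, or word it as informational. Finally, `-u nobody` assumes a crontab that accepts `-u`; where it does not, the check silently reports nothing.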
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkrootkit.lsm new/chkrootkit-0.47/chkrootkit.lsm
--- old/chkrootkit-0.46a/chkrootkit.lsm 2005-10-28 17:24:00.000000000 +0200
+++ new/chkrootkit-0.47/chkrootkit.lsm 2006-10-09 21:26:16.000000000 +0200
@@ -1,7 +1,7 @@
Begin3
Title: Chkrootkit
-Version: 0.46a
-Entered-date: Fri Oct 28 13:23:52 BRST 2005
+Version: 0.47
+Entered-date: Mon Oct 9 16:25:06 BRT 2006
Description: locally checks for signs of a rootkit
Keywords: rootkit check vulnerability unix LKM Ramen Lion Worn Adore Worm
Author: Nelson Murilo
@@ -9,6 +9,6 @@
Primary-site: http://www.chkrootkit.org
Alternate-site: ftp://ftp.pangeia.com.br/pub/seg/pac/
Original-site:
-Platform: Linux, FreeBSD, OpenBSD, NetBSD, Sun/Solaris, HPUX, BSDI, TRU64
+Platform: Linux, FreeBSD, OpenBSD, NetBSD, Sun/Solaris, HPUX, BSDI, TRU64, Mac OS X
Copying-policy: AMS
End
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/chkwtmp.c new/chkrootkit-0.47/chkwtmp.c
--- old/chkrootkit-0.46a/chkwtmp.c 2005-10-19 19:32:36.000000000 +0200
+++ new/chkrootkit-0.47/chkwtmp.c 2006-10-09 21:56:33.000000000 +0200
@@ -46,7 +46,7 @@
char buffer[30];
printf("%d deletion(s) between ", counter);
- strcpy(buffer, ctime( (time_t *) &start));
+ strncpy(buffer, ctime( (time_t *) &start), 30);
buffer[24]='\0';
printf("%s and %s", buffer, ctime( (time_t *) &end));
}
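Review bot: The strncpy change is defensive only, since ctime() always returns a 26-byte string including the NUL and `buffer[24]='\0'` terminates it regardless; the real gap is that ctime() returns NULL for a `start` it cannot represent, and both the old and new code pass that straight to the copy. Guard the NULL case before copying.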
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/chkrootkit-0.46a/ifpromisc.c new/chkrootkit-0.47/ifpromisc.c
--- old/chkrootkit-0.46a/ifpromisc.c 2005-10-19 19:32:38.000000000 +0200
+++ new/chkrootkit-0.47/ifpromisc.c 2006-10-09 22:12:33.000000000 +0200
@@ -303,9 +303,9 @@
struct ifreq ifr;
memset((char *) ife, 0, sizeof(struct interface));
- strcpy(ife->name, ifname);
+ strncpy(ife->name, ifname, sizeof(ife->name));
- strcpy(ifr.ifr_name, ifname);
+ strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name));
if (ioctl(skfd, SIOCGIFFLAGS, &ifr) < 0)
return(-1);
ife->flags = ifr.ifr_flags;
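Review bot: `strncpy` with `sizeof(...)` does not NUL-terminate when `ifname` is at least as long as the destination, so an over-long interface name still leaves `ife->name` and `ifr.ifr_name` unterminated; either copy `sizeof(x) - 1` bytes and set the last byte to `'\0'`, or reject names longer than IFNAMSIZ-1 before this point. `ifr` is also not zeroed before the ioctl, unlike `ife`.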
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org