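diff -Nru chkrootkit-0.35/chkrootkit chkrootkit-0.35-new/chkrootkit
--- chkrootkit-0.35/chkrootkit Fri Jan 18 11:49:46 2002
+++ chkrootkit-0.35-new/chkrootkit Wed Feb 13 12:00:38 2002
@@ -1,6 +1,11 @@
-#! /bin/sh
+#! /bin/bash
 # -*- Shell-script -*-
 
+# We have to go to a dir with chkrootkit-* binaries
+# Otherwise some tests will not get executed.
+
+cd /usr/bin
+
 # $Id: chkrootkit, v 0.35 2002/01/17
 CHKROOTKIT_VERSION='0.35'
 
@@ -47,7 +52,7 @@
 
 if [ "${EXPERT}" = "t" ]; then
 expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
@@ -63,7 +68,7 @@
 STATUS=${INFECTED}
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
 then
 echo "INFECTED"
 STATUS=${INFECTED}
@@ -81,22 +86,22 @@
 return ${NOT_TESTED}
 fi
 
- if [ ! -x ./ifpromisc ]; then
- echo "not tested: can't exec ./ifpromisc"
+ if [ ! -x ./chkrootkit-ifpromisc ]; then
+ echo "not tested: can't exec ./chkrootkit-ifpromisc"
 return ${NOT_TESTED}
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./ifpromisc"
+ expertmode_output "./chkrootkit-ifpromisc"
 return 5
 fi
 echo
- ./ifpromisc
+ ./chkrootkit-ifpromisc
 }
 
 z2 () {
- if [ ! -x ./chklastlog ]; then
- echo "not tested: can't exec ./chklastlog"
+ if [ ! -x ./chkrootkit-chklastlog ]; then
+ echo "not tested: can't exec ./chkrootkit-chklastlog"
 return ${NOT_TESTED}
 fi
 
@@ -104,31 +109,31 @@
 LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
+ expertmode_output "./chkrootkit-chklastlog -f ${WTMP} -l ${LASTLOG}"
 return 5
 fi
 
- if ./chklastlog -f ${WTMP} -l ${LASTLOG}
+ if ./chkrootkit-chklastlog -f ${WTMP} -l ${LASTLOG}
 then
 if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
 fi
 }
 
 wted () {
- if [ ! -x ./chkwtmp ]; then
- echo "not tested: can't exec ./chkwtmp"
+ if [ ! -x ./chkrootkit-chkwtmp ]; then
+ echo "not tested: can't exec ./chkrootkit-chkwtmp"
 return ${NOT_TESTED}
 fi
 
 if [ "$SYSTEM" = "SunOS" ]; then
- if [ ! -x ./check_wtmpx ]; then
- echo "not tested: can't exec ./check_wtmpx"
+ if [ ! -x ./chkrootkit-check_wtmpx ]; then
+ echo "not tested: can't exec ./chkrootkit-check_wtmpx"
 else
 if [ "${EXPERT}" = "t" ]; then
 expertmode_output "./chec_wtmpx"
 return 5
 fi
- if ./check_wtmpx
+ if ./chkrootkit-check_wtmpx
 then
 if [ "${QUIET}" != "t" ]; then \
 echo "nothing deleted in /var/adm/wtmpx"; fi
@@ -139,11 +144,11 @@
 WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./chkwtmp -f ${WTMP}"
+ expertmode_output "./chkrootkit-chkwtmp -f ${WTMP}"
 return 5
 fi
 
- if ./chkwtmp -f ${WTMP}
+ if ./chkrootkit-chkwtmp -f ${WTMP}
 then
 if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
 fi
@@ -181,15 +186,15 @@
 {
 if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \
 ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then
- if [ ! -x ./chkproc ]; then
- echo "not tested: can't exec ./chkproc"
+ if [ ! -x ./chkrootkit-chkproc ]; then
+ echo "not tested: can't exec ./chkrootkit-chkproc"
 return ${NOT_TESTED}
 fi
 
 if [ "${EXPERT}" = "t" ]; then
 [ -r /proc/ksyms ] && ${egrep} -i adore < /proc/ksyms 2>/dev/null
 [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
- expertmode_output "./chkproc -v"
+ expertmode_output "./chkrootkit-chkproc -v"
 return 5
 fi
 
@@ -204,7 +209,7 @@
 echo "Warning: Knark LKM installed"
 fi
 
- if ./chkproc
+ if ./chkrootkit-chkproc
 then
 if [ "${QUIET}" != "t" ]; then echo "nothing detected"; fi
 else
@@ -742,19 +747,19 @@
 CMD=`loc chfn chfn $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
 case "${SYSTEM}" in
 Linux)
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi;;
 FreeBSD)
- if [ `${strings} -a ${CMD} | \
+ if [ `${chkrootkit-strings} -a ${CMD} | \
 ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ]
 then
 STATUS=${INFECTED}
@@ -769,16 +774,16 @@
 REDHAT_PAM_LABEL="*NOT*"
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
 case "${SYSTEM}" in
 Linux)
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
 >/dev/null 2>&1
 then
- if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
 >/dev/null 2>&1
 then
 :
@@ -787,7 +792,7 @@
 fi
 fi;;
 FreeBSD)
- if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ]
+ if [ `${chkrootkit-strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ]
 then
 STATUS=${INFECTED}
 fi;;
@@ -803,12 +808,12 @@
 CMD=`loc login login $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
 TROJED_L_L="^root$|vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?"
- ret=`${strings} -a ${CMD} | ${egrep} -c "${TROJED_L_L}"`
+ ret=`${chkrootkit-strings} -a ${CMD} | ${egrep} -c "${TROJED_L_L}"`
 if [ ${ret} -gt 0 ]; then
 case ${ret} in
 1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 ] && \
@@ -831,14 +836,14 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 fi
 
 if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ]
 then
 return ${NOT_TESTED}
 fi
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -856,11 +861,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -879,11 +884,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -900,11 +905,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -922,11 +927,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -944,11 +949,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -966,11 +971,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -984,11 +989,11 @@
 CMD=`loc ls ls $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1001,11 +1006,11 @@
 CMD=`loc du du $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1025,11 +1030,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -1043,11 +1048,11 @@
 CMD=`loc netstat netstat $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -1062,11 +1067,11 @@
 CMD=`loc ps ps $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1084,11 +1089,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1106,11 +1111,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1128,11 +1133,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1150,11 +1155,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1167,18 +1172,18 @@
 
 if [ "${SYSTEM}" = "Linux" ]
 then
- if [ ! -x ./strings ]; then
- printn "can't exec ./strings-static, "
+ if [ ! -x ./chkrootkit-strings ]; then
+ printn "can't exec ./chkrootkit-strings-static, "
 return ${NOT_TESTED}
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./strings -a ${CMD}"
+ expertmode_output "./chkrootkit-strings -a ${CMD}"
 return 5
 fi
 
- ### strings must be a statically linked binary.
- if ./strings-static -a ${CMD} > /dev/null 2>&1
+ ### chkrootkit-strings must be a statically linked binary.
+ if ./chkrootkit-strings-static -a ${CMD} > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1193,11 +1198,11 @@
 CMD=`loc basename basename $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1213,11 +1218,11 @@
 CMD=`loc dirname dirname $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1238,11 +1243,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1254,12 +1259,12 @@
 CMD=`loc rpcinfo rpcinfo $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1275,12 +1280,12 @@
 CMD=`loc date date $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1296,12 +1301,12 @@
 CMD=`loc echo echo $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1317,12 +1322,12 @@
 CMD=`loc env env $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1344,11 +1349,11 @@
 fi
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1362,11 +1367,11 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1380,11 +1385,11 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1398,11 +1403,11 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1414,12 +1419,12 @@
 CMD=`loc write write $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1455,7 +1460,7 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 STATUS=${INFECTED}
@@ -1473,12 +1478,12 @@
 MAIL_INFECTED_LABEL="sh -i"
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1498,12 +1503,12 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1520,11 +1525,11 @@
 CMD=`loc egrep egrep $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1537,12 +1542,12 @@
 CMD=`loc grep grep $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 expertmode_output "${ls} -l ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1564,11 +1569,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1586,10 +1591,10 @@
 fi
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1604,10 +1609,10 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1622,10 +1627,10 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1640,10 +1645,10 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1662,10 +1667,10 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
- if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1677,12 +1682,12 @@
 CMD="${ROOTDIR}sbin/ifconfig"
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
 IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
- if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${NOT_INFECTED}
@@ -1702,12 +1707,12 @@
 return ${NOT_FOUND}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
 RSHD_INFECTED_LABEL="HISTFILE"
- if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
@@ -1733,11 +1738,11 @@
 CMD=${ROOTDIR}${CMD}
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1754,11 +1759,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
 > /dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -1775,11 +1780,11 @@
 CMD=`loc su su $pth`
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
 then
 STATUS=${INFECTED}
 fi
@@ -1799,11 +1804,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
 > /dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -1851,11 +1856,11 @@
 fi
 
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${chkrootkit-strings} -a ${CMD}"
 return 5
 fi
 
- if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
+ if ${chkrootkit-strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
 >/dev/null 2>&1
 then
 STATUS=${INFECTED}
@@ -1935,7 +1940,7 @@
 netstat
 ps
 sed
-strings
+chkrootkit-strings
 uname
 "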
891 |