diff -urNp chkrootkit-0.48/chkrootkit chkrootkit-0.48.gentoo/chkrootkit --- chkrootkit-0.48/chkrootkit 2007-12-17 20:54:42.000000000 +0200 +++ chkrootkit-0.48.gentoo/chkrootkit 2008-01-12 13:18:00.000000000 +0200 @@ -10,6 +10,15 @@ CHKROOTKIT_VERSION='0.48' # (c)1997-2007 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. # All rights reserved +# Gentoo specific : Could use `type | cut -f 3 -d " "` +IFPROMISC="/usr/sbin/ifpromisc" +CHKLASTLOG="/usr/sbin/chklastlog" +CHKPROC="/usr/sbin/chkproc" +CHKWTMP="/usr/sbin/chkwtmp" +CHKUTMP="/usr/sbin/chkutmp" +CHECK_WTMPX="/usr/sbin/check_wtmpx" +STRINGS="/usr/sbin/strings-static" + ### workaround for some Bourne shell implementations unalias login > /dev/null 2>&1 unalias ls > /dev/null 2>&1 @@ -125,7 +134,7 @@ asp (){ if [ "${EXPERT}" = "t" ]; then expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf" - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi @@ -137,7 +146,7 @@ asp (){ if [ "${QUIET}" != "t" ]; then echo "not infected"; fi return ${NOT_INFECTED} fi - if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then + if ${STRINGS} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then echo "INFECTED" STATUS=${INFECTED} else @@ -158,23 +167,23 @@ sniffer () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "./ifpromisc" -v + expertmode_output "${IFPROMISC}" -v return 5 fi - if [ ! -x ./ifpromisc ]; then - echo "not tested: can't exec ./ifpromisc" + if [ ! -x ${IFPROMISC} ]; then + echo "not tested: can't exec ${IFPROMISC}" return ${NOT_TESTED} else - [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q + [ "${QUIET}" != "t" ] && ${IFPROMISC} -v || ${IFPROMISC} -q fi } chkutmp() { - if [ ! -x ./chkutmp ]; then - echo "not tested: can't exec ./chkutmp" + if [ ! -x ${CHKUTMP} ]; then + echo "not tested: can't exec ${CHKUTMP}" return ${NOT_TESTED} fi - if ./chkutmp + if ${CHKUTMP} then if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi fi @@ -182,8 +191,8 @@ chkutmp() { } z2 () { - if [ ! -x ./chklastlog ]; then - echo "not tested: can't exec ./chklastlog" + if [ ! -x ${CHKLASTLOG} ]; then + echo "not tested: can't exec ${CHKLASTLOG}" return ${NOT_TESTED} fi @@ -196,32 +205,32 @@ z2 () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}" + expertmode_output "${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG}" return 5 fi - if ./chklastlog -f ${WTMP} -l ${LASTLOG} + if ${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG} then if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi fi } wted () { - if [ ! -x ./chkwtmp ]; then - echo "not tested: can't exec ./chkwtmp" + if [ ! -x ${CHKWTMP} ]; then + echo "not tested: can't exec ${CHKWTMP}" return ${NOT_TESTED} fi if [ "$SYSTEM" = "SunOS" ]; then - if [ ! -x ./check_wtmpx ]; then - echo "not tested: can't exec ./check_wtmpx" + if [ ! -x ${CHECK_WTMPX} ]; then + echo "not tested: can't exec ${CHECK_WTMPX}" else if [ "${EXPERT}" = "t" ]; then - expertmode_output "./check_wtmpx" + expertmode_output "${CHECK_WTMPX}" return 5 fi if [ -f ${ROOTDIR}var/adm/wtmp ]; then - if ./check_wtmpx + if ${CHECK_WTMPX} then if [ "${QUIET}" != "t" ]; then \ echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi @@ -232,12 +241,12 @@ wted () { WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"` if [ "${EXPERT}" = "t" ]; then - expertmode_output "./chkwtmp -f ${WTMP}" + expertmode_output "${CHKWTMP} -f ${WTMP}" return 5 fi fi - if ./chkwtmp -f ${WTMP} + if ${CHKWTMP} -f ${WTMP} then if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi fi @@ -275,8 +284,8 @@ lkm () prog="" if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \ `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then - [ -x ./chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="./chkproc" - [ -x ./chkdirs ] && prog="$prog ./chkdirs" + [ -x ${CHKPROC} -a "`find /proc | wc -l`" -gt 1 ] && prog="${CHKPROC}" + [ -x ${CHKDIRS} ] && prog="$prog ${CHKDIRS}" if [ "$prog" = "" ]; then echo "not tested: can't exec $prog" return ${NOT_TESTED} @@ -288,7 +297,7 @@ lkm () PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'` [ "$PV" = "" ] && PV=2 [ "${SYSTEM}" = "SunOS" ] && PV=0 - expertmode_output "./chkproc -v -v -p $PV" + expertmode_output "${CHKPROC} -v -v -p $PV" return 5 fi @@ -315,7 +324,7 @@ lkm () if [ "${DEBUG}" = "t" ]; then ${echo} "*** PV=$PV ***" fi - if ./chkproc -p ${PV}; then + if ${CHKPROC} -p ${PV}; then if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi else echo "chkproc: Warning: Possible LKM Trojan installed" @@ -324,7 +333,7 @@ lkm () for i in /usr/share /usr/bin /usr/sbin /lib; do [ -d $i ] && dirs="$dirs $i" done - if ./chkdirs $dirs; then + if ${CHKDIRS} $dirs; then if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi else echo "chkdirs: Warning: Possible LKM Trojan installed" @@ -503,7 +512,7 @@ ${ROOTDIR}usr/include/syslogs.h" ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ## Suckit rootkit - expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME" + expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME" expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init." expertmode_output "cat ${ROOTDIR}dev/.golf" @@ -957,7 +966,7 @@ ${find} ${ROOTDIR}usr/sbin -name in.slog ### Suckit if [ -f ${ROOTDIR}sbin/init ]; then if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi - if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ + if [ ${SYSTEM} != "HP-UX" ] && ( ${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME || \ cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 then echo "Warning: ${ROOTDIR}sbin/init INFECTED" @@ -1108,7 +1117,7 @@ ${find} ${ROOTDIR}usr/sbin -name in.slog if [ "${QUIET}" != "t" ]; then printn "Searching for suspect PHP files... "; fi files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`" - fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | grep php 2> /dev/null`" + fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n1 {} \; | grep php 2> /dev/null`" if [ "${files}" = "" -a "${fileshead}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi @@ -1223,20 +1232,20 @@ chk_chfn () { [ ${?} -ne 0 ] && return ${NOT_FOUND} if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi case "${SYSTEM}" in Linux) - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} fi;; FreeBSD) [ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2 - if [ `${strings} -a ${CMD} | \ + if [ `${STRINGS} -a ${CMD} | \ ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] then STATUS=${INFECTED} @@ -1253,16 +1262,16 @@ chk_chsh () { REDHAT_PAM_LABEL="*NOT*" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi case "${SYSTEM}" in Linux) - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ >/dev/null 2>&1 then - if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \ >/dev/null 2>&1 then : @@ -1272,7 +1281,7 @@ chk_chsh () { fi;; FreeBSD) [ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2 - if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] + if [ `${STRINGS} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] then STATUS=${INFECTED} fi;; @@ -1285,13 +1294,13 @@ chk_login () { CMD=`loc login login $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi if [ "$SYSTEM" = "SunOS" ]; then TROJED_L_L="porcao|/bin/xstat" - if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then + if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then return ${INFECTED} else return ${NOT_TESTED} @@ -1299,7 +1308,7 @@ chk_login () { fi GENERAL="^root$" TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola" - ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"` + ret=`${STRINGS} -a ${CMD} | ${egrep} -c "${GENERAL}"` if [ ${ret} -gt 0 ]; then case ${ret} in 1) [ "${SYSTEM}" = "OpenBSD" -a `echo $V | ${awk} '{ if ($1 < 2.7 || @@ -1311,7 +1320,7 @@ $1 >= 3.0) print 1; else print 0}'` -eq *) STATUS=${INFECTED};; esac fi - if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null + if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null then STATUS=${INFECTED} fi @@ -1327,7 +1336,7 @@ chk_passwd () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" fi if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" -o "${SYSTEM}" \ @@ -1335,7 +1344,7 @@ chk_passwd () { then return ${NOT_TESTED} fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1353,11 +1362,11 @@ chk_inetd () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1376,11 +1385,11 @@ SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs] fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1397,11 +1406,11 @@ chk_hdparm () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1419,11 +1428,11 @@ chk_gpm () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1441,11 +1450,11 @@ chk_mingetty () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1463,11 +1472,11 @@ chk_sendmail () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1481,11 +1490,11 @@ LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[p CMD=`loc ls ls $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1498,11 +1507,11 @@ chk_du () { CMD=`loc du du $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1522,11 +1531,11 @@ chk_named () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${NAMED_I_L}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1540,11 +1549,11 @@ NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/tty CMD=`loc netstat netstat $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1559,11 +1568,11 @@ PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev CMD=`loc ps ps $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1581,11 +1590,11 @@ chk_pstree () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1629,11 +1638,11 @@ chk_top () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1651,11 +1660,11 @@ chk_pidof () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1673,11 +1682,11 @@ chk_killall () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1690,18 +1699,18 @@ chk_ldsopreload() { if [ "${SYSTEM}" = "Linux" ] then - if [ ! -x ./strings-static ]; then - printn "can't exec ./strings-static, " + if [ ! -x ${STRINGS} ]; then + printn "can't exec ${STRINGS}, " return ${NOT_TESTED} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "./strings-static -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi ### strings must be a statically linked binary. - if ./strings-static -a ${CMD} > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1716,11 +1725,11 @@ chk_basename () { CMD=`loc basename basename $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1740,11 +1749,11 @@ chk_dirname () { CMD=`loc dirname dirname $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1765,11 +1774,11 @@ chk_traceroute () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1786,12 +1795,12 @@ chk_rpcinfo () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1808,20 +1817,20 @@ chk_date () { CMD=`loc date date $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi [ "${SYSTEM}" = "FreeBSD" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ] && { - N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \ + N=`${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \ ${egrep} -c "$S_L"` if [ ${N} -ne 2 -a ${N} -ne 0 ]; then STATUS=${INFECTED} fi } || { - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1 then STATUS=${INFECTED} fi @@ -1838,12 +1847,12 @@ chk_echo () { CMD=`loc echo echo $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1859,12 +1868,12 @@ chk_env () { CMD=`loc env env $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1886,11 +1895,11 @@ chk_timed () { fi fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1904,11 +1913,11 @@ chk_identd () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1923,11 +1932,11 @@ chk_init () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1941,11 +1950,11 @@ chk_pop2 () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1959,11 +1968,11 @@ chk_pop3 () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1975,12 +1984,12 @@ chk_write () { CMD=`loc write write $pth` WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1997,11 +2006,11 @@ chk_w () { W_INFECTED_LABEL="uname -a" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2017,11 +2026,11 @@ chk_vdir () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2053,7 +2062,7 @@ rexedcs () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi STATUS=${INFECTED} @@ -2073,12 +2082,12 @@ chk_mail () { MAIL_INFECTED_LABEL="sh -i" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2098,12 +2107,12 @@ chk_biff () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2120,11 +2129,11 @@ chk_egrep () { CMD=`loc egrep egrep $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2137,12 +2146,12 @@ chk_grep () { CMD=`loc grep grep $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2164,11 +2173,11 @@ chk_find () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2186,10 +2195,10 @@ chk_rlogind () { fi fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2204,10 +2213,10 @@ chk_lsof () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2222,10 +2231,10 @@ chk_amd () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2240,10 +2249,10 @@ chk_slogin () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2262,10 +2271,10 @@ chk_cron () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2280,18 +2289,18 @@ chk_ifconfig () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi IFCONFIG_NOT_INFECTED_LABEL="PROMISC" IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null" - if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${NOT_INFECTED} fi - if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -2311,12 +2320,12 @@ chk_rshd () { return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi RSHD_INFECTED_LABEL="HISTFILE" - if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \ @@ -2352,11 +2361,11 @@ chk_tcpd () { [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND}; if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2373,11 +2382,11 @@ chk_sshd () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \ > /dev/null 2>&1 then STATUS=${INFECTED} @@ -2394,11 +2403,11 @@ chk_su () { CMD=`loc su su $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2418,11 +2427,11 @@ chk_fingerd () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \ > /dev/null 2>&1 then STATUS=${INFECTED} @@ -2470,11 +2479,11 @@ chk_telnetd () { fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} diff -urNp chkrootkit-0.48/chkwtmp.c chkrootkit-0.48.gentoo/chkwtmp.c --- chkrootkit-0.48/chkwtmp.c 2007-08-10 21:01:24.000000000 +0300 +++ chkrootkit-0.48.gentoo/chkwtmp.c 2008-01-12 13:22:44.000000000 +0200 @@ -21,6 +21,7 @@ #include +#include #include #include #include diff -urNp chkrootkit-0.48/Makefile chkrootkit-0.48.gentoo/Makefile --- chkrootkit-0.48/Makefile 2007-08-10 21:48:08.000000000 +0300 +++ chkrootkit-0.48.gentoo/Makefile 2008-01-12 13:22:14.000000000 +0200 @@ -3,9 +3,10 @@ # (C) 1997-2007 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. # -CC = gcc -CFLAGS = -DHAVE_LASTLOG_H -STATIC = -static +CC ?= gcc +CFLAGS += -DHAVE_LASTLOG_H +STATIC ?= -static +STRIP ?= strip ### ### Solaris 2.x @@ -41,36 +42,36 @@ sense: chklastlog chkwtmp ifpromisc chkp chklastlog: chklastlog.c ${CC} ${CFLAGS} -o $@ chklastlog.c - @strip $@ + @$(STRIP) $@ chkwtmp: chkwtmp.c ${CC} ${CFLAGS} -o $@ chkwtmp.c - @strip $@ + @$(STRIP) $@ ifpromisc: ifpromisc.c ${CC} ${CFLAGS} ${LDFLAGS} -D_FILE_OFFSET_BITS=64 -o $@ ifpromisc.c - @strip $@ + @$(STRIP) $@ chkproc: chkproc.c - ${CC} ${LDFLAGS} -o $@ chkproc.c - @strip $@ + ${CC} ${CFLAGS} ${LDFLAGS} -o $@ chkproc.c + @$(STRIP) $@ chkdirs: chkdirs.c - ${CC} ${LDFLAGS} -o $@ chkdirs.c - @strip $@ + ${CC} ${CFLAGS} ${LDFLAGS} -o $@ chkdirs.c + @$(STRIP) $@ check_wtmpx: check_wtmpx.c - ${CC} ${LDFLAGS} -o $@ check_wtmpx.c - @strip $@ + ${CC} ${CFLAGS} ${LDFLAGS} -o $@ check_wtmpx.c + @$(STRIP) $@ chkutmp: chkutmp.c - ${CC} ${LDFLAGS} -o $@ chkutmp.c - @strip $@ + ${CC} ${CFLAGS} ${LDFLAGS} -o $@ chkutmp.c + @$(STRIP) $@ strings-static: strings.c - ${CC} ${STATIC} ${LDFLAGS} -o $@ strings.c - @strip $@ + ${CC} ${CFLAGS} ${STATIC} ${LDFLAGS} -o $@ strings.c + @$(STRIP) $@ clean: rm -f ${OBJS} core chklastlog chkwtmp ifpromisc chkproc chkdirs check_wtmpx strings-static chkutmp