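#! /bin/sh
# -*- Shell-script -*-

# $Id: chkrootkit, v 0.53 2019/02/11
CHKROOTKIT_VERSION='0.53'

# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
#          Klaus Steding-Jessen <jessen@cert.br>
#
# (c)1997-2019 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# All rights reserved

# NOTE(review): every check in this file shells out to ${ls}, ${ps},
# ${netstat}/ss, ${find}, ${strings}, ${egrep} ... -- the very binaries that
# TROJAN (below) lists as rootkit targets. A compromised host can therefore
# lie to this script. Run it from known-good, read-only media where possible,
# and read a clean result as "nothing *known* was found", not "not compromised".
#
# Fixes in this revision (tool functions up to lkm):
#  - KALLSYMS was built as /proc//proc/kallsyms, a path that never exists, so
#    lkm()'s adore/sebek symbol checks were silently skipped.
#  - lkm() ran chkproc/chkdirs even when only one of them was present and
#    reported a missing helper as "Possible LKM Trojan installed".
#  - OSX_RSPLUG() returned INFECTED (0) on non-Darwin hosts; it now returns
#    NOT_TESTED like its siblings, and no longer prints debug output in -q mode.
#  - wted() called chkwtmp with an empty -f argument on SunOS.
#  - asp() printed "not infected" right after warning about inetd.conf.
#  - unquoted ${mode}/${CMD}/${SYSTEM} in test expressions (syntax error when empty).
#
# Known issues further down, in aliens() (not changed here):
#  - the T.R.K check redirects find's stdout to /dev/null *inside* the command
#    substitution, so it can never report anything (and it repeats the OpticKit
#    names xchk/xsf instead of T.R.K's soucemask/ct from expert mode);
#  - the ShitC Worm check chains its three finds with '||', so only the first
#    find's output is ever used;
#  - the Fu rootkit expert-mode find has '-o name ivtype.h' (missing '-'), and
#    the Mokes globs 'ss0-[0-]9*' / 'kk0-[0-]9*' look like '[0-9]*' typos.

### workaround for some Bourne shell implementations
unalias login > /dev/null 2>&1
unalias ls > /dev/null 2>&1
unalias netstat > /dev/null 2>&1
unalias ss > /dev/null 2>&1
unalias ps > /dev/null 2>&1
unalias dirname > /dev/null 2>&1

# Workaround for recent GNU coreutils
_POSIX2_VERSION=199209
export _POSIX2_VERSION

# Kernel symbol listing used by lkm() to look for adore/sebek symbols:
# /proc/kallsyms on 2.6+ kernels, /proc/ksyms on 2.4 and older.
# (0.53 shipped `[ -f /proc/ksysm ] && KALLSYMS="/proc/$KALLSYMS"` and then
# read /proc/$KALLSYMS, i.e. /proc//proc/kallsyms -- never readable, so the
# checks never fired.) A kernel-level rootkit that filters /proc can still
# hide its symbols from this listing; treat a hit as strong, a miss as weak.
KALLSYMS="/proc/kallsyms"
[ -f /proc/ksyms ] && KALLSYMS="/proc/ksyms"

# Native commands
TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \
env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \
killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \
pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
tcpdump top telnetd timed traceroute vdir w write"

# Tools
TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"

# Return Codes
INFECTED=0
NOT_INFECTED=1
NOT_TESTED=2
NOT_FOUND=3
INFECTED_BUT_DISABLED=4

# Many trojaned commands have this label
GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer"

######################################################################
# tools functions

#
# 55808.A Worm
#
# Looks for the worm's dropped files under ${ROOTDIR}tmp/.../ .
# Returns INFECTED when any of them exists, NOT_INFECTED otherwise.
w55808 (){
    W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r"
    STATUS=0

    for i in ${W55808_FILES}; do
        if [ -f "${i}" ]; then
            STATUS=1
        fi
    done
    if [ ${STATUS} -eq 1 ] ;then
        echo "Warning: Possible 55808 Worm installed"
        return ${INFECTED}
    else
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
    fi
}

#
# OSX.RSPlug.A trojan (Darwin only)
#
# Looks for the trojan's QuickTime plug-in artefacts. The paths contain
# spaces, hence the ';'-separated list and the temporary IFS.
# Returns NOT_TESTED off Darwin, INFECTED/NOT_INFECTED otherwise.
OSX_RSPLUG (){
    if [ "${SYSTEM}" != "Darwin" ]; then
        if [ "${QUIET}" != "t" ]; then echo "not tested"; fi
        return ${NOT_TESTED}
    fi
    SAVEIFS=$IFS
    IFS=';'
    STATUS=0
    OSX_RSPLUG_FILES='/Library/Internet Plug-Ins/QuickTime.xpt;/Library/Internet Plug-Ins/plugins.settings'
    for i in ${OSX_RSPLUG_FILES} ; do
        if [ "${QUIET}" != "t" ]; then echo searching for "${i}"; fi
        if [ -e "${i}" ] ; then
            STATUS=1
        fi
    done
    IFS=$SAVEIFS

    if [ ${STATUS} -eq 1 ] ;then
        echo "Warning: OSX.RSPlug.A Trojan Horse found"
        return ${INFECTED}
    else
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
    fi
}

#
# SLAPPER.{A,B,C,D} and the multi-platform variant
#
# Two indicators: a listener on one of the worm's known ports (netstat or
# ss, whichever _chk_netstat_or_ss picked) and its dropped files in tmp/.
# On Linux the owning PID/program of a matching listener is reported too.
slapper (){
    SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
    SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
    ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
    SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
    _chk_netstat_or_ss
    OPT="-an"
    [ "${netstat}" = "ss" ] && OPT="-a"
    STATUS=0
    file_port=

    if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1
    then
        STATUS=1
        # use the same tool _chk_netstat_or_ss selected (0.53 hard-coded
        # `netstat` here, which fails silently on ss-only hosts)
        [ "$SYSTEM" = "Linux" ] && file_port=`${netstat} -p ${OPT} 2>/dev/null | \
            ${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
    fi
    for i in ${SLAPPER_FILES}; do
        if [ -f "${i}" ]; then
            file_port="$file_port $i"
            STATUS=1
        fi
    done
    if [ ${STATUS} -eq 1 ] ;then
        echo "Warning: Possible Slapper Worm installed ($file_port)"
        return ${INFECTED}
    else
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
    fi
}

#
# Scalper Worm: listener on port 2001 or its dropped files in tmp/.
#
scalper (){
    SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
    SCALPER_PORT=2001
    OPT="-an"
    _chk_netstat_or_ss
    [ "$netstat" = "ss" ] && OPT="-a"
    STATUS=0

    if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then
        STATUS=1
    fi
    for i in ${SCALPER_FILES}; do
        if [ -f "${i}" ]; then
            STATUS=1
        fi
    done
    if [ ${STATUS} -eq 1 ] ;then
        echo "Warning: Possible Scalper Worm installed"
        return ${INFECTED}
    else
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
    fi
}

#
# Ramen Worm's "asp" service: an ^asp line in inetd.conf and/or an asp
# binary (located via loc) containing the label "poop".
# Returns INFECTED if either indicator is present, NOT_INFECTED otherwise,
# 5 in expert mode.
asp (){
    ASP_LABEL="poop"
    STATUS=${NOT_INFECTED}
    CMD=`loc asp asp $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then
        echo "Warning: Possible Ramen Worm installed in inetd.conf"
        STATUS=${INFECTED}
    fi
    # loc hands back the bare name when nothing was found: no binary to
    # inspect, so report whatever inetd.conf told us (0.53 printed
    # "not infected" here even after the warning above)
    if [ "${CMD}" = "asp" -o "${CMD}" = "${ROOTDIR}asp" ]; then
        if [ ${STATUS} -eq ${NOT_INFECTED} -a "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${STATUS}
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    if [ ${STATUS} -eq ${NOT_INFECTED} ]; then
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    fi
    return ${STATUS}
}

#
# Promiscuous-interface check, delegated to the ifpromisc helper.
# Only meaningful on the live system (ROOTDIR = /) and not on SunOS.
sniffer () {
    if [ "${ROOTDIR}" != "/" ]; then
        echo "not tested"
        return ${NOT_TESTED}
    fi

    if [ "$SYSTEM" = "SunOS" ]; then
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        # whole command as one argument, like every other expertmode_output
        # call in this file (0.53 passed -v as a separate, dropped argument)
        expertmode_output "/usr/local/sbin/ifpromisc -v"
        return 5
    fi
    if [ ! -x /usr/local/sbin/ifpromisc ]; then
        echo "not tested: can't exec /usr/local/sbin/ifpromisc"
        return ${NOT_TESTED}
    fi
    # explicit if/else: `a && b || c` would re-run ifpromisc in quiet mode
    # whenever the verbose run exits non-zero
    if [ "${QUIET}" != "t" ]; then
        /usr/local/sbin/ifpromisc -v
    else
        /usr/local/sbin/ifpromisc -q
    fi
}

#
# utmp consistency check, delegated to the chkutmp helper.
# Skipped in "pm" mode or when the helper is missing.
chkutmp() {
    if [ ! -x /usr/local/sbin/chkutmp -o "${mode}" = "pm" ]; then
        echo "not tested: can't exec /usr/local/sbin/chkutmp"
        return ${NOT_TESTED}
    fi
    if /usr/local/sbin/chkutmp
    then
        if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
    fi
}

#
# wtmp vs lastlog consistency check (deleted login records), delegated to
# the chklastlog helper. Needs both files; skipped if either is missing.
z2 () {
    if [ ! -x /usr/local/sbin/chklastlog ]; then
        echo "not tested: can't exec /usr/local/sbin/chklastlog"
        return ${NOT_TESTED}
    fi

    WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
    LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

    # chklastlog reads both files, so either one missing means "not tested"
    # (0.53 used -a here and would hand the helper a missing file)
    if [ ! -f "$WTMP" -o ! -f "$LASTLOG" ]; then
        echo "not tested: not found wtmp and/or lastlog file"
        return ${NOT_TESTED}
    fi

    # NOTE(review): wted() passes ${WTMP} from the same loc call *without* a
    # ${ROOTDIR} prefix; one of the two is wrong when ROOTDIR != "/" --
    # confirm what loc returns before changing either.
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "/usr/local/sbin/chklastlog -f ${ROOTDIR}${WTMP} -l ${ROOTDIR}${LASTLOG}"
        return 5
    fi

    if /usr/local/sbin/chklastlog -f ${ROOTDIR}${WTMP} -l ${ROOTDIR}${LASTLOG}
    then
        if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
    fi
}

#
# wtmp deleted-entry check, delegated to chkwtmp (and check_wtmpx on SunOS).
#
wted () {
    if [ ! -x /usr/local/sbin/chkwtmp ]; then
        echo "not tested: can't exec /usr/local/sbin/chkwtmp"
        return ${NOT_TESTED}
    fi

    # located before the OS branch: 0.53 only set WTMP in the non-SunOS
    # branch and then ran `chkwtmp -f` with an empty argument on SunOS
    WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

    if [ "$SYSTEM" = "SunOS" ]; then
        if [ ! -x /usr/local/sbin/check_wtmpx ]; then
            echo "not tested: can't exec /usr/local/sbin/check_wtmpx"
        else
            if [ "${EXPERT}" = "t" ]; then
                expertmode_output "/usr/local/sbin/check_wtmpx"
                return 5
            fi
            if [ -f ${ROOTDIR}var/adm/wtmp ]; then
                if /usr/local/sbin/check_wtmpx
                then
                    if [ "${QUIET}" != "t" ]; then \
                        echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
                fi
            fi
        fi
    else
        if [ "${EXPERT}" = "t" ]; then
            expertmode_output "/usr/local/sbin/chkwtmp -f ${WTMP}"
            return 5
        fi
    fi

    if /usr/local/sbin/chkwtmp -f "${WTMP}"
    then
        if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
    fi
}

#
# Known backdoor ports: any TCP listener or UDP socket bound to one of them.
# Live system only. One netstat/ss snapshot is taken and every port is
# matched against it (0.53 re-ran netstat once per port).
bindshell () {
    PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
    OPT="-an"
    _chk_netstat_or_ss
    [ "$netstat" = "ss" ] && OPT="-a"
    PI=""
    if [ "${ROOTDIR}" != "/" ]; then
        echo "not tested"
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${netstat} ${OPT}"
        return 5
    fi
    LISTENING=`${netstat} "${OPT}" 2>/dev/null | ${egrep} "^tcp.*LIST|^udp"`
    for P in `echo $PORT | ${sed} 's/|/ /g'`; do
        # [.:]PORT followed by a non-digit, so 1999 does not match 19999
        if printf '%s\n' "${LISTENING}" | ${egrep} "[.:]${P}[^0-9.:]" >/dev/null 2>&1
        then
            PI="${PI} ${P}"
        fi
    done
    if [ "${PI}" != "" ]
    then
        echo "INFECTED PORTS: ($PI)"
        return ${INFECTED}
    else
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${NOT_INFECTED}
    fi
}

#
# Kernel-module rootkits: adore/sebek symbols in the kernel symbol listing,
# the knark /proc entry, and the chkproc (hidden PIDs) / chkdirs (hidden
# directory entries) helpers. Linux (and DragonFly) on the live system only.
lkm ()
{
    prog=""
    # NOTE(review): `$1 > 4.3 || $1 < 6.0` is true for every version, so the
    # DragonFly branch is never skipped on version grounds; if a 4.3..6.0
    # range was intended it should be `&&` -- left as-is pending confirmation.
    if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "DragonFly" -a \
        `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
        chkproc_ok=""
        chkdirs_ok=""
        # chkproc needs a populated /proc
        [ -x /usr/local/sbin/chkproc -a "`find /proc 2>/dev/null| wc -l`" -gt 1 ] && chkproc_ok="t"
        [ -x /usr/local/sbin/chkdirs ] && chkdirs_ok="t"
        [ "${chkproc_ok}" = "t" ] && prog="/usr/local/sbin/chkproc"
        [ "${chkdirs_ok}" = "t" ] && prog="$prog /usr/local/sbin/chkdirs"
        if [ "$prog" = "" -o "${mode}" = "pm" ]; then
            echo "not tested: can't exec $prog"
            return ${NOT_TESTED}
        fi

        if [ "${EXPERT}" = "t" ]; then
            [ -r "${KALLSYMS}" ] && ${egrep} -i "adore|sebek" < "${KALLSYMS}" 2>/dev/null
            [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
            # NOTE(review): expert mode uses 2.015 as the low procps cut-off,
            # the normal path below uses 2.11 -- one of them is probably stale
            PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
            [ "$PV" = "" ] && PV=2
            [ "${SYSTEM}" = "SunOS" ] && PV=0
            expertmode_output "/usr/local/sbin/chkproc -v -v -p $PV"
            return 5
        fi

        ### adore LKM and sebek LKM (Adore based): symbol names in the
        ### kernel symbol listing (case-insensitive substring match)
        if [ -r "${KALLSYMS}" ]; then
            if ${egrep} -i adore < "${KALLSYMS}" >/dev/null 2>&1; then
                echo "Warning: Adore LKM installed"
            fi
            if ${egrep} -i sebek < "${KALLSYMS}" >/dev/null 2>&1; then
                echo "Warning: Sebek LKM installed"
            fi
        fi

        ### knark LKM
        if [ -d /proc/knark ]; then
            echo "Warning: Knark LKM installed"
        fi

        # procps generation (1/2/3) selects chkproc's /proc parsing mode
        PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
        [ "$PV" = "" ] && PV=2
        [ "${SYSTEM}" = "SunOS" ] && PV=0
        if [ "${DEBUG}" = "t" ]; then
            ${echo} "*** PV=$PV ***"
        fi
        # each helper runs only if it was found above; 0.53 ran both
        # unconditionally and reported a missing helper as an LKM trojan
        if [ "${chkproc_ok}" = "t" ]; then
            if /usr/local/sbin/chkproc -p ${PV}; then
                if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
            else
                echo "chkproc: Warning: Possible LKM Trojan installed"
            fi
        else
            if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
        fi
        dirs="/tmp"
        for i in /usr/share /usr/bin /usr/sbin /lib; do
            [ -d $i ] && dirs="$dirs $i"
        done
        if [ "${chkdirs_ok}" = "t" ]; then
            if /usr/local/sbin/chkdirs $dirs; then
                if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
            else
                echo "chkdirs: Warning: Possible LKM Trojan installed"
            fi
        else
            if [ "${QUIET}" != "t" ]; then echo "chkdirs: not tested"; fi
        fi
    else
        if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
    fi
}

aliens () {
    if [ "${EXPERT}" = "t" ]; then
        ### suspicious files
        FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
 etc/ld.so.hash"

        expertmode_output "${find} ${ROOTDIR}dev -type f"
        expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
        expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"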
expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8" 384 expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'" 385 expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk" 386 expertmode_output "${find} ${ROOTDIR}usr/lib/dy0" 387 expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277" 388 expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/" 389 390 for i in ${FILES}; do 391 expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null" 392 done 393 [ -d ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so" 394 [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. " 395 [ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx 396 [ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd 397 [ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb 398 [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so 399 ### sniffer's logs 400 expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \ 401 ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \ 402.linux-sniff -o -name sniff-l0g -o -name core_ -o" 403 expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \ 404-name in.pop3d" 405 406 ### t0rn 407 expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \ 408${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \ 409ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn" 410 411 LIBS= 412 [ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib" 413 [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib" 414 [ -d ${ROOTDIR}usr/local/lib ] && \ 415 LIBS="${LIBS} ${ROOTDIR}usr/local/lib" 416 417 expertmode_output "${find} ${LIBS} -name libproc.a" 418 419 ## Lion Worm 420 expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh 4212> /dev/null" 422 423 ### ark 424 expertmode_output "${find} ${ROOTDIR}dev -name ptyxx" 425 
expertmode_output "${find} ${ROOTDIR}usr/doc -name '... '" 426 expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'" 427 428 ### RK17 429 expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit" 430 expertmode_output "${find} ${ROOTDIR}sbin -name pback" 431 expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null" 432 expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null" 433 expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \ 434autod.o -o -name soundx.o 2> /dev/null" 435 expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \ 436-name ct -o -name snick -o -name kfl" 437 438 CGIDIR="" 439 for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \ 440var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \ 441home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib; 442 do 443 [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}" 444 done 445BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \ 446shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \ 447zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php" 448 for j in ${CGIDIR}; do 449 for i in ${BACKDOORS}; do 450 [ -f ${j}/${i} ] && echo ${j}/${i} 451 done 452 done 453 454 ### rsha 455 expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \ 456-o -name n3tstat -o -name chsh2" 457 expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha" 458 expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \ 459${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/" 460 461 ### ShitC Worm 462 expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \ 463-o -name frgy -o -name sy" 464 expertmode_output "${find} ${ROOTDIR}usr/bin -type d -name dir" 465 expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind" 466 467 ### Omega Worm 468 expertmode_output "${find} ${ROOTDIR}dev -name chr" 469 470 ### rh-sharpe 471 expertmode_output "${find} 
${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \ 472-o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \ 473-o -name ldu -o -name lnetstat" 474 expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du" 475 476 ### Adore Worm 477 expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \ 478-name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \ 479-o -name adore" 480 expertmode_output "${find} ${ROOTDIR}usr/lib/lib" 481 expertmode_output "${find} ${ROOTDIR}usr/lib/libt" 482 483 ### suspicious files and dirs 484 suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk" 485 DIR=${ROOTDIR}usr/lib 486 [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man" 487 [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib" 488 [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib" 489 expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'" 490 expertmode_output "${find} ${DIR} -type d -name '.*'" 491 expertmode_output "${find} ${DIR} -name '...*'" 492 expertmode_output "${ls} ${suspects}" 493 494 ### Maniac RK 495 expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc" 496 497 ### Ramen Worm 498 expertmode_output "${find} ${ROOTDIR}usr/src/.poop \ 499${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp" 500 501 ### Sadmind/IIS Worm 502 expertmode_output "${find} ${ROOTDIR}dev/cuc" 503 504 ### Monkit 505 expertmode_output "${find} ${ROOTDIR}lib/defs" 506 507 ### Showtee 508 expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \ 509${ROOTDIR}usr/lib/.wormie \ 510${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \ 511${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \ 512${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \ 513${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h" 514 515 ### Optickit 516 expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf" 517 518 ### T.R.K 519 expertmode_output "${find} 
${ROOTDIR}usr/bin -name soucemask -o -name ct" 520 ### MithRa's Rootkit 521 expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot" 522 523 524 ### OpenBSD rootkit v1 525 if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ] 526 then 527 expertmode_output "${find} ${ROOTDIR}usr/lib/security" 528 fi 529 530 ### LOC rootkit 531 expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c" 532 533 ### Romanian rootkit 534 expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \ 535${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \ 536${ROOTDIR}usr/include/syslogs.h" 537 538 ## HKRK rootkit 539 ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null 540 541 ## Suckit rootkit 542 expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'" 543 expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init." 544 expertmode_output "cat ${ROOTDIR}dev/.golf" 545 546 ## Volc rootkit 547 expertmode_output "${ls} ${ROOTDIR}usr/bin/volc" 548 expertmode_output "${find} ${ROOTDIR}usr/lib/volc" 549 550 ## Gold2 rootkit 551 expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit" 552 553 ## TC2 Worm 554 expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \ 555${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb" 556 557 ## Anonoiyng rootkit 558 expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd" 559 560 ## ZK rootkit 561 expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*" 562 563 ## ShKit 564 expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash" 565 566 ## AjaKit 567 expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh" 568 expertmode_output "${find} ${ROOTDIR}dev -name tux" 569 570 ## zaRwT 571 expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout" 572 573 ## Madalin rootkit 574 expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \ 575-name iceconf.h -o -name iceseed.h" 576 577 ## Fu rootkit 578 
expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \ 579 ${ROOTDIR}usr/include -name xc -o -name .lib -o name ivtype.h" 580 581 ## Kenga3 Rookit 582 expertmode_output "${find} ${ROOTDIR}usr/include/. ." 583 584 ## ESRK Rookit 585 expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3" 586 587 ## rootedoor 588 for i in `$echo ${PATH}|tr -s ':' ' '`; do 589 expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor" 590 done 591 ## ENYE-LKM 592 expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko" 593 594 ## SSJD Operation Windigo (Linux/Ebury) 595 ssh=`which ssh` 596 if $ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[0-7]" >/dev/null; then 597 expertmode_output "${ssh} -G 2>&1 | grep -e illegal -e unknow" 598 fi 599 600 ## Mumblehard backdoor/botnet 601 expertmode_output "cat ${ROOTDIR}/var/spool/cron/crontabs | egrep var/tmp" 602 603 ## Backdoors.Linux.Mokes.a 604 expertmode_output "${ls} -l ${ROOTDIR}tmp/ss0-[0-]9*" 605 expertmode_output "${ls} -l ${ROOTDIR}tmp/kk0-[0-]9*" 606 607 ## Malicious TinyDNS 608 expertmode_output "${ls} -l "${ROOTDIR}home/ ./root/"" 609 610 ## Linux/Xor.DDoS 611 expertmode_output "${find} ${ROOTDIR}tmp -executable -type f" 612 expertmode_output "${find} ${ROOTDIR}etc/cron.hourly" 613 614 ## CrossRAT 615 expertmode_output "${find} ${ROOTDIR}usr/var ${findargs} -name mediamgrs.jar" 616 617 ## Hidden Cobra (IBM AIX) 618 expertmode_output "${find} ${ROOTDIR}tmp/.ICE-unix ${findargs} -name *.so" 619 620 ## Rocke Monero Miner 621 expertmode_output "${find} ${ROOTDIR}etc ${findargs} -name ld.so.pre -o -name xig" 622 623 ## Common SSH-SCANNERS 624 expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2" 625 626 ### shell history file check 627 if [ ! -z "${SHELL}" -a ! 
-z "${HOME}" ]; then 628 expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ 629 -size 0" 630 expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ 631 \( -links 2 -o -type l \)" 632 fi 633 634 return 5 635 ### expert mode ends here 636 fi 637 638 ### 639 ### suspicious files and sniffer's logs 640 ### 641 suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \ 642usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \ 643tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \ 644usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \ 645etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin" 646 dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \ 647 var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so" 648 files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;` 649 if [ "${files}" != "" ]; then 650 echo 651 echo ${files} 652 fi 653 for i in ${dir}; do 654 if [ -d ${ROOTDIR}${i} ]; then 655 echo 656 echo "Suspect directory ${i} FOUND! Looking for sniffer logs" 657 files=`${find} ${ROOTDIR}${i}` 658 echo 659 echo ${files} 660 fi 661 done 662 for i in ${suspects}; do 663 if [ -f ${ROOTDIR}${i} ]; then 664 echo "${ROOTDIR}${i} " 665 files="INFECTED" 666 fi 667 done 668 if [ "${files}" = "" ]; then 669 if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi 670 fi 671 if [ "${QUIET}" != "t" ]; then \ 672 printn "Searching for sniffer's logs, it may take a while... 
"; fi 673 files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \ 674 ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \ 675 2>/dev/null` 676 if [ "${files}" = "" ] 677 then 678 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 679 else 680 echo 681 echo ${files} 682 fi 683 684 ### HiDrootkit 685 if [ "${QUIET}" != "t" ]; then printn \ 686 "Searching for HiDrootkit's default dir... "; fi 687 if [ -d ${ROOTDIR}var/lib/games/.k ] 688 then 689 echo "Possible HiDrootkit installed" 690 else 691 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 692 fi 693 694 ### t0rn 695 if [ "${QUIET}" != "t" ]; then printn\ 696 "Searching for t0rn's default files and dirs... "; fi 697 if [ -f ${ROOTDIR}etc/ttyhash -o -f ${ROOTDIR}sbin/xlogin -o \ 698 -d ${ROOTDIR}usr/src/.puta -o -r ${ROOTDIR}lib/ldlib.tk -o \ 699 -d ${ROOTDIR}usr/info/.t0rn ] 700 then 701 echo "Possible t0rn rootkit installed" 702 else 703 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 704 fi 705 706 ### t0rn v8 707 if [ "${QUIET}" != "t" ]; then \ 708 printn "Searching for t0rn's v8 defaults... "; fi 709 [ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib 710 [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib" 711 [ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib" 712 if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \ 713 "$SYSTEM" != "DragonFly" ] 714 then 715 echo "Possible t0rn v8 \(or variation\) rootkit installed" 716 else 717 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 718 fi 719 720 ### Lion Worm 721 if [ "${QUIET}" != "t" ]; then \ 722 printn "Searching for Lion Worm default files and dirs... 
"; fi 723 if [ -d ${ROOTDIR}usr/info/.torn -o -d ${ROOTDIR}dev/.lib -o \ 724 -f ${ROOTDIR}bin/in.telnetd -o -f ${ROOTDIR}bin/mjy ] 725 then 726 echo "Possible Lion worm installed" 727 else 728 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 729 fi 730 731 ### RSHA rootkit 732 if [ "${QUIET}" != "t" ]; then \ 733 printn "Searching for RSHA's default files and dir... "; fi 734 735 if [ -r "${ROOTDIR}bin/kr4p" -o -r "${ROOTDIR}usr/bin/n3tstat" \ 736-o -r "${ROOTDIR}usr/bin/chsh2" -o -r "${ROOTDIR}usr/bin/slice2" \ 737-o -r "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \ 738-o -r "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \ 739-o -d "${ROOTDIR}etc/rc.d/rsha" \ 740-o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ] 741 then 742 echo "Possible RSHA's rootkit installed" 743 else 744 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 745 fi 746 747 ### RH-Sharpe rootkit 748 if [ "${QUIET}" != "t" ]; then \ 749 printn "Searching for RH-Sharpe's default files... "; fi 750 751 if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \ 752-o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \ 753-o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \ 754-o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \ 755-o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \ 756-o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ] 757 then 758 echo "Possible RH-Sharpe's rootkit installed" 759 else 760 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 761 fi 762 763 ### ark rootkit 764 if [ "${QUIET}" != "t" ]; then printn \ 765 "Searching for Ambient's rootkit (ark) default files and dirs... "; fi 766 767 if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \ 768 -d ${ROOTDIR}usr/doc/"... 
" ]; then 769 echo "Possible Ambient's rootkit \(ark\) installed" 770 else 771 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 772 fi 773 774 ### suspicious files and dirs 775 DIR="${ROOTDIR}usr/lib" 776 [ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man" 777 [ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib" 778 779 if [ "${QUIET}" != "t" ]; then printn \ 780 "Searching for suspicious files and dirs, it may take a while... "; fi 781 782 files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"` 783 dirs=`${find} ${DIR} -type d -name ".*"` 784 if [ "${files}" = "" -a "${dirs}" = "" ] 785 then 786 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 787 else 788 echo 789 echo ${files} 790 echo ${dirs} 791 fi 792 793 ### LPD Worm 794 if [ "${QUIET}" != "t" ]; then \ 795 printn "Searching for LPD Worm files and dirs... "; fi 796 797 if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \ 798 ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ; 799 then 800 echo "Possible LPD worm installed" 801 elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \ 802-f ${ROOTDIR}bin/.login ]; then 803 echo "Possible LPD worm installed" 804 else 805 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 806 fi 807 808 ### Ramem Worm 809 if [ "${QUIET}" != "t" ]; then \ 810 printn "Searching for Ramen Worm files and dirs... "; fi 811 812 if [ -d ${ROOTDIR}usr/src/.poop -o -f \ 813 ${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ] 814 then 815 echo "Possible Ramen worm installed" 816 else 817 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 818 819 fi 820 821 ### Maniac rootkit 822 if [ "${QUIET}" != "t" ]; then \ 823 printn "Searching for Maniac files and dirs... 
"; fi 824 825 files=`${find} ${ROOTDIR}usr/bin -name mailrc` 826 if [ "${files}" = "" ]; then 827 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 828 else 829 echo "${files}" 830 fi 831 832 ### RK17 rookit 833 if [ "${QUIET}" != "t" ]; then \ 834 printn "Searching for RK17 files and dirs... "; fi 835 836 CGIDIR="" 837 for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \ 838var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \ 839home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib; 840 do 841 [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}" 842 done 843 files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \ 844${find} ${ROOTDIR}sbin -name pback && \ 845${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \ 846${find} ${ROOTDIR}proc -name kset 2> /dev/null && \ 847${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \ 8482> /dev/null && \ 849${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2> /dev/null` 850BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \ 851shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \ 852zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php" 853 files="" 854 for j in ${CGIDIR}; do 855 for i in ${BACKDOORS}; do 856 [ -f ${j}/${i} ] && files="${files} ${j}/${i}" 857 done 858 done 859 if [ "${files}" = "" ]; then 860 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 861 else 862 echo "${files}" 863 fi 864 865 ### Ducoci rootkit 866 if [ "${QUIET}" != "t" ]; then \ 867 printn "Searching for Ducoci rootkit... "; fi 868 869 files=`${find} ${CGIDIR} -name last.cgi` 870 if [ "${files}" = "" ]; then 871 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 872 else 873 echo "${files}" 874 fi 875 876 ### Adore Worm 877 if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... 
"; fi 878 879 files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \ 880-name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore` 881 if [ "${files}" = "" ]; then 882 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 883 else 884 echo "${files}" 885 files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null` 886 [ "${files}" != "" ] && echo ${files} 887 fi 888 889 ### ShitC Worm 890 if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi 891 892 files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \ 893${find} ${ROOTDIR}usr/bin -type d -name dir || \ 894${find} ${ROOTDIR}usr/sbin -name in.slogind` 895 if [ "${files}" = "" ]; then 896 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 897 else 898 echo "${files}" 899 fi 900 901 ### Omega Worm 902 if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi 903 904 files=`${find} ${ROOTDIR}dev -name chr` 905 if [ "${files}" = "" ]; then 906 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 907 else 908 echo "${files}" 909 fi 910 911 ### China Worm (Sadmind/IIS Worm) 912 if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi 913 files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null` 914 if [ "${files}" = "" ]; then 915 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 916 else 917 echo "${files}" 918 fi 919 920 ### MonKit 921 if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi 922 files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \ 9232> /dev/null` 924 if [ "${files}" = "" ]; then 925 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 926 else 927 echo "${files}" 928 fi 929 930 ### Showtee 931 if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... 
"; fi 932 if [ -d ${ROOTDIR}usr/lib/.egcs ] || \ 933 [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \ 934 [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \ 935 [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \ 936 [ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \ 937 [ -f ${ROOTDIR}usr/include/chk.h ]; then 938 echo "Warning: Possible Showtee Rootkit installed" 939 else 940 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 941 fi 942 943 ### 944 ### OpticKit 945 ### 946 if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi 947 files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \ 9482> /dev/null` 949 if [ "${files}" = "" ]; then 950 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 951 else 952 echo "${files}" 953 fi 954 955 ### T.R.K 956 files="" 957 if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi 958 files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1` 959 if [ "${files}" = "" ]; then 960 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 961 else 962 echo "${files}" 963 fi 964 965 ### Mithra's Rootkit 966 files="" 967 if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi 968 files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null` 969 if [ "${files}" = "" ]; then 970 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 971 else 972 echo "${files}" 973 fi 974 975 ### OpenBSD rootkit v1 976 if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then 977 files="" 978 if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... 
"; fi 979 files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null` 980 if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then 981 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 982 else 983 echo "${files}" 984 fi 985 fi 986 987 ### LOC rootkit 988 files="" 989 if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi 990 files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null` 991 if [ "${files}" = "" ]; then 992 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 993 else 994 echo "${files}" 995 loc epic epic $pth 996 fi 997 998 ### Romanian rootkit 999 files="" 1000 if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi 1001 for i in file.h proc.h addr.h syslogs.h; do 1002 if [ -f ${ROOTDIR}usr/include/${i} ]; then 1003 files="$files ${ROOTDIR}usr/include/$i" 1004 fi 1005 done 1006 if [ "${files}" = "" ]; then 1007 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1008 else 1009 echo "${files}" 1010 fi 1011 1012 ### HKRK 1013 if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then 1014 if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... "; fi 1015 if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then 1016 echo "Warning: /etc/rc.d/init.d/network INFECTED" 1017 else 1018 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1019 fi 1020 fi 1021 1022 ### Suckit 1023 if [ -f ${ROOTDIR}sbin/init ]; then 1024 if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi 1025 if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' || \ 1026 cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." 
) >/dev/null 2>&1 1027 then 1028 echo "Warning: ${ROOTDIR}sbin/init INFECTED" 1029 else 1030 if [ -d ${ROOTDIR}/dev/.golf ]; then 1031 echo "Warning: Suspect directory ${ROOTDIR}dev/.golf" 1032 else 1033 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1034 fi 1035 fi 1036 fi 1037 1038 ### Volc 1039 if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi 1040 if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then 1041 echo "Warning: Possible Volc rootkit installed" 1042 else 1043 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1044 fi 1045 1046 ### Gold2 1047 if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi 1048 if [ -f ${ROOTDIR}usr/bin/ishit ] ; then 1049 echo "Warning: Possible Gold2 rootkit installed" 1050 else 1051 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1052 fi 1053 1054 ### TC2 Worm 1055 if [ "${QUIET}" != "t" ]; then \ 1056 printn "Searching for TC2 Worm default files and dirs... "; fi 1057 if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \ 1058 -f ${ROOTDIR}usr/sbin/initcheck -o -f ${ROOTDIR}usr/sbin/ldb ] 1059 then 1060 echo "Possible TC2 Worm installed" 1061 else 1062 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1063 fi 1064 1065 ### ANONOYING Rootkit 1066 if [ "${QUIET}" != "t" ]; then \ 1067 printn "Searching for Anonoying rootkit default files and dirs... "; fi 1068 if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then 1069 echo "Possible anonoying rootkit installed" 1070 else 1071 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1072 fi 1073 1074 ### ZK Rootkit 1075 if [ "${QUIET}" != "t" ]; then \ 1076 printn "Searching for ZK rootkit default files and dirs... 
"; fi 1077 if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then 1078 echo "Possible ZK rootkit installed" 1079 else 1080 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1081 fi 1082 ### ShKit 1083 if [ "${QUIET}" != "t" ]; then 1084 printn "Searching for ShKit rootkit default files and dirs... "; fi 1085 if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then 1086 echo "Possible ShKit rootkit installed" 1087 else 1088 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1089 fi 1090 1091 ### AjaKit 1092 if [ "${QUIET}" != "t" ]; then 1093 printn "Searching for AjaKit rootkit default files and dirs... "; fi 1094 if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then 1095 echo "Possible AjaKit rootkit installed" 1096 else 1097 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1098 fi 1099 1100 ### zaRwT 1101 if [ "${QUIET}" != "t" ]; then 1102 printn "Searching for zaRwT rootkit default files and dirs... "; fi 1103 if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then 1104 echo "Possible zaRwT rootkit installed" 1105 else 1106 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1107 fi 1108 1109 ### Madalin rootkit 1110 if [ "${QUIET}" != "t" ]; then 1111 printn "Searching for Madalin rootkit default files... "; fi 1112 D=${ROOTDIR}usr/include 1113 if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then 1114 echo "Possible Madalin rootkit installed" 1115 else 1116 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1117 fi 1118 1119 ### Fu rootkit 1120 if [ "${QUIET}" != "t" ]; then 1121 printn "Searching for Fu rootkit default files... "; fi 1122 if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \ 1123 -f ${ROOTDIR}usr/include/ivtype.h ]; then 1124 echo "Possible Fu rootkit installed" 1125 else 1126 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1127 fi 1128 1129 ### ESRK 1130 if [ "${QUIET}" != "t" ]; then 1131 printn "Searching for ESRK rootkit default files... 
"; fi 1132 if [ -d "${ROOTDIR}usr/lib/tcl5.3" ]; then 1133 echo "Possible ESRK rootkit installed" 1134 else 1135 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1136 fi 1137 1138 ## rootedoor 1139 if [ "${QUIET}" != "t" ]; then 1140 printn "Searching for rootedoor... "; fi 1141 found=0 1142 for i in `$echo $PATH|tr -s ':' ' '`; do 1143 if [ -f "${ROOTDIR}${i}/rootedoor" ]; then 1144 echo "Possible rootedoor installed in ${ROOTDIR}${i}" 1145 found=1 1146 fi 1147 done 1148 [ "${found}" = "0" ] &&\ 1149 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1150 1151 ### ENYELKM 1152 if [ "${QUIET}" != "t" ]; then 1153 printn "Searching for ENYELKM rootkit default files... "; fi 1154 if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then 1155 echo "Possible ENYELKM rootkit installed" 1156 else 1157 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1158 fi 1159 1160 ## Common SSH-SCANNERS 1161 if [ "${QUIET}" != "t" ]; then 1162 printn "Searching for common ssh-scanners default files... "; fi 1163 files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`" 1164 if [ "${files}" = "" ]; then 1165 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1166 else 1167 echo "${files}" 1168 fi 1169 1170 ## SSJD Operation Windigo (Linux/Ebury) 1171 LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1" 1172 if [ "${QUIET}" != "t" ]; then 1173 printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi 1174 if $ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" >/dev/null; then 1175 if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then 1176 if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi 1177 else 1178 echo "Possible Linux/Ebury 1.4 - Operation Windigo installed" 1179 fi 1180 fi 1181 if [ ! 
-f "${ROOTDIR}${LIBKEY}" ]; then 1182 if [ "${QUIET}" != "t" ]; then 1183 echo "not tested"; fi 1184 else 1185 if ${strings} -a ${ROOTDIR}${LIBKEY} | egrep "libns2|libns5|libpw3|libpw5|libsbr|libslr" >/dev/null; then 1186 echo "Possible Linux/Ebury 1.6 - Operation Windigo installed" 1187 else 1188 if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi 1189 fi 1190 fi 1191 ## 1192 ## Linux Rootkit 64 bits 1193 if [ "${QUIET}" != "t" ]; then 1194 printn "Searching for 64-bit Linux Rootkit ... "; fi 1195 if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \ 1196 ${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then 1197 echo "Possible 64-bit Linux Rootkit" 1198 else 1199 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1200 fi 1201 1202 if [ "${QUIET}" != "t" ]; then 1203 printn "Searching for 64-bit Linux Rootkit modules... "; fi 1204 files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`" 1205 if [ "${files}" = "" ]; then 1206 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1207 else 1208 echo "${files}" 1209 fi 1210 1211 ## Mumblehard backdoor/botnet 1212 if [ "${QUIET}" != "t" ]; then 1213 printn "Searching for Mumblehard Linux ... "; fi 1214 if [ -e ${ROOTDIR}var/spool/cron/crontabs ]; then 1215 cat ${ROOTDIR}var/spool/cron/crontabs/* 2>/dev/null | egrep "var/tmp" 1216 if [ $? -ne 0 ] ; then 1217 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1218 else 1219 echo "Possible Mumblehard backdoor installed" 1220 fi 1221 else 1222 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1223 fi 1224 1225 ## Backdoor.Linux.Mokes.a 1226 if [ "${QUIET}" != "t" ]; then 1227 printn "Searching for Backdoor.Linux.Mokes.a ... 
"; fi 1228 files="`${find} ${ROOTDIR}tmp/ ${findargs} -name "ss0-[0-9]*" -o -name "kk-[0-9]*" 2> /dev/null`" 1229 if [ "${files}" = "" ]; then 1230 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1231 else 1232 echo "${files}" 1233 fi 1234 1235 ## Malicious TinyDNS 1236 if [ "${QUIET}" != "t" ]; then 1237 printn "Searching for Malicious TinyDNS ... "; fi 1238 files="`${find} "${ROOTDIR}home/ ./" 2> /dev/null`" 1239 if [ "${files}" = "" ]; then 1240 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1241 else 1242 echo "INFECTED: Possible Malicious TinyDNS installed" 1243 fi 1244 1245 ## Linux/Xor.DDoS 1246 if [ "${QUIET}" != "t" ]; then 1247 printn "Searching for Linux.Xor.DDoS ... "; fi 1248 files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`" 1249 if [ "${files}" = "" ]; then 1250 files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`" 1251 files="$files $($ls ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)" 1252 if [ "${files}" = " " ]; then 1253 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1254 else 1255 echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed" 1256 fi 1257 else 1258 echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed" 1259 echo "${files}" 1260 fi 1261 1262 ## Linux.Proxy 1.0 1263 if [ "${QUIET}" != "t" ]; then 1264 printn "Searching for Linux.Proxy.1.0 ... "; fi 1265 1266 if ${egrep} -i mother ${ROOTDIR}etc/passwd >/dev/null 2>&1 ; then 1267 echo "INFECTED: Possible Malicious Linux.Proxy.10 installed" 1268 else 1269 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1270 fi 1271 1272 # Linux/CrossRAT 1273 if [ "${QUIET}" != "t" ]; then 1274 printn "Searching for CrossRAT ... 
"; fi 1275 if ${ls} ${ROOTDIR}usr/var/mediamgrs.jar 2>/dev/null; then 1276 echo "INFECTED: Possible Malicious CrossRAT installed" 1277 else 1278 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1279 fi 1280 ## Hidden Cobra (IBM AIX) 1281 if [ "${QUIET}" != "t" ]; then 1282 printn "Searching for Hidden Cobra ... "; fi 1283 if ${ls} "${ROOTDIR}tmp/.ICE-unix/m*.so" ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then 1284 echo "INFECTED: Possible Malicious Hidden Cobra installed" 1285 else 1286 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1287 fi 1288 1289 ### Rocke Monero Miner 1290 if [ "${QUIET}" != "t" ]; then 1291 printn "Searching for Rocke Miner ... "; fi 1292 if [ -f "${ROOTDIR}etc/ld.so.pre" -o -f "${ROOTDIR}etc/xig" ] ; then 1293 echo "INFECTED: Possible Malicious Rocke Miner installed" 1294 else 1295 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1296 fi 1297 1298 ### 1299 ### Suspects PHP files 1300 ### 1301 if [ "${QUIET}" != "t" ]; then 1302 printn "Searching for suspect PHP files... "; fi 1303 files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`" 1304if [ `echo abc | _head -1` = "abc" ]; then 1305 fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n 1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`" 1306else 1307 fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`" 1308fi 1309 if [ "${files}" = "" -a "${fileshead}" = "" ]; then 1310 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1311 else 1312 echo 1313 echo "${files}" 1314 echo "${fileshead}" 1315 fi 1316 1317 ### 1318 ### shell history anomalies 1319 ### 1320 if [ "${QUIET}" != "t" ]; then \ 1321 printn "Searching for anomalies in shell history files... "; fi 1322 files="" 1323 if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then 1324 files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0` 1325 [ ! 
-z "${files}" ] && \ 1326 echo "Warning: \`${files}' file size is zero" 1327 files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)` 1328 [ ! -z "${files1}" ] && \ 1329 echo "Warning: \`${files1}' is linked to another file" 1330 fi 1331 if [ -z "${files}" -a -z "${files1}" ]; then 1332 if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1333 fi 1334} 1335 1336###################################################################### 1337# util functions 1338 1339# our which(1) 1340loc () { 1341 ### usage: loc filename filename_to_return_if_nothing_was_found path 1342 thing=$1 1343 shift 1344 dflt=$1 1345 shift 1346 for dir in $*; do 1347 case "$thing" in 1348 .) 1349 if test -d $dir/$thing; then 1350 echo $dir 1351 exit 0 1352 fi 1353 ;; 1354 *) 1355 for thisthing in $dir/$thing; do 1356 : 1357 done 1358 if test -f $thisthing; then 1359 echo $thisthing 1360 exit 0 1361 fi 1362 ;; 1363 esac 1364 done 1365 if [ "${ROOTDIR}" = "/" ]; then 1366 echo ${dflt} 1367 else 1368 echo "${ROOTDIR}${dflt}" 1369 fi 1370 exit 1 1371} 1372 1373getCMD() { 1374 RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \ 1375 ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \ 1376 ${awk} '{ print $5 }'` 1377 1378 for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth` 1379 do 1380 CMD="${i}" 1381 if [ -r "${i}" ] 1382 then 1383 return 0 1384 fi 1385 done 1386 return 1 1387} 1388 1389expertmode_output() { 1390 echo "###" 1391 echo "### Output of: $1" 1392 echo "###" 1393 eval $1 2>&1 1394# cat <<EOF 1395#`$1 2>&1` 1396#EOF 1397 return 0 1398} 1399 1400tnfs () 1401{ 1402 ## Check if -fstype nfs works 1403 findargs="" 1404 if find /etc -maxdepth 0 >/dev/null 2>&1; then 1405 find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \ 1406 findargs="! -fstype nfs " 1407 elif find /etc -prune > /dev/null 2>&1; then 1408 find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \ 1409 findargs="! 
-fstype nfs " 1410 fi 1411} 1412 1413###################################################################### 1414# trojan functions 1415 1416chk_chfn () { 1417 STATUS=${NOT_INFECTED} 1418 CMD=`loc chfn chfn $pth` 1419 [ ${?} -ne 0 ] && return ${NOT_FOUND} 1420 1421 if [ "${EXPERT}" = "t" ]; then 1422 expertmode_output "${strings} -a ${CMD}" 1423 return 5 1424 fi 1425 1426 case "${SYSTEM}" in 1427 Linux) 1428 if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ 1429 >/dev/null 2>&1 1430 then 1431 STATUS=${INFECTED} 1432 fi;; 1433 DragonFly) 1434 [ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2 1435 if [ `${strings} -a ${CMD} | \ 1436 ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] 1437 then 1438 STATUS=${INFECTED} 1439 fi;; 1440 esac 1441 return ${STATUS} 1442} 1443 1444chk_chsh () { 1445 STATUS=${NOT_INFECTED} 1446 CMD=`loc chsh chsh $pth` 1447 [ ${?} -ne 0 ] && return ${NOT_FOUND} 1448 1449 REDHAT_PAM_LABEL="*NOT*" 1450 1451 if [ "${EXPERT}" = "t" ]; then 1452 expertmode_output "${strings} -a ${CMD}" 1453 return 5 1454 fi 1455 1456 case "${SYSTEM}" in 1457 Linux) 1458 if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ 1459 >/dev/null 2>&1 1460 then 1461 if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \ 1462 >/dev/null 2>&1 1463 then 1464 : 1465 else 1466 STATUS=${INFECTED} 1467 fi 1468 fi;; 1469 DragonFly) 1470 [ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2 1471 if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] 1472 then 1473 STATUS=${INFECTED} 1474 fi;; 1475 esac 1476 return ${STATUS} 1477} 1478 1479chk_login () { 1480 STATUS=${NOT_INFECTED} 1481 CMD=`loc login login $pth` 1482 1483 if [ "${EXPERT}" = "t" ]; then 1484 expertmode_output "${strings} -a ${CMD}" 1485 return 5 1486 fi 1487 1488 if [ "$SYSTEM" = "SunOS" ]; then 1489 TROJED_L_L="porcao|/bin/xstat" 1490 if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 
]; then 1491 return ${INFECTED} 1492 else 1493 return ${NOT_TESTED} 1494 fi 1495 fi 1496 GENERAL="^root$" 1497 TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola" 1498 ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"` 1499 if [ ${ret} -gt 0 ]; then 1500 case ${ret} in 1501 1) [ "${SYSTEM}" = "OpenBSD" -a `echo $V | ${awk} '{ if ($1 < 2.7 || 1502$1 >= 3.0) print 1; else print 0}'` -eq 1 ] && \ 1503 STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; 1504 2) [ "${SYSTEM}" = "DragonFly" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \ 1505"OpenBSD" -a `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; 1506 6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};; 1507 *) STATUS=${INFECTED};; 1508 esac 1509 fi 1510 if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null 1511 then 1512 STATUS=${INFECTED} 1513 fi 1514 return ${STATUS} 1515} 1516 1517chk_passwd () { 1518 STATUS=${NOT_INFECTED} 1519 CMD=`loc passwd passwd $pth` 1520 1521 if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then 1522 CMD="${ROOTDIR}usr/bin/passwd" 1523 fi 1524 1525 if [ "${EXPERT}" = "t" ]; then 1526 expertmode_output "${strings} -a ${CMD}" 1527 fi 1528 1529 if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" -o "${SYSTEM}" \ 1530 = "HP-UX" ] 1531 then 1532 return ${NOT_TESTED} 1533 fi 1534 if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \ 1535 >/dev/null 2>&1 1536 then 1537 STATUS=${INFECTED} 1538 fi 1539 return ${STATUS} 1540} 1541 1542chk_inetd () { 1543 STATUS=${NOT_INFECTED} 1544 getCMD 'inetd' 1545 1546 if [ ! 
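-r ${CMD} -o ${CMD} = '/' ]
  then
    return ${NOT_TESTED}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
    >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# The chk_* functions below share one shape: locate the binary with loc,
# bail out when it is unreadable, dump strings in expert mode (return 5),
# otherwise grep the printable strings for a kit-specific label and answer
# INFECTED or NOT_INFECTED.  Globals read: pth, EXPERT, strings, egrep.
# Each sets CMD as a side effect.  ${CMD} is now quoted in the tests and
# scans, which only matters for paths containing whitespace or glob chars.

# chk_syslogd - device and header names used by known syslogd trojans.
# Returns NOT_TESTED when the binary cannot be read.
chk_syslogd () {
  STATUS=${NOT_INFECTED}
  SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h"
  CMD=`loc syslogd syslogd $pth`
  [ -r "${CMD}" ] || return ${NOT_TESTED}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_hdparm - a trojaned hdparm references /dev/ida.  NOT_FOUND if unreadable.
chk_hdparm () {
  STATUS=${NOT_INFECTED}
  HDPARM_INFECTED_LABEL="/dev/ida"
  CMD=`loc hdparm hdparm $pth`
  [ -r "${CMD}" ] || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${HDPARM_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_gpm - a trojaned gpm mentions mingetty.  NOT_FOUND if unreadable.
chk_gpm () {
  STATUS=${NOT_INFECTED}
  GPM_INFECTED_LABEL="mingetty"
  CMD=`loc gpm gpm $pth`
  [ -r "${CMD}" ] || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${GPM_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_mingetty - Italian strings left by a known mingetty trojan.
# NOT_FOUND if unreadable.
chk_mingetty () {
  STATUS=${NOT_INFECTED}
  MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
  CMD=`loc mingetty mingetty $pth`
  [ -r "${CMD}" ] || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${MINGETTY_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_sendmail - marker string of a known sendmail trojan.  NOT_FOUND if unreadable.
chk_sendmail () {
  STATUS=${NOT_INFECTED}
  SENDMAIL_INFECTED_LABEL="fuck"
  CMD=`loc sendmail sendmail $pth`
  [ -r "${CMD}" ] || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${SENDMAIL_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_ls - device, file and header names used by ls trojans.
# No readability check: a missing ls simply scans nothing and is NOT_INFECTED.
chk_ls () {
  STATUS=${NOT_INFECTED}
  LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
  CMD=`loc ls ls $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_du - markers of du trojans.  No readability check (see chk_ls).
chk_du () {
  STATUS=${NOT_INFECTED}
  DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
  CMD=`loc du du $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_named - markers of named trojans; tries named, then in.named.
# NOT_FOUND when neither is readable.
chk_named () {
  STATUS=${NOT_INFECTED}
  NAMED_I_L="blah|bye"
  CMD=`loc named named $pth`

  if [ ! -r "${CMD}" ]; then
    CMD=`loc in.named in.named $pth`
    if [ !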
-r "${CMD}" ]; then 1716 return ${NOT_FOUND} 1717 fi 1718 fi 1719 1720 if [ "${EXPERT}" = "t" ]; then 1721 expertmode_output "${strings} -a ${CMD}" 1722 return 5 1723 fi 1724 1725 if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \ 1726 >/dev/null 2>&1 1727 then 1728 STATUS=${INFECTED} 1729 fi 1730 return ${STATUS} 1731} 1732 1733chk_netstat () { 1734 STATUS=${NOT_INFECTED} 1735NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero" 1736 CMD=`loc netstat netstat $pth` 1737 1738 if [ "${EXPERT}" = "t" ]; then 1739 expertmode_output "${strings} -a ${CMD}" 1740 return 5 1741 fi 1742 1743 if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \ 1744 >/dev/null 2>&1 1745 then 1746 STATUS=${INFECTED} 1747 fi 1748 return ${STATUS} 1749} 1750 1751chk_ps () { 1752 STATUS=${NOT_INFECTED} 1753PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\ 1754/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so" 1755 CMD=`loc ps ps $pth` 1756 1757 if [ "${EXPERT}" = "t" ]; then 1758 expertmode_output "${strings} -a ${CMD}" 1759 return 5 1760 fi 1761 1762 if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1 1763 then 1764 STATUS=${INFECTED} 1765 fi 1766 return ${STATUS} 1767} 1768 1769chk_pstree () { 1770 STATUS=${NOT_INFECTED} 1771 PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h" 1772 1773 CMD=`loc pstree pstree $pth` 1774 if [ ! 
-r "${CMD}" ] 1775 then 1776 return ${NOT_FOUND} 1777 fi 1778 1779 if [ "${EXPERT}" = "t" ]; then 1780 expertmode_output "${strings} -a ${CMD}" 1781 return 5 1782 fi 1783 1784 if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 1785 then 1786 STATUS=${INFECTED} 1787 fi 1788 return ${STATUS} 1789} 1790 1791chk_crontab () { 1792 STATUS=${NOT_INFECTED} 1793 CRONTAB_I_L="crontab.*666" 1794 1795 CMD=`loc crontab crontab $pth` 1796 1797 if [ ! -r ${CMD} ] 1798 then 1799 return ${NOT_FOUND} 1800 fi 1801 1802 if [ "${EXPERT}" = "t" ]; then 1803 expertmode_output "${CMD} -l -u nobody" 1804 return 5 1805 fi 1806 # slackware's crontab have a bug 1807 if ( ${CMD} -l -u nobody | $egrep [0-9] ) >/dev/null 2>&1 ; then 1808 ${echo} "Warning: crontab for nobody found, possible Lupper.Worm... " 1809 if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1 1810 then 1811 STATUS=${INFECTED} 1812 fi 1813 fi 1814 return ${STATUS} 1815} 1816 1817chk_top () { 1818 STATUS=${NOT_INFECTED} 1819 TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit" 1820 1821 CMD=`loc top top $pth` 1822 1823 if [ ! 
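-r ${CMD} ]
  then
    return ${NOT_FOUND}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_pidof - pty names used by pidof trojans.  NOT_FOUND when loc fails.
# Globals read: pth, EXPERT, strings, egrep.  Sets CMD.
# (The label variable used to be misnamed TOP_INFECTED_LABEL; it is private
# to this function.)
chk_pidof () {
  STATUS=${NOT_INFECTED}
  PIDOF_INFECTED_LABEL="/dev/pty[pqrs]"
  CMD=`loc pidof pidof $pth` || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${PIDOF_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_killall - device and header names used by killall trojans.
# NOT_FOUND when loc fails.  (Label variable renamed from TOP_INFECTED_LABEL.)
chk_killall () {
  STATUS=${NOT_INFECTED}
  KILLALL_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h"
  CMD=`loc killall killall $pth` || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${KILLALL_INFECTED_LABEL}" >/dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_ldsopreload - Linux only: libshow.so / libproc.a are libraries planted
# through ld.so.preload by known kits.  The presence of either file is the
# finding; strings-static merely has to succeed on one of them.  A static
# strings is required because the dynamic one could itself be hooked.
# CMD holds two paths and is deliberately left unquoted so both are passed.
# Returns NOT_TESTED off Linux or when strings-static is missing.
chk_ldsopreload() {
  STATUS=${NOT_INFECTED}
  CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a"

  if [ "${SYSTEM}" != "Linux" ]; then
    return ${NOT_TESTED}
  fi

  if [ ! -x /usr/local/sbin/strings-static ]; then
    printn "can't exec /usr/local/sbin/strings-static, "
    return ${NOT_TESTED}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "/usr/local/sbin/strings-static -a ${CMD}"
    return 5
  fi

  ### strings must be a statically linked binary.
  /usr/local/sbin/strings-static -a ${CMD} > /dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_basename - generic label scan plus, except on OSF1, a setuid-bit check
# on the binary (a setuid basename is a known backdoor pattern).
# Globals read: pth, EXPERT, SYSTEM, strings, ls, egrep, GENERIC_ROOTKIT_LABEL.
chk_basename () {
  STATUS=${NOT_INFECTED}
  CMD=`loc basename basename $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    expertmode_output "${ls} -l ${CMD}"
    return 5
  fi
  ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 && STATUS=${INFECTED}

  if [ "$SYSTEM" != "OSF1" ]; then
    ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1 && STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_dirname - generic label scan plus setuid-bit check.
chk_dirname () {
  STATUS=${NOT_INFECTED}
  CMD=`loc dirname dirname $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    expertmode_output "${ls} -l ${CMD}"
    return 5
  fi
  ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 && STATUS=${INFECTED}
  ${ls} -l "${CMD}" | ${egrep} "^...s" > /dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_traceroute - generic label scan.  NOT_FOUND if unreadable.
chk_traceroute () {
  STATUS=${NOT_INFECTED}
  CMD=`loc traceroute traceroute $pth`
  [ -r "${CMD}" ] || return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 && STATUS=${INFECTED}
  return ${STATUS}
}

# chk_rpcinfo - generic label scan plus setuid-bit check.  NOT_FOUND if unreadable.
chk_rpcinfo () {
  STATUS=${NOT_INFECTED}
  CMD=`loc rpcinfo rpcinfo $pth`

  if [ !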
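-r "${CMD}" ]
then
    return ${NOT_FOUND}
fi

if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    expertmode_output "${ls} -l ${CMD}"
    return 5
fi

if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
then
    STATUS=${INFECTED}
fi
if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
then
    STATUS=${INFECTED}
fi
return ${STATUS}
}

######################################################################
# chk_* functions share one shape:
#   - locate the binary with loc (CMD), returning NOT_FOUND when absent;
#   - in expert mode (-x) dump strings/ls output and return 5;
#   - otherwise grep the `strings -a` output for a rootkit label and, for
#     commands that should never be setuid, flag an "s" in the mode column
#     of `ls -l` ("^...s");
#   - return INFECTED, NOT_INFECTED, NOT_TESTED, NOT_FOUND or
#     INFECTED_BUT_DISABLED (see the return-code table at the top of the file).
# Only the egrep/ls/strings/awk/ps resolved in main ("cmdlist") are used, so a
# trojaned copy on PATH is not trusted to inspect itself.
######################################################################

chk_date () {
    STATUS=${NOT_INFECTED}
    S_L="/bin/.*sh"
    CMD=`loc date date $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    # On DragonFly > 4.9 the generic label alone is not decisive: count the
    # "/bin/.*sh" strings and treat only a count other than 0 or 2 as
    # infected.  Elsewhere any match of the generic label is enough.
    if [ "${SYSTEM}" = "DragonFly" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ]; then
        N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
            ${egrep} -c "$S_L"`
        if [ ${N} -ne 2 -a ${N} -ne 0 ]; then
            STATUS=${INFECTED}
        fi
    else
        # was "2>&1" only: on a match the strings leaked into the report line
        if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
        then
            STATUS=${INFECTED}
        fi
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_echo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc echo echo $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_env () {
    STATUS=${NOT_INFECTED}
    CMD=`loc env env $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi

    return ${STATUS}
}

chk_timed () {
    STATUS=${NOT_INFECTED}
    # the daemon is installed as either "timed" or "in.timed"
    CMD=`loc timed timed $pth`
    if [ ${?} -ne 0 ]; then
        CMD=`loc in.timed in.timed $pth`
        if [ ${?} -ne 0 ]; then
            return ${NOT_FOUND}
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_identd () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.identd in.identd $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_init () {
    STATUS=${NOT_INFECTED}
    # a packed init (UPX marker) is treated as infected
    INIT_INFECTED_LABEL="UPX"
    CMD=`loc init init $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_pop2 () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop2d in.pop2d $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_pop3 () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop3d in.pop3d $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_write () {
    STATUS=${NOT_INFECTED}
    CMD=`loc write write $pth`
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    # "locale" strings match the label on clean binaries and are dropped.
    # Uses the egrep resolved in main rather than a bare "grep" from PATH.
    if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | ${egrep} -v locale > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_w () {
    STATUS=${NOT_INFECTED}
    CMD=`loc w w $pth`
    W_INFECTED_LABEL="uname -a"

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_vdir () {
    STATUS=${NOT_INFECTED}
    CMD=`loc vdir vdir $pth`
    VDIR_INFECTED_LABEL="/lib/volc"
    if [ ! -r "${CMD}" ]; then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_tar () {
    # tar has no string label; only a setuid bit is reported
    STATUS=${NOT_INFECTED}
    CMD=`loc tar tar $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

rexedcs () {
    # the mere presence of in.rexedcs is reported as infected
    STATUS=${NOT_INFECTED}
    CMD=`loc in.rexedcs in.rexedcs $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    STATUS=${INFECTED}
    return ${STATUS}
}

chk_mail () {
    STATUS=${NOT_INFECTED}
    CMD=`loc mail mail $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi

    [ "${SYSTEM}" = "HP-UX" ] && return $NOT_TESTED

    MAIL_INFECTED_LABEL="sh -i"

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_biff () {
    STATUS=${NOT_INFECTED}
    CMD=`loc biff biff $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_egrep () {
    STATUS=${NOT_INFECTED}
    EGREP_INFECTED_LABEL="blah"
    CMD=`loc egrep egrep $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_grep () {
    STATUS=${NOT_INFECTED}
    GREP_INFECTED_LABEL="givemer"
    CMD=`loc grep grep $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_find () {
    STATUS=${NOT_INFECTED}
    FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h"
    CMD=`loc find find $pth`

    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_rlogind () {
    STATUS=${NOT_INFECTED}
    RLOGIN_INFECTED_LABEL="p1r0c4|r00t"
    # installed as "in.rlogind" or "rlogind"
    CMD=`loc in.rlogind in.rlogind $pth`
    if [ ! -x "${CMD}" ]; then
        CMD=`loc rlogind rlogind $pth`
        if [ ! -x "${CMD}" ]; then
            return ${NOT_FOUND}
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_lsof () {
    STATUS=${NOT_INFECTED}
    LSOF_INFECTED_LABEL="^/prof"
    CMD=`loc lsof lsof $pth`
    if [ ! -x "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_amd () {
    STATUS=${NOT_INFECTED}
    AMD_INFECTED_LABEL="blah"
    CMD=`loc amd amd $pth`
    if [ ! -x "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_slogin () {
    STATUS=${NOT_INFECTED}
    SLOGIN_INFECTED_LABEL="homo"
    CMD=`loc slogin slogin $pth`
    if [ ! -x "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_cron () {
    STATUS=${NOT_INFECTED}
    CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
    # "cron" or "crond"; the nested test checks the status of the second
    # loc directly instead of relying on $? surviving the enclosing "fi"
    CMD=`loc cron cron $pth`
    if [ "${?}" -ne 0 ]; then
        CMD=`loc crond crond $pth`
        if [ "${?}" -ne 0 ]; then
            return ${NOT_FOUND}
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_ifconfig () {
    # inverted default: a clean ifconfig must still contain the "PROMISC"
    # string; a binary without it, or with a known label, is infected
    STATUS=${INFECTED}
    CMD=`loc ifconfig ifconfig $pth`
    if [ "${?}" -ne 0 ]; then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${NOT_INFECTED}
    fi
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_rshd () {
    STATUS=${NOT_INFECTED}
    case "${SYSTEM}" in
    Linux)     CMD="${ROOTDIR}usr/sbin/in.rshd";;
    DragonFly) CMD="${ROOTDIR}usr/libexec/rshd";;
    *)         CMD=`loc rshd rshd $pth`;;
    esac

    if [ ! -x "${CMD}" ] ;then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    RSHD_INFECTED_LABEL="HISTFILE"
    if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        # Downgrade to "disabled" when rshd is commented out in inetd.conf or
        # has an xinetd.d entry.  The original joined the two probes with a
        # bare "-o", which egrep received as its own option plus two extra
        # file operands; "||" gives the intended either/or test.
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 || \
           ${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1 ; then
            STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}

chk_tcpdump () {
    # network-side check only: a known listener/peer in the socket table
    STATUS=${NOT_INFECTED}
    TCPDUMP_I_L="212.146.0.34:1963";
    _chk_netstat_or_ss;
    OPT="-an"
    [ "${netstat}" = "ss" ] && OPT="-a"
    if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}"> /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_tcpd () {
    STATUS=${NOT_INFECTED}
    TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
    CMD=""
    # prefer the tcpd path inetd.conf actually uses (6th field of the first
    # uncommented tcpd line); fall back to a PATH search when xinetd is
    # running or nothing was found
    [ -r ${ROOTDIR}etc/inetd.conf ] &&
        CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
            ${awk} '{ print $6 }'`
    # NOTE(review): hard-coded "auwx" rather than ${ps_cmd}; on a ps that
    # rejects it the pipeline simply yields no match
    if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1; then
        CMD=`loc tcpd tcpd $pth`
    fi
    [ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`

    # presumably loc echoes the bare name back when nothing was found
    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_sshd () {
    STATUS=${NOT_INFECTED}
    SSHD2_INFECTED_LABEL="check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk"
    getCMD 'sshd'

    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
        > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        # Exclude the egrep itself from the process match: its own command
        # line contains "sshd" and could satisfy the pattern on its own.
        # NOTE(review): reporting a *running* sshd as "infected but disabled"
        # looks inverted -- confirm the intended meaning before changing it.
        if ${ps} ${ps_cmd} | ${egrep} sshd | ${egrep} -v grep >/dev/null 2>&1; then
            STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}

chk_su () {
    STATUS=${NOT_INFECTED}
    SU_INFECTED_LABEL="satori|vejeta|conf\.inv"
    CMD=`loc su su $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

chk_fingerd () {
    STATUS=${NOT_INFECTED}
    FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}"
    # installed as "fingerd" or "in.fingerd"
    CMD=`loc fingerd fingerd $pth`

    if [ ${?} -ne 0 ]; then
        CMD=`loc in.fingerd in.fingerd $pth`
        if [ ${?} -ne 0 ]; then
            return ${NOT_FOUND}
        fi
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
        > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}


chk_inetdconf () {
    # an uncommented "stream tcp nowait ... <shell>" service in inetd.conf
    # is an inetd shell backdoor; the shell list comes from /etc/shells
    # when readable, else sh and bash
    STATUS=${NOT_INFECTED}
    SHELLS="${ROOTDIR}bin/sh ${ROOTDIR}bin/bash"

    if [ -r ${ROOTDIR}etc/shells ]; then
        SHELLS="`${egrep} -v '^#' ${ROOTDIR}etc/shells`";
    fi

    if [ -r ${ROOTDIR}etc/inetd.conf ]; then
        for CHK_SHELL in ${SHELLS}; do
            ${egrep} -v "^#" ${ROOTDIR}etc/inetd.conf | \
                ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null
            # only a real match (status 0) counts; the original "-ne 1" also
            # turned an egrep error (status 2) into INFECTED
            if [ ${?} -eq 0 ]; then
                if [ "${EXPERT}" = "t" ]; then
                    echo "Backdoor shell record(s) in /etc/inetd.conf: "
                    ${egrep} -v "^#" ${ROOTDIR}etc/inetd.conf | \
                        ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*"
                fi
                STATUS=${INFECTED}
            fi
        done
        return ${STATUS}
    else
        return ${NOT_FOUND}
    fi

}

chk_telnetd () {
    STATUS=${NOT_INFECTED}
    TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]'
    # installed as "telnetd" or "in.telnetd"
    CMD=`loc telnetd telnetd $pth`

    if [ ${?} -ne 0 ]; then
        CMD=`loc in.telnetd in.telnetd $pth`
        if [ ${?} -ne 0 ]; then
            return ${NOT_FOUND}
        fi
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# print $1 without a trailing newline, whichever of "echo -n" / "\c" this
# echo understands (probe: an echo that prints the literal "c" ignores "\c")
printn () {
    if ${echo} "a\c" | ${egrep} c >/dev/null 2>&1 ; then
        ${echo} -n "$1"
    else
        ${echo} "${1}\c"
    fi
}

# main
#


### using regexps, as the `-w' option to grep/egrep is not portable.
L_REGEXP='(^|[^A-Za-z0-9_])'
R_REGEXP='([^A-Za-z0-9_]|$)'

### default ROOTDIR is "/"
ROOTDIR='/'
mode="rt"

### option parsing; stops at the first non-option (test names follow)
while :
do
    case $1 in
    -r) [ -z "$2" ] && exit 1;
        shift
        mode="pm"
        ROOTDIR=$1;;
    -p) [ -z "$2" ] && exit 1;
        shift
        CHKRKPATH=$1;;

    -d) DEBUG=t;;

    -x) EXPERT=t;;

    -q) QUIET=t;;

    -V) echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}"
        exit 1;;

    -l) echo >&2 "$0: tests: ${TOOLS} ${TROJAN}"
        exit 1;;

    -n) tnfs;;

    -h | -*) echo >&2 "Usage: $0 [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs"
        exit 1;;
    *) break
    esac

    shift
done

### check the external commands needed

cmdlist="
awk
cut
echo
egrep
find
head
id
ls
ps
sed
strings
uname
"

### PATH used by loc
pth=`echo $PATH | sed -e "s/:/ /g"`
pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ."

### external command's PATH
if [ "${CHKRKPATH}" = "" ]; then
    chkrkpth=${pth}
else
    ### use the path provided with the -p option
    chkrkpth=`echo ${CHKRKPATH} | sed -e "s/:/ /g"`
fi
echo=echo
### resolve every tool in cmdlist to an absolute/relative path once and bind
### it to a variable of the same name (e.g. egrep=/usr/bin/egrep), so the
### checks above never fall back to a PATH lookup
for file in $cmdlist; do
    xxx=`loc $file $file $chkrkpth`
    eval $file=$xxx
    case "$xxx" in
    /* | ./* | ../*)

        if [ ! -x "${xxx}" ]
        then
            echo >&2 "chkrootkit: can't exec \`$xxx'."
            exit 1
        fi
        ;;
    *)
        echo >&2 "chkrootkit: can't find \`$file'."
        exit 1
        ;;
    esac
done


SYSTEM=`${uname} -s`
VERSION=`${uname} -r`
### V is only meaningful on DragonFly/OpenBSD (see chk_date); elsewhere a
### fixed 4.4 keeps the comparisons well-formed
if [ "${SYSTEM}" != "DragonFly" -a "${SYSTEM}" != "OpenBSD" ] ; then
    V=4.4
else
    V=`echo $VERSION| ${sed} -e 's/[-_@].*//'| ${awk} -F . '{ print $1 "." $2 $3 }'`
fi

# head command: accept "-N" and translate to "-n N" where head needs it
_head()
{
    if $echo a | $head -n 1 >/dev/null 2>&1 ; then
        $head -n `echo $1 | tr -d "-"`
    else
        $head $1
    fi
}
# ps command
ps_cmd="ax"
if [ "$SYSTEM" = "SunOS" ]; then
    if [ "${CHKRKPATH}" = "" ]; then
        if [ -x /usr/ucb/ps ]; then
            ps="/usr/ucb/ps"
        else
            ps_cmd="-fe"
        fi
    else
        ### -p is in place: use `-fe' as ps options
        ps_cmd="-fe"
    fi
fi
# Check if ps command is ok
if ${ps} ax >/dev/null 2>&1 ; then
    ps_cmd="ax"
else
    ps_cmd="-fe"
fi

### uid taken from "uid=N(name)" in the output of id
if [ `${id} | ${cut} -d= -f2 | ${cut} -d\( -f1` -ne 0 ]; then
    echo "$0 needs root privileges"
    exit 1
fi

if [ $# -gt 0 ]
then
    ### perform only tests supplied as arguments
    for arg in $*
    do
        ### check if is a valid test name
        if echo "${TROJAN} ${TOOLS}"| \
            ${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1
        then
            echo >&2 "$0: \`$arg': not a known test"
            exit 1
        fi
    done
    LIST=$*
else
    ### this is the default: perform all tests
    LIST="${TROJAN} ${TOOLS}"
fi

if [ "${DEBUG}" = "t" ]; then
    set -x
fi

if [ "${ROOTDIR}" != "/" ]; then

    ### remove trailing `/'
    ROOTDIR=`echo ${ROOTDIR} | ${sed} -e 's/\/*$//g'`

    ### re-root every search directory under ROOTDIR
    for dir in ${pth}
    do
        if echo ${dir} | ${egrep} '^/' > /dev/null 2>&1
        then
            newpth="${newpth} ${ROOTDIR}${dir}"
        else
            newpth="${newpth} ${ROOTDIR}/${dir}"
        fi
    done
    pth=${newpth}
    ROOTDIR="${ROOTDIR}/"
fi

if [ "${QUIET}" != "t" ]; then
    echo "ROOTDIR is \`${ROOTDIR}'"
fi

#
# NETSTAT OR SS
#
# sets $netstat to "ss" when available, else "netstat"; callers pick the
# matching option set ("-a" vs "-an")
_chk_netstat_or_ss()
{
    netstat="netstat"
    CMD=`loc ss ss $pth`
    [ ${?} -eq 0 ] && netstat="ss"
}

### run every selected test: names in TROJAN dispatch to chk_<name> and
### have their return code rendered; anything else is a TOOLS function
### that prints its own result
for cmd in ${LIST}
do

    if echo "${TROJAN}" | \
        ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1
    then
        if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
            printn "Checking \`${cmd}'... "
        fi
        chk_${cmd}
        STATUS=$?

        ### quiet mode
        if [ "${QUIET}" = "t" ]; then
            ### show only INFECTED status
            if [ ${STATUS} -eq 0 ]; then
                echo "Checking \`${cmd}'... INFECTED"
            fi
            continue
        fi

        case $STATUS in
        0) echo "INFECTED";;
        1) echo "not infected";;
        2) echo "not tested";;
        3) echo "not found";;
        4) echo "infected but disabled";;
        5) ;; ### expert mode
        esac
    else
        ### external tool
        if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
            printn "Checking \`$cmd'... "
        fi
        ${cmd}

    fi
done

### chkrootkit ends here.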