Package: chkrootkit
Version: 0.48-5
Severity: normal
The -e option doesn't work as documented, since it doesn't apply to
files associated with specific rootkits. Attached is a patch showing
one way of fixing this. There are two caveats:
1) It applies only to the RH-Sharpe rootkit check. That's enough to
show the method, and enables me to use "-e /usr/bin/slice" to
eliminate the false positive with the slice package. However, the
author may have a better method.
2) My space delimited list of filenames doesn't allow for filenames
with whitespace (e.g. the directory "/usr/doc/... " in the ark
rootkit).
Note that my method also addresses #126160, since the rootkit
filenames are written out.
- Jim Van Zandt
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'oldstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.25 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages chkrootkit depends on:
ii binutils 2.18.1~cvs20080103-7 The GNU assembler, linker and bina
ii debconf [debconf-2. 1.5.23 Debian configuration management sy
ii libc6 2.7-13 GNU C Library: Shared libraries
ii net-tools 1.60-19 The NET-3 networking toolkit
ii procps 1:3.2.7-9 /proc file system utilities
chkrootkit recommends no packages.
chkrootkit suggests no packages.
-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q
* chkrootkit/diff_mode: false
--- chkrootkit-old 2008-09-05 22:22:36.000000000 -0400
+++ chkrootkit 2008-09-06 13:46:20.000000000 -0400
@@ -697,20 +697,42 @@
fi
### RH-Sharpe rootkit
+
+lookfor_rootkit() {
+ rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace
if [ "${QUIET}" != "t" ]; then \
- printn "Searching for RH-Sharpe's default files... "; fi
+ printn "Searching for rootkit $rkname default files... "; fi
- if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \
--o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \
--o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \
--o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \
--o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \
--o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ]
- then
- echo "Possible RH-Sharpe's rootkit installed"
+ bad="";
+ for f in $files ; do
+ if [ -r ${ROOTDIR}${f} ]; then
+ for exclude in $EXCLUDES; do
+ if [ /${f} = $exclude ]; then continue 2; fi
+ done
+ bad="$bad $f";
+ fi
+ done
+ for d in $dirs ; do
+ if [ -d ${ROOTDIR}${d} ]; then
+ for exclude in $EXCLUDES; do
+ if [ /${d} = $exclude ]; then continue 2; fi
+ done
+ bad="$bad $d";
+ fi
+ done
+ if [ "$bad" != "" ]; then
+ echo "Possible $rkname rootkit installed:"
+ echo "$bad"
else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi
+}
+
+ lookfor_rootkit "RH-Sharpe's" "bin/lps usr/bin/lpstree \
+ usr/bin/ltop usr/bin/lkillall usr/bin/ldu \
+ usr/bin/lnetstat usr/bin/wp usr/bin/shad \
+ usr/bin/vadim usr/bin/slice usr/bin/cleaner \
+ usr/include/rpcsvc/du" ""
### ark rootkit
if [ "${QUIET}" != "t" ]; then printn \
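Review bot: the new loops over $files and $dirs drop the quoting the original tests had (`"${ROOTDIR}bin/lps"`), so `[ -r ${ROOTDIR}${f} ]` and `[ /${f} = $exclude ]` will misbehave as soon as ROOTDIR (set by -r) or an entry contains whitespace, independently of the space-delimited list caveat; quote them as `[ -r "${ROOTDIR}${f}" ]` and `[ "/${f}" = "$exclude" ]`. Two smaller points in the same region: `bad="$bad $f"` leaves a leading space on the reported list that `echo "$bad"` prints, and the function body is indented at the same level as the surrounding `if ... fi`, so the unchanged `if [ "${QUIET}" != "t" ]` line now reads as if it were outside lookfor_rootkit; indenting the body one level would make the new scope visible.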