From: Richard Lewis <richard.lewis.debian@googlemail.com>
Date: Sun, 9 Jul 2017 18:42:55 +0200
Subject: chkrootkit: lookfor-rootkit

This is a helper function to simplify and unify tests that
simply test for files/dirs existing

Originally from: "francois@debian.org" <francois@debian.org> and
"Roger Leigh" <Roger Leigh rleigh@debian.org> (Sun, 10 Nov 2024 10:24:09 +0000)

Functionality to exclude things (specified via -e) provided by
 richard.lewis.debian@googlemail.com in Oct 2024.

Forwarded: yes
(Forwarded by email: 21 Dec 2024)
---
 chkrootkit | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/chkrootkit b/chkrootkit
index 12abf77..cfd4407 100755
--- a/chkrootkit
+++ b/chkrootkit
@@ -468,6 +468,25 @@ _not_tested(){
 		fi
 }
 
+lookfor_rootkit(){
+   rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace
+   _start "$rkname rootkit"
+
+   bad="";
+   for f in $files; do
+       if [ -e "${ROOTDIR}${f}" ]; then
+           bad=$(_filter "${ROOTDIR}$f" "$bad")
+       fi
+   done
+   for d in $dirs ; do
+       if [ -d "${ROOTDIR}${d}" ]; then
+           bad=$(_filter "${ROOTDIR}${d}/" "$bad")
+       fi
+   done
+   _report "Possible $rkname rootkit installed" "$bad"
+}
+
+
 aliens () {
    if [ "${EXPERT}" = "t" ]; then
         ### suspicious files
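Review bot: The `[ -e "${ROOTDIR}${f}" ]` test in the file loop of `lookfor_rootkit` follows symlinks, so an indicator path that exists only as a dangling symlink is treated as absent and the check gives a false negative; `if [ -e "${ROOTDIR}${f}" ] || [ -L "${ROOTDIR}${f}" ]; then` would also catch that case. With a non-default `ROOTDIR`, an absolute symlink inside the examined tree would presumably be resolved against the running system rather than that tree, which is another reason to test the link itself. Separately, the unquoted `$files` and `$dirs` undergo pathname expansion as well as word splitting, and a glob character in either list would be matched before `${ROOTDIR}` is prepended, so the inline comment should read `# names cannot contain whitespace or glob characters` (or the loops should run under `set -f`). `rkname`, `files`, `dirs`, `bad`, `f` and `d` are assigned as globals, which deserves a comment if other parts of the script reuse those names.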
