Package: chkrootkit / 0.50-3.2~deb8u1

unidentified.patch Patch series | download
Author: Francois Marier <francois@debian.org>
Description: collection of all other changes to the upstream source which have not
yet been identified
Index: chkrootkit/chkrootkit
===================================================================
--- chkrootkit.orig/chkrootkit
+++ chkrootkit/chkrootkit
@@ -263,12 +263,12 @@ wted () {
           expertmode_output "./chkwtmp -f ${WTMP}"
           return 5
        fi
-    fi
 
-    if ./chkwtmp -f ${WTMP}
-    then
-      if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
-    fi
+       if ./chkwtmp -f ${WTMP}
+       then
+           if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
+       fi
+   fi
 }
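Review bot: Nesting the `./chkwtmp -f ${WTMP}` run inside the outer `fi` (lines 171–175) means that when the enclosing condition, which starts before the hunk, is false the wtmp check is now skipped with no output at all, whereas before it always ran; if that is the intended guard, a comment on line 171 such as `# chkwtmp only makes sense when WTMP was located above` would make the new nesting self-explanatory. `${WTMP}` stays unquoted on 171 as on 162, so a path containing whitespace splits into several arguments; `./chkwtmp -f "${WTMP}"` is safer. wted begins before the hunk.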
 bindshell () {
 PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
@@ -363,6 +363,9 @@ lkm ()
 }
 
 aliens () {
+   if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a `id -u` = "0" -a -d "/root" ]; then
+     HOME="/root"
+   fi
    if [ "${EXPERT}" = "t" ]; then
         ### suspicious files
         FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
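Review bot: The root-home fallback on line 183 relies on `-a`/`-o` (and escaped parentheses) inside one `[ ]`, which POSIX marks obsolescent and which misparses when an operand happens to look like an operator; the backtick `id -u` result is also left unquoted. The same `-o` form is introduced in the chk_tcpd change at line 287. A safer spelling is `if { [ -z "${HOME}" ] || [ "${HOME}" = "/" ]; } && [ "`id -u`" = "0" ] && [ -d "/root" ]; then`. Note the fallback tests `/root` on the host while the later history checks prefix `${ROOTDIR}` to `${HOME}`; presumably fine when ROOTDIR is `/`, but worth confirming for a mounted image. aliens continues past the hunk.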
@@ -391,9 +394,8 @@ sbin/vobiscum  usr/sbin/jcd usr/sbin/atd
         ### sniffer's logs
         expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
 	${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
-.linux-sniff -o -name sniff-l0g -o -name core_ -o"
-        expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \
--name in.pop3d"
+.linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \
+-wholename ${ROOTDIR}usr/lib/in.pop3d"
 
         ### t0rn
         expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
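Review bot: `-wholename` on lines 196–197 is a GNU-find-only spelling; `-path` is the POSIX.1-2008 name, is accepted by GNU find as well, and chkrootkit otherwise avoids GNU-specific find tests in this expression, so `-path ${ROOTDIR}usr/lib/in.httpd -o -path ${ROOTDIR}usr/lib/in.pop3d` is the more portable form. The match also depends on `${ROOTDIR}usr` being one of the start points (it is, on line 191) so that find prints paths with exactly that prefix; a short comment noting that dependency would help the next editor who trims the start-point list.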
@@ -591,9 +593,9 @@ ${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}u
 
       ### shell history file check
       if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
-      expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
+      expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
  -size 0"
-      expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
+      expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
  \( -links 2 -o -type l \)"
       fi
 
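Review bot: Replacing `${findargs}` with `-maxdepth 1` on lines 206 and 209 (and identically at 236 and 240) drops the NFS handling that findargs carries, so a home directory on NFS is now searched where it was previously filtered; if that is intended, a comment on the first changed line such as `# history files sit directly in $HOME: no descent, no NFS filter needed` would record it. The pattern `.*history` remains unquoted inside the double-quoted string here while the runtime check at 236 writes `'.*history'`; quoting it the same way avoids shell globbing if expertmode_output evaluates its argument. The enclosing block starts before the hunk.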
@@ -764,7 +766,7 @@ etc/ld.so.hash sbin/init.zk usr/lib/in.h
       printn "Searching for LPD Worm files and dirs... "; fi
 
    if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1  || \
- ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
+ ${egrep} '^[[:space:]]*666[[:space:]]' ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
       then
          echo "Possible LPD worm installed"
       elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o  \
@@ -1098,7 +1100,7 @@ ${find} ${ROOTDIR}usr/sbin -name in.slog
    ### ESRK
    if [ "${QUIET}" != "t" ]; then
       printn "Searching for ESRK rootkit default files... "; fi
-   if [ -d "${ROOTDIR}usr/lib/tcl5.3" ]; then
+   if [ -d "${ROOTDIR}/usr/lib/tcl5.3" ]; then
       echo "Possible ESRK rootkit installed"
    else
       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
@@ -1192,10 +1194,10 @@ fi
       printn "Searching for anomalies in shell history files... "; fi
    files=""
    if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
-      files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
+      files=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' -size 0`
       [ ! -z "${files}" ] && \
         echo "Warning: \`${files}' file size is zero"
-      files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
+      files1=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' \( -links 2 -o -type l \)`
       [ ! -z "${files1}" ] && \
         echo "Warning: \`${files1}' is linked to another file"
    fi
@@ -1247,14 +1249,16 @@ getCMD() {
             ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
             ${awk} '{ print $5 }'`
 
-   for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
-   do
-      CMD="${i}"
-      if [ -r "${i}" ]
-        then
-        return 0
-      fi
-   done
+   if [ -n "${RUNNING}" ]; then
+       for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
+       do
+          CMD="${i}"
+          if [ -r "${i}" ]
+            then
+            return 0
+          fi
+       done
+   fi
    return 1
 }
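Review bot: Guarding the whole loop with `[ -n "${RUNNING}" ]` on line 256 also discards the two fallbacks `${ROOTDIR}usr/sbin/${1}` and `loc ${1} ${1} $pth`, so when the running binary cannot be determined getCMD now returns 1 without looking at the usual install path; before the change an empty RUNNING made the loop test `${ROOTDIR}` itself, which is presumably the bug being fixed. A narrower fix keeps the fallbacks: build a `candidates` list from the two fallbacks, prepend `${ROOTDIR}${RUNNING}` to it only when RUNNING is non-empty, and loop over `${candidates}` unchanged otherwise. getCMD begins before the hunk.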
 
@@ -1275,10 +1279,10 @@ tnfs ()
    findargs=""
    if find /etc -maxdepth 0 >/dev/null 2>&1; then
         find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
-           findargs="! -fstype nfs "
+           findargs=" -fstype nfs -prune -o "
    elif find /etc -prune > /dev/null 2>&1; then
         find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
-           findargs="! -fstype nfs "
+           findargs=" -fstype nfs -prune -o "
    fi
 }
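Review bot: The new `findargs=" -fstype nfs -prune -o "` on lines 274 and 278 changes meaning for every caller whose expression ends without an explicit action: find appends an implicit `-print` to the whole expression, so an NFS mount point that satisfies `-fstype nfs -prune` is itself printed next to the real hits. The consumer visible at lines 191–197 has no trailing `-print`, so the expert-mode sniffer-log listing would presumably gain one line per pruned NFS mount; each consumer should group its tests and end with `-print`, e.g. `${findargs} \( -name tcp.log -o … \) -print`. The two probe commands still test `! -fstype nfs` rather than the `-prune` form that is now emitted, so support for `-prune` is not actually verified. tnfs begins before the hunk.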
 
@@ -2498,7 +2502,7 @@ chk_tcpd () {
     fi
     [ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`
 
-    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};
+    [ "tcpd" = "${CMD}" -o ! -f "${CMD}" ] && return ${NOT_FOUND};
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
Index: chkrootkit/chkproc.c
===================================================================
--- chkrootkit.orig/chkproc.c
+++ chkrootkit/chkproc.c
@@ -358,7 +358,7 @@ int main(int argc, char **argv)
       printf("You have % 5d process hidden for ps command\n", retps);
 #if defined(__linux__)
    kill(1, 100); /*  Check for SIGINVISIBLE Adore signal */
-   if (kill (1, SIGXFSZ) < 0  && errno == 3)
+   if (kill (1, SIGXFSZ) == -1 && errno == 3)
    {
       printf("SIGINVISIBLE Adore found\n");
       retdir+= errno;
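Review bot: `errno == 3` on line 300 hard-codes ESRCH; since `errno` is already in use here, write `if (kill (1, SIGXFSZ) == -1 && errno == ESRCH)` so the condition reads as "no such process" and is not tied to Linux's numbering even inside the `#if defined(__linux__)` block. The `== -1` comparison itself is the right test for kill(). The following context line `retdir+= errno;` adds that errno value to the counter rather than 1, which reads as accidental; if it is deliberate, a comment stating why the errno value is added would help. main() continues outside the hunk.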