Package: chkrootkit / 0.58b-6

Metadata

Package     Version   Patches format
chkrootkit  0.58b-6   3.0 (quilt)

Patch series

Patch File delta Description
11_logpath.patch | (download)

README.chklastlog | 4 2 + 2 - 0 !
README.chkwtmp | 2 1 + 1 - 0 !
check_wtmpx.c | 4 2 + 2 - 0 !
chklastlog.c | 4 2 + 2 - 0 !
chkutmp.c | 2 1 + 1 - 0 !
chkwtmp.c | 2 1 + 1 - 0 !
6 files changed, 9 insertions(+), 9 deletions(-)

 debian-specific: read logs from /var/log instead of /var/adm

 Unclear if this should be upstreamed, some of these paths may be Debian-specific
 Dates from 2017 or earlier.
 Affects various files

Last-Updated: 2021-10-10
01_nostrip.patch | (download)

Makefile | 8 0 + 8 - 0 !
1 file changed, 8 deletions(-)

 makefile: debian-specific: remove explicit use of 'strip' from the
 upstream Makefile

 debhelper will automatically strip everything when we build the package.
 This is a Debian-specific modification - upstream unlikely to want this.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436626
Makefile flags.patch | (download)

Makefile | 20 11 + 9 - 0 !
1 file changed, 11 insertions(+), 9 deletions(-)

 makefile

 1) Honor preprocessor and linker flags added at compile time by debhelper.
   Thanks to Lukas Schwaighofer for suggesting some improvements.
   Dates from 2017 or earlier
chkdirs.patch | (download)

chkdirs.c | 274 126 + 148 - 0 !
1 file changed, 126 insertions(+), 148 deletions(-)

 chkdirs: simplify, fix compiler issues, spelling mistake,
 and return value

1. fix return logic
chklastlog.patch | (download)

chklastlog.c | 357 180 + 177 - 0 !
1 file changed, 180 insertions(+), 177 deletions(-)

 chklastlog

  1. Make chklastlog support -q
chkproc.patch | (download)

chkproc.c | 709 443 + 266 - 0 !
1 file changed, 443 insertions(+), 266 deletions(-)

 chkproc

1. Fix race condition where processes that start/exit between checking
/proc and ps(1) output are flagged as hidden.  This was first written
by Adrian Bridgett <adrian@smop.co.uk> on Fri, 24 Jul 2020 14:59:35
+0200. (Except for a single-line change to set pv to 3, which was from
Giuseppe Iuculano <giuseppe@iuculano.it> Date: Sun, 9 Jul 2017
18:42:55 +0200 -- this is kept, as it seems a suitable default for all
platforms, but in fact chkrootkit explicitly sets pv anyway)

2. Comment out code that sends signals to individual processes. This
is very risky as it is most likely to result in non-rootkits being
killed or resuming. It does slightly reduce functionality -- ideally
such a feature would be done in a separate process to keep
chkproc. This was contributed by Francois Marier <francois@debian.org>
with a date: Mon, 21 Apr 2008 11:17:03 +0000. (This is merged into
this patch to make it easier to maintain).

3. Fix various compilation errors and warnings. These were originally contributed
by Christian Göttsche <cgzones@googlemail.com>
on Fri, 24 Jul 2020 16:08:40 +0200.
Mainly:
a) ignore return value from fgets in readline
b) use size_t not int in readline, dodgy_process
c) use ssize_t in dodgy_process
d) declare ps_cmds and commands that use it as 'const'
(This is merged into this patch to make it easier to maintain).

chkutmp.patch | (download)

chkutmp.c | 51 25 + 26 - 0 !
1 file changed, 25 insertions(+), 26 deletions(-)

 chkutmp

Last-Updated: 2024-11-06

Various, minor, patches to improve chkutmp.

0) Improve output -- the message needs 'was' not 'were' because "The tty" is singular
chkwtmp.patch | (download)

chkwtmp.c | 41 19 + 22 - 0 !
1 file changed, 19 insertions(+), 22 deletions(-)

 chkwtmp

Minor fixes to avoid compiler warnings and overflows.

a) use strncpy not memcopy when setting wtmpfile
check_wtmpx do not silently do nothing on unsupported pla.patch | (download)

check_wtmpx.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 check_wtmpx: do not silently do nothing on unsupported platforms

ifpromisc.patch | (download)

ifpromisc.c | 215 115 + 100 - 0 !
1 file changed, 115 insertions(+), 100 deletions(-)

 ifpromisc

Improvements for ifpromisc:

1. Better output
     * if a 'packet sniffer' is detected, its pid is output as well as the name
       (has_packet_socket returns a struct packet_info or NULL to enable this;
        include dirent.h and sys/stat.h, make packet_info->inode be an ino_t and add a pid;
        in read_proc_net_packet, make inode be a long not an int;
        in walk_process: do not call perror if we get ENOENT, and save the pid)
     * instead of PF_PACKET the output is "PACKET_SNIFFER"
strings.patch | (download)

strings.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 strings-static

Fix compiler warnings in strings.c:
a) printmeindex should be of type size_t not int
b) do not set printmeindex to zero when printing last string

check_if_debian.patch | (download)

check_if_debian | 37 37 + 0 - 0 !
1 file changed, 37 insertions(+)

 check_if_debian

New helper to check whether reported files are from Debian packages,
using dpkg-query. This is safe to use on non-Debian systems (it will do
nothing unless dpkg-query is found).

check_php.patch | (download)

check_php | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 check_php

Add a helper to check whether files are php scripts; this is needed
for the check of files in /tmp -- that test uses 'find', but we can't
safely run a shell pipeline on the results unless we use a helper,
given that files in /tmp are likely to have unusual characters in
their names.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071377
README.patch | (download)

README | 27 27 + 0 - 0 !
1 file changed, 27 insertions(+)

 readme

Update README to mention -e and attitude to false positives

chkrootkit top level.patch | (download)

chkrootkit | 262 159 + 103 - 0 !
1 file changed, 159 insertions(+), 103 deletions(-)

 chkrootkit: top-level

Improvements for chkrootkit: top-level only:
a) Reindent, remove trailing spaces, use $(...) not `...`, quote variables, ensure global variables like $QUIET are defined
chkrootkit w55808.patch | (download)

chkrootkit | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 chkrootkit: w55808

Improve output

chkrootkit OSX_RSPLUG.patch | (download)

chkrootkit | 36 18 + 18 - 0 !
1 file changed, 18 insertions(+), 18 deletions(-)

 chkrootkit: osx_rsplug

chkrootkit slapper.patch | (download)

chkrootkit | 31 15 + 16 - 0 !
1 file changed, 15 insertions(+), 16 deletions(-)

 chkrootkit: slapper

Use OPT="-an" with ss and netstat

Redirect stderr to /dev/null on every command in a pipeline, not just
the last one (this is helpful for non-root users on eg android, where
netstat is not accessible)

Improve output

chkrootkit scalper.patch | (download)

chkrootkit | 22 12 + 10 - 0 !
1 file changed, 12 insertions(+), 10 deletions(-)

 chkrootkit: scalper

 Add exception for ser2net in scalper()

chkrootkit asp.patch | (download)

chkrootkit | 16 8 + 8 - 0 !
1 file changed, 8 insertions(+), 8 deletions(-)

 chkrootkit: asp

chkrootkit sniffer.patch | (download)

chkrootkit | 28 22 + 6 - 0 !
1 file changed, 22 insertions(+), 6 deletions(-)

 chkrootkit: sniffer

filter ifpromisc output (using -s option)

Other minor cleanups from Richard Lewis <richard.lewis.debian@googlemail.com>
 Do not issue a 'WARNING' if sniffer/ifpromisc finds nothing
 Date: Sat, 8 Jun 2024 20:26:05 +0100

Last-Updated: 2024-06-08
chkrootkit chkutmp.patch | (download)

chkrootkit | 23 17 + 6 - 0 !
1 file changed, 17 insertions(+), 6 deletions(-)

 chkrootkit: chkutmp

Debian has moved to a 64-bit version of time_t which means
/var/run/utmp no longer exists.

This patch skips the chkutmp() check if there is no file to check
(only on Linux)

Also better messages if things are skipped - distinguish between
skipping because -r is given and not being able to find the helper

chkrootkit z2.patch | (download)

chkrootkit | 24 13 + 11 - 0 !
1 file changed, 13 insertions(+), 11 deletions(-)

 chkrootkit: z2

Improve z2 test. Skip chkproc if -r is given, since it checks /proc and running processes

Ensure chklastlog can work with -r: Do not add a second copy of ROOTDIR to $WTMP and $LASTLOG

chkrootkit wted.patch | (download)

chkrootkit | 67 40 + 27 - 0 !
1 file changed, 40 insertions(+), 27 deletions(-)

 chkrootkit: wted

skip if no wtmp files -- on recent Linux, these will not exist because
wtmp was rewritten incompatibly to make time_t 64-bit: skip this test
in such a circumstance.

chkrootkit bindshell.patch | (download)

chkrootkit | 24 11 + 13 - 0 !
1 file changed, 11 insertions(+), 13 deletions(-)

 chkrootkit: bindshell

make $PORT space separated - avoids need for sed
Avoid calling grep twice

chkrootkit lkm.patch | (download)

chkrootkit | 138 77 + 61 - 0 !
1 file changed, 77 insertions(+), 61 deletions(-)

 chkrootkit: lkm

chkutmp and chkproc call 'ps', and per the comments in chkutmp this assumes
that this is safe. This patch adds the directory passed by -p to PATH before calling those tools
so that a known good ps can be used if it is available.

To support -p, commands in $cmdlist are meant to be called only as
$cmd, but there were several places where this was not done: so replace cut with $cut, etc.

Move test for existence of chkdirs and chkproc later so that other subtests can still
run if neither is present

Make it clearer which command produced output

Allow chkdirs to be used with -r (and better message if it is
skipped).  There is no need to combine the eligibility checks for
chkproc and chkdirs -- test them independently. The setting of PV is
only needed for chkproc

There is no need to skip chkdirs on SunOS (just set PV=0), and the check of the
FreeBSD version did not make sense

Cope with the case where none of the dirs to be checked exists (the ls
| tr pipeline is broken in that case, and ls | tr is pretty pointless
anyway: just use chkdir if the dir exists. This supports running
chkrootkit on termux, where none of the directories exist)

chkrootkit helper functions for reporting results.patch | (download)

chkrootkit | 36 36 + 0 - 0 !
1 file changed, 36 insertions(+)

 chkrootkit: helper functions for reporting results

chkrootkit lookfor rootkit.patch | (download)

chkrootkit | 19 19 + 0 - 0 !
1 file changed, 19 insertions(+)

 chkrootkit: lookfor-rootkit

This is a helper function to simplify and unify tests that
simply test for files/dirs existing

chkrootkit aliens.patch | (download)

chkrootkit | 1189 494 + 695 - 0 !
1 file changed, 494 insertions(+), 695 deletions(-)

 chkrootkit: aliens

chkrootkit chk_chfn.patch | (download)

chkrootkit | 23 13 + 10 - 0 !
1 file changed, 13 insertions(+), 10 deletions(-)

 chkrootkit: chk_chfn

chkrootkit chk_chsh.patch | (download)

chkrootkit | 39 21 + 18 - 0 !
1 file changed, 21 insertions(+), 18 deletions(-)

 chkrootkit: chk_chsh

chkrootkit chk_login.patch | (download)

chkrootkit | 51 32 + 19 - 0 !
1 file changed, 32 insertions(+), 19 deletions(-)

 chkrootkit: chk_login

Remove stray ']'
Redirection of stderr should be after redirection of stdout, not before

chkrootkit chk_passwd.patch | (download)

chkrootkit | 19 11 + 8 - 0 !
1 file changed, 11 insertions(+), 8 deletions(-)

 chkrootkit: chk_passwd

chkrootkit chk_inetd.patch | (download)

chkrootkit | 12 5 + 7 - 0 !
1 file changed, 5 insertions(+), 7 deletions(-)

 chkrootkit: chk_inetd

chkrootkit chk_syslog.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_syslog

chkrootkit chk_hdparm.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_hdparm

chkrootkit chk_gpm.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_gpm

chkrootkit chk_mingetty.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_mingetty

chkrootkit chk_sendmail.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_sendmail

chkrootkit chk_ls.patch | (download)

chkrootkit | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 chkrootkit: chk_ls

chkrootkit chk_du.patch | (download)

chkrootkit | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 chkrootkit: chk_du

chkrootkit chk_named.patch | (download)

chkrootkit | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 chkrootkit: chk_named

chkrootkit chk_netstat.patch | (download)

chkrootkit | 14 10 + 4 - 0 !
1 file changed, 10 insertions(+), 4 deletions(-)

 chkrootkit: chk_netstat

chkrootkit chk_ps.patch | (download)

chkrootkit | 9 6 + 3 - 0 !
1 file changed, 6 insertions(+), 3 deletions(-)

 chkrootkit: chk_ps

chkrootkit chk_pstree.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_pstree

chkrootkit chk_crontab.patch | (download)

chkrootkit | 35 24 + 11 - 0 !
1 file changed, 24 insertions(+), 11 deletions(-)

 chkrootkit: chk_crontab

chkrootkit chk_top.patch | (download)

chkrootkit | 12 5 + 7 - 0 !
1 file changed, 5 insertions(+), 7 deletions(-)

 chkrootkit: chk_top

chkrootkit chk_pidof.patch | (download)

chkrootkit | 11 5 + 6 - 0 !
1 file changed, 5 insertions(+), 6 deletions(-)

 chkrootkit: chk_pidof

chkrootkit chk_killall.patch | (download)

chkrootkit | 12 5 + 7 - 0 !
1 file changed, 5 insertions(+), 7 deletions(-)

 chkrootkit: chk_killall

chkrootkit chk_ldsopreload.patch | (download)

chkrootkit | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 chkrootkit: chk_ldsopreload

Pass paths with better quoting

NB: this test is not actually doing anything - seems to be missing a
grep after strings-static? (this is an upstream issue, but the fix is
unclear)

chkrootkit chk_basename.patch | (download)

chkrootkit | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 chkrootkit: chk_basename

chkrootkit chk_dirname.patch | (download)

chkrootkit | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 chkrootkit: chk_dirname

chkrootkit chk_traceroute.patch | (download)

chkrootkit | 12 5 + 7 - 0 !
1 file changed, 5 insertions(+), 7 deletions(-)

 chkrootkit: chk_traceroute

chkrootkit chk_rpcinfo.patch | (download)

chkrootkit | 14 6 + 8 - 0 !
1 file changed, 6 insertions(+), 8 deletions(-)

 chkrootkit: chk_rpcinfo

chkrootkit chk_date.patch | (download)

chkrootkit | 19 11 + 8 - 0 !
1 file changed, 11 insertions(+), 8 deletions(-)

 chkrootkit: chk_date

Redirect output of grep to /dev/null

chkrootkit chk_echo.patch | (download)

chkrootkit | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 chkrootkit: chk_echo

chkrootkit chk_env.patch | (download)

chkrootkit | 11 7 + 4 - 0 !
1 file changed, 7 insertions(+), 4 deletions(-)

 chkrootkit: chk_env

chkrootkit chk_timed.patch | (download)

chkrootkit | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 chkrootkit: chk_timed

chkrootkit chk_identd.patch | (download)

chkrootkit | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 chkrootkit: chk_identd

chkrootkit chk_init.patch | (download)

chkrootkit | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 chkrootkit: chk_init