1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
Author: Francois Marier <francois@debian.org>, Roger Leigh <Roger Leigh rleigh@debian.org>
Description: add the ability to exclude specific files/directories from the checks,
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/README
+++ b/README
@@ -123,6 +123,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs
@@ -181,6 +183,31 @@
# ./chkrootkit -r /mnt
+ Sometimes the test for dot files in system directories will report
+ false positives for legitimate files. It has been argued that while
+ chkrootkit could be made to ignore these false positives, that might
+ result in attackers deliberately using those names in order to avoid
+ detection. For that reason chkrootkit does not exclude any false
+ positives by default. However, many people use chkrootkit as a
+ daily cron job, and having these false positives means that the
+ administrator gets daily emails reporting these files. This probably
+ would result in the administrator:
+ A) not checking those files each time they were reported, which
+ means than an attacker could still use those names to avoid
+ detection
+ B) getting into the habit of deleting the reports without looking
+ closely at them, which means they are more likely to miss a real
+ problem
+ Because the above would result in less security, there is support for
+ excluding files, using the -e flag, for example:
+
+ # ./chkrootkit -e '/run/.ramfs'
+
+ WARNING: by using this option you are giving attackers a way to avoid
+ detection! Make absolutely sure that these are truly false positives
+ and do a periodic check of any excluded files to make sure they are
+ still the legitimate files you think they are.
+
7. Output Messages
------------------
--- a/chkrootkit
+++ b/chkrootkit
@@ -669,27 +669,43 @@
echo ${files}
fi
- ### HiDrootkit
- if [ "${QUIET}" != "t" ]; then printn \
- "Searching for HiDrootkit's default dir... "; fi
- if [ -d ${ROOTDIR}var/lib/games/.k ]
- then
- echo "Possible HiDrootkit installed"
+lookfor_rootkit() {
+ rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace
+ if [ "${QUIET}" != "t" ]; then \
+ printn "Searching for rootkit $rkname's default files... "; fi
+
+ bad="";
+ for f in $files ; do
+ if [ -r ${ROOTDIR}${f} ]; then
+ for exclude in $EXCLUDES; do
+ if [ /${f} = $exclude ]; then continue 2; fi
+ done
+ bad="$bad ${ROOTDIR}$f";
+ fi
+ done
+ for d in $dirs ; do
+ if [ -d ${ROOTDIR}${d} ]; then
+ for exclude in $EXCLUDES; do
+ if [ /${d} = $exclude ]; then continue 2; fi
+ done
+ bad="$bad ${ROOTDIR}$d";
+ fi
+ done
+ if [ "$bad" != "" ]; then
+ echo "Possible $rkname rootkit installed:"
+ echo "$bad"
else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi
+}
+
+ ### HiDrootkit
+
+ lookfor_rootkit "HiDrootkit" "" "var/lib/games/.k"
### t0rn
- if [ "${QUIET}" != "t" ]; then printn\
- "Searching for t0rn's default files and dirs... "; fi
- if [ -f ${ROOTDIR}etc/ttyhash -o -f ${ROOTDIR}sbin/xlogin -o \
- -d ${ROOTDIR}usr/src/.puta -o -r ${ROOTDIR}lib/ldlib.tk -o \
- -d ${ROOTDIR}usr/info/.t0rn ]
- then
- echo "Possible t0rn rootkit installed"
- else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
- fi
+ lookfor_rootkit "t0rn" "etc/ttyhash sbin/xlogin lib/ldlib.tk" \
+ "usr/src/.puta usr/info/.t0rn"
### t0rn v8
if [ "${QUIET}" != "t" ]; then \
@@ -706,47 +722,20 @@
fi
### Lion Worm
- if [ "${QUIET}" != "t" ]; then \
- printn "Searching for Lion Worm default files and dirs... "; fi
- if [ -d ${ROOTDIR}usr/info/.torn -o -d ${ROOTDIR}dev/.lib -o \
- -f ${ROOTDIR}bin/in.telnetd -o -f ${ROOTDIR}bin/mjy ]
- then
- echo "Possible Lion worm installed"
- else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
- fi
+ lookfor_rootkit "Lion" "bin/in.telnetd bin/mjy" "usr/info/.torn dev/.lib"
### RSHA rootkit
- if [ "${QUIET}" != "t" ]; then \
- printn "Searching for RSHA's default files and dir... "; fi
-
- if [ -r "${ROOTDIR}bin/kr4p" -o -r "${ROOTDIR}usr/bin/n3tstat" \
--o -r "${ROOTDIR}usr/bin/chsh2" -o -r "${ROOTDIR}usr/bin/slice2" \
--o -r "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \
--o -r "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \
--o -d "${ROOTDIR}etc/rc.d/rsha" \
--o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ]
- then
- echo "Possible RSHA's rootkit installed"
- else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
- fi
+ lookfor_rootkit "RSHA" "bin/kr4p usr/bin/n3tstat usr/bin/chsh2 \
+ usr/bin/slice2 usr/src/linux/arch/alpha/lib/.lib/.1proc \
+ etc/rc.d/arch/alpha/lib/.lib/.1addr" "etc/rc.d/rsha \
+ etc/rc.d/arch/alpha/lib/.lib"
### RH-Sharpe rootkit
- if [ "${QUIET}" != "t" ]; then \
- printn "Searching for RH-Sharpe's default files... "; fi
-
- if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \
--o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \
--o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \
--o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \
--o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \
--o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ]
- then
- echo "Possible RH-Sharpe's rootkit installed"
- else
- if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
- fi
+ lookfor_rootkit "RH-Sharpe" "bin/lps usr/bin/lpstree \
+ usr/bin/ltop usr/bin/lkillall usr/bin/ldu \
+ usr/bin/lnetstat usr/bin/wp usr/bin/shad \
+ usr/bin/vadim usr/bin/slice usr/bin/cleaner \
+ usr/include/rpcsvc/du" ""
### ark rootkit
if [ "${QUIET}" != "t" ]; then printn \
@@ -777,8 +766,24 @@
printn "The following suspicious files and directories were found:"
fi
echo
- echo ${files}
- echo ${dirs}
+
+ if [ -n "${EXCLUDES}" ]; then
+ for name in $files; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ for name in $dirs; do
+ for exclude in $EXCLUDES; do
+ if [ $name = $exclude ]; then continue 2; fi
+ done
+ echo $name
+ done
+ else
+ echo ${files}
+ echo ${dirs}
+ fi
fi
### LPD Worm
@@ -2777,6 +2782,9 @@
-x) EXPERT=t;;
+ -e) shift
+ EXCLUDES="$1 $EXCLUDES";;
+
-q) QUIET=t
QUIET_ARG="-q"
;;
@@ -2797,6 +2805,8 @@
-d debug
-q quiet mode
-x expert mode
+ -e exclude known false positive files/dirs, quoted,
+ space separated, READ WARNING IN README
-r dir use dir as the root directory
-p dir1:dir2:dirN path for the external commands used by chkrootkit
-n skip NFS mounted dirs"
|
