From: Richard Lewis <richard.lewis.debian@googlemail.com>
Date: Wed, 16 Oct 2024 09:26:11 +0100
Subject: chkrootkit: aliens

Various improvements for the aliens test; includes contributions from:

Set $HOME (accounting for -r)

Quote variables, which may contain spaces
do not add an extra / after ${ROOTDIR} - it already ends in a /
Use POSIX-supported $(...) instead of legacy `...`

windego: Use loc not which, and $egrep not plain 'grep'
Use $findargs with invocations of find

LOC rootkit: Output the results of the loc() function in test for LOC rootkit
 From: Arthur de Jong <arthur@west.nl>
 Date: Sun, 9 Jul 2017 23:11:21 +0200

Kovid: do not send signals to random processes
  Part of the test for the Kovid LKM rootkit involves sending a SIGCONT signal to pid 31337
  This patch comments that out - this may break that test, but that seems preferable to sending
  signals to normal processes.
  From: Richard Lewis <richard.lewis.debian@googlemail.com>
  Date: Sat, 18 Feb 2023 21:14:45 +0000

Limit search for history files to -maxdepth 1 (do not search all of
$HOME for .history!).  And make check of .history work with -r (set
$HOME to something sensible - this also prevents a duplicate / in the
output when no -r is used)

In sniffers-logs test, use -wholename
LPD-Worm: allow multiple spaces when checking inetd line
 From: Francois Marier <francois@debian.org>
 Date: Sun, 9 Jul 2017 18:42:55 +0200

BPFDoor: make the check work with -r:
  1. Use -l option to grep so we print the filenames that match rather than the match itself
  2. Test the files in $ROOTDIR/proc/*/stack rather than those on the host
  From: Richard Lewis <richard.lewis.debian@googlemail.com>
  Date: Sat, 13 Jul 2024 20:15:04 +0100

rootedoor: Make the check work when -r is given: use $pth not $PATH

HKRK: Improve output when -r given (show correct path)
  Date: Sat, 13 Jul 2024 18:05:00 +0100

t0rn, Ambient - Remove unnecessary backslashes from two chkrootkit messages
 From: "James R. Van Zandt" <jrv@debian.org>
 Date: Sat, 6 Sep 2008 14:34:13 -0400

Improved output
* Use _start before each sub-test
* Use _report, _warn, _not_found, _not_tested to get consistent output --- this ensures no unwanted output when nothing is found
* Use _filter and find_and_check() to let the user hide false positives via -e
* Use lookfor_rootkit for tests that simply test for files/dirs existing

 Do not hang in an lxc container: lxc bind-mounts pts devices over /dev, but find does not notice, so
  find /dev -type f
still finds /dev/console. The aliens test then tries to grep this and
hangs.  This patch passes --devices=skip to grep which stops it
hanging. Another alternative would be to pass '! -fstype devpts'.
 From: Richard Lewis <richard.lewis.debian@googlemail.com>
 Date: Fri, 29 Oct 2021 23:35:11 +0100

LPD Worm - Also redirect stderr from grep to /dev/null in case inetd.conf does not exist.

Search /usr/bin as well as /bin, given that recent Linux systems replace /bin with a symlink to /usr/bin (usrmerge)

Omega: redirect stderr to /dev/null when running the check for
  the Omega worm.
 Some lxc containers (such as those used in the debian buildd debci
 system) have a /dev that 'contains' files from the host that cannot
 be read. This patch redirects stderr from the find to /dev/null to
 avoid messages appearing in the chkrootkit output (this is consistent
 with the check for the Lion Worm).
  From: Richard Lewis <richard.lewis.debian@googlemail.com>
  Date: Sat, 27 Nov 2021 16:29:22 +0000

Make the 'T.R.K' test capable of finding anything
  From: Richard Lewis <richard.lewis.debian@googlemail.com>
  Date: Sat, 27 Nov 2021 16:32:41 +0000

  Before this patch the check for T.R.K was running find but redirecting
  both stdout and stderr to /dev/null, so nothing could ever be
  detected. Only stderr needs to be ignored.

Suckit: Do not flag upstart or systemd init systems as suspicious
  Author: Giuseppe Iuculano <iuculano@debian.org>
  Date:   Mon Mar 23 10:08:37 2015 +0100
  Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740898
  Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901557

ssh-scanners: ssh now has a -G option (NEEDS CHECKING - THIS LOOKS WRONG, SHOULD NOT CHECK ssh -G LIKE THAT?)
  From: Unknown Author <team+pkg-security@tracker.debian.org>
  Date: Sun, 9 Jul 2017 18:42:55 +0200

syslogk - use $echo
 From: Richard Lewis <richard.lewis.debian@googlemail.com>
 Date: Sat, 13 Jul 2024 18:17:16 +0100

 The syslogk test had an inconsistent use of "echo 1 >" vs "echo 1>". This was
 fixed upstream in 0.58b but a line in the 'expertmode' output was missed. That line should only be
 used if -x is passed (I assume), so add 'expertmode_output' as well.

 Without this, using -r may create a file called 1 in ${ROOTDIR}/proc/ if that dir happened to exist
 and be writeable -- usually ROOTDIR is empty and /proc is not writable, but with -r it could point
 to a plain directory (eg: mountpoint for a container) -- and in fact, skip the main syslogk check when
 -r is given since it needs /proc to be 'correct'

suspect php files: use check_php helper to work with files containing spaces
     Before this patch,
     1. Any non-text file contents confuse the results of the grep if they match.
     2. File contents are printed rather than file names.
     .
     This patch fixes '/usr/bin/find: head terminated by signal 13' errors and
     prints affected file names instead of their content.
     .
     This was contributed by (Author: Andreas Stempfhuber <andi@afulinux.de>, Sun Jul 9 18:42:55 2017 +0200)
     but was refreshed in 2023 and completely rewritten in 2024

64-bit modules: The test has a stray '2' which means the call to find will always
give a syntax error and never find anything. I assume this is a typo
and should be deleted.

Forwarded: yes
(Forwarded by email: 21 Dec 2024)
---
 chkrootkit | 1189 +++++++++++++++++++++++++-----------------------------------
 1 file changed, 494 insertions(+), 695 deletions(-)

diff --git a/chkrootkit b/chkrootkit
index cfd4407..126a045 100755
--- a/chkrootkit
+++ b/chkrootkit
@@ -488,6 +488,16 @@ lookfor_rootkit(){
 
 
 aliens () {
+   if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a "$("${id}" -u)" = "0" -a -d "${ROOTDIR}root" ]; then
+     HOME="${ROOTDIR}root"
+   else
+       # HOME is set
+       case "$HOME" in
+           "$ROOTDIR"*) ;; # eg no -r and /root
+           /*) HOME="${ROOTDIR}${HOME#/}" ;; # -r /mnt and /root -> /mnt/root
+           *) HOME="${ROOTDIR}${HOME}" ;; # unlikely : HOME is relative
+       esac
+   fi
    if [ "${EXPERT}" = "t" ]; then
         ### suspicious files
         FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
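Review bot: the fallback branch of the new case statement (`*) HOME="${ROOTDIR}${HOME}"`) also runs when HOME was empty but the first condition did not hold (caller is not uid 0, or ${ROOTDIR}root does not exist), which turns an unset HOME into "${ROOTDIR}" and so defeats the later `[ ! -z "${HOME}" ]` guard on the shell history check; test `-n "${HOME}"` before entering the case so an empty HOME stays empty. The new condition also keeps the obsolescent `-a`/`-o` test operators that the description otherwise moves away from; `[ ... ] && [ ... ]` is the POSIX form.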
@@ -507,18 +517,17 @@ sbin/vobiscum  usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
         for i in ${FILES}; do
            expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
         done
-        [ -d  ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
-        [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. "
-        [ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx
-        [ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd
-        [ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb
-        [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so
+        [ -d "${ROOTDIR}lib/.so" ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
+        [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output "${find} '${ROOTDIR}usr/include/.. '"
+        [ -d "${ROOTDIR}usr/lib/.fx" ] && expertmode_output "${find} ${ROOTDIR}usr/lib/.fx"
+        [ -d "${ROOTDIR}var/local/.lpd" ] && expertmode_output "${find} ${ROOTDIR}var/local/.lpd"
+        [ -d "${ROOTDIR}dev/rd/cdb" ] && expertmode_output "${find} ${ROOTDIR}dev/rd/cdb"
+        [ -d "${ROOTDIR}usr/lib/lib.so1.so" ] && expertmode_output "${find} ${ROOTDIR}usr/lib/lib.so1.so"
         ### sniffer's logs
         expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
 	${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
-.linux-sniff -o -name sniff-l0g -o -name core_ -o"
-        expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \
--name in.pop3d"
+.linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \
+-wholename ${ROOTDIR}usr/lib/in.pop3d"
 
         ### t0rn
         expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
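Review bot: `-wholename` on the two new sniffer-log lines is a GNU find extension (a synonym for `-path`); since ${find} may resolve to a BSD or busybox find on the platforms chkrootkit supports, `-path ${ROOTDIR}usr/lib/in.httpd -o -path ${ROOTDIR}usr/lib/in.pop3d` gives the same match portably.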
@@ -526,9 +535,9 @@ ${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \
 ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn"
 
         LIBS=
-        [ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib"
-        [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
-        [ -d ${ROOTDIR}usr/local/lib ] && \
+        [ -d "${ROOTDIR}lib" ] && LIBS="${ROOTDIR}lib"
+        [ -d "${ROOTDIR}usr/lib" ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
+        [ -d "${ROOTDIR}usr/local/lib" ] && \
            LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
 
         expertmode_output "${find} ${LIBS} -name libproc.a"
@@ -557,16 +566,16 @@ autod.o -o -name soundx.o 2> /dev/null"
 var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
 home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
         do
-           [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
+           [ -d "${ROOTDIR}${cgidir}" ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
         done
-BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
+        BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
 shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
 zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
-   for j in ${CGIDIR}; do
-      for i in ${BACKDOORS}; do
-	[ -f ${j}/${i} ] && echo ${j}/${i}
-      done
-   done
+        for j in ${CGIDIR}; do
+            for i in ${BACKDOORS}; do
+                [ -f "${j}/${i}" ] && echo "${j}/${i}"
+            done
+        done
 
         ### rsha
         expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \
@@ -600,9 +609,9 @@ ${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/"
         ### suspicious files and dirs
         suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk"
         DIR=${ROOTDIR}usr/lib
-        [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man"
-        [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib"
-        [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib"
+        [ -d "${ROOTDIR}usr/man" ] && DIR="${DIR} ${ROOTDIR}usr/man"
+        [ -d "${ROOTDIR}lib" ] && DIR="${DIR} ${ROOTDIR}lib"
+        [ -d "${ROOTDIR}usr/lib" ] && DIR="${DIR} ${ROOTDIR}usr/lib"
         expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'"
         expertmode_output "${find} ${DIR} -type d -name '.*'"
         expertmode_output "${find} ${DIR} -name '...*'"
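Review bot: the line `[ -d "${ROOTDIR}usr/lib" ] && DIR="${DIR} ${ROOTDIR}usr/lib"` re-appends a path that DIR was initialised to two lines earlier (`DIR=${ROOTDIR}usr/lib`), so each of the three finds in this block walks and prints usr/lib twice; drop that line, as the non-expert version of the same check later in the patch only adds usr/man and lib.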
@@ -624,10 +633,10 @@ ${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp"
         ### Showtee
        expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \
 ${ROOTDIR}usr/lib/.wormie \
-${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \
-${ROOTDIR}/usr/include/addr.h  ${ROOTDIR}usr/include/cron.h \
-${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \
-${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h"
+${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}usr/lib/liblog.o \
+${ROOTDIR}usr/include/addr.h  ${ROOTDIR}usr/include/cron.h \
+${ROOTDIR}usr/include/file.h ${ROOTDIR}usr/include/proc.h \
+${ROOTDIR}usr/include/syslogs.h ${ROOTDIR}usr/include/chk.h"
 
        ### Optickit
        expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf"
@@ -639,7 +648,7 @@ ${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h"
 
 
        ### OpenBSD rootkit v1
-       if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ]
+       if [ \( "${SYSTEM}" != "SunOS" -a "${SYSTEM}" != "Linux" \) -a ! -f "${ROOTDIR}usr/lib/security/libgcj.security" ]
           then
           expertmode_output "${find} ${ROOTDIR}usr/lib/security"
        fi
@@ -653,10 +662,10 @@ ${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \
 ${ROOTDIR}usr/include/syslogs.h"
 
       ## HKRK rootkit
-      ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
+      ${egrep} "\.hk" "${ROOTDIR}etc/rc.d/init.d/network" 2>/dev/null
 
       ## Suckit rootkit
-      expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'" 
+      expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'"
       expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
       expertmode_output "cat ${ROOTDIR}dev/.golf"
 
@@ -702,80 +711,80 @@ ${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb"
       expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3"
 
       ## rootedoor
-      for i in `$echo ${PATH}|tr -s ':' ' '`; do
+      for i in $("${echo}" "${PATH}"|tr -s ':' ' '); do
          expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor"
       done
       ## ENYE-LKM
       expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
 
-      ## SSJD Operation Windigo  (Linux/Ebury) 
-      ssh=`which ssh` 
+      ## SSJD Operation Windigo  (Linux/Ebury)
+      ssh=$(loc ssh ssh "$pth")
       if $ssh -V 2>&1 | ${egrep} "OpenSSH_[1-5]\.|OpenSSH_6\.[0-7]" >/dev/null; then
-         expertmode_output "${ssh} -G 2>&1  | grep -e illegal -e unknow" 
+         expertmode_output "${ssh} -G 2>&1  | ${grep} -e illegal -e unknow"
       fi
 
-      ## Mumblehard backdoor/botnet 
-      expertmode_output "cat ${ROOTDIR}/var/spool/cron/crontabs | ${egrep} var/tmp"
+      ## Mumblehard backdoor/botnet
+      expertmode_output "cat ${ROOTDIR}var/spool/cron/crontabs | ${egrep} var/tmp"
 
       ## Backdoors.Linux.Mokes.a
-      expertmode_output "${ls} -l ${ROOTDIR}tmp/ss0-[0-]9*" 
-      expertmode_output "${ls} -l ${ROOTDIR}tmp/kk0-[0-]9*" 
+      expertmode_output "${ls} -l ${ROOTDIR}tmp/ss0-[0-]9*"
+      expertmode_output "${ls} -l ${ROOTDIR}tmp/kk0-[0-]9*"
 
-      ## Malicious TinyDNS 
-      expertmode_output "${ls} -l "${ROOTDIR}home/ ./root/""
+      ## Malicious TinyDNS
+      expertmode_output "${ls} -l '${ROOTDIR}home/ ./root/'"
 
-      ## Linux/Xor.DDoS 
-      expertmode_output "${find} ${ROOTDIR}tmp -executable -type f" 
+      ## Linux/Xor.DDoS
+      expertmode_output "${find} ${ROOTDIR}tmp -executable -type f"
       expertmode_output "${find} ${ROOTDIR}etc/cron.hourly"
 
-      ## CrossRAT 
+      ## CrossRAT
       expertmode_output "${find} ${ROOTDIR}usr/var ${findargs} -name mediamgrs.jar"
 
-      ## Hidden Cobra  (IBM AIX) 
+      ## Hidden Cobra  (IBM AIX)
       expertmode_output "${find} ${ROOTDIR}tmp/.ICE-unix ${findargs} -name *.so"
-      
-      ## Rocke Monero Miner 
-      expertmode_output "${find} ${ROOTDIR}etc ${findargs} -name ld.so.pre -o -name xig" 
 
-      ## PWNLNX4 - An LKM Roottkit 
-      expertmode_output "${find} ${ROOTDIR}/opt/uOnlineBuilder64 ${ROOTDIR}/var/tmp/.1 ${ROOTDIR}/var/tmp/Linux_Server"
+      ## Rocke Monero Miner
+      expertmode_output "${find} ${ROOTDIR}etc ${findargs} -name ld.so.pre -o -name xig"
 
-      ## PWNLNX6 - An LKM Roottkit 
-      expertmode_output "${find} ${ROOTDIR}/tmp/suterusu"
+      ## PWNLNX4 - An LKM Roottkit
+      expertmode_output "${find} ${ROOTDIR}opt/uOnlineBuilder64 ${ROOTDIR}var/tmp/.1 ${ROOTDIR}var/tmp/Linux_Server"
 
-      ## Umbreon 
+      ## PWNLNX6 - An LKM Roottkit
+      expertmode_output "${find} ${ROOTDIR}tmp/suterusu"
+
+      ## Umbreon
       expertmode_output "${find} ${ROOTDIR}usr/share/libc.so*"
 
-      ## KINSING.A Backdoor 
+      ## KINSING.A Backdoor
       expertmode_output "${find} ${ROOTDIR}tmp/kdevtmp*"
 
-      ## Syslogk LKM rootkit 
-      ${echo} 1 >${ROOTDIR}/proc/syslogk
+      ## Syslogk LKM rootkit
+      expertmode_output "${echo} 1> ${ROOTDIR}proc/syslogk"
       expertmode_output "${ls} ${ROOTDIR}proc/syslogk"
 
-      ## Kovid LKM rootkit 
-      ${kill} -SIGCONT 31337
+      ## Kovid LKM rootkit
+      #${kill} -SIGCONT 31337
       expertmode_output "${ls} ${ROOTDIR}proc/kovid"
-      ${kill} -SIGCONT 31337  
+      #${kill} -SIGCONT 31337
       expertmode_output "${ls} ${ROOTDIR}proc/kovid"
 
-      ## RotaJakiro 
+      ## RotaJakiro
       expertmode_output "${ls} ${ROOTDIR}bin/system-daemon"
       #
       ## Tsunami DDoS Malware
       expertmode_output "${ls} ${ROOTDIR}bin/a ${ROOTDIR}bin/cls"
 
-      ## Linux BPFDoor 
-      expertmode_output "${egrep} packet_recvmsg ${ROOTDIR}proc/*/stack" 
+      ## Linux BPFDoor
+      expertmode_output "${egrep} packet_recvmsg ${ROOTDIR}proc/*/stack"
 
       ## Common SSH-SCANNERS
-      expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
+      expertmode_output "${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
 
       ### shell history file check
       if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
-      expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
+      expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
  -size 0"
-      expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
+      expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \
  \( -links 2 -o -type l \)"
       fi
 
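Review bot: the shell history check still runs find on `${ROOTDIR}${HOME}` in both `-maxdepth 1` lines, but HOME is now rewritten at the top of aliens() to already include ${ROOTDIR}, so with `-r /mnt` the search path becomes `/mnt//mnt/root` and nothing can be found; use `"${HOME}"` on its own here. Two further points in this hunk: the Syslogk line turns `${echo} 1 >${ROOTDIR}/proc/syslogk` into `${echo} 1> ${ROOTDIR}proc/syslogk`, and in sh the second form is an fd-1 redirection of an argument-less echo that writes only a newline, not the character 1, so confirm which form upstream 0.58b settled on before keeping it; and the rootedoor loop still iterates over `"${PATH}"` although the description says the check should use $pth when -r is given.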
@@ -793,787 +802,577 @@ usr/sbin/in.telnet sbin/vobiscum  usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \
 etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin"
    dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \
    var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so"
-   files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
-   if [ "${files}" != "" ]; then
-      echo
-      echo ${files}
-   fi
-   for i in ${dir}; do
-      if [ -d ${ROOTDIR}${i} ]; then
-         echo
-         echo "Suspect directory ${i} FOUND! Looking for sniffer logs"
-            files=`${find} ${ROOTDIR}${i}`
-         echo
-         echo ${files}
-      fi
+
+	 # finish the 'Checking `aliens'...' line written by the main loop
+	 [ "$QUIET" != "t" ] && echo "started"
+	 _start "suspicious files in ${ROOTDIR}dev"
+	 # in an lxc container, /dev/console has a device bind-mounted over it,
+	 # so the next line tries to run egrep on /dev/console even with '-type f'
+	 # so we need to add '--devices=skip' to grep
+   files=$("${find}" "${ROOTDIR}dev" -type f -exec ${egrep} --devices=skip -l "^[0-5] " {} \; 2>/dev/null)
+   _report "The following suspicious files were found in ${ROOTDIR}dev" "$files"
+     _start "known suspicious directories"
+     outmsg="no"
+     for i in ${dir}; do
+         if [ -d "${ROOTDIR}${i}" ]; then
+             f=$(_filter "${ROOTDIR}${i}/" "")
+             if [ -n "$f" ]; then
+                 if [ "$outmsg" = "no" ]; then
+                     _warn "Suspect directory $f found. Looking for sniffer logs:"
+                     outmsg="yes"
+                 else
+                     # we already ended any 'Searching for...' line
+                     echo "Suspect directory $f found. Looking for sniffer logs:"
+                 fi
+                 # print dir and contents
+                 find_and_check "${ROOTDIR}${i}/"
+                 echo
+             fi
+         fi
    done
+   [ "$outmsg" = "no" ] && _not_found
+
+   _start "known suspicious files"
+   files=""
    for i in ${suspects}; do
-      if [ -f ${ROOTDIR}${i} ]; then
-         echo "${ROOTDIR}${i} "
-         files="INFECTED"
-      fi
+	   if [ -f "${ROOTDIR}${i}" ]; then
+		   files=$(_filter "${ROOTDIR}$i" "$files")
+	   fi
    done
-   if [ "${files}" = "" ]; then
-        if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi
-   fi
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for sniffer's logs, it may take a while... "; fi
-   files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
-   ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
-   2>/dev/null`
-   if [ "${files}" = "" ]
-   then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-      echo
-      echo ${files}
-   fi
+   _report "The following known suspicious files were found" "$files"
+
+   _start "sniffer's logs"
+   files=$(set -f; find_and_check "${ROOTDIR}dev" "${ROOTDIR}tmp" "${ROOTDIR}lib" "${ROOTDIR}etc" "${ROOTDIR}var" \
+     ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \))
+   _report "The following potential sniffer's logs were found" "${files}"
 
    ### HiDrootkit
-   if [ "${QUIET}" != "t" ]; then printn \
-      "Searching for HiDrootkit's default dir... "; fi
-   if [ -d ${ROOTDIR}var/lib/games/.k ]
-   then
-      echo "Possible HiDrootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "HiDrootkit" "" "var/lib/games/.k"
 
    ### t0rn
-   if [ "${QUIET}" != "t" ]; then printn\
-      "Searching for t0rn's default files and dirs... "; fi
-   if [ -f ${ROOTDIR}etc/ttyhash -o -f ${ROOTDIR}sbin/xlogin -o \
-        -d ${ROOTDIR}usr/src/.puta  -o -r ${ROOTDIR}lib/ldlib.tk -o \
-        -d ${ROOTDIR}usr/info/.t0rn ]
-   then
-      echo "Possible t0rn rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "t0rn" "etc/ttyhash sbin/xlogin lib/ldlib.tk" \
+       "usr/src/.puta usr/info/.t0rn"
 
    ### t0rn v8
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for t0rn's v8 defaults... "; fi
-   [ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib
-   [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
-   [ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
-   if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \
-       "$SYSTEM" != "FreeBSD" ]
-   then
-      echo "Possible t0rn v8 \(or variation\) rootkit installed"
+   _start "t0rn v8 (or variation)"
+   LIBS=""
+   [ -d "${ROOTDIR}lib" ] && LIBS="${ROOTDIR}lib"
+   [ -d "${ROOTDIR}usr/lib" ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
+   [ -d "${ROOTDIR}usr/local/lib" ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
+   if [  "$SYSTEM" != "FreeBSD" ]; then
+       files=$(set -f; find_and_check ${LIBS} ${findargs} -name libproc.a)
+       _report "Possible t0rn v8 (or variation) rootkit installed" "${files}"
    else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+       _not_tested
    fi
 
    ### Lion Worm
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for Lion Worm default files and dirs... "; fi
-   if [ -d ${ROOTDIR}usr/info/.torn -o -d ${ROOTDIR}dev/.lib -o \
-        -f ${ROOTDIR}bin/in.telnetd -o -f ${ROOTDIR}bin/mjy ]
-   then
-         echo "Possible Lion worm installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Lion" "bin/in.telnetd bin/mjy" "usr/info/.torn dev/.lib"
 
    ### RSHA rootkit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for RSHA's default files and dir... "; fi
-
-   if [ -r "${ROOTDIR}bin/kr4p" -o -r "${ROOTDIR}usr/bin/n3tstat" \
--o -r "${ROOTDIR}usr/bin/chsh2" -o -r "${ROOTDIR}usr/bin/slice2" \
--o -r "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \
--o -r "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \
--o -d "${ROOTDIR}etc/rc.d/rsha" \
--o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ]
-   then
-      echo "Possible RSHA's rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "RSHA" "bin/kr4p usr/bin/n3tstat usr/bin/chsh2 \
+       usr/bin/slice2 usr/src/linux/arch/alpha/lib/.lib/.1proc \
+       etc/rc.d/arch/alpha/lib/.lib/.1addr" "etc/rc.d/rsha \
+       etc/rc.d/arch/alpha/lib/.lib"
 
    ### RH-Sharpe rootkit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for RH-Sharpe's default files... "; fi
+   lookfor_rootkit "RH-Sharpe" "bin/lps usr/bin/lpstree	\
+       usr/bin/ltop usr/bin/lkillall usr/bin/ldu		\
+       usr/bin/lnetstat usr/bin/wp usr/bin/shad		\
+       usr/bin/vadim usr/bin/slice usr/bin/cleaner		\
+       usr/include/rpcsvc/du" ""
 
-   if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \
--o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \
--o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \
--o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \
--o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \
--o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ]
-   then
-      echo "Possible RH-Sharpe's rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
-
-   ### ark rootkit
-   if [ "${QUIET}" != "t" ]; then printn \
-      "Searching for Ambient's rootkit (ark) default files and dirs... "; fi
-
-   if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \
-        -d ${ROOTDIR}usr/doc/"... " ]; then
-      echo "Possible Ambient's rootkit \(ark\) installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   ### ark rootkit - cant use lookfor_rookit as one dir has a space in it
+   _start "Ambient (ark) rootkit"
+   files=""
+   for dir in "${ROOTDIR}dev/ptyxx" "${ROOTDIR}usr/doc/... "; do
+       if [ -d "$dir" ]; then
+           files=$(_filter "$dir/" "$files")
+       fi
+   done
+   f="${ROOTDIR}usr/lib/.ark?"
+   if [ -e "$f" ]; then
+       files=$(_filter "$f" "$files")
    fi
+   _report "Possible Ambient's rootkit (ark) installed" "$files"
 
    ### suspicious files and dirs
+   _start "suspicious files and dirs"
    DIR="${ROOTDIR}usr/lib"
-   [ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man"
-   [ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib"
+   [ -d "${ROOTDIR}usr/man" ] && DIR="$DIR ${ROOTDIR}usr/man"
+   [ -d "${ROOTDIR}lib" ] && DIR="$DIR ${ROOTDIR}lib"
 
-   if [ "${QUIET}" != "t" ]; then printn \
-      "Searching for suspicious files and dirs, it may take a while... "; fi
-
-   files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"`
-   dirs=`${find} ${DIR} -type d -name ".*"`
-   if [ "${files}" = "" -a "${dirs}" = "" ]
-      then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-      echo
-      echo ${files}
-      echo ${dirs}
-   fi
+   # matches files and directories named '...' and '.. ' but not "." or ".."
+   files=$("${find}" ${DIR} -name ".*" 2>/dev/null)
+   outmsg=""
+   for name in $files; do
+       outmsg=$(_filter "$name" "$outmsg")
+   done
+   _report "The following suspicious files and directories were found" "$outmsg"
 
    ### LPD Worm
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for LPD Worm files and dirs... "; fi
+   _start "LPD Worm"
 
-   if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1  || \
- ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
-      then
-         echo "Possible LPD worm installed"
-      elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o  \
--f ${ROOTDIR}bin/.login ]; then
-      echo "Possible LPD worm installed"
-      else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   if ${egrep} -q "^kork" "${ROOTDIR}etc/passwd" 2>/dev/null || \
+      ${egrep} -q '^[[:space:]]*666[[:space:]]' "${ROOTDIR}etc/inetd.conf" 2>/dev/null; then
+       _warn "Possible LPD worm installed (based on contents of ${ROOTDIR}etc/passwd or ${ROOTDIR}etc/inetd.conf)\n"
+   elif [ -d "${ROOTDIR}dev/.kork" ] || [ -f "${ROOTDIR}bin/.ps" ] || [ -f "${ROOTDIR}usr/bin/.ps" ] || \
+            [ -f "${ROOTDIR}bin/.login" ] || [ -f "${ROOTDIR}usr/bin/.login" ]; then
+       _warn "Possible LPD worm installed (based on files found)\n"
+   else
+       _not_found
    fi
 
    ### Ramem Worm
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for Ramen Worm files and dirs... "; fi
-
-   if [ -d ${ROOTDIR}usr/src/.poop -o -f \
-        ${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ]
-   then
-      echo "Possible Ramen worm installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-
-   fi
+     lookfor_rootkit "Ramen Worm" "tmp/ramen.tgz etc/xinetd.d/asp" "usr/src/.poop"
 
    ### Maniac rootkit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for Maniac files and dirs... "; fi
-
-   files=`${find} ${ROOTDIR}usr/bin -name mailrc`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "Maniac rootkit"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/bin" ${findargs} -name mailrc)
+   _report "Possible Maniac rootkit installed" "${files}"
 
    ### RK17 rookit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for RK17 files and dirs... "; fi
+   _start "RK17 rootkit"
 
    CGIDIR=""
    for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
 var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
-home/httpd/cgi-bin usr/local/apache2  usr/local/www usr/lib;
-   do
-        [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
+home/httpd/cgi-bin usr/local/apache2  usr/local/www usr/lib; do
+       [ -d "${ROOTDIR}${cgidir}" ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
    done
-   files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \
-${find} ${ROOTDIR}sbin -name pback && \
-${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \
-${find} ${ROOTDIR}proc -name kset 2> /dev/null && \
-${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \
-2> /dev/null && \
-${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl  2> /dev/null`
-BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
+   files=$(set -f; find_and_check "${ROOTDIR}bin" "${ROOTDIR}usr/bin" ${findargs} '(' -name rtty -o -name squit ')')
+   i=$(set -f; find_and_check "${ROOTDIR}sbin" ${findargs} -name pback)
+   if [ -z "$files" ]; then
+       files="$i"
+   else
+       files="$files\n$i"
+   fi
+   i=$(set -f; find_and_check "${ROOTDIR}usr/man/man3" ${findargs} -name psid)
+   if [ -z "$files" ]; then
+       files="$i"
+   else
+       files="$files\n$i"
+   fi
+   i=$(set -f; find_and_check "${ROOTDIR}proc" ${findargs} -name kset)
+   if [ -z "$files" ]; then
+       files="$i"
+   else
+       files="$files\n$i"
+   fi
+   i=$(set -f; find_and_check "${ROOTDIR}usr/src/linux/modules" ${findargs} '(' -name autod.o -o -name sound ')')
+   if [ -z "$files" ]; then
+       files="$i"
+   else
+       files="$files\n$i"
+   fi
+   i=$(set -f; find_and_check "${ROOTDIR}usr/bin" ${findargs} '(' -name gib -o -name ct -o -name snick -o -name kfl ')')
+   if [ -z "$files" ]; then
+       files="$i"
+   else
+       files="$files\n$i"
+   fi
+
+   BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
 shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
 zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
-   files=""
    for j in ${CGIDIR}; do
-      for i in ${BACKDOORS}; do
-	[ -f ${j}/${i} ] && files="${files} ${j}/${i}"
-      done
+       for i in ${BACKDOORS}; do
+           if [ -f "${j}/${i}" ]; then
+               files=$(_filter "${j}/${i}" "$files")
+           fi
+       done
    done
-   if [ "${files}" = ""  ]; then
-     if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _report "Possible RK17 rootkit installed" "${files}"
 
    ### Ducoci rootkit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for Ducoci rootkit... "; fi
-
-   files=`${find} ${CGIDIR} -name last.cgi`
-   if [ "${files}" = ""  ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "Ducoci rootkit"
+   files=$(set -f; find_and_check ${CGIDIR} ${findargs} -name last.cgi)
+   _report "Possible Ducoci rootkit installed" "${files}"
 
    ### Adore Worm
-   if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi
+   _start "Adore Worm"
 
-   files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \
--name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   files=$(set -f; find_and_check "${ROOTDIR}usr/lib" "${ROOTDIR}usr/bin" ${findargs} '(' -name red.tar -o \
+       -name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore ')')
+   if [ -z "${files}" ]; then
+       _not_found
    else
-     echo "${files}"
-     files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null`
-     [ "${files}" != "" ] && echo ${files}
+	   i=$(set -f; find_and_check "${ROOTDIR}usr/lib/lib" "${ROOTDIR}usr/lib/libt" ${findargs})
+	   if [ -n "$i" ]; then
+		   files="$files\n${i}"
+	   fi
+       _warn "Possible Adore Worm installed:\n${files}\n"
    fi
 
    ### ShitC Worm
-   if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi
-
-   files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \
-${find} ${ROOTDIR}usr/bin -type d -name dir || \
-${find} ${ROOTDIR}usr/sbin -name in.slogind`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
+   _start "ShitC Worm"
+   files=$(set -f; find_and_check "${ROOTDIR}bin" "${ROOTDIR}usr/bin" ${findargs} '(' -name homo -o -name frgy -o -name dy ')')
+   i=$(set -f; find_and_check "${ROOTDIR}usr/bin" ${findargs} -type d -name dir)
+   if [ -z "$files" ]; then
+       files="$i"
+   elif [ -n "$i" ]; then
+       files="$files\n$i"
+   fi # else files non-empty, i empty
+   i=$(set -f; find_and_check "${ROOTDIR}usr/sbin" ${findargs} -name in.slogind)
+   if [ -z "$files" ]; then
+       files="$i"
+   elif [ -n "$i" ]; then
+       files="$files\n$i"
    fi
+   _report "Possible ShitC Worm installed" "${files}"
 
    ### Omega Worm
-   if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi
-
-   files=`${find} ${ROOTDIR}dev -name chr`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "Omega Worm"
+   files=$(set -f; find_and_check "${ROOTDIR}dev" ${findargs} -name chr)
+   _report "Possible Omega Worm installed" "${files}"
 
    ### China Worm (Sadmind/IIS Worm)
-   if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi
-   files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "Sadmind/IIS Worm"
+   files=$(set -f; find_and_check "${ROOTDIR}dev/cuc" ${findargs})
+   _report "Possible Sadmin/IIS Worm installed" "${files}"
 
    ### MonKit
-   if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi
-   files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \
-2> /dev/null`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "MonKit"
+   files=$(set -f; find_and_check "${ROOTDIR}lib/defs" "${ROOTDIR}usr/lib/libpikapp.a" ${findargs})
+   _report "Possible MonKit installed" "${files}"
 
    ### Showtee
-   if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi
-   if [ -d ${ROOTDIR}usr/lib/.egcs ] || \
-      [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \
-      [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \
-      [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \
-      [ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \
-      [ -f ${ROOTDIR}usr/include/chk.h ]; then
-         echo "Warning: Possible Showtee Rootkit installed"
-      else
-      if  [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Showtee" \
+                   "usr/lib/liblog.o usr/include/addr.h usr/include/cron.h usr/include/file.h usr/include/proc.h usr/include/syslogs.h usr/include/chk.h" \
+                   "usr/lib/.egcs usr/lib/.kinetic usr/lib/.wormie"
 
-   ###
    ### OpticKit
-   ###
-   if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi
-   files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \
-2> /dev/null`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "OpticKit"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/bin/xchk" "${ROOTDIR}usr/bin/xsf" ${findargs})
+   _report "Possible OpticKit installed" "${files}"
 
    ### T.R.K
-   files=""
-   if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi
-   files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "T.R.K"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/bin" ${findargs} '(' -name xchk -o -name xsf ')')
+   _report "Possible T.R.K installed" "${files}"
 
    ### Mithra's Rootkit
-   files=""
-   if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi
-   files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi
+   _start "Mithra rootkit"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/lib/locale" ${findargs} -name uboot)
+   _report "Possible Mithra installed" "${files}"
 
    ### OpenBSD rootkit v1
-   if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
-      files=""
-      if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi
-      files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
-      if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
-         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-      else
-        echo "${files}"
-      fi
+   _start "OBSD rootkit v1"
+   if [ "${SYSTEM}" != "SunOS" ] && [ "${SYSTEM}" != "Linux" ]; then
+       if [ ! -f "${ROOTDIR}usr/lib/security/libgcj.security" ]; then
+           files=$(set -f; find_and_check "${ROOTDIR}usr/lib/security" ${findargs} )
+           if [ "${files}" = "" ] || [ "${SYSTEM}" = "HP-UX" ]; then
+               _not_found
+           else
+               _warn "Possible OpenBSD rootkit installed:\n${files}\n"
+           fi
+       else
+           _not_found
+       fi
+   else
+       _not_tested
    fi
 
    ### LOC rootkit
-   files=""
-   if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi
-   files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null`
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   _start "LOC rootkit"
+   files=$(set -f; find_and_check "${ROOTDIR}tmp" ${findargs} '(' -name xp -o -name kidd0.c ')')
+   if [ -z "${files}" ]; then
+       _not_found
    else
-     echo "${files}"
-     loc epic epic $pth
+       _warn "Possible LOC rootkit installed:\n${files}"
+       i=$(loc epic "" "$pth")
+       if [ -n "$i" ]; then
+           _filter "$i" ""
+       fi
    fi
 
    ### Romanian rootkit
-   files=""
-   if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi
-   for i in file.h proc.h addr.h syslogs.h; do
-      if [ -f ${ROOTDIR}usr/include/${i} ]; then
-         files="$files ${ROOTDIR}usr/include/$i"
-      fi
-   done
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-      echo "${files}"
-   fi
+   lookfor_rootkit  "Romanian" "usr/include/file.h usr/include/proc.h usr/include/addr.h usr/include/syslogs.h" ""
 
    ### HKRK
-   if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then
-      if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... "; fi
-      if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then
-        echo "Warning: /etc/rc.d/init.d/network INFECTED"
-      else
-         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-      fi
+   _start "HKRK rootkit"
+   file="${ROOTDIR}etc/rc.d/init.d/network"
+   if [ -f "$file" ] && ${egrep} -q "\.hk" "$file" 2>/dev/null ; then
+       file=$(_filter "$file" "")
+       if [ -n "$file" ]; then
+           _warn "Possible HKRK rootkit installed in ${file}\n"
+       else
+           _not_found
+       fi
+   else
+       _not_found
    fi
 
    ### Suckit
-   if [ -f ${ROOTDIR}sbin/init ]; then
-      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
-      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'   || \
-	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
-        then
-        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
+   _start "Suckit rootkit"
+   if [ -f "${ROOTDIR}sbin/init" ]; then
+      if [ "${SYSTEM}" != "HP-UX" ] && ( "${strings}" "${ROOTDIR}sbin/init" | ${egrep} '\.sniffer'   || \
+          ${egrep} "init." "${ROOTDIR}proc/1/maps" ) >/dev/null 2>&1
+      then
+          # ignore false positive  bug #740898
+          # also ignore false positive on non-systemd init systems. See bug #901557
+          if [ ! -h "${ROOTDIR}sbin/init" ] || \
+                 readlink -f  "${ROOTDIR}sbin/init" | ${egrep} -q "/sbin/upstart$|/systemd$" 2>/dev/null; then
+              _not_found
+          else
+              _warn "Possible Suckit: ${ROOTDIR}sbin/init INFECTED\n"
+          fi
       else
-         if [ -d ${ROOTDIR}/dev/.golf ]; then
-            echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
-	 else
-            if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-	 fi
+          if [ -d "${ROOTDIR}dev/.golf" ]; then
+              _warn "Possible Suckit:\n${ROOTDIR}dev/.golf/\n"
+          else
+              _not_found
+          fi
       fi
+   else
+       _not_found
    fi
 
    ### Volc
-   if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi
-   if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then
-      echo "Warning: Possible Volc rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Volc" "usr/bin/volc usr/lib/volc" ""
 
    ### Gold2
-   if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi
-   if [ -f ${ROOTDIR}usr/bin/ishit ] ; then
-      echo "Warning: Possible Gold2 rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Gold2" "usr/bin/ishit" ""
 
    ### TC2 Worm
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for TC2 Worm default files and dirs... "; fi
-   if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \
-        -f ${ROOTDIR}usr/sbin/initcheck  -o -f ${ROOTDIR}usr/sbin/ldb ]
-   then
-         echo "Possible TC2 Worm installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "TC2" "usr/sbin/initcheck usr/sbin/ldb" \
+                   "usr/info/.tc2k usr/bin/util"
 
    ### ANONOYING Rootkit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for Anonoying rootkit default files and dirs... "; fi
-   if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then
-         echo "Possible anonoying rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Anonoying" "usr/sbin/mech usr/sbin/kswapd"
 
    ### ZK Rootkit
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for ZK rootkit default files and dirs... "; fi
-   if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
-         echo "Possible ZK rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "ZK" "etc/sysconfig/console/load.zk"
+
    ### ShKit
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for ShKit rootkit default files and dirs... "; fi
-   if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then
-         echo "Possible ShKit rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "ShKit" "lib/security/.config etc/ld.so.hash"
 
    ### AjaKit
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for AjaKit rootkit default files and dirs... "; fi
-      if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then
-         echo "Possible AjaKit rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "AjaKit" "" "lib/.ligh.gh dev/tux"
 
    ### zaRwT
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for zaRwT rootkit default files and dirs... "; fi
-      if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then
-         echo "Possible zaRwT rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "zaRwT" "bin/imin bin/imout"
 
    ### Madalin rootkit
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Madalin rootkit default files... "; fi
-   D=${ROOTDIR}usr/include
-   if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then
-       echo "Possible Madalin rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Madalin" "usr/include/icekey.h usr/include/iceconf.h usr/include/iceseed.h" ""
 
    ### Fu rootkit
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Fu rootkit default files... "; fi
-   if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \
-        -f ${ROOTDIR}usr/include/ivtype.h ]; then
-      echo "Possible Fu rootkit INSTALLED"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "Fu" "sbin/xc bin/.lib usr/include/ivtype.h" ""
 
-   ## Kenga3 Rookit
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Kenga3 rotkit default files... "; fi
-   if [ -d "${ROOTDIR}usr/include/. ." ]; then
-      echo "Possible Kenga3 rootkit INSTALLED"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   ## Kenga3 Rookit - cant use lookfor_rootkit due to space
+   _start "Kenga3 rootkit"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/include/. ./" ${findargs})
+   _report "Possible Kenga3 rootkit installed" "$files"
 
    ### ESRK
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for ESRK rootkit default files... "; fi
-   if [ -d "${ROOTDIR}usr/lib/tcl5.3" ]; then
-      echo "Possible ESRK rootkit INSTALLED"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit ESRK "" "usr/lib/tcl5.3"
 
    ## rootedoor
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for rootedoor... "; fi
-   found=0
-   for i in `$echo $PATH|tr -s ':' ' '`; do
-      if [ -f "${ROOTDIR}${i}/rootedoor" ]; then
-         echo "Possible rootedoor INSTALLED in ${ROOTDIR}${i}"
-	 found=1
-      fi
+   _start "rootedoor"
+   files=""
+   for i in $($echo "$pth" | tr -s ':' ' '); do
+       if [ -f "${i}/rootedoor" ]; then
+           files=$(_filter "${i}/rootedoor" "$files")
+       fi
    done
-   [ "${found}" = "0"  ] &&\
-   if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   _report "Possible rootedoor installed" "$files"
 
    ### ENYELKM
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for ENYELKM rootkit default files... "; fi
-   if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then
-      echo "Possible ENYELKM rootkit installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   lookfor_rootkit "ENYELKM" "" "etc/.enyelkmOCULTAR.ko"
 
    ## Common SSH-SCANNERS
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for common ssh-scanners default files... "; fi
-   files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`"
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   _start "common ssh-scanners"
+   ssh=$(loc ssh ssh "$pth")
+   files=$(set -f; find_and_check "${ROOTDIR}tmp" "${ROOTDIR}var/tmp" ${findargs} \
+                   '(' -name vuln.txt -o -name ssh-scan -o -name pscan2 ')')
+   if [ -z "${files}" ]; then
+       _not_found
+   elif $ssh -G 2>&1 | "${grep}" usage > /dev/null; then
+       _not_found
    else
-     echo "${files}"
+       _warn "Possible ssh-scanner installed:\n${files}\n"
    fi
 
-   ## SSJD Operation Windigo  (Linux/Ebury) 
-   LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1" 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi
-   if $ssh -V 2>&1 | ${egrep} "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" >/dev/null; then
-      if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then 
-         if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi
-      else
-         echo "Possible Linux/Ebury 1.4 - Operation Windigo installed" 
-      fi
-   fi
-   if [ ! -f "${ROOTDIR}${LIBKEY}" ]; then 
-      if [ "${QUIET}" != "t" ]; then 
-         echo "not tested"; fi
-   else
-      if ${strings} -a ${ROOTDIR}${LIBKEY} | ${egrep} "libns2|libns5|libpw3|libpw5|libsbr|libslr" >/dev/null; then 
-         echo "Possible Linux/Ebury 1.6 - Operation Windigo installed"
-      else
-         if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi
-      fi
-   fi    
-   ##
-   ## Linux Rootkit 64 bits 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for 64-bit Linux Rootkit ... "; fi
-   if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \
-      ${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then
-      echo "Possible 64-bit Linux Rootkit"
+   ## SSJD Operation Windigo  (Linux/Ebury)
+   LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1"
+   _start "Linux/Ebury 1.4 - Operation Windigo"
+   if ${ssh} -V 2>&1 | ${egrep} "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" >/dev/null; then
+       if ${ssh} -G 2>&1 | "${grep}" -e illegal -e unknow > /dev/null; then
+           _not_found
+       else
+           _warn "${ssh} may be INFECTED by Linux/Ebury 1.4\n"
+       fi
    else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+       _not_tested
    fi
-   
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for 64-bit Linux Rootkit modules... "; fi
-   files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`"
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+
+   _start "Linux/Ebury 1.6"
+   file="${ROOTDIR}${LIBKEY}"
+   if [ ! -f "$file" ]; then
+       _not_tested
    else
-     echo "${files}"
-   fi  
-  
+       if "${strings}" -a "$file" | ${egrep} "(libns2|libns5|libpw3|libpw5|libsbr|libslr)" >/dev/null; then
+           file=$(_filter "$file" "")
+           if [ -n "$file" ]; then
+               _warn "Possible Linux/Ebury 1.6 - Operation Windigo installed in ${file}"
+           else
+               _not_found
+           fi
+       else
+           _not_found
+       fi
+   fi
+
+   ## Linux Rootkit 64 bits
+   _start "64-bit Linux Rootkit"
+   file="${ROOTDIR}etc/rc.local"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/local/hide/" ${findargs})
+   if ${egrep} -q module_init "$file" 2>/dev/null; then
+	   files=$(_filter "$file" "$files")
+   fi
+   _report "Possible 64-bit Linux Rootkit" "$files"
+
+   _start "64-bit Linux Rootkit modules"
+   files=$(set -f; find_and_check "${ROOTDIR}lib/modules" ${findargs} -name module_init.ko)
+   _report "Possible 64-bit rootkit modules installed" "${files}"
+
    ## Mumblehard backdoor/botnet
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Mumblehard Linux ... "; fi
-   if [ -e ${ROOTDIR}var/spool/cron/crontabs ]; then 
-      cat ${ROOTDIR}var/spool/cron/crontabs/* 2>/dev/null | ${egrep} "var/tmp"  
-      if [ $? -ne 0 ] ; then 
-         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-      else 
-         echo "Possible Mumblehard backdoor installed"
-      fi
-   else 
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   _start "Mumblehard"
+   files=""
+   if [ -d "${ROOTDIR}var/spool/cron/crontabs" ]; then
+       for f in "${ROOTDIR}var/spool/cron/crontabs"/*; do
+           if [ -e "$f" ] && ${egrep} -q "var/tmp" "$f" 2>/dev/null; then
+               files=$(_filter "$f" "$files")
+           fi
+       done
    fi
-   
-   ## Backdoor.Linux.Mokes.a 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Backdoor.Linux.Mokes.a ... "; fi
-   files="`${find} ${ROOTDIR}tmp/ ${findargs} -name "ss0-[0-9]*" -o -name "kk-[0-9]*"   2> /dev/null`"
-   if [ "${files}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-     echo "${files}"
-   fi  
+   _report "Possible Mumblehard backdoor installed" "$files"
 
-   ## Malicious TinyDNS 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Malicious TinyDNS ... "; fi
-   files="`${find} "${ROOTDIR}home/ ./" 2> /dev/null`"
-   if [ "${files}" = "" ]; then 
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   else
-      echo "INFECTED: Possible Malicious TinyDNS installed"
-   fi      
+   ## Backdoor.Linux.Mokes.a
+   _start "Backdoor.Linux.Mokes.a"
+   files=$(set -f; find_and_check "${ROOTDIR}tmp/" ${findargs} '(' -name "ss0-[0-9]*" -o -name "kk-[0-9]*" ')')
+   _report "Possible Backdoor.Linux.Mokes.a installed" "${files}"
 
-   ## Linux/Xor.DDoS 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Linux.Xor.DDoS ... "; fi
-   files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`"
-   if [ "${files}" = "" ]; then
-      files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null`" 
-      if [ "${files}" = "" ]; then 
-         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-      else
-         echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
-         echo "${files}"
-      fi
-   else
-     echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
-     echo "${files}"
-   fi  
+   ## Malicious TinyDNS
+   _start "Malicious TinyDNS"
+   files=$(set -f; find_and_check "${ROOTDIR}home/ ./" ${findargs})
+   _report "Possible Malicious TinyDNS installed" "$files"
 
-   ## Linux.Proxy 1.0 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Linux.Proxy.1.0 ... "; fi
+   ## Linux/Xor.DDoS
+   _start "Linux.Xor.DDoS"
+   files=$(set -f; find_and_check "${ROOTDIR}tmp/" ${findargs} -executable -type f)
+   for i in "${ROOTDIR}etc/cron.hourly/udev.sh" "${ROOTDIR}etc/cron.hourly/gcc.sh"; do
+       if [ -e "$i" ]; then
+           files=$(_filter "$i" "$files")
+       fi
+   done
+   _report "Possible Linux.Xor.DDoS installed" "${files}"
 
-   if ${egrep} -i mother ${ROOTDIR}etc/passwd >/dev/null 2>&1 ; then 
-      echo "INFECTED: Possible Malicious Linux.Proxy.10 installed"
+   ## Linux.Proxy 1.0
+   _start "Linux.Proxy.1.0"
+   if ${egrep} -i mother "${ROOTDIR}etc/passwd" >/dev/null 2>&1 ; then
+       _warn "INFECTED: Possible Malicious Linux.Proxy.10 installed in /etc/passwd\n"
    else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+       _not_found
    fi
 
-   # Linux/CrossRAT 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for CrossRAT ... "; fi
-   if ${ls} ${ROOTDIR}usr/var/mediamgrs.jar 2>/dev/null; then 
-      echo "INFECTED: Possible Malicious CrossRAT installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
-   ## Hidden Cobra (IBM AIX) 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Hidden Cobra ... "; fi
-   if ${ls} ${ROOTDIR}tmp/.ICE-unix/m*.so ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then 
-      echo "INFECTED: Possible Malicious Hidden Cobra installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi  
+   # Linux/CrossRAT
+   _start "CrossRAT"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/var" -maxdepth 1 ${findargs} -name "mediamgrs.jar")
+   _report "Possible Malicious CrossRAT installed" "$files"
+
+   ## Hidden Cobra (IBM AIX)
+   _start "Hidden Cobra"
+   files=$(set -f; find_and_check "${ROOTDIR}tmp/.ICE-unix" -maxdepth 1 ${findargs} "(" -name "m*.so" -o -name  \
+                 "engine.so" ")")
+   _report "Possible Malicious Hidden Cobra installed" "$files"
 
    ### Rocke Monero Miner
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Rocke Miner ... "; fi
-   if [ -f "${ROOTDIR}etc/ld.so.pre" -o -f "${ROOTDIR}etc/xig" ] ; then 
-      echo "INFECTED: Possible Malicious Rocke Miner installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi  
+   lookfor_rootkit "Rocke Miner" "ld.so.pre etc/xig" ""
 
-   ## PWNLNX4 - An LKM Roottkit 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for PWNLNX4 lkm... "; fi
-   if [ -d "${ROOTDIR}/uOnlineBuilder64" -o -d "${ROOTDIR}/var/tmp/.1" -o -d "${ROOTDIR}/var/tmp/Linux_Server" ]; then 
-      echo "INFECTED: Possible Malicious PWNLNX4 installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   ## PWNLNX4 - An LKM Rootkit
+   lookfor_rootkit "PWNLNX4 lkm" "" "uOnlineBuilder64 var/tmp/.1 var/tmp/Linux_Server"
 
-   ## PWNLNX6 - Another LKM Roottkit 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for PWNLNX6 lkm... "; fi
-   if [ -d "${ROOTDIR}/tmp/suterusu" ] ; then 
-      echo "INFECTED: Possible Malicious PWNLNX6 installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   ## PWNLNX6 - Another LKM Rootkit
+   lookfor_rootkit "PWNLNX6 lkm" "" "tmp/suterusu"
 
    ## Umbreon Linux Rootkit
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Umbreon lrk... "; fi
-   if  ${ls} ${ROOTDIR}usr/share/libc.so.* > /dev/null 2>&1 ; then
-      echo "INFECTED: Possible Malicious UMBREON LRK installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   _start "Umbreon lrk"
+   files=$(set -f; find_and_check "${ROOTDIR}usr/share" -maxdepth 1 ${findargs} -name 'libc.so.*' )
+   _report "Possible Malicious UMBREON LRK installed" "$files"
 
-   ## KINSING.A Backdoor 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Kinsing.a backdoor... "; fi
-   if  ${ls} "${ROOTDIR}tmp/kdevtmpfsi" > /dev/null 2>&1 ; then
-      echo "INFECTED: Possible Malicious KINSING.A Backdoor installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   ## KINSING.A Backdoor
+   lookfor_rootkit "Kinsing.a backdoor" "tmp/kdevtmpfsi" ""
 
-   ## RotaJakiro Backdoor 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for RotaJakiro backdoor... "; fi
-   if  ${ls} "${ROOTDIR}bin/systemd-daemon" > /dev/null 2>&1 ; then
-      echo "INFECTED: Possible Malicious JOTAJAKIRO Backdoor installed"
-   else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
-   fi
+   ## RotaJakiro Backdoor
+   lookfor_rootkit "RotaJakiro backdoor" "bin/systemd-daemon" ""
 
-   ## Syslogk LKM rootkit 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Syslogk LKM rootkit... "; fi
-      (${echo} 1> "${ROOTDIR}proc/syslogk") >/dev/null 2>&1
-   if  ${ls} "${ROOTDIR}proc/syslogk" > /dev/null 2>&1 ; then
-      echo "INFECTED: Possible Malicious Syslogk LKM rootkit installed"
+   ## Syslogk LKM rootkit
+   _start "Syslogk LKM rootkit"
+   if [ "$mode" = "pm" ]; then
+       _not_tested
    else
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+       ("${echo}" 1> "${ROOTDIR}proc/syslogk") >/dev/null 2>&1
+       if "${ls}" "${ROOTDIR}proc/syslogk" >/dev/null 2>&1; then
+           _warn "Possible Malicious Syslogk LKM rootkit installed: /proc/syslogk\n"
+       else
+           _not_found
+       fi
    fi
 
-   ## Kovid LKM rootkit 
+   ## Kovid LKM rootkit
    f=""
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Kovid LKM rootkit... "; fi
-   for i in 1 2; do 
-      ${kill} -SIGCONT 31337 2>/dev/null 
-      if  ${ls} "${ROOTDIR}proc/kovid" > /dev/null 2>&1 ; then
-         echo "INFECTED: Possible Malicious Kovid LKM rootkit installed"
-         f="Kovid"
-      fi
+   _start "Kovid LKM rootkit"
+   for i in 1 2; do
+       #${kill} -SIGCONT 31337 2>/dev/null # commented out as potentially dangerous
+       if  "${ls}" "${ROOTDIR}proc/kovid" > /dev/null 2>&1 ; then
+           if [ -z "$f" ]; then
+               _warn "INFECTED: Possible Malicious Kovid LKM rootkit installed: ${ROOTDIR}proc/kovid\n"
+               f="Kovid"
+           fi
+       fi
    done
-   [ "${f}" = "" -a "${QUIET}" != "t" ] && echo "nothing found"
-   
-   ## Tsunami DDoS Malware
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Tsunami DDoS Malware.. "; fi
-   [ -f "${ROOTDIR}bin/a" -o -f "${ROOTDIR}bin/cls" -o -f "${ROOTDIR}bin/clean" ] && 
-      echo "INFECTED: Possible Tsunami DDoS Malware installed" ||
-      { 
-          [ "${QUIET}" != "t" ] && echo "nothing found"
-      } 
+   if [ "${f}" = "" ]; then
+       _not_tested
+       # warn "Kovid test is semi-disabled: to properly test run '$kill -SIGCONT 31337' and re-run"
+   fi
 
-   ## Linux BPF Door 
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for Linux BPF Door.. "; fi
-    ${egrep} packet_recvmsg /proc/*/stack >/dev/null 2>&1 && 
-      echo "INFECTED: Possible Linux BPFDoor Malware installed" ||
-      { 
-          [ "${QUIET}" != "t" ] && echo "nothing found"
-      } 
+   lookfor_rootkit "Tsunami DDoS Malware" "bin/a bin/cls bin/clean" ""
 
-   ##
-   ### Suspects PHP files
-   ###
-   if [ "${QUIET}" != "t" ]; then
-      printn "Searching for suspect PHP files... "; fi
-      files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
-if [ `echo abc | _head -1` = "abc" ]; then
-      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n 1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`"
-else
-      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`"
-fi
-   if [ "${files}" = "" -a "${fileshead}" = "" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   _start "Linux BPF Door"
+   files=$(${egrep} -l packet_recvmsg "${ROOTDIR}"proc/*/stack 2>/dev/null)
+   _report "Possible Linux BPFDoor Malware installed" "$files"
+
+   ### Suspect PHP files
+   _start "suspect PHP files"
+   files=$(set -f; "${find}" "${ROOTDIR}tmp" "${ROOTDIR}var/tmp" ${findargs} -name '*.php' 2>/dev/null)
+   fileshead=$(set -f; "${find}" "${ROOTDIR}tmp" "${ROOTDIR}var/tmp" ${findargs} -type f -print0 2>/dev/null | PATH="$path_for_tools" "${xargs}" -0 -I@ ./check_php @)
+   if [ -z "$files" ]; then
+       files="$fileshead"
    else
-     echo
-     echo "${files}"
-     echo "${fileshead}"
+       if [ -n "$fileshead" ]; then
+           files="$files\n$fileshead"
+       fi
    fi
+   _report "The following suspicious PHP files were found" "${files}"
 
-   ###
    ### shell history anomalies
-   ###
-   if [ "${QUIET}" != "t" ]; then \
-      printn "Searching for anomalies in shell history files... "; fi
-   files=""
-   if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
-      files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
-      [ ! -z "${files}" ] && \
-        echo "Warning: \`${files}' file size is zero"
-      files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
-      [ ! -z "${files1}" ] && \
-        echo "Warning: \`${files1}' is linked to another file"
+   _start "zero-size shell history files in $HOME"
+   if [ -d "$HOME" ]; then
+       files=$(set -f; find_and_check "$HOME" -maxdepth 1 ${findargs} -name '.*history' -size 0)
+       _report "Zero-size history files" "$files"
+   else
+       _warn "No \$HOME: $HOME"
    fi
-   if [ -z "${files}" -a -z "${files1}" ]; then
-      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+   _start "hardlinked shell history files in $HOME"
+   if [ -d "$HOME" ]; then
+       files=$(set -f; find_and_check "$HOME" -maxdepth 1 ${findargs} -name '.*history' \( -links 2 -o -type l \))
+       _report "shell history files hardlinked to another file" "$files"
+   else
+       _warn "No \$HOME: $HOME"
    fi
+   [ "$QUIET" != "t" ] && printn "Checking \`aliens'..."
+   [ "$QUIET" != "t" ] && echo "finished"
 }
 
 ######################################################################
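Review bot: the Rocke Miner conversion drops the `etc/` prefix from the first path. The removed test checked `${ROOTDIR}etc/ld.so.pre` and `${ROOTDIR}etc/xig`, but the replacement is `lookfor_rootkit "Rocke Miner" "ld.so.pre etc/xig" ""`, so ld.so.pre is now looked for directly under ${ROOTDIR}; the list should read "etc/ld.so.pre etc/xig". Three further points in this hunk. First, the RK17 block accumulates results with `if [ -z "$files" ]; then files="$i"; else files="$files\n$i"; fi`, which appends a bare `\n` whenever an earlier find matched and a later one returned nothing, while the ShitC Worm block a few lines down guards the same append with `elif [ -n "$i" ]`; the RK17 block should use that guard too (or both should call one helper). Second, the new ssh-scanner branch `elif $ssh -G 2>&1 | "${grep}" usage > /dev/null; then _not_found` suppresses the report of vuln.txt/ssh-scan/pscan2 files found under ${ROOTDIR}tmp and ${ROOTDIR}var/tmp based on how the host's ssh binary responds to -G, which is unrelated to those files and is also the host's ssh rather than the one under -r; the Ebury 1.4 test immediately below already does its own `ssh -G` check, so the scanner test should simply report the files it found. Third, path consistency in the warning strings: the HKRK warning built here correctly reports `${file}` with its ${ROOTDIR} prefix and the Kovid warning reports `${ROOTDIR}proc/kovid`, but the Linux.Proxy warning hardcodes "/etc/passwd" and the Syslogk warning hardcodes "/proc/syslogk"; these should use the ${ROOTDIR}-prefixed path as well. Minor: the Sadmind/IIS `_report` string says "Sadmin/IIS" while the matching `_start` says "Sadmind/IIS Worm", the `## Tsunami DDoS Malware` and `## Linux BPF Door` section comments were removed without being re-added, and `./check_php` in the suspect-PHP test is resolved relative to the current working directory, which only works if the script is guaranteed to run from its own directory.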
