From: Richard Lewis <richard.lewis.debian@googlemail.com>
Date: Sun, 9 Jul 2017 18:42:55 +0200
Subject: chkrootkit: lookfor-rootkit
This is a helper function to simplify and unify tests that
simply test for files/dirs existing
Originally from: "francois@debian.org" <francois@debian.org> and
"Roger Leigh" <Roger Leigh rleigh@debian.org> (Sun, 10 Nov 2024 10:24:09 +0000)
Functionality to exclude things specified with -e was provided by
richard.lewis.debian@googlemail.com in Oct 2024.
Forwarded: yes
(Forwarded by email: 21 Dec 2024)
---
chkrootkit | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/chkrootkit b/chkrootkit
index 12abf77..cfd4407 100755
--- a/chkrootkit
+++ b/chkrootkit
@@ -468,6 +468,25 @@ _not_tested(){
fi
}
+lookfor_rootkit(){
+ rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace
+ _start "$rkname rootkit"
+
+ bad="";
+ for f in $files; do
+ if [ -e "${ROOTDIR}${f}" ]; then
+ bad=$(_filter "${ROOTDIR}$f" "$bad")
+ fi
+ done
+ for d in $dirs ; do
+ if [ -d "${ROOTDIR}${d}" ]; then
+ bad=$(_filter "${ROOTDIR}${d}/" "$bad")
+ fi
+ done
+ _report "Possible $rkname rootkit installed" "$bad"
+}
+
+
aliens () {
if [ "${EXPERT}" = "t" ]; then
### suspicious files
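Review bot: The unquoted `$files` and `$dirs` in the two `for` loops of lookfor_rootkit undergo pathname expansion as well as word splitting, but the comment on the function's first line only warns about whitespace. An entry containing `*`, `?` or `[` would be expanded against the running system before `${ROOTDIR}` is prefixed, or kept as a literal pattern if nothing matches, so the existence test could check the wrong name and silently report nothing; the callers are outside this hunk, so whether any list contains such characters cannot be confirmed here. Either widen the comment to `# names are word-split and glob-expanded: no whitespace or glob characters` or bracket the loops with `set -f` and `set +f`. Separately, `[ -e ... ]` follows symlinks, so a dangling symlink is not reported; `if [ -e "${ROOTDIR}${f}" ] || [ -L "${ROOTDIR}${f}" ]; then` would cover that case.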