wok-6.x annotate chkrootkit/stuff/chkrootkit.u @ rev 24956
updated nano and nano-doc (4.8 -> 6.2)
author | Hans-G?nter Theisgen |
---|---|
date | Sat Apr 23 16:35:24 2022 +0100 (2022-04-23) |
parents | 5b354223d4ec |
children | 41a539cfe5f8 |
rev | line source |
---|---|
pascal@18140 | 1 --- chkrootkit-0.50/chkrootkit |
pascal@18140 | 2 +++ chkrootkit-0.50/chkrootkit |
pascal@20419 | 3 @@ -611,8 +611,13 @@ |
pascal@1343 | 4 if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then |
pascal@1343 | 5 expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 6 -size 0" |
pascal@1343 | 7 - expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 8 + if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then |
pascal@1343 | 9 + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 10 + -type l" |
pascal@1343 | 11 + else |
pascal@1343 | 12 + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 13 \( -links 2 -o -type l \)" |
pascal@1343 | 14 + fi |
pascal@1343 | 15 fi |
pascal@1343 | 16 |
pascal@1343 | 17 return 5 |
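Review bot: The BusyBox test added at patch line 8 inspects `${ROOTDIR}/usr/bin/find`, but the command that then runs is whatever `${find}` holds, so the two can disagree (a different install path, or a non-default root) and the wrong predicate gets chosen. On the BusyBox branch the `-links 2` test is dropped with no message, presumably because that find lacks `-links`, so a hard-linked history file is no longer reported there. A comment such as `# busybox find: no -links, hard-linked history files are not detected here` would record the loss of coverage. Probing the capability directly, e.g. `if ! ${find} /dev/null -links 1 >/dev/null 2>&1; then`, would avoid parsing `ls -l` output; the same applies to the hunk at -1270. The enclosing function starts outside the hunk.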
pascal@20419 | 18 @@ -1006,7 +1011,9 @@ |
pascal@1343 | 19 ### Suckit |
pascal@1343 | 20 if [ -f ${ROOTDIR}sbin/init ]; then |
pascal@1343 | 21 if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi |
pascal@20419 | 22 - if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' || \ |
pascal@1343 | 23 + if [ ${SYSTEM} != "HP-UX" ] && \ |
pascal@1343 | 24 + ((! ls -l ${ROOTDIR}sbin/init | ${egrep} -q "bin/busybox$" && \ |
pascal@20419 | 25 + ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' ) || \ |
pascal@1343 | 26 cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 |
pascal@1343 | 27 then |
pascal@1343 | 28 echo "Warning: ${ROOTDIR}sbin/init INFECTED" |
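Review bot: The exemption on patch line 24 matches any `ls -l` line that ends in `bin/busybox`, so an init symlink whose target merely has that suffix skips the `.sniffer` strings check, not only a link to the system BusyBox. If the link is absolute on the target system, anchoring on the expected target, e.g. `${egrep} -q -- '-> /bin/busybox$'`, narrows the exemption. The opening `((` on the same line is first tried as an arithmetic command by some shells before they fall back to nested subshells; writing `( ( ! ls -l …` removes the ambiguity. The body of the `if` continues outside the hunk.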
pascal@20420 | 29 @@ -1270,7 +1277,12 @@ |
pascal@1343 | 30 files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0` |
pascal@1343 | 31 [ ! -z "${files}" ] && \ |
pascal@1343 | 32 echo "Warning: \`${files}' file size is zero" |
pascal@1343 | 33 - files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)` |
pascal@1343 | 34 + if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then |
pascal@1343 | 35 + files1='-type l' |
pascal@1343 | 36 + else |
pascal@1343 | 37 + files1='\( -links 2 -o -type l \)' |
pascal@1343 | 38 + fi |
pascal@1343 | 39 + files1=`eval ${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' $files1` |
pascal@1343 | 40 [ ! -z "${files1}" ] && \ |
pascal@18140 | 41 echo "Warning: \`${files1}' is linked to another file" |
pascal@1343 | 42 fi |
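Review bot: The `eval` on patch line 39 parses the command line a second time, so the quotes around `'.*history'` are already gone when find's arguments are formed and the pattern can be glob-expanded against the current directory. The expanded values of `${ROOTDIR}`, `${HOME}` and `${findargs}` are likewise re-read as shell text, in a script that is normally run as root. Running find directly in each branch needs no eval and keeps the pattern quoted. The enclosing block starts outside the hunk.

```shell
if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then
  files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -type l`
else
  files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
fi
# … unchanged: warning when files1 is non-empty …
```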
pascal@20420 | 43 @@ -1680,6 +1692,9 @@ |
pascal@1343 | 44 chk_netstat () { |
pascal@1343 | 45 STATUS=${NOT_INFECTED} |
pascal@1343 | 46 NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero" |
pascal@1343 | 47 + if ls -l /bin/netstat | ${egrep} -q " busybox$"; then |
pascal@1343 | 48 + return ${STATUS} |
pascal@1343 | 49 + fi |
pascal@1343 | 50 CMD=`loc netstat netstat $pth` |
pascal@1343 | 51 |
pascal@1343 | 52 if [ "${EXPERT}" = "t" ]; then |
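Review bot: The early return on patch lines 47-49 reports `${NOT_INFECTED}` for a netstat that was never examined. It also tests the fixed path `/bin/netstat` before `loc netstat netstat $pth` has resolved the binary, and without the `${ROOTDIR}` prefix the other hunks use. Moving the test below the `CMD=` line and applying it to the resolved file, as in `if ls -l "${CMD}" | ${egrep} -q "busybox$"; then`, checks the binary that is actually inspected. A comment such as `# busybox applet: signature strings do not apply, check skipped` would explain the skip, and if the script has a distinct not-tested status, returning that would be more accurate than not-infected. chk_netstat continues outside the hunk.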