wok-current view chkrootkit/stuff/chkrootkit.u @ rev 23671

updated stoqdrivers (0.9.8.2 -> 1.8.1)
author Hans-Günter Theisgen
date Sun Apr 26 07:56:47 2020 +0100 (2020-04-26)
parents 5b354223d4ec
children 41a539cfe5f8
1 --- chkrootkit-0.50/chkrootkit
2 +++ chkrootkit-0.50/chkrootkit
3 @@ -611,8 +611,13 @@
4 if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
5 expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
6 -size 0"
7 - expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
8 + if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then
9 + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
10 + -type l"
11 + else
12 + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
13 \( -links 2 -o -type l \)"
14 + fi
15 fi
17 return 5
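Review bot: The busybox probe on the added `if ls -l ${ROOTDIR}/usr/bin/find` line inspects a binary under ${ROOTDIR}, but the find that actually runs is `${find}`, resolved on the live host, so with `-r` pointing at a mounted image the wrong binary decides whether `-links 2` is usable. Probing the binary the script invokes is more reliable: `if ls -l ${find} | ${egrep} -q 'bin/busybox$'; then`, assuming `${find}` holds a full path as it does elsewhere in the script. Either way the busybox branch silently gives up the hard-link test that catches a history file linked to another file (presumably because that find lacks `-links`), and that deserves a comment such as `# busybox find: hard-linked history files are not reported here, only symlinks`. The enclosing expert-mode function starts before this hunk.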
18 @@ -1006,7 +1011,9 @@
19 ### Suckit
20 if [ -f ${ROOTDIR}sbin/init ]; then
21 if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
22 - if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' || \
23 + if [ ${SYSTEM} != "HP-UX" ] && \
24 + ((! ls -l ${ROOTDIR}sbin/init | ${egrep} -q "bin/busybox$" && \
25 + ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' ) || \
26 cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
27 then
28 echo "Warning: ${ROOTDIR}sbin/init INFECTED"
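Review bot: The added `! ls -l ${ROOTDIR}sbin/init | ${egrep} -q "bin/busybox$"` guard disables the Suckit string scan whenever /sbin/init is a symlink whose target ends in `bin/busybox`, and that decision rests on `ls -l` output, which an attacker who already owns the host controls: pointing init at any trojaned file with that name suffix switches the check off, leaving only the `/proc/1/maps` test. `${strings}` already follows the symlink, so if the exemption exists to avoid a false positive on a clean busybox binary (the commit does not say), narrowing it is safer — keep scanning and only treat a match as benign when the resolved target is the distribution's busybox, or at least print that the test was skipped instead of reporting nothing. The `if` block this hunk changes continues past the hunk.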
29 @@ -1270,7 +1277,12 @@
30 files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
31 [ ! -z "${files}" ] && \
32 echo "Warning: \`${files}' file size is zero"
33 - files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
34 + if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then
35 + files1='-type l'
36 + else
37 + files1='\( -links 2 -o -type l \)'
38 + fi
39 + files1=`eval ${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' $files1`
40 [ ! -z "${files1}" ] && \
41 echo "Warning: \`${files1}' is linked to another file"
42 fi
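Review bot: The new `files1=\`eval ${find} ...\`` line re-parses `${ROOTDIR}`, `${HOME}` and `${findargs}` through eval, so any shell metacharacter in those values (a home directory containing spaces, `;` or `$(...)` in the HOME chkrootkit inherits from its environment) is executed rather than handed to find. The first parse also consumes the quotes around `'.*history'`, so eval sees a bare `.*history` subject to pathname expansion against the current directory — running chkrootkit from /root with a .bash_history present would turn the pattern into a literal name, and two matching files would produce a find syntax error. The busybox/non-busybox split only changes the trailing find expression, so two direct invocations, as the first hunk already does, give the same result without eval.
```shell
if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then
   files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -type l`
else
   files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
fi
# … unchanged: "is linked to another file" warning …
```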
43 @@ -1680,6 +1692,9 @@
44 chk_netstat () {
45 STATUS=${NOT_INFECTED}
46 NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
47 + if ls -l /bin/netstat | ${egrep} -q " busybox$"; then
48 + return ${STATUS}
49 + fi
50 CMD=`loc netstat netstat $pth`
52 if [ "${EXPERT}" = "t" ]; then
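Review bot: The added early return in chk_netstat probes the hard-coded `/bin/netstat` rather than `${ROOTDIR}bin/netstat`, so with `-r` the live system's binary decides whether the image's netstat is examined, unlike the other busybox probes in this patch, which honour `${ROOTDIR}`. The pattern `" busybox$"` also differs from the `bin/busybox$` used for find and init — it matches only a relative `-> busybox` link, not an absolute `/bin/busybox` target — so the three probes can disagree on one system depending on how the links were created. Returning `${STATUS}` (NOT_INFECTED) with no output makes a skipped test indistinguishable from a clean one; I would write `if ls -l ${ROOTDIR}bin/netstat 2>/dev/null | ${egrep} -q '(/| )busybox$'; then` and print "skipped (busybox)" when `${QUIET}` is not `t` before returning. chk_netstat continues past the end of the hunk.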