wok-next annotate chkrootkit/stuff/chkrootkit.u @ rev 17055
qt4: copied to added "qt4-base", ln -s sources, modified
author | Xander Ziiryanoff <psychomaniak@xakep.ru> |
---|---|
date | Thu Aug 21 03:34:29 2014 +0200 (2014-08-21) |
parents | |
children | 53abdfcf11d4 |
rev | line source |
---|---|
pascal@1343 | 1 --- chkrootkit-0.48/chkrootkit |
pascal@1343 | 2 +++ chkrootkit-0.48/chkrootkit |
pascal@1343 | 3 @@ -562,8 +562,13 @@ |
pascal@1343 | 4 if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then |
pascal@1343 | 5 expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 6 -size 0" |
pascal@1343 | 7 - expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 8 + if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then |
pascal@1343 | 9 + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 10 + -type l" |
pascal@1343 | 11 + else |
pascal@1343 | 12 + expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ |
pascal@1343 | 13 \( -links 2 -o -type l \)" |
pascal@1343 | 14 + fi |
pascal@1343 | 15 fi |
pascal@1343 | 16 |
pascal@1343 | 17 return 5 |
pascal@1343 | 18 @@ -957,7 +962,9 @@ |
pascal@1343 | 19 ### Suckit |
pascal@1343 | 20 if [ -f ${ROOTDIR}sbin/init ]; then |
pascal@1343 | 21 if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi |
pascal@1343 | 22 - if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME || \ |
pascal@1343 | 23 + if [ ${SYSTEM} != "HP-UX" ] && \ |
pascal@1343 | 24 + ((! ls -l ${ROOTDIR}sbin/init | ${egrep} -q "bin/busybox$" && \ |
pascal@1343 | 25 + ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME) || \ |
pascal@1343 | 26 cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 |
pascal@1343 | 27 then |
pascal@1343 | 28 echo "Warning: ${ROOTDIR}sbin/init INFECTED" |
pascal@1343 | 29 @@ -1127,7 +1134,12 @@ |
pascal@1343 | 30 files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0` |
pascal@1343 | 31 [ ! -z "${files}" ] && \ |
pascal@1343 | 32 echo "Warning: \`${files}' file size is zero" |
pascal@1343 | 33 - files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)` |
pascal@1343 | 34 + if ls -l ${ROOTDIR}/usr/bin/find | ${egrep} -q 'bin/busybox$'; then |
pascal@1343 | 35 + files1='-type l' |
pascal@1343 | 36 + else |
pascal@1343 | 37 + files1='\( -links 2 -o -type l \)' |
pascal@1343 | 38 + fi |
pascal@1343 | 39 + files1=`eval ${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' $files1` |
pascal@1343 | 40 [ ! -z "${files1}" ] && \ |
pascal@1343 | 41 echo "Warning: \`${files}' is linked to another file" |
pascal@1343 | 42 fi |
pascal@1343 | 43 @@ -1537,6 +1549,9 @@ |
pascal@1343 | 44 chk_netstat () { |
pascal@1343 | 45 STATUS=${NOT_INFECTED} |
pascal@1343 | 46 NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero" |
pascal@1343 | 47 + if ls -l /bin/netstat | ${egrep} -q " busybox$"; then |
pascal@1343 | 48 + return ${STATUS} |
pascal@1343 | 49 + fi |
pascal@1343 | 50 CMD=`loc netstat netstat $pth` |
pascal@1343 | 51 |
pascal@1343 | 52 if [ "${EXPERT}" = "t" ]; then |