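#! /bin/sh
# -*- Shell-script -*-
# $Id: chkrootkit, v 0.55 2021/06/10
#
# chkrootkit looks for known rootkits, worms and LKM backdoors by checking for
# their default files, listening ports and labels inside system binaries.
# This part of the script holds the prologue (global tables, return codes) and
# the "tools" functions listed in ${TOOLS}.  Every tool prints its verdict on
# stdout and returns one of the codes defined under "Return Codes" below.
# Globals such as ROOTDIR, QUIET, EXPERT, SYSTEM, mode, V and the command
# wrappers (${egrep}, ${awk}, ${ls}, ${ps}, ${netstat}, ...) as well as the
# helpers loc(), printn(), expertmode_output() and _chk_netstat_or_ss() are
# defined elsewhere in the script.
CHKROOTKIT_VERSION='0.55'
# Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
# Klaus Steding-Jessen <jessen@cert.br>
#
# (c)1997-2021 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# All rights reserved

### workaround for some Bourne shell implementations
unalias login > /dev/null 2>&1
unalias ls > /dev/null 2>&1
unalias netstat > /dev/null 2>&1
unalias ss > /dev/null 2>&1
unalias ps > /dev/null 2>&1
unalias dirname > /dev/null 2>&1

# The compiled helpers (chkproc, chkdirs, chkutmp, chkwtmp, chklastlog,
# ifpromisc, ...) are installed here and invoked as ./name below.  If the cd
# fails those names resolve relative to the caller's current directory; keep
# the scan best-effort (the helper-based tests then report "not tested") but
# say so on stderr instead of failing silently.
cd /usr/lib/chkrootkit || \
  echo "chkrootkit: warning: cannot cd to /usr/lib/chkrootkit, helper programs will be looked up in the current directory" >&2

# Workaround for recent GNU coreutils
_POSIX2_VERSION=199209
export _POSIX2_VERSION

# Kernel symbol table read by lkm() when looking for the Adore/Sebek LKMs.
# Modern kernels expose /proc/kallsyms, 2.4 kernels exposed /proc/ksyms.
# KALLSYMS holds the FULL path and is used as "$KALLSYMS" below: the previous
# code tested the misspelt /proc/ksysm and then prefixed "/proc/" a second
# time ("/proc//proc/kallsyms"), so the symbol check could never run.
KALLSYMS="/proc/kallsyms"
[ -f /proc/ksyms ] && KALLSYMS="/proc/ksyms"

# Native commands
TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \
env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \
killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \
pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
tcpdump top telnetd timed traceroute vdir w write"

# Tools
TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"

# Return Codes
INFECTED=0
NOT_INFECTED=1
NOT_TESTED=2
NOT_FOUND=3
INFECTED_BUT_DISABLED=4

# Many trojaned commands have this label
GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer"

######################################################################
# tools functions
#
# Conventions shared by the tools below:
#   - a tool prints "not infected"/"not tested"/"nothing detected" only when
#     QUIET is not "t"; warnings are always printed;
#   - EXPERT="t" makes a tool dump the raw command output through
#     expertmode_output and return 5;
#   - file lists are space separated strings iterated unquoted on purpose,
#     so none of the default names may contain whitespace.

#
# 55808.A Worm
#
w55808 (){
  W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r"
  STATUS=0
  for i in ${W55808_FILES}; do
    if [ -f "${i}" ]; then
      STATUS=1
    fi
  done
  if [ ${STATUS} -eq 1 ] ;then
    echo "Warning: Possible 55808 Worm installed"
    return ${INFECTED}
  else
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    return ${NOT_INFECTED}
  fi
}

#
# OSX.RSPlug.A trojan: checks for its default plug-in files.  The names
# contain spaces, so the list is ';' separated and IFS is switched for the
# loop and restored afterwards.
#
OSX_RSPLUG (){
  if [ "${SYSTEM}" != "Darwin" ]; then
    if [ "${QUIET}" != "t" ]; then echo "not tested"; fi
    # a bare 'return' here handed back the status of the echo (0 == INFECTED)
    return ${NOT_TESTED}
  fi
  SAVEIFS=$IFS
  IFS=';'
  STATUS=0
  OSX_RSPLUG_FILES='/Library/Internet Plug-Ins/QuickTime.xpt;/Library/Internet Plug-Ins/plugins.settings'
  # echo checking ${OSX_RSPLUG_FILES}
  for i in ${OSX_RSPLUG_FILES} ; do
    echo searching for "${i}"
    if [ -e "${i}" ] ; then
      STATUS=1
    fi
  done
  IFS=$SAVEIFS
  if [ ${STATUS} -eq 1 ] ;then
    echo "Warning: OSX.RSPlug.A Trojan Horse found"
    return ${INFECTED}
  else
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    return ${NOT_INFECTED}
  fi
}

#
# SLAPPER.{A,B,C,D} and the multi-platform variant: looks for the worm's
# listening ports and its drop files.
#
slapper (){
  SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c"
  SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \
  ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
  SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
  _chk_netstat_or_ss;
  OPT="-an"
  [ "${netstat}" = "ss" ] && OPT="-a"
  STATUS=0
  file_port=
  if ${netstat} "${OPT}" | ${egrep} "^tcp" | ${egrep} "${SLAPPER_PORT}" > /dev/null 2>&1
  then
    STATUS=1
    # on Linux report the owning pid/program as well (netstat -p, column 7)
    [ "$SYSTEM" = "Linux" ] && file_port=$(netstat -p ${OPT} | \
      $egrep ^tcp | $egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :)
  fi
  for i in ${SLAPPER_FILES}; do
    if [ -f "${i}" ]; then
      file_port="$file_port $i"
      STATUS=1
    fi
  done
  if [ ${STATUS} -eq 1 ] ;then
    echo "Warning: Possible Slapper Worm installed ($file_port)"
    return ${INFECTED}
  else
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    return ${NOT_INFECTED}
  fi
}

#
# Scalper worm: listening port 2001 (unless ser2net legitimately owns it)
# and its drop files.
#
scalper (){
  SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
  SCALPER_PORT=2001
  OPT="-an"
  _chk_netstat_or_ss;
  [ "$netstat" = "ss" ] && OPT="-a"
  STATUS=0
  if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} " > /dev/null 2>&1; then
    if ! [ -e /usr/sbin/ser2net ]; then
      STATUS=1
    fi
  fi
  for i in ${SCALPER_FILES}; do
    if [ -f "${i}" ]; then
      STATUS=1
    fi
  done
  if [ ${STATUS} -eq 1 ] ;then
    echo "Warning: Possible Scalper Worm installed"
    return ${INFECTED}
  else
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    return ${NOT_INFECTED}
  fi
}

#
# Ramen worm "asp" backdoor: an asp entry in inetd.conf or an asp binary
# carrying the ASP_LABEL string.
#
asp (){
  ASP_LABEL="poop"
  STATUS=${NOT_INFECTED}
  CMD=$(loc asp asp $pth)
  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi
  if ${egrep} "^asp" "${ROOTDIR}etc/inetd.conf" >/dev/null 2>&1; then
    echo "Warning: Possible Ramen Worm installed in inetd.conf"
    STATUS=${INFECTED}
  fi
  # loc() hands back the bare name when nothing was found: nothing to inspect
  if [ "${CMD}" = "asp" ] || [ "${CMD}" = "${ROOTDIR}asp" ]; then
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    return ${NOT_INFECTED}
  fi
  if ${strings} -a "${CMD}" | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then
    # echo "INFECTED"
    STATUS=${INFECTED}
  else
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    return ${NOT_INFECTED}
  fi
  return ${STATUS}
}

#
# Promiscuous interfaces, via ./ifpromisc.  Only runs on the live system
# (ROOTDIR=/) and not on SunOS.  EXCLUDES_SNIF is an egrep pattern of
# interface lines the user chose to ignore.
#
sniffer () {
  if [ "${ROOTDIR}" != "/" ]; then
    if [ "${QUIET}" != "t" ]; then echo "not tested"; fi
    return ${NOT_TESTED}
  fi
  if [ "$SYSTEM" = "SunOS" ]; then
    if [ "${QUIET}" != "t" ]; then echo "not tested"; fi
    return ${NOT_TESTED}
  fi
  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "./ifpromisc" -v
    return 5
  fi
  if [ ! -x ./ifpromisc ]; then
    echo "not tested: can't exec ./ifpromisc"
    return ${NOT_TESTED}
  else
    # verbose unless quiet; kept as '&& ... ||' so that a failing '-v' run
    # still falls back to '-q' exactly as before
    outmsg=$([ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q)
    [ -n "$EXCLUDES_SNIF" ] && outmsg=$(echo "$outmsg" | grep -Ev "$EXCLUDES_SNIF")
    if [ -n "$outmsg" ]; then
      echo "Output from ifpromisc:"
      echo "$outmsg"
    else
      if [ "${QUIET}" != "t" ]; then echo "not found"; fi
    fi
  fi
}

#
# Deleted utmp entries, via ./chkutmp (skipped in "pm" mode).
#
chkutmp() {
  if [ ! -x ./chkutmp ] || [ "${mode}" = "pm" ]; then
    echo "not tested: can't exec ./chkutmp"
    return ${NOT_TESTED}
  fi
  if ./chkutmp
  then
    if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
  fi
}

#
# Deleted lastlog entries (z2 log wiper), via ./chklastlog.
#
z2 () {
  if [ ! -x ./chklastlog ]; then
    echo "not tested: can't exec ./chklastlog"
    return ${NOT_TESTED}
  fi
  WTMP=$(loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm")
  LASTLOG=$(loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm")
  if [ ! -f "$WTMP" ] && [ ! -f "$LASTLOG" ]; then
    echo "not tested: not found wtmp and/or lastlog file"
    return ${NOT_TESTED}
  fi
  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "./chklastlog ${QUIET_ARG} -f ${ROOTDIR}${WTMP} -l ${ROOTDIR}${LASTLOG}"
    return 5
  fi
  # QUIET_ARG is deliberately unquoted: it is either empty or a flag
  if ./chklastlog ${QUIET_ARG} -f "${ROOTDIR}${WTMP}" -l "${ROOTDIR}${LASTLOG}"
  then
    if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
  fi
}

#
# Deleted wtmp entries (wted log wiper), via ./chkwtmp or, on SunOS,
# ./check_wtmpx.
#
wted () {
  if [ ! -x ./chkwtmp ]; then
    echo "not tested: can't exec ./chkwtmp"
    return ${NOT_TESTED}
  fi
  if [ "$SYSTEM" = "SunOS" ]; then
    if [ ! -x ./check_wtmpx ]; then
      echo "not tested: can't exec ./check_wtmpx"
    else
      if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./check_wtmpx"
        return 5
      fi
      if [ -f "${ROOTDIR}var/adm/wtmp" ]; then
        if ./check_wtmpx
        then
          if [ "${QUIET}" != "t" ]; then \
            echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
        fi
      fi
    fi
  else
    WTMP=$(loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm")
    if [ "${EXPERT}" = "t" ]; then
      expertmode_output "./chkwtmp -f ${WTMP}"
      return 5
    fi
    if ./chkwtmp -f "${WTMP}"
    then
      if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
    fi
  fi
}

#
# Bind shells: listening TCP/UDP sockets on ports used by known backdoors.
#
bindshell () {
  PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
  OPT="-an"
  _chk_netstat_or_ss;
  [ "$netstat" = "ss" ] && OPT="-a"
  PI=""
  if [ "${ROOTDIR}" != "/" ]; then
    echo "not tested"
    return ${NOT_TESTED}
  fi
  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${netstat} ${OPT}"
    return 5
  fi
  # take the socket listing once and grep it per port, instead of running
  # netstat/ss again for each of the ~30 ports
  listening=$(${netstat} "${OPT}" 2>/dev/null | ${egrep} "^tcp.*LIST|^udp")
  for P in $(echo "$PORT" | ${sed} 's/|/ /g'); do
    if printf '%s\n' "${listening}" | ${egrep} "[.:]${P}[^0-9.:]" >/dev/null 2>&1
    then
      PI="${PI} ${P}"
    fi
  done
  if [ "${PI}" != "" ]
  then
    echo "INFECTED PORTS: ($PI)"
  else
    if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
  fi
}

#
# Loadable kernel module rootkits: Adore/Sebek symbols in the kernel symbol
# table, the Knark /proc directory, hidden processes (./chkproc) and
# directory link-count anomalies (./chkdirs).  Live system only.
#
lkm () {
  prog=""
  lkm_supported=0
  if [ "${ROOTDIR}" = "/" ]; then
    if [ "${SYSTEM}" = "Linux" ]; then
      lkm_supported=1
    elif [ "${SYSTEM}" = "FreeBSD" ]; then
      # NOTE(review): with '||' this is true for every release; a 4.3..6.0
      # window ('&&') was probably intended.  Left unchanged to keep behaviour.
      if [ "$(echo "${V}" | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }')" -eq 1 ]; then
        lkm_supported=1
      fi
    fi
  fi
  if [ ${lkm_supported} -eq 1 ]; then
    have_chkproc=f
    have_chkdirs=f
    # chkproc is useless without a populated /proc
    if [ -x ./chkproc ] && [ "$(find /proc -maxdepth 1 2>/dev/null | wc -l)" -gt 1 ]; then
      have_chkproc=t
      prog="./chkproc"
    fi
    if [ -x ./chkdirs ]; then
      have_chkdirs=t
      prog="$prog ./chkdirs"
    fi
    if [ "$prog" = "" ] || [ "${mode}" = "pm" ]; then
      echo "not tested: can't exec $prog"
      return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
      [ -r "$KALLSYMS" ] && ${egrep} -i "adore|sebek" < "$KALLSYMS" 2>/dev/null
      [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
      PV=$($ps -V 2>/dev/null | $cut -d " " -f 3 | ${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }')
      [ "$PV" = "" ] && PV=2
      [ "${SYSTEM}" = "SunOS" ] && PV=0
      expertmode_output "./chkproc -v -v -p $PV"
      return 5
    fi
    ### adore LKM
    if [ -r "$KALLSYMS" ] && ${egrep} -i adore < "$KALLSYMS" >/dev/null 2>&1; then
      echo "Warning: Adore LKM installed"
    fi
    ### sebek LKM (Adore based)
    if [ -r "$KALLSYMS" ] && ${egrep} -i sebek < "$KALLSYMS" >/dev/null 2>&1; then
      echo "Warning: Sebek LKM installed"
    fi
    ### knark LKM
    if [ -d /proc/knark ]; then
      echo "Warning: Knark LKM installed"
    fi
    # procps version class for 'chkproc -p': 1 below 2.11, 2 up to 3.19,
    # 3 above (the expert branch uses a different field and cut-off; kept)
    F=$($ps -V 2>/dev/null | wc -w)
    PV=$($ps -V 2>/dev/null | $cut -d " " -f "$F" | ${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }')
    [ "$PV" = "" ] && PV=2
    [ "${SYSTEM}" = "SunOS" ] && PV=0
    if [ "${DEBUG}" = "t" ]; then
      ${echo} "*** PV=$PV ***"
    fi
    # Run each helper only when it is actually available: previously both
    # ./chkproc and ./chkdirs were executed as soon as either one existed,
    # so a missing helper was reported as "Possible LKM Trojan installed".
    if [ "${have_chkproc}" = "t" ]; then
      if ./chkproc -p "${PV}"; then
        if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
      else
        echo "chkproc: Warning: Possible LKM Trojan installed"
      fi
    else
      if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
    fi
    if [ "${have_chkdirs}" = "t" ]; then
      # besides /tmp, only existing directories with a link count > 1
      dirs="/tmp"
      for i in /usr/share /usr/bin /usr/sbin /lib; do
        [ -d "$i" ] || continue
        if [ "$(ls -ld "$i" | cut -d " " -f 2)" -gt "1" ]; then
          dirs="$dirs $i"
        fi
      done
      if ./chkdirs $dirs; then
        if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
      else
        echo "chkdirs: Warning: Possible LKM Trojan installed"
      fi
    else
      if [ "${QUIET}" != "t" ]; then echo "not tested: can't exec ./chkdirs"; fi
    fi
  else
    if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
  fi
}

aliens () {
  if [ \( -z "${HOME}" -o "${HOME}" = "/" \) -a `id -u` = "0" -a -d "/root" ]; then
    HOME="/root"
  fi
  if [ "${EXPERT}" = "t" ]; then
    ### suspicious files
    FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
    sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
    etc/ld.so.hash"
    expertmode_output "${find} ${ROOTDIR}dev -type f"
    expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
    expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"
    expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8"
    expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'"
    expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk"
    expertmode_output "${find} ${ROOTDIR}usr/lib/dy0"
    expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277"
    expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/"
    for i in ${FILES}; do
      expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
    done
    [ -d ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
    [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. 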
" [ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx [ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd [ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so ### sniffer's logs expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \ ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \ .linux-sniff -o -name sniff-l0g -o -name core_ -o -wholename ${ROOTDIR}usr/lib/in.httpd -o \ -wholename ${ROOTDIR}usr/lib/in.pop3d" ### t0rn expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \ ${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \ ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn" LIBS= [ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib" [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib" [ -d ${ROOTDIR}usr/local/lib ] && \ LIBS="${LIBS} ${ROOTDIR}usr/local/lib" expertmode_output "${find} ${LIBS} -name libproc.a" ## Lion Worm expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh 2> /dev/null" ### ark expertmode_output "${find} ${ROOTDIR}dev -name ptyxx" expertmode_output "${find} ${ROOTDIR}usr/doc -name '... 
'" expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'" ### RK17 expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit" expertmode_output "${find} ${ROOTDIR}sbin -name pback" expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null" expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null" expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \ autod.o -o -name soundx.o 2> /dev/null" expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \ -name ct -o -name snick -o -name kfl" CGIDIR="" for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \ var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \ home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib; do [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}" done BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \ shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \ zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php" for j in ${CGIDIR}; do for i in ${BACKDOORS}; do [ -f ${j}/${i} ] && echo ${j}/${i} done done ### rsha expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \ -o -name n3tstat -o -name chsh2" expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha" expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \ ${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/" ### ShitC Worm expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \ -o -name frgy -o -name sy" expertmode_output "${find} ${ROOTDIR}usr/bin -type d -name dir" expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind" ### Omega Worm expertmode_output "${find} ${ROOTDIR}dev -name chr" ### rh-sharpe expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \ -o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \ -o -name ldu -o -name lnetstat" expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du" ### Adore Worm 
expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \ -name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \ -o -name adore" expertmode_output "${find} ${ROOTDIR}usr/lib/lib" expertmode_output "${find} ${ROOTDIR}usr/lib/libt" ### suspicious files and dirs suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk" DIR=${ROOTDIR}usr/lib [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man" [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib" [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib" expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'" expertmode_output "${find} ${DIR} -type d -name '.*'" expertmode_output "${find} ${DIR} -name '...*'" expertmode_output "${ls} ${suspects}" ### Maniac RK expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc" ### Ramen Worm expertmode_output "${find} ${ROOTDIR}usr/src/.poop \ ${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp" ### Sadmind/IIS Worm expertmode_output "${find} ${ROOTDIR}dev/cuc" ### Monkit expertmode_output "${find} ${ROOTDIR}lib/defs" ### Showtee expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \ ${ROOTDIR}usr/lib/.wormie \ ${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \ ${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \ ${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \ ${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h" ### Optickit expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf" ### T.R.K expertmode_output "${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct" ### MithRa's Rootkit expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot" ### OpenBSD rootkit v1 if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! 
-f /usr/lib/security/libgcj.security ] then expertmode_output "${find} ${ROOTDIR}usr/lib/security" fi ### LOC rootkit expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c" ### Romanian rootkit expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \ ${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \ ${ROOTDIR}usr/include/syslogs.h" ## HKRK rootkit ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ## Suckit rootkit expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'" expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init." expertmode_output "cat ${ROOTDIR}dev/.golf" ## Volc rootkit expertmode_output "${ls} ${ROOTDIR}usr/bin/volc" expertmode_output "${find} ${ROOTDIR}usr/lib/volc" ## Gold2 rootkit expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit" ## TC2 Worm expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \ ${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb" ## Anonoiyng rootkit expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd" ## ZK rootkit expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*" ## ShKit expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash" ## AjaKit expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh" expertmode_output "${find} ${ROOTDIR}dev -name tux" ## zaRwT expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout" ## Madalin rootkit expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \ -name iceconf.h -o -name iceseed.h" ## Fu rootkit expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \ ${ROOTDIR}usr/include -name xc -o -name .lib -o name ivtype.h" ## Kenga3 Rookit expertmode_output "${find} ${ROOTDIR}usr/include/. ." 
## ESRK Rookit expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3" ## rootedoor for i in `$echo ${PATH}|tr -s ':' ' '`; do expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor" done ## ENYE-LKM expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko" ## SSJD Operation Windigo (Linux/Ebury) ssh=`which ssh` if $ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[0-7]" >/dev/null; then expertmode_output "${ssh} -G 2>&1 | grep -e illegal -e unknow" fi ## Mumblehard backdoor/botnet expertmode_output "cat ${ROOTDIR}/var/spool/cron/crontabs | egrep var/tmp" ## Backdoors.Linux.Mokes.a expertmode_output "${ls} -l ${ROOTDIR}tmp/ss0-[0-]9*" expertmode_output "${ls} -l ${ROOTDIR}tmp/kk0-[0-]9*" ## Malicious TinyDNS expertmode_output "${ls} -l "${ROOTDIR}home/ ./root/"" ## Linux/Xor.DDoS expertmode_output "${find} ${ROOTDIR}tmp -executable -type f" expertmode_output "${find} ${ROOTDIR}etc/cron.hourly" ## CrossRAT expertmode_output "${find} ${ROOTDIR}usr/var ${findargs} -name mediamgrs.jar" ## Hidden Cobra (IBM AIX) expertmode_output "${find} ${ROOTDIR}tmp/.ICE-unix ${findargs} -name *.so" ## Rocke Monero Miner expertmode_output "${find} ${ROOTDIR}etc ${findargs} -name ld.so.pre -o -name xig" ## PWNLNX4 - An LKM Roottkit expertmode_output "${find} ${ROOTDIR}/opt/uOnlineBuilder64 ${ROOTDIR}/var/tmp/.1 ${ROOTDIR}/var/tmp/Linux_Server" ## PWNLNX6 - An LKM Roottkit expertmode_output "${find} ${ROOTDIR}/tmp/suterusu" ## Umbreon expertmode_output "${find} ${ROOTDIR}usr/share/libc.so*" ## KINSING.A Backdoor expertmode_output "${find} ${ROOTDIR}tmp/kdevtmp*" ## RotaJakiro expertmode_output "${ls} ${ROOTDIR}bin/system-daemon" ## Common SSH-SCANNERS expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2" ### shell history file check if [ ! -z "${SHELL}" -a ! 
-z "${HOME}" ]; then expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \ -size 0" expertmode_output "${find} ${ROOTDIR}${HOME} -maxdepth 1 -name .*history \ \( -links 2 -o -type l \)" fi return 5 ### expert mode ends here fi ### ### suspicious files and sniffer's logs ### suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \ usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \ tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \ usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \ etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin" dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \ var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so" # in an lxc container, /dev/console has a device bind-mounted over it, # so the next line tries to run egrep on /dev/console even with '-type f' # so we need to add '--device=skip' to grep files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} --device=skip -l "^[0-5] " {} \; 2>/dev/null` if [ "${files}" != "" ]; then echo echo ${files} fi for i in ${dir}; do if [ -d ${ROOTDIR}${i} ]; then echo echo "Suspect directory ${i} FOUND! Looking for sniffer logs" files=`${find} ${ROOTDIR}${i}` echo echo ${files} fi done for i in ${suspects}; do if [ -f ${ROOTDIR}${i} ]; then echo "${ROOTDIR}${i} " files="INFECTED" fi done if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi fi if [ "${QUIET}" != "t" ]; then \ printn "Searching for sniffer's logs, it may take a while... 
"; fi files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \ ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \ 2>/dev/null` if [ "${files}" = "" ] then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo echo ${files} fi lookfor_rootkit() { rkname=$1; files=$2; dirs=$3; # file/directory names cannot have whitespace if [ "${QUIET}" != "t" ]; then \ printn "Searching for rootkit $rkname's default files... "; fi bad=""; for f in $files ; do if [ -r ${ROOTDIR}${f} ]; then for exclude in $EXCLUDES; do if [ /${f} = $exclude ]; then continue 2; fi done bad="$bad ${ROOTDIR}$f"; fi done for d in $dirs ; do if [ -d ${ROOTDIR}${d} ]; then for exclude in $EXCLUDES; do if [ /${d} = $exclude ]; then continue 2; fi done bad="$bad ${ROOTDIR}$d"; fi done if [ "$bad" != "" ]; then echo "Possible $rkname rootkit installed:" echo "$bad" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi } ### HiDrootkit lookfor_rootkit "HiDrootkit" "" "var/lib/games/.k" ### t0rn lookfor_rootkit "t0rn" "etc/ttyhash sbin/xlogin lib/ldlib.tk" \ "usr/src/.puta usr/info/.t0rn" ### t0rn v8 if [ "${QUIET}" != "t" ]; then \ printn "Searching for t0rn's v8 defaults... 
"; fi [ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib" [ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib" if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \ "$SYSTEM" != "FreeBSD" ] then echo "Possible t0rn v8 (or variation) rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Lion Worm lookfor_rootkit "Lion" "bin/in.telnetd bin/mjy" "usr/info/.torn dev/.lib" ### RSHA rootkit lookfor_rootkit "RSHA" "bin/kr4p usr/bin/n3tstat usr/bin/chsh2 \ usr/bin/slice2 usr/src/linux/arch/alpha/lib/.lib/.1proc \ etc/rc.d/arch/alpha/lib/.lib/.1addr" "etc/rc.d/rsha \ etc/rc.d/arch/alpha/lib/.lib" ### RH-Sharpe rootkit lookfor_rootkit "RH-Sharpe" "bin/lps usr/bin/lpstree \ usr/bin/ltop usr/bin/lkillall usr/bin/ldu \ usr/bin/lnetstat usr/bin/wp usr/bin/shad \ usr/bin/vadim usr/bin/slice usr/bin/cleaner \ usr/include/rpcsvc/du" "" ### ark rootkit if [ "${QUIET}" != "t" ]; then printn \ "Searching for Ambient's rootkit (ark) default files and dirs... "; fi if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \ -d ${ROOTDIR}usr/doc/"... " ]; then echo "Possible Ambient's rootkit (ark) installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### suspicious files and dirs DIR="${ROOTDIR}usr/lib" [ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man" [ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib" if [ "${QUIET}" != "t" ]; then printn \ "Searching for suspicious files and dirs, it may take a while... "; fi # matches files and directories named '...' and '.. ' but not "." or ".." files=`${find} ${DIR} -name ".*"` if [ "${files}" = "" ] then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else outmsg="" if [ -n "${EXCLUDES}" ]; then for name in $files; do for exclude in $EXCLUDES; do if [ $name = $exclude ]; then continue 2; fi done outmsg="$outmsg$name\n" done else outmsg="${files}\n" fi if [ ! 
-z "$outmsg" ]; then echo "The following suspicious files and directories were found:" echo "$outmsg" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi fi ### LPD Worm if [ "${QUIET}" != "t" ]; then \ printn "Searching for LPD Worm files and dirs... "; fi if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \ ${egrep} '^[[:space:]]*666[[:space:]]' ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ; then echo "Possible LPD worm installed" elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \ -f ${ROOTDIR}bin/.login ]; then echo "Possible LPD worm installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Ramem Worm if [ "${QUIET}" != "t" ]; then \ printn "Searching for Ramen Worm files and dirs... "; fi if [ -d ${ROOTDIR}usr/src/.poop -o -f \ ${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ] then echo "Possible Ramen worm installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Maniac rootkit if [ "${QUIET}" != "t" ]; then \ printn "Searching for Maniac files and dirs... "; fi files=`${find} ${ROOTDIR}usr/bin -name mailrc` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### RK17 rookit if [ "${QUIET}" != "t" ]; then \ printn "Searching for RK17 files and dirs... 
"; fi CGIDIR="" for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \ var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \ home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib; do [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}" done files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \ ${find} ${ROOTDIR}sbin -name pback && \ ${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \ ${find} ${ROOTDIR}proc -name kset 2> /dev/null && \ ${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \ 2> /dev/null && \ ${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2> /dev/null` BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \ shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \ zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php" files="" for j in ${CGIDIR}; do for i in ${BACKDOORS}; do [ -f ${j}/${i} ] && files="${files} ${j}/${i}" done done if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### Ducoci rootkit if [ "${QUIET}" != "t" ]; then \ printn "Searching for Ducoci rootkit... "; fi files=`${find} ${CGIDIR} -name last.cgi` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### Adore Worm if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \ -name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null` [ "${files}" != "" ] && echo ${files} fi ### ShitC Worm if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... 
"; fi files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \ ${find} ${ROOTDIR}usr/bin -type d -name dir || \ ${find} ${ROOTDIR}usr/sbin -name in.slogind` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### Omega Worm if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi files=`${find} ${ROOTDIR}dev -name chr 2>/dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### China Worm (Sadmind/IIS Worm) if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### MonKit if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \ 2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### Showtee if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi if [ -d ${ROOTDIR}usr/lib/.egcs ] || \ [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \ [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \ [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \ [ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \ [ -f ${ROOTDIR}usr/include/chk.h ]; then echo "Warning: Possible Showtee Rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### ### OpticKit ### if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... 
"; fi files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \ 2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### T.R.K files="" if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf 2>/dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### Mithra's Rootkit files="" if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### OpenBSD rootkit v1 if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then files="" files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null` if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### LOC rootkit files="" if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null` if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" echo `loc epic epic $pth` fi ### Romanian rootkit files="" if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi for i in file.h proc.h addr.h syslogs.h; do if [ -f ${ROOTDIR}usr/include/${i} ]; then files="$files ${ROOTDIR}usr/include/$i" fi done if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ### HKRK if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... 
"; fi if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then echo "Warning: /etc/rc.d/init.d/network INFECTED" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Suckit if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi if [ -f ${ROOTDIR}sbin/init ]; then if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' || \ cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1 then # ignore false positive bug #740898 # also ignore false positive on non-systemd init systems. See bug #901557 [ ! -h ${ROOTDIR}sbin/init ] || readlink -f ${ROOTDIR}sbin/init|${egrep} -q "/sbin/upstart$|/systemd$" if [ $? -eq 0 ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "Warning: ${ROOTDIR}sbin/init INFECTED" fi else if [ -d ${ROOTDIR}/dev/.golf ]; then echo "Warning: Suspect directory ${ROOTDIR}dev/.golf" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi fi else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Volc if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then echo "Warning: Possible Volc rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Gold2 if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi if [ -f ${ROOTDIR}usr/bin/ishit ] ; then echo "Warning: Possible Gold2 rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### TC2 Worm if [ "${QUIET}" != "t" ]; then \ printn "Searching for TC2 Worm default files and dirs... 
"; fi if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \ -f ${ROOTDIR}usr/sbin/initcheck -o -f ${ROOTDIR}usr/sbin/ldb ] then echo "Possible TC2 Worm installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### ANONOYING Rootkit if [ "${QUIET}" != "t" ]; then \ printn "Searching for Anonoying rootkit default files and dirs... "; fi if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then echo "Possible anonoying rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### ZK Rootkit if [ "${QUIET}" != "t" ]; then \ printn "Searching for ZK rootkit default files and dirs... "; fi if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then echo "Possible ZK rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### ShKit if [ "${QUIET}" != "t" ]; then printn "Searching for ShKit rootkit default files and dirs... "; fi if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then echo "Possible ShKit rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### AjaKit if [ "${QUIET}" != "t" ]; then printn "Searching for AjaKit rootkit default files and dirs... "; fi if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then echo "Possible AjaKit rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### zaRwT if [ "${QUIET}" != "t" ]; then printn "Searching for zaRwT rootkit default files and dirs... "; fi if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then echo "Possible zaRwT rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Madalin rootkit if [ "${QUIET}" != "t" ]; then printn "Searching for Madalin rootkit default files... 
"; fi D=${ROOTDIR}usr/include if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then echo "Possible Madalin rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Fu rootkit if [ "${QUIET}" != "t" ]; then printn "Searching for Fu rootkit default files... "; fi if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \ -f ${ROOTDIR}usr/include/ivtype.h ]; then echo "Possible Fu rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### ESRK if [ "${QUIET}" != "t" ]; then printn "Searching for ESRK rootkit default files... "; fi if [ -d "${ROOTDIR}/usr/lib/tcl5.3" ]; then echo "Possible ESRK rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## rootedoor if [ "${QUIET}" != "t" ]; then printn "Searching for rootedoor... "; fi found=0 for i in `$echo $PATH|tr -s ':' ' '`; do if [ -f "${ROOTDIR}${i}/rootedoor" ]; then echo "Possible rootedoor installed in ${ROOTDIR}${i}" found=1 fi done [ "${found}" = "0" ] &&\ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi ### ENYELKM if [ "${QUIET}" != "t" ]; then printn "Searching for ENYELKM rootkit default files... "; fi if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then echo "Possible ENYELKM rootkit installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## Common SSH-SCANNERS if [ "${QUIET}" != "t" ]; then printn "Searching for common ssh-scanners default files... "; fi files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`" if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi elif $ssh -G 2>&1 | grep usage > /dev/null; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ## SSJD Operation Windigo (Linux/Ebury) LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1" if [ "${QUIET}" != "t" ]; then printn "Searching for Linux/Ebury - Operation Windigo ssh... 
"; fi if $ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" >/dev/null; then if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "Possible Linux/Ebury 1.4 - Operation Windigo installed" fi fi if [ ! -f "${ROOTDIR}${LIBKEY}" ]; then if [ "${QUIET}" != "t" ]; then echo "not tested"; fi else if ${strings} -a ${ROOTDIR}${LIBKEY} | egrep "libns2|libns5|libpw3|libpw5|libsbr|libslr" >/dev/null; then echo "Possible Linux/Ebury 1.6 - Operation Windigo installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi fi ## ## Linux Rootkit 64 bits if [ "${QUIET}" != "t" ]; then printn "Searching for 64-bit Linux Rootkit ... "; fi if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \ ${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then echo "Possible 64-bit Linux Rootkit" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi if [ "${QUIET}" != "t" ]; then printn "Searching for 64-bit Linux Rootkit modules... "; fi files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`" if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ## Mumblehard backdoor/botnet if [ "${QUIET}" != "t" ]; then printn "Searching for Mumblehard Linux ... "; fi if [ -e ${ROOTDIR}var/spool/cron/crontabs ]; then cat ${ROOTDIR}var/spool/cron/crontabs/* 2>/dev/null | egrep "var/tmp" if [ $? -ne 0 ] ; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "Possible Mumblehard backdoor installed" fi else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## Backdoor.Linux.Mokes.a if [ "${QUIET}" != "t" ]; then printn "Searching for Backdoor.Linux.Mokes.a ... 
"; fi files="`${find} ${ROOTDIR}tmp/ ${findargs} -name "ss0-[0-9]*" -o -name "kk-[0-9]*" 2> /dev/null`" if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "${files}" fi ## Malicious TinyDNS if [ "${QUIET}" != "t" ]; then printn "Searching for Malicious TinyDNS ... "; fi files="`${find} "${ROOTDIR}home/ ./" 2> /dev/null`" if [ "${files}" = "" ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "INFECTED: Possible Malicious TinyDNS installed" fi ## Linux/Xor.DDoS if [ "${QUIET}" != "t" ]; then printn "Searching for Linux.Xor.DDoS ... "; fi files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`" if [ "${files}" = "" ]; then files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`" files="$files $($ls ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)" if [ "${files}" = " " ]; then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed" fi else echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed" echo "${files}" fi ## Linux.Proxy 1.0 if [ "${QUIET}" != "t" ]; then printn "Searching for Linux.Proxy.1.0 ... "; fi if ${egrep} -i mother ${ROOTDIR}etc/passwd >/dev/null 2>&1 ; then echo "INFECTED: Possible Malicious Linux.Proxy.10 installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi # Linux/CrossRAT if [ "${QUIET}" != "t" ]; then printn "Searching for CrossRAT ... "; fi if ${ls} ${ROOTDIR}usr/var/mediamgrs.jar 2>/dev/null; then echo "INFECTED: Possible Malicious CrossRAT installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## Hidden Cobra (IBM AIX) if [ "${QUIET}" != "t" ]; then printn "Searching for Hidden Cobra ... 
"; fi if ${ls} ${ROOTDIR}tmp/.ICE-unix/m*.so ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then echo "INFECTED: Possible Malicious Hidden Cobra installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ### Rocke Monero Miner if [ "${QUIET}" != "t" ]; then printn "Searching for Rocke Miner ... "; fi if [ -f "${ROOTDIR}etc/ld.so.pre" -o -f "${ROOTDIR}etc/xig" ] ; then echo "INFECTED: Possible Malicious Rocke Miner installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## PWNLNX4 - An LKM Roottkit if [ "${QUIET}" != "t" ]; then printn "Searching for PWNLNX4 lkm... "; fi if [ -d "${ROOTDIR}/uOnlineBuilder64" -o -d "${ROOTDIR}/var/tmp/.1" -o -d "${ROOTDIR}/var/tmp/Linux_Server" ]; then echo "INFECTED: Possible Malicious PWNLNX4 installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## PWNLNX6 - Another LKM Roottkit if [ "${QUIET}" != "t" ]; then printn "Searching for PWNLNX6 lkm... "; fi if [ -d "${ROOTDIR}/tmp/suterusu" ] ; then echo "INFECTED: Possible Malicious PWNLNX6 installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## Umbreon Linux Rootkit if [ "${QUIET}" != "t" ]; then printn "Searching for Umbreon lrk... "; fi if ${ls} ${ROOTDIR}usr/share/libc.so.* > /dev/null 2>&1 ; then echo "INFECTED: Possible Malicious UMBREON LRK installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## KINSING.A Backdoor if [ "${QUIET}" != "t" ]; then printn "Searching for Kinsing.a backdoor... "; fi if ${ls} "${ROOTDIR}tmp/kdevtmpfsi" > /dev/null 2>&1 ; then echo "INFECTED: Possible Malicious KINSING.A Backdoor installed" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi fi ## RotaJakiro Backdoor if [ "${QUIET}" != "t" ]; then printn "Searching for RotaJakiro backdoor... 
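"; fi
if ${ls} "${ROOTDIR}bin/systemd-daemon" > /dev/null 2>&1 ; then
    echo "INFECTED: Possible Malicious JOTAJAKIRO Backdoor installed"
else
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi

###
### Suspects PHP files
###
# Two signals: *.php names under the temp dirs, and files whose first line
# is a php shebang (checked with head -n 1 when that syntax works, head -1
# otherwise).
if [ "${QUIET}" != "t" ]; then printn "Searching for suspect PHP files... "; fi
files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
if [ `echo abc | _head -1` = "abc" ]; then
    fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec sh -c 'head -n 1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;`"
else
    fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec sh -c 'head -1 "$1" 2> /dev/null | grep -q "^#!.*php" && echo "$1"' {} {} \;`"
fi
if [ "${files}" = "" -a "${fileshead}" = "" ]; then
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
else
    echo
    echo "${files}"
    echo "${fileshead}"
fi

###
### shell history anomalies
###
# A zero-length or hard/sym-linked .*history file in $HOME is a classic
# sign of an attacker hiding shell activity (e.g. ln -s /dev/null).
if [ "${QUIET}" != "t" ]; then printn "Searching for anomalies in shell history files... "; fi
files=""
if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
    files=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' -size 0`
    [ ! -z "${files}" ] && \
        echo "Warning: \`${files}' file size is zero"
    files1=`${find} ${ROOTDIR}${HOME} -maxdepth 1 -name '.*history' \( -links 2 -o -type l \)`
    [ ! -z "${files1}" ] && \
        echo "Warning: \`${files1}' is linked to another file"
fi
if [ -z "${files}" -a -z "${files1}" ]; then
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
fi
}

######################################################################
# util functions

#######################################
# Our which(1).
# Arguments: $1 - file name to look for ("." means "a directory named
#                 <dir>/." i.e. any existing dir in the path)
#            $2 - name to print when nothing is found
#            $3.. - directories to search
# Outputs:   the first <dir>/<name> that is a regular file, else $2
#            prefixed with ROOTDIR (unless ROOTDIR is "/")
# Returns:   exits with 0 when found, 1 otherwise. Because it calls
#            `exit`, it must be invoked in a subshell: CMD=`loc x x $pth`
#######################################
loc () {
    ### usage: loc filename filename_to_return_if_nothing_was_found path
    thing=$1
    shift
    dflt=$1
    shift
    for dir in $*; do
        case "$thing" in
            .)
                if test -d $dir/$thing; then
                    echo $dir
                    exit 0
                fi
                ;;
            *)
                # glob loop keeps the last expansion of $dir/$thing
                for thisthing in $dir/$thing; do :; done
                if test -f $thisthing; then
                    echo $thisthing
                    exit 0
                fi
                ;;
        esac
    done
    if [ "${ROOTDIR}" = "/" ]; then
        echo ${dflt}
    else
        echo "${ROOTDIR}${dflt}"
    fi
    exit 1
}

#######################################
# Resolve the binary of a running daemon by name.
# Arguments: $1 - process name, matched with ${L_REGEXP}$1${R_REGEXP}
#                 against `${ps} ${ps_cmd}` (field 5 is taken as the path)
# Globals:   sets CMD to the first readable candidate among
#            ROOTDIR+<ps path>, ROOTDIR/usr/sbin/$1 and `loc $1`.
#            NOTE(review): when no matching process is found CMD is left
#            untouched, so a caller sees the previous check's CMD.
# Returns:   0 if CMD was set to a readable file, 1 otherwise
#######################################
getCMD() {
    RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
        ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
        ${awk} '{ print $5 }'`
    if [ -n "${RUNNING}" ]; then
        for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
        do
            CMD="${i}"
            if [ -r "${i}" ]
            then
                return 0
            fi
        done
    fi
    return 1
}

#######################################
# Print a banner and the combined stdout/stderr of a command string.
# Arguments: $1 - command line, run through eval. Only ever called with
#            strings assembled inside this script (strings/ls of CMD);
#            never pass externally supplied text.
# Returns:   0
#######################################
expertmode_output() {
    echo "###"
    echo "### Output of: $1"
    echo "###"
    eval $1 2>&1
    return 0
}

#######################################
# Probe whether this find(1) understands -fstype nfs and, if so, set
# findargs so NFS mounts are pruned from the aliens searches.
# Globals:   writes findargs
# NOTE(review): " -fstype nfs -prune " with no trailing -o is ANDed with
# the caller's -name tests, which appears to restrict those searches to
# NFS entries; the commented variant with -o is the usual idiom. Whether
# tnfs is actually invoked is not visible from this part of the file —
# confirm before changing.
#######################################
tnfs () {
    ## Check if -fstype nfs works
    findargs=""
    if find /etc -maxdepth 0 >/dev/null 2>&1; then
        find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
            findargs=" -fstype nfs -prune "
#            findargs=" -fstype nfs -prune -o "
    elif find /etc -prune > /dev/null 2>&1; then
        find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
            findargs=" -fstype nfs -prune "
#            findargs=" -fstype nfs -prune -o "
    fi
}

######################################################################
# trojan functions
#
# Common contract of every chk_<name> below:
#   * the binary is located with `loc <name> <name> $pth` (or getCMD for
#     daemons) into the global CMD; $pth and ROOTDIR come from the caller
#   * `${strings} -a ${CMD}` is grepped for a signature regex; some checks
#     additionally flag a set-uid bit (mode string matching "^...s")
#   * the return value is one of INFECTED / NOT_INFECTED / NOT_TESTED /
#     NOT_FOUND / INFECTED_BUT_DISABLED (defined earlier in the file)
#   * with EXPERT=t the raw strings/ls output is dumped through
#     expertmode_output and the function returns 5 instead of testing
#   * QUIET=t suppresses the informational "not found" messages
# STATUS and CMD are globals shared with the caller.

# chfn: generic label; on FreeBSD a fixed number of hits is legitimate
# (1 from 5.0 on, 2 before), so only a different count is flagged.
chk_chfn () {
    STATUS=${NOT_INFECTED}
    CMD=`loc chfn chfn $pth`
    [ ${?} -ne 0 ] && return ${NOT_FOUND}
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    case "${SYSTEM}" in
        Linux)
            if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
                >/dev/null 2>&1
            then
                STATUS=${INFECTED}
            fi;;
        FreeBSD)
            [ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2
            if [ `${strings} -a ${CMD} | \
                ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
            then
                STATUS=${INFECTED}
            fi;;
    esac
    return ${STATUS}
}

# chsh: like chfn, but Fedora > 32 ships a chsh that legitimately matches
# the "^/bin/.*sh$" part of the generic label, so a reduced label is used
# there; a hit is also ignored when the Red Hat PAM marker is present.
chk_chsh () {
    STATUS=${NOT_INFECTED}
    CMD=`loc chsh chsh $pth`
    [ ${?} -ne 0 ] && return ${NOT_FOUND}
    REDHAT_PAM_LABEL="*NOT*"
    GENERIC_ROOTKIT_FEDORA=${GENERIC_ROOTKIT_LABEL}
    if [ -f /etc/system-release ]; then
        # "0" prefix keeps the -gt test numeric when no Fedora line matches
        v="0"`${egrep} -i fedora /etc/system-release | cut -d " " -f 3`
        if [ "$v" -gt "32" ]; then
            GENERIC_ROOTKIT_FEDORA="bash|elite$|vejeta|\.ark|iroffer"
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    case "${SYSTEM}" in
        Linux)
            if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_FEDORA}" \
                >/dev/null 2>&1
            then
                if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
                    >/dev/null 2>&1
                then
                    :
                else
                    STATUS=${INFECTED}
                fi
            fi;;
        FreeBSD)
            [ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
            if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
            then
                STATUS=${INFECTED}
            fi;;
    esac
    return ${STATUS}
}

# login: counts "^root$" strings (a known-good count depends on the OS and
# version) and greps for a list of login-trojan markers.
chk_login () {
    STATUS=${NOT_INFECTED}
    CMD=`loc login login $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if [ "$SYSTEM" = "SunOS" ]; then
        TROJED_L_L="porcao|/bin/xstat"
        # The stray "]" that used to follow the redirections was passed to
        # egrep as a file name, so this branch could never report INFECTED.
        if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1; then
            return ${INFECTED}
        else
            return ${NOT_TESTED}
        fi
    fi
    GENERAL="^root$"
    TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola"
    ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
    if [ ${ret} -gt 0 ]; then
        case ${ret} in
            1) [ "${SYSTEM}" = "OpenBSD" -a `echo $V | ${awk} '{ if ($1 < 2.7 || $1 >= 3.0) print 1; else print 0}'` -eq 1 ] && \
                STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
            2) [ "${SYSTEM}" = "FreeBSD" -o ${SYSTEM} = "NetBSD" -o ${SYSTEM} = \
                "OpenBSD" -a `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
            6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
            *) STATUS=${INFECTED};;
        esac
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# passwd: generic label plus "/lib/security". Note that, unlike the other
# checks, expert mode does not return 5 but falls through to the test.
# OpenBSD, SunOS and HP-UX are not tested.
chk_passwd () {
    STATUS=${NOT_INFECTED}
    CMD=`loc passwd passwd $pth`
    if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then
        CMD="${ROOTDIR}usr/bin/passwd"
    fi
    if [ ! -r "${CMD}" ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
    fi
    if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" -o "${SYSTEM}" \
        = "HP-UX" ]
    then
        return ${NOT_TESTED}
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# inetd: binary taken from the running process (getCMD); generic label.
chk_inetd () {
    STATUS=${NOT_INFECTED}
    getCMD 'inetd'
    if [ ! -r ${CMD} -o ${CMD} = '/' ]
    then
        return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# syslogd: device-node and header names left behind by syslogd trojans.
chk_syslogd () {
    STATUS=${NOT_INFECTED}
    SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h"
    CMD=`loc syslogd syslogd $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# hdparm: flags a reference to /dev/ida.
chk_hdparm () {
    STATUS=${NOT_INFECTED}
    HDPARM_INFECTED_LABEL="/dev/ida"
    CMD=`loc hdparm hdparm $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# gpm: a real gpm has no business mentioning mingetty.
chk_gpm () {
    STATUS=${NOT_INFECTED}
    GPM_INFECTED_LABEL="mingetty"
    CMD=`loc gpm gpm $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# mingetty: Italian strings embedded by a known trojaned build.
chk_mingetty () {
    STATUS=${NOT_INFECTED}
    MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
    CMD=`loc mingetty mingetty $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# sendmail: single marker string.
chk_sendmail () {
    STATUS=${NOT_INFECTED}
    SENDMAIL_INFECTED_LABEL="fuck"
    CMD=`loc sendmail sendmail $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# ls: hidden-file config paths used by ls-hiding trojans.
chk_ls () {
    STATUS=${NOT_INFECTED}
    LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
    CMD=`loc ls ls $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# du: same family of markers as ls.
chk_du () {
    STATUS=${NOT_INFECTED}
    DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
    CMD=`loc du du $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# named: tries named, then in.named.
chk_named () {
    STATUS=${NOT_INFECTED}
    NAMED_I_L="blah|bye"
    CMD=`loc named named $pth`
    if [ ! -r "${CMD}" ]; then
        CMD=`loc in.named in.named $pth`
        if [ ! -r "${CMD}" ]; then
            return ${NOT_FOUND}
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# netstat: device nodes and helper names used by connection-hiding builds.
chk_netstat () {
    STATUS=${NOT_INFECTED}
    NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
    CMD=`loc netstat netstat $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# ps: markers of process-hiding ps replacements.
chk_ps () {
    STATUS=${NOT_INFECTED}
    PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so"
    CMD=`loc ps ps $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# pstree: same family of markers as ps.
chk_pstree () {
    STATUS=${NOT_INFECTED}
    PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h"
    CMD=`loc pstree pstree $pth`
    if [ ! -r "${CMD}" ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# crontab: a crontab for "nobody" is itself suspicious (Lupper worm); it
# is INFECTED when the entry mentions "crontab.*666".
chk_crontab () {
    STATUS=${NOT_INFECTED}
    CRONTAB_I_L="crontab.*666"
    CMD=`loc crontab crontab $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${CMD} -l -u nobody"
        return 5
    fi
    # slackware's crontab have a bug
    # patterns are quoted so the shell cannot glob-expand them against the cwd
    if ( ${CMD} -l -u nobody | $egrep '[0-9]' ) >/dev/null 2>&1 ; then
        ${echo} "Warning: crontab for nobody found, possible Lupper.Worm... "
        if ${CMD} -l -u nobody 2>/dev/null | ${egrep} "${CRONTAB_I_L}" >/dev/null 2>&1
        then
            STATUS=${INFECTED}
        fi
    fi
    return ${STATUS}
}

# top: process-hiding markers.
chk_top () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit"
    CMD=`loc top top $pth`
    if [ ! -r ${CMD} ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# pidof: reuses the TOP_INFECTED_LABEL variable name for its own pattern.
chk_pidof () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/pty[pqrs]"
    CMD=`loc pidof pidof $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# killall: reuses the TOP_INFECTED_LABEL variable name for its own pattern.
chk_killall () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h"
    CMD=`loc killall killall $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# ld.so.preload style libraries: INFECTED when the bundled static strings
# binary can read ROOTDIR/lib/libshow.so or libproc.a (i.e. they exist).
# A static strings is required because a preloaded library could subvert
# a dynamically linked one. Linux only.
chk_ldsopreload() {
    STATUS=${NOT_INFECTED}
    CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a"
    if [ "${SYSTEM}" = "Linux" ]
    then
        if [ ! -x ./strings-static ]; then
            printn "can't exec ./strings-static, "
            return ${NOT_TESTED}
        fi
        if [ "${EXPERT}" = "t" ]; then
            expertmode_output "./strings-static -a ${CMD}"
            return 5
        fi
        ### strings must be a statically linked binary.
        if ./strings-static -a ${CMD} > /dev/null 2>&1
        then
            STATUS=${INFECTED}
        fi
    else
        STATUS=${NOT_TESTED}
    fi
    return ${STATUS}
}

# basename: generic label, plus set-uid bit (skipped on OSF1).
chk_basename () {
    STATUS=${NOT_INFECTED}
    CMD=`loc basename basename $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    [ "$SYSTEM" != "OSF1" ] && {
        if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
        then
            STATUS=${INFECTED}
        fi
    }
    return ${STATUS}
}

# dirname: generic label, plus set-uid bit.
chk_dirname () {
    STATUS=${NOT_INFECTED}
    CMD=`loc dirname dirname $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# traceroute: generic label.
chk_traceroute () {
    STATUS=${NOT_INFECTED}
    CMD=`loc traceroute traceroute $pth`
    if [ ! -r "${CMD}" ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# rpcinfo: generic label, plus set-uid bit.
chk_rpcinfo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc rpcinfo rpcinfo $pth`
    if [ ! -r "${CMD}" ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# date: generic label plus set-uid bit. On FreeBSD > 4.9 the count of
# "/bin/.*sh" hits is used instead: 0 or 2 are treated as clean.
chk_date () {
    STATUS=${NOT_INFECTED}
    S_L="/bin/.*sh"
    CMD=`loc date date $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if [ "${SYSTEM}" = "FreeBSD" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ]; then
        N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
            ${egrep} -c "$S_L"`
        if [ ${N} -ne 2 -a ${N} -ne 0 ]; then
            STATUS=${INFECTED}
        fi
    else
        # matches are discarded (they used to leak onto stdout)
        if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
        then
            STATUS=${INFECTED}
        fi
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# echo: generic label, plus set-uid bit.
chk_echo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc echo echo $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# env: generic label, plus set-uid bit.
chk_env () {
    STATUS=${NOT_INFECTED}
    CMD=`loc env env $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# timed: tries timed, then in.timed; generic label.
chk_timed () {
    STATUS=${NOT_INFECTED}
    CMD=`loc timed timed $pth`
    if [ ${?} -ne 0 ]; then
        CMD=`loc in.timed in.timed $pth`
        if [ ${?} -ne 0 ]; then
            return ${NOT_FOUND}
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# identd (in.identd): generic label.
chk_identd () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.identd in.identd $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# init: a UPX-packed init is treated as infected.
chk_init () {
    STATUS=${NOT_INFECTED}
    INIT_INFECTED_LABEL="UPX"
    CMD=`loc init init $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# pop2 (in.pop2d): generic label.
chk_pop2 () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop2d in.pop2d $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# pop3 (in.pop3d): generic label.
chk_pop3 () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop3d in.pop3d $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# write: reduced label (hits mentioning "locale" are ignored), plus
# set-uid bit.
chk_write () {
    STATUS=${NOT_INFECTED}
    CMD=`loc write write $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if [ ! -f "${CMD}" ]; then
        STATUS=${NOT_FOUND}
        return ${STATUS}
    fi
    if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# w: a real w(1) does not embed "uname -a".
chk_w () {
    STATUS=${NOT_INFECTED}
    CMD=`loc w w $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    W_INFECTED_LABEL="uname -a"
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# vdir: flags a reference to /lib/volc (Volc rootkit).
chk_vdir () {
    STATUS=${NOT_INFECTED}
    CMD=`loc vdir vdir $pth`
    VDIR_INFECTED_LABEL="/lib/volc"
    if [ ! -r ${CMD} ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# tar: only the set-uid bit is checked.
chk_tar () {
    STATUS=${NOT_INFECTED}
    CMD=`loc tar tar $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# rexedcs: the mere presence of in.rexedcs is reported as INFECTED.
rexedcs () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.rexedcs in.rexedcs $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    STATUS=${INFECTED}
    echo "INFECTED: $CMD"
    return ${STATUS}
}

# mail: an embedded interactive shell invocation ("sh -i") or a set-uid
# bit; not tested on HP-UX.
chk_mail () {
    STATUS=${NOT_INFECTED}
    CMD=`loc mail mail $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi
    [ "${SYSTEM}" = "HP-UX" ] && return $NOT_TESTED
    MAIL_INFECTED_LABEL="sh -i"
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# biff: generic label, plus set-uid bit.
chk_biff () {
    STATUS=${NOT_INFECTED}
    CMD=`loc biff biff $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# egrep: single marker string.
chk_egrep () {
    STATUS=${NOT_INFECTED}
    EGREP_INFECTED_LABEL="blah"
    CMD=`loc egrep egrep $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# grep: single marker string, plus set-uid bit.
chk_grep () {
    STATUS=${NOT_INFECTED}
    GREP_INFECTED_LABEL="givemer"
    CMD=`loc grep grep $pth`
    if [ "${?}" -ne 0 ]
    then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# find: file-hiding markers.
chk_find () {
    STATUS=${NOT_INFECTED}
    FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h"
    CMD=`loc find find $pth`
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# rlogind: tries in.rlogind, then rlogind; backdoor password markers.
chk_rlogind () {
    STATUS=${NOT_INFECTED}
    RLOGIN_INFECTED_LABEL="p1r0c4|r00t"
    CMD=`loc in.rlogind in.rlogind $pth`
    if [ ! -x "${CMD}" ]; then
        CMD=`loc rlogind rlogind $pth`
        if [ ! -x "${CMD}" ]; then
            return ${NOT_FOUND}
        fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# lsof: flags a "/prof" config path.
chk_lsof () {
    STATUS=${NOT_INFECTED}
    LSOF_INFECTED_LABEL="^/prof"
    CMD=`loc lsof lsof $pth`
    if [ ! -x "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# amd: single marker string.
chk_amd () {
    STATUS=${NOT_INFECTED}
    AMD_INFECTED_LABEL="blah"
    CMD=`loc amd amd $pth`
    if [ ! -x "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# slogin: single marker string.
chk_slogin () {
    STATUS=${NOT_INFECTED}
    SLOGIN_INFECTED_LABEL="homo"
    CMD=`loc slogin slogin $pth`
    if [ ! -x "${CMD}" ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# cron: tries cron, then crond; disk device markers.
chk_cron () {
    STATUS=${NOT_INFECTED}
    CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
    CMD=`loc cron cron $pth`
    if [ "${?}" -ne 0 ]; then
        CMD=`loc crond crond $pth`
    fi
    if [ "${?}" -ne 0 ]
    then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# ifconfig: starts out INFECTED and is cleared only when the binary still
# knows the PROMISC flag (sniffer rootkits strip it); explicit rootkit
# markers re-flag it.
chk_ifconfig () {
    STATUS=${INFECTED}
    CMD=`loc ifconfig ifconfig $pth`
    if [ "${?}" -ne 0 ]; then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${NOT_INFECTED}
    fi
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
        >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# rshd: an rshd that reads HISTFILE is a known backdoor build. When it is
# commented out in inetd.conf, or an xinetd.d/rshd entry exists, the
# result is downgraded to INFECTED_BUT_DISABLED.
chk_rshd () {
    STATUS=${NOT_INFECTED}
    case "${SYSTEM}" in
        Linux) CMD="${ROOTDIR}usr/sbin/in.rshd";;
        FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";;
        *) CMD=`loc rshd rshd $pth`;;
    esac
    if [ ! -x ${CMD} ] ;then
        return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    RSHD_INFECTED_LABEL="HISTFILE"
    if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        # "-o" used to sit inside the egrep argument list (it was passed to
        # egrep, together with the ls command and path, as extra operands),
        # so the disabled-service test could never succeed. It is a shell
        # OR. NOTE(review): the xinetd.d clause only tests that the file
        # exists, not that the service is disabled in it — confirm intent.
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 || \
            ${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1 ; then
            STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}

# tcpdump: looks for a known C&C socket in the netstat/ss listing
# rather than in the binary. _chk_netstat_or_ss picks the tool (netstat
# global); ss takes -a, netstat -an.
chk_tcpdump () {
    STATUS=${NOT_INFECTED}
    TCPDUMP_I_L="212.146.0.34:1963"
    _chk_netstat_or_ss
    OPT="-an"
    [ "${netstat}" = "ss" ] && OPT="-a"
    if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# tcpd: the wrapper path is taken from the first active inetd.conf line
# mentioning tcpd (field 6); when xinetd is running, or nothing was found,
# it falls back to the search path.
chk_tcpd () {
    STATUS=${NOT_INFECTED}
    TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
    CMD=""
    [ -r ${ROOTDIR}etc/inetd.conf ] && CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
        ${awk} '{ print $6 }'`
    if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1; then
        CMD=`loc tcpd tcpd $pth`
    fi
    [ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`
    [ "tcpd" = "${CMD}" -o ! -f "${CMD}" ] && return ${NOT_FOUND}
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

# sshd: binary taken from the running process (getCMD).
chk_sshd () {
    STATUS=${NOT_INFECTED}
    SSHD2_INFECTED_LABEL="check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk"
    getCMD 'sshd'
    if [ !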
-s ${CMD} ]; then return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" return 5 fi if ${strings} -a "${CMD}" | ${egrep} "${SSHD2_INFECTED_LABEL}" \ > /dev/null 2>&1 then STATUS=${INFECTED} if ${ps} ${ps_cmd} | ${egrep} sshd >/dev/null 2>&1; then STATUS=${INFECTED_BUT_DISABLED} fi fi return ${STATUS} } chk_su () { STATUS=${NOT_INFECTED} SU_INFECTED_LABEL="satori|vejeta|conf\.inv" CMD=`loc su su $pth` if [ "${?}" -ne 0 ] then if [ "${QUIET}" != "t" ]; then echo "not found"; fi return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" return 5 fi if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi return ${STATUS} } chk_fingerd () { STATUS=${NOT_INFECTED} FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}" CMD=`loc fingerd fingerd $pth` if [ ${?} -ne 0 ]; then CMD=`loc in.fingerd in.fingerd $pth` if [ ${?} -ne 0 ]; then return ${NOT_FOUND} fi fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" return 5 fi if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \ > /dev/null 2>&1 then STATUS=${INFECTED} fi return ${STATUS} } chk_inetdconf () { STATUS=${NOT_INFECTED} SHELLS="${ROOTDIR}bin/sh ${ROOTDIR}bin/bash" if [ -r ${ROOTDIR}etc/shells ]; then SHELLS="`cat ${ROOTDIR}etc/shells | ${egrep} -v '^#'`"; fi if [ -r ${ROOTDIR}etc/inetd.conf ]; then for CHK_SHELL in ${SHELLS}; do cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null if [ ${?} -ne 1 ]; then if [ "${EXPERT}" = "t" ]; then echo "Backdoor shell record(s) in /etc/inetd.conf: " cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" fi STATUS=${INFECTED} fi done return ${STATUS} else return ${NOT_FOUND} fi } chk_telnetd () { STATUS=${NOT_INFECTED} TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]' CMD=`loc telnetd telnetd $pth` if [ ${?} 
-ne 0 ]; then CMD=`loc in.telnetd in.telnetd $pth` if [ ${?} -ne 0 ]; then return ${NOT_FOUND} fi fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" return 5 fi if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} fi return ${STATUS} } printn () { printf="use printf" printf_fmt="%-60s" if [ ! "$PRINTF_BIN" ]; then # This is first time call to use. Check environment and # define this global. PRINTF_BIN=`which printf 2> /dev/null` # Set to dummy, if not found [ ! "$PRINTF_BIN" ] && PRINTF_BIN="not exists" # We're done, and won't enter this if-case any more fi # Some messages are continued, so don't use printf case "$1" in *exec*|*bogus*) printf="" ;; esac if [ "$PRINTF_BIN" ] && [ "$printf" ]; then $PRINTF_BIN "$printf_fmt" "$1" else if `${echo} "a\c" | ${egrep} c >/dev/null 2>&1` ; then ${echo} -n "$1" else ${echo} "${1}\c" fi fi } # main # ### using regexps, as the `-w' option to grep/egrep is not portable. L_REGEXP='(^|[^A-Za-z0-9_])' R_REGEXP='([^A-Za-z0-9_]|$)' ### default ROOTDIR is "/" ROOTDIR='/' mode="rt" while : do case $1 in -r) [ -z "$2" ] && exit 1; shift mode="pm" ROOTDIR=$1;; -p) [ -z "$2" ] && exit 1; shift CHKRKPATH=$1;; -d) DEBUG=t;; -x) EXPERT=t;; -e) shift EXCLUDES="$1 $EXCLUDES";; -s) shift EXCLUDES_SNIF="$1";; -q) QUIET=t QUIET_ARG="-q" ;; -V) echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}" exit 1;; -l) echo >&2 "$0: tests: ${TOOLS} ${TROJAN}" exit 1;; -n) tnfs;; -h | -*) echo >&2 "Usage: $0 [options] [test ...] Options: -h show this help and exit -V show version information and exit -l show available tests and exit -d debug -q quiet mode -x expert mode -e 'FILE1 FILE2' exclude files/dirs from results. Must be followed by a space-separated list of files/dirs. Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first. -s REGEXP filter results of sniffer test through 'grep -Ev REGEXP' to exclude expected PACKET_SNIFFERs. 
Read /usr/share/doc/chkrootkit/README.FALSE-POSITIVES first. -r DIR use DIR as the root directory -p DIR1:DIR2:DIRN path for the external commands used by chkrootkit -n skip NFS mounted dirs" exit 1;; *) break esac shift done ### check the external commands needed cmdlist=" awk cut echo egrep find head id ls ps sed strings uname " ### PATH used by loc pth=`echo $PATH | sed -e "s/:/ /g"` pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ." ### external command's PATH if [ "${CHKRKPATH}" = "" ]; then chkrkpth=${pth} else ### use the path provided with the -p option chkrkpth=`echo ${CHKRKPATH} | sed -e "s/:/ /g"` fi echo=echo for file in $cmdlist; do xxx=`loc $file $file $chkrkpth` eval $file=$xxx case "$xxx" in /* | ./* | ../*) if [ ! -x "${xxx}" ] then echo >&2 "chkrootkit: can't exec \`$xxx'." exit 1 fi ;; *) echo >&2 "chkrootkit: can't find \`$file'." exit 1 ;; esac done SYSTEM=`${uname} -s` VERSION=`${uname} -r` if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then V=4.4 else V=`echo $VERSION| ${sed} -e 's/[-_@].*//'| ${awk} -F . '{ print $1 "." 
$2 $3 }'` fi # head command _head() { if `$echo a | $head -n 1 >/dev/null 2>&1` ; then $head -n `echo $1 | tr -d "-"` else $head $1 fi } # ps command ps_cmd="ax" if [ "$SYSTEM" = "SunOS" ]; then if [ "${CHKRKPATH}" = "" ]; then if [ -x /usr/ucb/ps ]; then ps="/usr/ucb/ps" else ps_cmd="-fe" fi else ### -p is in place: use `-fe' as ps options ps_cmd="-fe" fi fi # Check if ps command is ok if ${ps} ax >/dev/null 2>&1 ; then ps_cmd="ax" else ps_cmd="-fe" fi if [ `${id} | ${cut} -d= -f2 | ${cut} -d\( -f1` -ne 0 ]; then echo "$0 needs root privileges" exit 1 fi if [ $# -gt 0 ] then ### perform only tests supplied as arguments for arg in $* do ### check if is a valid test name if echo "${TROJAN} ${TOOLS}"| \ ${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1 then echo >&2 "$0: \`$arg': not a known test" exit 1 fi done LIST=$* else ### this is the default: perform all tests LIST="${TROJAN} ${TOOLS}" fi if [ "${DEBUG}" = "t" ]; then set -x fi if [ "${ROOTDIR}" != "/" ]; then ### remove trailing `/' ROOTDIR=`echo ${ROOTDIR} | ${sed} -e 's/\/*$//g'` for dir in ${pth} do if echo ${dir} | ${egrep} '^/' > /dev/null 2>&1 then newpth="${newpth} ${ROOTDIR}${dir}" else newpth="${newpth} ${ROOTDIR}/${dir}" fi done pth=${newpth} ROOTDIR="${ROOTDIR}/" fi if [ "${QUIET}" != "t" ]; then echo "ROOTDIR is \`${ROOTDIR}'" fi # # NETSTAT OR SS # _chk_netstat_or_ss() { netstat="netstat" CMD=`loc ss ss $pth` [ ${?} -eq 0 ] && netstat="ss" } for cmd in ${LIST} do if echo "${TROJAN}" | \ ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1 then if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then printn "Checking \`${cmd}'... " fi chk_${cmd} STATUS=$? ### quiet mode if [ "${QUIET}" = "t" ]; then ### show only INFECTED status if [ ${STATUS} -eq 0 ]; then echo "Checking \`${cmd}'... 
INFECTED" fi continue fi case $STATUS in 0) echo "INFECTED";; 1) echo "not infected";; 2) echo "not tested";; 3) echo "not found";; 4) echo "infected but disabled";; 5) ;; ### expert mode esac else ### external tool if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then printn "Checking \`$cmd'... " fi ${cmd} fi done exit 0 ### chkrootkit ends here.