Member "chkrootkit-0.55/chkrootkit" (9 Jun 2021, 85646 Bytes) of package /linux/misc/chkrootkit-0.55.tar.gz:

    1 #! /bin/sh
    2 # -*- Shell-script -*-
    3 
    4 # $Id: chkrootkit, v 0.55 2021/06/10
    5 CHKROOTKIT_VERSION='0.55' 
    6 
    7 # Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
    8 #          Klaus Steding-Jessen <jessen@cert.br>
    9 #
   10 # (c)1997-2021 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
   11 # All rights reserved
   12 
   13 ### workaround for some Bourne shell implementations
   14 unalias login > /dev/null 2>&1
   15 unalias ls > /dev/null 2>&1
   16 unalias netstat > /dev/null 2>&1
   17 unalias ss > /dev/null 2>&1
   18 unalias ps > /dev/null 2>&1
   19 unalias dirname > /dev/null 2>&1
   20 
   21 # Workaround for recent GNU coreutils
   22 _POSIX2_VERSION=199209
   23 export _POSIX2_VERSION
   24 
   25 KALLSYMS="/proc/kallsyms" 
   26 [ -f /proc/ksysm ] && KALLSYMS="/proc/$KALLSYMS" 
   27 
   28 # Native commands
   29 TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \
   30 env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \
   31 killall  ldsopreload login ls lsof mail mingetty netstat named passwd pidof \
   32 pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \
   33 tcpdump top telnetd timed traceroute vdir w write"
   34 
   35 # Tools
   36 TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"
   37 
   38 # Return Codes
   39 INFECTED=0
   40 NOT_INFECTED=1
   41 NOT_TESTED=2
   42 NOT_FOUND=3
   43 INFECTED_BUT_DISABLED=4
   44 
   45 # Many trojaned commands have this label
   46 GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer"
   47 
   48 ######################################################################
   49 # tools functions
   50 
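#
# 55808.A Worm: looks for the two files it drops under ${ROOTDIR}tmp/.../
#
# Globals read:  ROOTDIR, QUIET, INFECTED, NOT_INFECTED
# Output:        warning line, or "not infected" unless QUIET=t
# Returns:       ${INFECTED} when either marker file exists, else ${NOT_INFECTED}
#
w55808 (){
   W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r"
   STATUS=0

   for i in ${W55808_FILES}; do
      if [ -f "${i}" ]; then
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ]; then
      echo "Warning: Possible 55808 Worm installed"
      # explicit return: the old code fell off the end and only returned
      # 0 (== INFECTED) because echo happened to succeed
      return ${INFECTED}
   fi
   if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   return ${NOT_INFECTED}
}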
   70 
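#
# OSX.RSPlug.A Trojan: macOS only; looks for the two files it leaves
# under /Library/Internet Plug-Ins (absolute paths, ROOTDIR is not applied).
#
# Globals read:  SYSTEM, QUIET, INFECTED, NOT_INFECTED, NOT_TESTED
# Returns:       ${NOT_TESTED} unless SYSTEM is Darwin, ${INFECTED} when a
#                file exists, else ${NOT_INFECTED}
#
OSX_RSPLUG (){
   # quoted: an unset SYSTEM used to turn this into a test(1) syntax error,
   # and the bare "return" then yielded 0 (== INFECTED) under -q
   if [ "${SYSTEM}" != "Darwin" ]; then
      if [ "${QUIET}" != "t" ]; then echo "not tested"; fi
      return ${NOT_TESTED}
   fi
   STATUS=0
   # the paths contain spaces, so use an explicit quoted list rather than
   # splitting a ';'-joined string by rewriting IFS
   for i in "/Library/Internet Plug-Ins/QuickTime.xpt" \
            "/Library/Internet Plug-Ins/plugins.settings"; do
      # progress line honours -q like every other check
      if [ "${QUIET}" != "t" ]; then echo searching for "${i}"; fi
      if [ -e "${i}" ]; then
         STATUS=1
      fi
   done

   if [ ${STATUS} -eq 1 ]; then
      echo "Warning: OSX.RSPlug.A Trojan Horse found"
      return ${INFECTED}
   fi
   if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   return ${NOT_INFECTED}
}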
   97 
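#
# SLAPPER.{A,B,C,D} and the multi-platform variant: known dropper files
# under ${ROOTDIR}tmp and the worm's listening TCP ports.
#
# Globals read:  ROOTDIR, SYSTEM, QUIET, INFECTED, NOT_INFECTED, and the
#                tool variables netstat/egrep/awk; calls _chk_netstat_or_ss
#                to pick netstat or ss
# Output:        warning with the matching PID/program and/or files
# Returns:       ${INFECTED} on any match, else ${NOT_INFECTED}
#
slapper (){
   SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c \
   ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd ${ROOTDIR}tmp/update \
   ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"
   SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 "
   _chk_netstat_or_ss
   OPT="-an"
   [ "${netstat}" = "ss" ] && OPT="-a"
   STATUS=0
   file_port=

   if ${netstat} "${OPT}" 2>/dev/null | ${egrep} "^tcp" | ${egrep} "${SLAPPER_PORT}" > /dev/null 2>&1; then
      STATUS=1
      # -p shows the owning PID/program (needs root); use the tool chosen
      # above -- the old code hard-coded "netstat" here even when ss was
      # selected because netstat is absent
      [ "${SYSTEM}" = "Linux" ] && file_port=`${netstat} -p ${OPT} 2>/dev/null | \
         ${egrep} "^tcp" | ${egrep} "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :`
   fi
   for i in ${SLAPPER_FILES}; do
      if [ -f "${i}" ]; then
         file_port="${file_port} ${i}"
         STATUS=1
      fi
   done
   if [ ${STATUS} -eq 1 ]; then
      echo "Warning: Possible Slapper Worm installed (${file_port})"
      # explicit: the old code fell off the end here
      return ${INFECTED}
   fi
   if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   return ${NOT_INFECTED}
}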
  131 
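#
# Scalper Worm: known dropper files under ${ROOTDIR}tmp and its TCP port.
#
# Globals read:  ROOTDIR, QUIET, INFECTED, NOT_INFECTED, netstat/egrep;
#                calls _chk_netstat_or_ss to pick netstat or ss
# Returns:       ${INFECTED} on any match, else ${NOT_INFECTED}
#
scalper (){
   SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a"
   SCALPER_PORT=2001
   OPT="-an"
   _chk_netstat_or_ss
   [ "${netstat}" = "ss" ] && OPT="-a"
   STATUS=0

   if ${netstat} "${OPT}" 2>/dev/null | ${egrep} "0.0:${SCALPER_PORT} " > /dev/null 2>&1; then
      STATUS=1
   fi
   for i in ${SCALPER_FILES}; do
      [ -f "${i}" ] && STATUS=1
   done
   if [ ${STATUS} -eq 1 ]; then
      echo "Warning: Possible Scalper Worm installed"
      # explicit: the old code fell off the end here
      return ${INFECTED}
   fi
   if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   return ${NOT_INFECTED}
}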
  155 
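#
# Ramen Worm: an "asp" service line in inetd.conf, or an asp binary that
# carries the worm's "poop" string.
#
# Globals read:  ROOTDIR, QUIET, EXPERT, pth, egrep/strings, INFECTED,
#                NOT_INFECTED; calls loc() and expertmode_output()
# Returns:       ${INFECTED} if either indicator matches, else ${NOT_INFECTED};
#                5 in expert mode
#
asp (){
    ASP_LABEL="poop"
    STATUS=${NOT_INFECTED}
    CMD=`loc asp asp $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then
        echo "Warning: Possible Ramen Worm installed in inetd.conf"
        STATUS=${INFECTED}
    fi
    # Quoted: an empty CMD used to make test(1) fail.  An inetd.conf hit is
    # kept -- the old code printed the warning and then still returned
    # NOT_INFECTED with a "not infected" line when no asp binary was found.
    if [ "${CMD}" = "asp" -o "${CMD}" = "${ROOTDIR}asp" -o -z "${CMD}" ]; then
        if [ ${STATUS} -eq ${NOT_INFECTED} -a "${QUIET}" != "t" ]; then echo "not infected"; fi
        return ${STATUS}
    fi
    if ${strings} -a "${CMD}" | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    elif [ ${STATUS} -eq ${NOT_INFECTED} ]; then
        if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
    fi
    return ${STATUS}
}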
  184 
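#
# Promiscuous-interface check, delegated to the ./ifpromisc helper binary.
# Only meaningful on the live system (ROOTDIR must be "/"); skipped on SunOS.
#
# Globals read:  ROOTDIR, SYSTEM, EXPERT, QUIET, NOT_TESTED
# Returns:       ${NOT_TESTED} when skipped, 5 in expert mode, otherwise the
#                exit status of ./ifpromisc
#
sniffer () {
    if [ "${ROOTDIR}" != "/" ]; then
      echo "not tested"
      return ${NOT_TESTED}
    fi

    if [ "${SYSTEM}" = "SunOS" ]; then
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        # one argument string, like every other expertmode_output call
        # in this file (it used to be passed as two words)
        expertmode_output "./ifpromisc -v"
        return 5
    fi
    if [ ! -x ./ifpromisc ]; then
      echo "not tested: can't exec ./ifpromisc"
      return ${NOT_TESTED}
    fi
    # Run ifpromisc exactly once.  The old "[ ... ] && ./ifpromisc -v ||
    # ./ifpromisc -q" also ran the quiet variant whenever the verbose run
    # returned non-zero, i.e. precisely when something was found.
    if [ "${QUIET}" != "t" ]; then
       ./ifpromisc -v
    else
       ./ifpromisc -q
    fi
}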
  206 
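#
# utmp consistency check, delegated to the ./chkutmp helper binary.
# Not run in "pm" mode.
#
# Globals read:  mode, QUIET, NOT_TESTED, NOT_INFECTED, INFECTED
# Returns:       ${NOT_TESTED} when the helper is unavailable or mode is pm,
#                ${NOT_INFECTED} when ./chkutmp exits 0, else ${INFECTED}
#
chkutmp() {
    # quoted: an unset "mode" made the test(1) expression malformed
    if [ ! -x ./chkutmp -o "${mode}" = "pm" ]; then
      echo "not tested: can't exec ./chkutmp"
      return ${NOT_TESTED}
    fi
    # ./chkutmp prints its own findings; a non-zero exit is treated as a hit
    # (the old code returned 0 == INFECTED in every case)
    if ./chkutmp; then
      if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi
      return ${NOT_INFECTED}
    fi
    return ${INFECTED}
}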
  217 
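#
# lastlog/wtmp consistency check, delegated to ./chklastlog.
#
# Globals read:  ROOTDIR, EXPERT, QUIET, NOT_TESTED, NOT_INFECTED, INFECTED;
#                calls loc() to find wtmp and lastlog, expertmode_output()
# Returns:       ${NOT_TESTED} when the helper or a log file is missing,
#                5 in expert mode, ${NOT_INFECTED} when chklastlog exits 0,
#                else ${INFECTED}
#
z2 () {
    if [ ! -x ./chklastlog ]; then
      echo "not tested: can't exec ./chklastlog"
      return ${NOT_TESTED}
    fi

    # loc() is handed directories that already carry ${ROOTDIR}, and the
    # -f tests below use its result as-is; the same unprefixed value is
    # therefore passed to chklastlog.  (The old code prepended ${ROOTDIR}
    # a second time there, which only worked while ROOTDIR was "/".)
    WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
    LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

    # chklastlog is given both files, so require both (the old test only
    # bailed out when both were missing, despite the "and/or" message)
    if [ ! -f "${WTMP}" -o ! -f "${LASTLOG}" ]; then
       echo "not tested: not found wtmp and/or lastlog file"
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
        return 5
    fi

    if ./chklastlog -f "${WTMP}" -l "${LASTLOG}"; then
      if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi
      return ${NOT_INFECTED}
    fi
    return ${INFECTED}
}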
  242 
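#
# wtmp consistency check, delegated to ./chkwtmp (and ./check_wtmpx on SunOS).
#
# Globals read:  ROOTDIR, SYSTEM, EXPERT, QUIET, NOT_TESTED, NOT_INFECTED,
#                INFECTED; calls loc() and expertmode_output()
# Returns:       ${NOT_TESTED} when ./chkwtmp is missing, 5 in expert mode,
#                ${NOT_INFECTED} when ./chkwtmp exits 0, else ${INFECTED}
#
wted () {
    if [ ! -x ./chkwtmp ]; then
      echo "not tested: can't exec ./chkwtmp"
      return ${NOT_TESTED}
    fi

    # Located before the platform branch so the final chkwtmp run has a
    # real path everywhere (the SunOS branch used to leave WTMP unset and
    # still ran "./chkwtmp -f" with no file).
    WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

    if [ "${SYSTEM}" = "SunOS" ]; then
       if [ ! -x ./check_wtmpx ]; then
          echo "not tested: can't exec ./check_wtmpx"
       else
          if [ "${EXPERT}" = "t" ]; then
             expertmode_output "./check_wtmpx"
             return 5
          fi
          # NOTE(review): the existence test is on .../wtmp while the
          # message (and presumably check_wtmpx) refers to wtmpx -- confirm
          if [ -f ${ROOTDIR}var/adm/wtmp ]; then
             if ./check_wtmpx; then
                if [ "${QUIET}" != "t" ]; then \
                   echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi
             fi
          fi
       fi
    elif [ "${EXPERT}" = "t" ]; then
       expertmode_output "./chkwtmp -f ${WTMP}"
       return 5
    fi

    # ./chkwtmp prints its own findings; non-zero is treated as a hit
    if ./chkwtmp -f "${WTMP}"; then
      if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi
      return ${NOT_INFECTED}
    fi
    return ${INFECTED}
}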
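#
# Bindshell backdoors: any listening TCP socket, or any UDP socket, bound
# to one of the ports in PORT.  Live system only (ROOTDIR must be "/").
#
# Globals read:  ROOTDIR, EXPERT, QUIET, netstat/egrep/sed, INFECTED,
#                NOT_INFECTED, NOT_TESTED; calls _chk_netstat_or_ss and
#                expertmode_output
# Output:        "INFECTED PORTS: ( p1 p2 ...)" or "not infected"
# Returns:       ${INFECTED} when any port matched, ${NOT_INFECTED} otherwise,
#                ${NOT_TESTED} when ROOTDIR is not "/", 5 in expert mode
#
bindshell () {
   # ports historically used by bindshell backdoors (egrep alternation)
   PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
   if [ "${ROOTDIR}" != "/" ]; then
     echo "not tested"
     return ${NOT_TESTED}
   fi
   _chk_netstat_or_ss
   OPT="-an"
   [ "${netstat}" = "ss" ] && OPT="-a"

   if [ "${EXPERT}" = "t" ]; then
       expertmode_output "${netstat} ${OPT}"
       return 5
   fi

   # Take one socket listing and filter it once: the old loop re-ran
   # netstat/ss for every one of the ~30 ports, and the socket table can
   # change between those runs.
   LISTENING=`${netstat} "${OPT}" 2>/dev/null | ${egrep} "^tcp.*LIST|^udp"`
   PI=""
   for P in `echo "${PORT}" | ${sed} 's/|/ /g'`; do
      # [.:]PORT followed by a non-port character: matches both
      # "0.0.0.0:31337 " (netstat/ss) and "*.31337 " (BSD netstat)
      if echo "${LISTENING}" | ${egrep} "[.:]${P}[^0-9.:]" >/dev/null 2>&1; then
         PI="${PI} ${P}"
      fi
   done
   if [ "${PI}" != "" ]; then
      echo "INFECTED PORTS: (${PI})"
      return ${INFECTED}
   fi
   if [ "${QUIET}" != "t" ]; then echo "not infected"; fi
   return ${NOT_INFECTED}
}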
  308 
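#
# Version bucket of the installed ps(1), passed to chkproc as "-p N":
# 1 for procps < 2.11, 2 for 2.11..3.19 (or when unknown), 3 for newer.
# Uses the last word of "ps -V" output as the version string.
#
# Globals read:  ps, cut, awk
# Output:        the bucket number on stdout
#
_lkm_ps_version () {
   F=`$ps -V 2>/dev/null | wc -w`
   PV=`$ps -V 2>/dev/null | $cut -d " " -f $F | ${awk} -F . '{ print $1 "." $2 $3 }' | \
       ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'`
   [ "$PV" = "" ] && PV=2
   echo "$PV"
}

#
# Loadable-kernel-module rootkits: known module symbols in the kernel
# symbol table, the knark /proc entry, and the ./chkproc / ./chkdirs
# helpers (hidden processes, hidden directory entries).  Live system only.
#
# Globals read:  SYSTEM, V, ROOTDIR, mode, EXPERT, QUIET, DEBUG, KALLSYMS,
#                egrep/ls/echo/awk/ps/cut, INFECTED, NOT_INFECTED, NOT_TESTED;
#                calls expertmode_output
# Returns:       ${NOT_TESTED} when skipped, 5 in expert mode, ${INFECTED}
#                if any warning was printed, else ${NOT_INFECTED}
#
lkm ()
{
   prog=""
   # Platform gate.  NOTE(review): the FreeBSD expression
   # "($1 > 4.3 || $1 < 6.0)" is true for every version number, so it only
   # ever rules out nothing; it was probably meant as a 4.3..6.0 range.
   # Kept as-is so the check is not silently disabled on current FreeBSD --
   # confirm the intent before tightening it.
   supported=f
   case "${SYSTEM}" in
      Linux)   supported=t ;;
      FreeBSD) [ "`echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'`" = "1" ] && supported=t ;;
   esac
   if [ "${supported}" != "t" -o "${ROOTDIR}" != "/" ]; then
      if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi
      return ${NOT_TESTED}
   fi

   # chkproc needs a populated /proc; chkdirs does not.  Each helper is
   # only run if it is actually present (the old code ran both whenever
   # either was found).
   HAVE_CHKPROC=f
   HAVE_CHKDIRS=f
   if [ -x ./chkproc -a "`find /proc -maxdepth 1 2>/dev/null | wc -l`" -gt 1 ]; then
      HAVE_CHKPROC=t
      prog="./chkproc"
   fi
   if [ -x ./chkdirs ]; then
      HAVE_CHKDIRS=t
      prog="$prog ./chkdirs"
   fi
   if [ "$prog" = "" -o "${mode}" = "pm" ]; then
      echo "not tested: can't exec ${prog:-./chkproc ./chkdirs}"
      return ${NOT_TESTED}
   fi

   if [ "${EXPERT}" = "t" ]; then
      [ -r "${KALLSYMS}" ] && ${egrep} -i "adore|sebek" < "${KALLSYMS}" 2>/dev/null
      [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
      expertmode_output "./chkproc -v -v -p `_lkm_ps_version`"
      return 5
   fi

   status=${NOT_INFECTED}

   ### adore LKM and sebek LKM (Adore based) leave their symbol names in
   ### the kernel symbol table.  KALLSYMS already holds the full path; the
   ### old code prefixed it with /proc/ a second time and so never read it.
   if [ -r "${KALLSYMS}" ]; then
      if ${egrep} -i adore < "${KALLSYMS}" >/dev/null 2>&1; then
         echo "Warning: Adore LKM installed"
         status=${INFECTED}
      fi
      if ${egrep} -i sebek < "${KALLSYMS}" >/dev/null 2>&1; then
         echo "Warning: Sebek LKM installed"
         status=${INFECTED}
      fi
   fi

   ### knark LKM
   if [ -d /proc/knark ]; then
      echo "Warning: Knark LKM installed"
      status=${INFECTED}
   fi

   if [ "${HAVE_CHKPROC}" = "t" ]; then
      PV=`_lkm_ps_version`
      if [ "${DEBUG}" = "t" ]; then
           ${echo} "*** PV=$PV ***"
      fi
      if ./chkproc -p ${PV}; then
         if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
      else
         echo "chkproc: Warning: Possible LKM Trojan installed"
         status=${INFECTED}
      fi
   fi

   if [ "${HAVE_CHKDIRS}" = "t" ]; then
      # As before, only directories whose link count is above 1 are handed
      # to chkdirs.  awk is used for the link-count column because ls pads
      # it with a variable number of spaces, which broke cut -d " ".
      dirs="/tmp"
      for i in /usr/share /usr/bin /usr/sbin /lib; do
         [ -d "$i" ] || continue
         if [ "`ls -ld "$i" | ${awk} '{ print $2 }'`" -gt 1 ]; then
            dirs="$dirs $i"
         fi
      done
      if ./chkdirs $dirs; then
         if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
      else
         echo "chkdirs: Warning: Possible LKM Trojan installed"
         status=${INFECTED}
      fi
   fi
   return ${status}
}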
  375 
  376 aliens () {
  377    if [ "${EXPERT}" = "t" ]; then
  378         ### suspicious files
  379         FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \
  380 sbin/vobiscum  usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \
  381  etc/ld.so.hash"
  382 
  383         expertmode_output "${find} ${ROOTDIR}dev -type f"
  384         expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
  385         expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"
  386         expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8"
  387         expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'"
  388         expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk"
  389         expertmode_output "${find} ${ROOTDIR}usr/lib/dy0"
  390         expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277"
  391         expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/"
  392 
  393         for i in ${FILES}; do
  394            expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null"
  395         done
  396         [ -d  ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so"
  397         [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. "
  398         [ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx
  399         [ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd
  400         [ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb
  401         [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so
  402         ### sniffer's logs
  403         expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \
  404     ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \
  405 .linux-sniff -o -name sniff-l0g -o -name core_ -o"
  406         expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \
  407 -name in.pop3d"
  408 
  409         ### t0rn
  410         expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
  411 ${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \
  412 ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn"
  413 
  414         LIBS=
  415         [ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib"
  416         [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
  417         [ -d ${ROOTDIR}usr/local/lib ] && \
  418            LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
  419 
  420         expertmode_output "${find} ${LIBS} -name libproc.a"
  421 
  422         ## Lion Worm
  423         expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh
  424 2> /dev/null"
  425 
  426         ### ark
  427         expertmode_output "${find} ${ROOTDIR}dev -name ptyxx"
  428         expertmode_output "${find} ${ROOTDIR}usr/doc -name '... '"
  429         expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'"
  430 
  431         ### RK17
  432         expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit"
  433         expertmode_output "${find} ${ROOTDIR}sbin -name pback"
  434         expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null"
  435         expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null"
  436         expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \
  437 autod.o -o -name soundx.o 2> /dev/null"
  438         expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \
  439 -name ct -o -name snick -o -name kfl"
  440 
  441         CGIDIR=""
  442         for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
  443 var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
  444 home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib;
  445         do
  446            [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}"
  447         done
  448 BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
  449 shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
  450 zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
  451    for j in ${CGIDIR}; do
  452       for i in ${BACKDOORS}; do
  453     [ -f ${j}/${i} ] && echo ${j}/${i}
  454       done
  455    done
  456 
  457         ### rsha
  458         expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \
  459 -o -name n3tstat -o -name chsh2"
  460         expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha"
  461         expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \
  462 ${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/"
  463 
  464         ### ShitC Worm
  465         expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \
  466 -o -name frgy -o -name sy"
  467         expertmode_output "${find} ${ROOTDIR}usr/bin -type d -name dir"
  468         expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind"
  469 
  470         ### Omega Worm
  471         expertmode_output "${find} ${ROOTDIR}dev -name chr"
  472 
  473         ### rh-sharpe
  474         expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \
  475 -o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \
  476 -o -name ldu -o -name lnetstat"
  477         expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du"
  478 
  479         ### Adore Worm
  480         expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \
  481 -name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \
  482 -o -name adore"
  483         expertmode_output "${find} ${ROOTDIR}usr/lib/lib"
  484         expertmode_output "${find} ${ROOTDIR}usr/lib/libt"
  485 
  486         ### suspicious files and dirs
  487         suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk"
  488         DIR=${ROOTDIR}usr/lib
  489         [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man"
  490         [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib"
  491         [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib"
  492         expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'"
  493         expertmode_output "${find} ${DIR} -type d -name '.*'"
  494         expertmode_output "${find} ${DIR} -name '...*'"
  495         expertmode_output "${ls} ${suspects}"
  496 
  497         ### Maniac RK
  498         expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc"
  499 
  500         ### Ramen Worm
  501         expertmode_output "${find} ${ROOTDIR}usr/src/.poop \
  502 ${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp"
  503 
  504         ### Sadmind/IIS Worm
  505         expertmode_output "${find} ${ROOTDIR}dev/cuc"
  506 
  507         ### Monkit
  508         expertmode_output "${find} ${ROOTDIR}lib/defs"
  509 
  510         ### Showtee
  511        expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \
  512 ${ROOTDIR}usr/lib/.wormie \
  513 ${ROOTDIR}usr/lib/.kinetic ${ROOTDIR}/usr/lib/liblog.o \
  514 ${ROOTDIR}/usr/include/addr.h  ${ROOTDIR}usr/include/cron.h \
  515 ${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \
  516 ${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h"
  517 
  518        ### Optickit
  519        expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf"
  520 
  521        ### T.R.K
  522        expertmode_output "${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct"
  523        ### MithRa's Rootkit
  524        expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot"
  525 
  526 
  527        ### OpenBSD rootkit v1
  528        if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ]
  529           then
  530           expertmode_output "${find} ${ROOTDIR}usr/lib/security"
  531        fi
  532 
  533        ### LOC rootkit
  534        expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c"
  535 
  536        ### Romanian rootkit
  537        expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \
  538 ${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \
  539 ${ROOTDIR}usr/include/syslogs.h"
  540 
  541       ## HKRK rootkit
  542       ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
  543 
  544       ## Suckit rootkit
  545       expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'" 
  546       expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
  547       expertmode_output "cat ${ROOTDIR}dev/.golf"
  548 
  549       ## Volc rootkit
  550       expertmode_output "${ls} ${ROOTDIR}usr/bin/volc"
  551       expertmode_output "${find} ${ROOTDIR}usr/lib/volc"
  552 
  553       ## Gold2 rootkit
  554       expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit"
  555 
  556       ## TC2 Worm
  557       expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \
  558 ${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb"
  559 
  560       ## Anonoiyng rootkit
  561       expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd"
  562 
  563       ## ZK rootkit
  564       expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*"
  565 
  566       ## ShKit
  567       expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash"
  568 
  569       ## AjaKit
  570       expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh"
  571       expertmode_output "${find} ${ROOTDIR}dev -name tux"
  572 
  573       ## zaRwT
  574       expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout"
  575 
  576       ## Madalin rootkit
  577       expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \
  578 -name iceconf.h -o -name iceseed.h"
  579 
  580       ## Fu rootkit
  581       expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \
  582       ${ROOTDIR}usr/include -name xc -o -name .lib -o name ivtype.h"
  583 
  584       ## Kenga3 Rookit
  585       expertmode_output "${find} ${ROOTDIR}usr/include/. ."
  586 
  587       ## ESRK Rookit
  588       expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3"
  589 
  590       ## rootedoor
  591       for i in `$echo ${PATH}|tr -s ':' ' '`; do
  592          expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor"
  593       done
  594       ## ENYE-LKM
  595       expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko"
  596 
  597       ## SSJD Operation Windigo  (Linux/Ebury) 
  598       ssh=`which ssh` 
  599       if $ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[0-7]" >/dev/null; then
  600          expertmode_output "${ssh} -G 2>&1  | grep -e illegal -e unknow" 
  601       fi
  602 
  603       ## Mumblehard backdoor/botnet 
  604       expertmode_output "cat ${ROOTDIR}/var/spool/cron/crontabs | egrep var/tmp"
  605 
  606       ## Backdoors.Linux.Mokes.a
  607       expertmode_output "${ls} -l ${ROOTDIR}tmp/ss0-[0-]9*" 
  608       expertmode_output "${ls} -l ${ROOTDIR}tmp/kk0-[0-]9*" 
  609 
  610       ## Malicious TinyDNS 
  611       expertmode_output "${ls} -l "${ROOTDIR}home/ ./root/""
  612 
  613       ## Linux/Xor.DDoS 
  614       expertmode_output "${find} ${ROOTDIR}tmp -executable -type f" 
  615       expertmode_output "${find} ${ROOTDIR}etc/cron.hourly"
  616 
  617       ## CrossRAT 
  618       expertmode_output "${find} ${ROOTDIR}usr/var ${findargs} -name mediamgrs.jar"
  619 
  620       ## Hidden Cobra  (IBM AIX) 
  621       expertmode_output "${find} ${ROOTDIR}tmp/.ICE-unix ${findargs} -name *.so"
  622       
  623       ## Rocke Monero Miner 
  624       expertmode_output "${find} ${ROOTDIR}etc ${findargs} -name ld.so.pre -o -name xig" 
  625 
  626       ## PWNLNX4 - An LKM Roottkit 
  627       expertmode_output "${find} ${ROOTDIR}/opt/uOnlineBuilder64 ${ROOTDIR}/var/tmp/.1 ${ROOTDIR}/var/tmp/Linux_Server"
  628 
  629       ## PWNLNX6 - An LKM Roottkit 
  630       expertmode_output "${find} ${ROOTDIR}/tmp/suterusu"
  631 
  632       ## Umbreon 
  633       expertmode_output "${find} ${ROOTDIR}usr/share/libc.so*"
  634 
  635       ## KINSING.A Backdoor 
  636       expertmode_output "${find} ${ROOTDIR}tmp/kdevtmp*"
  637 
  638       ## RotaJakiro 
  639       expertmode_output "${ls} ${ROOTDIR}bin/system-daemon"
  640 
  641       ## Common SSH-SCANNERS
  642       expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
  643 
  644       ### shell history file check
  645       if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
  646       expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
  647  -size 0"
  648       expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \
  649  \( -links 2 -o -type l \)"
  650       fi
  651 
  652       return 5
  653    ### expert mode ends here
  654    fi
  655 
  656    ###
  657    ### suspicious files and sniffer's logs
  658    ###
  659    suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \
  660 usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \
  661 tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \
  662 usr/sbin/in.telnet sbin/vobiscum  usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \
  663 etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin"
  664    dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \
  665    var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so"
  666    files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
  667    if [ "${files}" != "" ]; then
  668       echo
  669       echo ${files}
  670    fi
  671    for i in ${dir}; do
  672       if [ -d ${ROOTDIR}${i} ]; then
  673          echo
  674          echo "Suspect directory ${i} FOUND! Looking for sniffer logs"
  675             files=`${find} ${ROOTDIR}${i}`
  676          echo
  677          echo ${files}
  678       fi
  679    done
  680    for i in ${suspects}; do
  681       if [ -f ${ROOTDIR}${i} ]; then
  682          echo "${ROOTDIR}${i} "
  683          files="INFECTED"
  684       fi
  685    done
  686    if [ "${files}" = "" ]; then
  687         if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi
  688    fi
  689    if [ "${QUIET}" != "t" ]; then \
  690       printn "Searching for sniffer's logs, it may take a while... "; fi
  691    files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \
  692    ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \
  693    2>/dev/null`
  694    if [ "${files}" = "" ]
  695    then
  696       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  697    else
  698       echo
  699       echo ${files}
  700    fi
  701 
  702    ### HiDrootkit
  703    if [ "${QUIET}" != "t" ]; then printn \
  704       "Searching for HiDrootkit's default dir... "; fi
  705    if [ -d ${ROOTDIR}var/lib/games/.k ]
  706    then
  707       echo "Possible HiDrootkit installed"
  708    else
  709       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  710    fi
  711 
  712    ### t0rn
  713    if [ "${QUIET}" != "t" ]; then printn\
  714       "Searching for t0rn's default files and dirs... "; fi
  715    if [ -f ${ROOTDIR}etc/ttyhash -o -f ${ROOTDIR}sbin/xlogin -o \
  716         -d ${ROOTDIR}usr/src/.puta  -o -r ${ROOTDIR}lib/ldlib.tk -o \
  717         -d ${ROOTDIR}usr/info/.t0rn ]
  718    then
  719       echo "Possible t0rn rootkit installed"
  720    else
  721       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  722    fi
  723 
  724    ### t0rn v8
  725    if [ "${QUIET}" != "t" ]; then \
  726       printn "Searching for t0rn's v8 defaults... "; fi
  727    [ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib
  728    [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib"
  729    [ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib"
  730    if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \
  731        "$SYSTEM" != "FreeBSD" ]
  732    then
  733       echo "Possible t0rn v8 \(or variation\) rootkit installed"
  734    else
  735       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  736    fi
  737 
  738    ### Lion Worm
  739    if [ "${QUIET}" != "t" ]; then \
  740       printn "Searching for Lion Worm default files and dirs... "; fi
  741    if [ -d ${ROOTDIR}usr/info/.torn -o -d ${ROOTDIR}dev/.lib -o \
  742         -f ${ROOTDIR}bin/in.telnetd -o -f ${ROOTDIR}bin/mjy ]
  743    then
  744          echo "Possible Lion worm installed"
  745    else
  746       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  747    fi
  748 
  749    ### RSHA rootkit
  750    if [ "${QUIET}" != "t" ]; then \
  751       printn "Searching for RSHA's default files and dir... "; fi
  752 
  753    if [ -r "${ROOTDIR}bin/kr4p" -o -r "${ROOTDIR}usr/bin/n3tstat" \
  754 -o -r "${ROOTDIR}usr/bin/chsh2" -o -r "${ROOTDIR}usr/bin/slice2" \
  755 -o -r "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \
  756 -o -r "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \
  757 -o -d "${ROOTDIR}etc/rc.d/rsha" \
  758 -o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ]
  759    then
  760       echo "Possible RSHA's rootkit installed"
  761    else
  762       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  763    fi
  764 
  765    ### RH-Sharpe rootkit
  766    if [ "${QUIET}" != "t" ]; then \
  767       printn "Searching for RH-Sharpe's default files... "; fi
  768 
  769    if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \
  770 -o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \
  771 -o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \
  772 -o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \
  773 -o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \
  774 -o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ]
  775    then
  776       echo "Possible RH-Sharpe's rootkit installed"
  777    else
  778       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  779    fi
  780 
  781    ### ark rootkit
  782    if [ "${QUIET}" != "t" ]; then printn \
  783       "Searching for Ambient's rootkit (ark) default files and dirs... "; fi
  784 
  785    if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \
  786         -d ${ROOTDIR}usr/doc/"... " ]; then
  787       echo "Possible Ambient's rootkit \(ark\) installed"
  788    else
  789       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  790    fi
  791 
  792    ### suspicious files and dirs
  793    DIR="${ROOTDIR}usr/lib"
  794    [ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man"
  795    [ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib"
  796 
  797    if [ "${QUIET}" != "t" ]; then printn \
  798       "Searching for suspicious files and dirs, it may take a while... "; fi
  799 
  800    files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"`
  801    dirs=`${find} ${DIR} -type d -name ".*"`
  802    if [ "${files}" = "" -a "${dirs}" = "" ]
  803       then
  804       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  805    else
  806       echo
  807       echo ${files}
  808       echo ${dirs}
  809    fi
  810 
  811    ### LPD Worm
  812    if [ "${QUIET}" != "t" ]; then \
  813       printn "Searching for LPD Worm files and dirs... "; fi
  814 
  815    if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1  || \
  816  ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
  817       then
  818          echo "Possible LPD worm installed"
  819       elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o  \
  820 -f ${ROOTDIR}bin/.login ]; then
  821       echo "Possible LPD worm installed"
  822       else
  823       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  824    fi
  825 
  826    ### Ramem Worm
  827    if [ "${QUIET}" != "t" ]; then \
  828       printn "Searching for Ramen Worm files and dirs... "; fi
  829 
  830    if [ -d ${ROOTDIR}usr/src/.poop -o -f \
  831         ${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ]
  832    then
  833       echo "Possible Ramen worm installed"
  834    else
  835       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  836 
  837    fi
  838 
  839    ### Maniac rootkit
  840    if [ "${QUIET}" != "t" ]; then \
  841       printn "Searching for Maniac files and dirs... "; fi
  842 
  843    files=`${find} ${ROOTDIR}usr/bin -name mailrc`
  844    if [ "${files}" = "" ]; then
  845       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  846    else
  847      echo "${files}"
  848    fi
  849 
   ### RK17 rootkit
  851    if [ "${QUIET}" != "t" ]; then \
  852       printn "Searching for RK17 files and dirs... "; fi
  853 
  854    CGIDIR=""
  855    for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
  856 var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
  857 home/httpd/cgi-bin usr/local/apache2  usr/local/www usr/lib;
  858    do
  859         [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
  860    done
  861    files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \
  862 ${find} ${ROOTDIR}sbin -name pback && \
  863 ${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \
  864 ${find} ${ROOTDIR}proc -name kset 2> /dev/null && \
  865 ${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \
  866 2> /dev/null && \
  867 ${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl  2> /dev/null`
  868 BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \
  869 shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \
  870 zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php"
  871    files=""
  872    for j in ${CGIDIR}; do
  873       for i in ${BACKDOORS}; do
  874     [ -f ${j}/${i} ] && files="${files} ${j}/${i}"
  875       done
  876    done
  877    if [ "${files}" = ""  ]; then
  878      if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  879    else
  880      echo "${files}"
  881    fi
  882 
  883    ### Ducoci rootkit
  884    if [ "${QUIET}" != "t" ]; then \
  885       printn "Searching for Ducoci rootkit... "; fi
  886 
  887    files=`${find} ${CGIDIR} -name last.cgi`
  888    if [ "${files}" = ""  ]; then
  889       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  890    else
  891      echo "${files}"
  892    fi
  893 
  894    ### Adore Worm
  895    if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi
  896 
  897    files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \
  898 -name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore`
  899    if [ "${files}" = "" ]; then
  900       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  901    else
  902      echo "${files}"
  903      files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null`
  904      [ "${files}" != "" ] && echo ${files}
  905    fi
  906 
  907    ### ShitC Worm
  908    if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi
  909 
  910    files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \
  911 ${find} ${ROOTDIR}usr/bin -type d -name dir || \
  912 ${find} ${ROOTDIR}usr/sbin -name in.slogind`
  913    if [ "${files}" = "" ]; then
  914       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  915    else
  916      echo "${files}"
  917    fi
  918 
  919    ### Omega Worm
  920    if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi
  921 
  922    files=`${find} ${ROOTDIR}dev -name chr`
  923    if [ "${files}" = "" ]; then
  924       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  925    else
  926      echo "${files}"
  927    fi
  928 
  929    ### China Worm (Sadmind/IIS Worm)
  930    if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi
  931    files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null`
  932    if [ "${files}" = "" ]; then
  933       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  934    else
  935      echo "${files}"
  936    fi
  937 
  938    ### MonKit
  939    if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... "; fi
  940    files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \
  941 2> /dev/null`
  942    if [ "${files}" = "" ]; then
  943       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  944    else
  945      echo "${files}"
  946    fi
  947 
  948    ### Showtee
  949    if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi
  950    if [ -d ${ROOTDIR}usr/lib/.egcs ] || \
  951       [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \
  952       [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \
  953       [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \
  954       [ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \
  955       [ -f ${ROOTDIR}usr/include/chk.h ]; then
  956          echo "Warning: Possible Showtee Rootkit installed"
  957       else
  958       if  [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  959    fi
  960 
  961    ###
  962    ### OpticKit
  963    ###
  964    if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi
  965    files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \
  966 2> /dev/null`
  967    if [ "${files}" = "" ]; then
  968       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  969    else
  970      echo "${files}"
  971    fi
  972 
  973    ### T.R.K
  974    files=""
  975    if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi
  976    files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1`
  977    if [ "${files}" = "" ]; then
  978       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  979    else
  980      echo "${files}"
  981    fi
  982 
  983    ### Mithra's Rootkit
  984    files=""
  985    if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... "; fi
  986    files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null`
  987    if [ "${files}" = "" ]; then
  988       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  989    else
  990      echo "${files}"
  991    fi
  992 
  993    ### OpenBSD rootkit v1
  994    if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then
  995       files=""
  996       if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi
  997       files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null`
  998       if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then
  999          if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1000       else
 1001         echo "${files}"
 1002       fi
 1003    fi
 1004 
 1005    ### LOC rootkit
 1006    files=""
 1007    if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi
 1008    files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null`
 1009    if [ "${files}" = "" ]; then
 1010       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1011    else
 1012      echo "${files}"
 1013      loc epic epic $pth
 1014    fi
 1015 
 1016    ### Romanian rootkit
 1017    files=""
 1018    if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi
 1019    for i in file.h proc.h addr.h syslogs.h; do
 1020       if [ -f ${ROOTDIR}usr/include/${i} ]; then
 1021          files="$files ${ROOTDIR}usr/include/$i"
 1022       fi
 1023    done
 1024    if [ "${files}" = "" ]; then
 1025       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1026    else
 1027       echo "${files}"
 1028    fi
 1029 
 1030    ### HKRK
 1031    if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then
 1032       if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... "; fi
 1033       if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then
 1034         echo "Warning: /etc/rc.d/init.d/network INFECTED"
 1035       else
 1036          if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1037       fi
 1038    fi
 1039 
 1040    ### Suckit
 1041    if [ -f ${ROOTDIR}sbin/init ]; then
 1042       if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi
 1043       if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'   || \
 1044           cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
 1045         then
 1046         echo "Warning: ${ROOTDIR}sbin/init INFECTED"
 1047       else
 1048          if [ -d ${ROOTDIR}/dev/.golf ]; then
 1049             echo "Warning: Suspect directory ${ROOTDIR}dev/.golf"
 1050      else
 1051             if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1052      fi
 1053       fi
 1054    fi
 1055 
 1056    ### Volc
 1057    if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi
 1058    if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then
 1059       echo "Warning: Possible Volc rootkit installed"
 1060    else
 1061       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1062    fi
 1063 
 1064    ### Gold2
 1065    if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi
 1066    if [ -f ${ROOTDIR}usr/bin/ishit ] ; then
 1067       echo "Warning: Possible Gold2 rootkit installed"
 1068    else
 1069       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1070    fi
 1071 
 1072    ### TC2 Worm
 1073    if [ "${QUIET}" != "t" ]; then \
 1074       printn "Searching for TC2 Worm default files and dirs... "; fi
 1075    if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \
 1076         -f ${ROOTDIR}usr/sbin/initcheck  -o -f ${ROOTDIR}usr/sbin/ldb ]
 1077    then
 1078          echo "Possible TC2 Worm installed"
 1079    else
 1080       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1081    fi
 1082 
 1083    ### ANONOYING Rootkit
 1084    if [ "${QUIET}" != "t" ]; then \
 1085       printn "Searching for Anonoying rootkit default files and dirs... "; fi
 1086    if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then
 1087          echo "Possible anonoying rootkit installed"
 1088    else
 1089       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1090    fi
 1091 
 1092    ### ZK Rootkit
 1093    if [ "${QUIET}" != "t" ]; then \
 1094       printn "Searching for ZK rootkit default files and dirs... "; fi
 1095    if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
 1096          echo "Possible ZK rootkit installed"
 1097    else
 1098       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1099    fi
 1100    ### ShKit
 1101    if [ "${QUIET}" != "t" ]; then
 1102       printn "Searching for ShKit rootkit default files and dirs... "; fi
 1103    if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then
 1104          echo "Possible ShKit rootkit installed"
 1105    else
 1106       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1107    fi
 1108 
 1109    ### AjaKit
 1110    if [ "${QUIET}" != "t" ]; then
 1111       printn "Searching for AjaKit rootkit default files and dirs... "; fi
 1112       if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then
 1113          echo "Possible AjaKit rootkit installed"
 1114    else
 1115       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1116    fi
 1117 
 1118    ### zaRwT
 1119    if [ "${QUIET}" != "t" ]; then
 1120       printn "Searching for zaRwT rootkit default files and dirs... "; fi
 1121       if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then
 1122          echo "Possible zaRwT rootkit installed"
 1123    else
 1124       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1125    fi
 1126 
 1127    ### Madalin rootkit
 1128    if [ "${QUIET}" != "t" ]; then
 1129       printn "Searching for Madalin rootkit default files... "; fi
 1130    D=${ROOTDIR}usr/include
 1131    if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then
 1132        echo "Possible Madalin rootkit installed"
 1133    else
 1134       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1135    fi
 1136 
 1137    ### Fu rootkit
 1138    if [ "${QUIET}" != "t" ]; then
 1139       printn "Searching for Fu rootkit default files... "; fi
 1140    if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \
 1141         -f ${ROOTDIR}usr/include/ivtype.h ]; then
 1142       echo "Possible Fu rootkit installed"
 1143    else
 1144       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1145    fi
 1146 
 1147    ### ESRK
 1148    if [ "${QUIET}" != "t" ]; then
 1149       printn "Searching for ESRK rootkit default files... "; fi
 1150    if [ -d "${ROOTDIR}usr/lib/tcl5.3" ]; then
 1151       echo "Possible ESRK rootkit installed"
 1152    else
 1153       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1154    fi
 1155 
 1156    ## rootedoor
 1157    if [ "${QUIET}" != "t" ]; then
 1158       printn "Searching for rootedoor... "; fi
 1159    found=0
 1160    for i in `$echo $PATH|tr -s ':' ' '`; do
 1161       if [ -f "${ROOTDIR}${i}/rootedoor" ]; then
 1162          echo "Possible rootedoor installed in ${ROOTDIR}${i}"
 1163      found=1
 1164       fi
 1165    done
 1166    [ "${found}" = "0"  ] &&\
 1167    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1168 
 1169    ### ENYELKM
 1170    if [ "${QUIET}" != "t" ]; then
 1171       printn "Searching for ENYELKM rootkit default files... "; fi
 1172    if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then
 1173       echo "Possible ENYELKM rootkit installed"
 1174    else
 1175       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1176    fi
 1177 
 1178    ## Common SSH-SCANNERS
 1179    if [ "${QUIET}" != "t" ]; then
 1180       printn "Searching for common ssh-scanners default files... "; fi
 1181    files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`"
 1182    if [ "${files}" = "" ]; then
 1183       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1184    else
 1185      echo "${files}"
 1186    fi
 1187 
 1188    ## SSJD Operation Windigo  (Linux/Ebury) 
 1189    LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1" 
 1190    if [ "${QUIET}" != "t" ]; then
 1191       printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi
 1192    if $ssh -V 2>&1 | egrep "OpenSSH_[1-5]\.|OpenSSH_6\.[-0-7]" >/dev/null; then
 1193       if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then 
 1194          if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi
 1195       else
 1196          echo "Possible Linux/Ebury 1.4 - Operation Windigo installed" 
 1197       fi
 1198    fi
 1199    if [ ! -f "${ROOTDIR}${LIBKEY}" ]; then 
 1200       if [ "${QUIET}" != "t" ]; then 
 1201          echo "not tested"; fi
 1202    else
 1203       if ${strings} -a ${ROOTDIR}${LIBKEY} | egrep "libns2|libns5|libpw3|libpw5|libsbr|libslr" >/dev/null; then 
 1204          echo "Possible Linux/Ebury 1.6 - Operation Windigo installed"
 1205       else
 1206          if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi
 1207       fi
 1208    fi    
 1209    ##
 1210    ## Linux Rootkit 64 bits 
 1211    if [ "${QUIET}" != "t" ]; then
 1212       printn "Searching for 64-bit Linux Rootkit ... "; fi
 1213    if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \
 1214       ${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then
 1215       echo "Possible 64-bit Linux Rootkit"
 1216    else
 1217       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1218    fi
 1219    
 1220    if [ "${QUIET}" != "t" ]; then
 1221       printn "Searching for 64-bit Linux Rootkit modules... "; fi
 1222    files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`"
 1223    if [ "${files}" = "" ]; then
 1224       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1225    else
 1226      echo "${files}"
 1227    fi  
 1228   
 1229    ## Mumblehard backdoor/botnet
 1230    if [ "${QUIET}" != "t" ]; then
 1231       printn "Searching for Mumblehard Linux ... "; fi
 1232    if [ -e ${ROOTDIR}var/spool/cron/crontabs ]; then 
 1233       cat ${ROOTDIR}var/spool/cron/crontabs/* 2>/dev/null | egrep "var/tmp"  
 1234       if [ $? -ne 0 ] ; then 
 1235          if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1236       else 
 1237          echo "Possible Mumblehard backdoor installed"
 1238       fi
 1239    else 
 1240       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1241    fi
 1242    
 1243    ## Backdoor.Linux.Mokes.a 
 1244    if [ "${QUIET}" != "t" ]; then
 1245       printn "Searching for Backdoor.Linux.Mokes.a ... "; fi
 1246    files="`${find} ${ROOTDIR}tmp/ ${findargs} -name "ss0-[0-9]*" -o -name "kk-[0-9]*"   2> /dev/null`"
 1247    if [ "${files}" = "" ]; then
 1248       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1249    else
 1250      echo "${files}"
 1251    fi  
 1252 
 1253    ## Malicious TinyDNS 
 1254    if [ "${QUIET}" != "t" ]; then
 1255       printn "Searching for Malicious TinyDNS ... "; fi
 1256    files="`${find} "${ROOTDIR}home/ ./" 2> /dev/null`"
 1257    if [ "${files}" = "" ]; then 
 1258       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1259    else
 1260       echo "INFECTED: Possible Malicious TinyDNS installed"
 1261    fi      
 1262 
 1263    ## Linux/Xor.DDoS 
 1264    if [ "${QUIET}" != "t" ]; then
 1265       printn "Searching for Linux.Xor.DDoS ... "; fi
 1266    files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`"
 1267    if [ "${files}" = "" ]; then
 1268       files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`"
 1269       files="$files $($ls ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)" 
 1270       if [ "${files}" = " " ]; then 
 1271          if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1272       else
 1273          echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
 1274       fi
 1275    else
 1276      echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed"
 1277      echo "${files}"
 1278    fi  
 1279 
 1280    ## Linux.Proxy 1.0 
 1281    if [ "${QUIET}" != "t" ]; then
 1282       printn "Searching for Linux.Proxy.1.0 ... "; fi
 1283 
 1284    if ${egrep} -i mother ${ROOTDIR}etc/passwd >/dev/null 2>&1 ; then 
 1285       echo "INFECTED: Possible Malicious Linux.Proxy.10 installed"
 1286    else
 1287       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1288    fi
 1289 
 1290    # Linux/CrossRAT 
 1291    if [ "${QUIET}" != "t" ]; then
 1292       printn "Searching for CrossRAT ... "; fi
 1293    if ${ls} ${ROOTDIR}usr/var/mediamgrs.jar 2>/dev/null; then 
 1294       echo "INFECTED: Possible Malicious CrossRAT installed"
 1295    else
 1296       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1297    fi
 1298    ## Hidden Cobra (IBM AIX) 
 1299    if [ "${QUIET}" != "t" ]; then
 1300       printn "Searching for Hidden Cobra ... "; fi
 1301    if ${ls} ${ROOTDIR}tmp/.ICE-unix/m*.so ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then 
 1302       echo "INFECTED: Possible Malicious Hidden Cobra installed"
 1303    else
 1304       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1305    fi  
 1306 
 1307    ### Rocke Monero Miner
 1308    if [ "${QUIET}" != "t" ]; then
 1309       printn "Searching for Rocke Miner ... "; fi
 1310    if [ -f "${ROOTDIR}etc/ld.so.pre" -o -f "${ROOTDIR}etc/xig" ] ; then 
 1311       echo "INFECTED: Possible Malicious Rocke Miner installed"
 1312    else
 1313       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1314    fi  
 1315 
   ## PWNLNX4 - An LKM Rootkit
 1317    if [ "${QUIET}" != "t" ]; then
 1318       printn "Searching for PWNLNX4 lkm... "; fi
 1319    if [ -d "${ROOTDIR}/uOnlineBuilder64" -o -d "${ROOTDIR}/var/tmp/.1" -o -d "${ROOTDIR}/var/tmp/Linux_Server" ]; then 
 1320       echo "INFECTED: Possible Malicious PWNLNX4 installed"
 1321    else
 1322       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1323    fi
 1324 
   ## PWNLNX6 - Another LKM Rootkit
 1326    if [ "${QUIET}" != "t" ]; then
 1327       printn "Searching for PWNLNX6 lkm... "; fi
 1328    if [ -d "${ROOTDIR}/tmp/suterusu" ] ; then 
 1329       echo "INFECTED: Possible Malicious PWNLNX6 installed"
 1330    else
 1331       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1332    fi
 1333 
 1334    ## Umbreon Linux Rootkit
 1335    if [ "${QUIET}" != "t" ]; then
 1336       printn "Searching for Umbreon lrk... "; fi
 1337    if  ${ls} ${ROOTDIR}usr/share/libc.so.* > /dev/null 2>&1 ; then
 1338       echo "INFECTED: Possible Malicious UMBREON LRK installed"
 1339    else
 1340       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1341    fi
 1342 
 1343    ## KINSING.A Backdoor 
 1344    if [ "${QUIET}" != "t" ]; then
 1345       printn "Searching for Kinsing.a backdoor... "; fi
 1346    if  ${ls} "${ROOTDIR}tmp/kdevtmpfsi" > /dev/null 2>&1 ; then
 1347       echo "INFECTED: Possible Malicious KINSING.A Backdoor installed"
 1348    else
 1349       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1350    fi
 1351 
 1352    ## RotaJakiro Backdoor 
 1353    if [ "${QUIET}" != "t" ]; then
 1354       printn "Searching for RotaJakiro backdoor... "; fi
 1355    if  ${ls} "${ROOTDIR}bin/systemd-daemon" > /dev/null 2>&1 ; then
 1356       echo "INFECTED: Possible Malicious JOTAJAKIRO Backdoor installed"
 1357    else
 1358       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1359    fi
 1360 
 1361    ###
   ### Suspect PHP files
 1363    ###
 1364    if [ "${QUIET}" != "t" ]; then
 1365       printn "Searching for suspect PHP files... "; fi
 1366       files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`"
 1367 if [ `echo abc | _head -1` = "abc" ]; then
 1368       fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n 1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`"
 1369 else
 1370       fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`"
 1371 fi
 1372    if [ "${files}" = "" -a "${fileshead}" = "" ]; then
 1373       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1374    else
 1375      echo
 1376      echo "${files}"
 1377      echo "${fileshead}"
 1378    fi
 1379 
 1380    ###
 1381    ### shell history anomalies
 1382    ###
 1383    if [ "${QUIET}" != "t" ]; then \
 1384       printn "Searching for anomalies in shell history files... "; fi
 1385    files=""
 1386    if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
 1387       files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0`
 1388       [ ! -z "${files}" ] && \
 1389         echo "Warning: \`${files}' file size is zero"
 1390       files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)`
 1391       [ ! -z "${files1}" ] && \
 1392         echo "Warning: \`${files1}' is linked to another file"
 1393    fi
 1394    if [ -z "${files}" -a -z "${files1}" ]; then
 1395       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
 1396    fi
 1397 }
 1398 
 1399 ######################################################################
 1400 # util functions
 1401 
 1402 # our which(1)
loc () {
    ### usage: loc filename filename_to_return_if_nothing_was_found path
    ### Walk every directory given in "path" looking for "filename" (the name
    ### may carry a shell glob; the last expansion wins) and print the first
    ### regular file found.  When nothing matches, print the fallback name,
    ### prefixed with ROOTDIR unless ROOTDIR is "/".  A "." filename asks for
    ### the first directory that exists instead.
    ### Exits 0 on a hit and 1 on the fallback: callers run it inside a
    ### command substitution, so the exit only ends that subshell.
    thing=$1
    shift
    dflt=$1
    shift
    for dir in $*; do
        if [ "$thing" = "." ]; then
            if [ -d "$dir/$thing" ]; then
                echo "$dir"
                exit 0
            fi
            continue
        fi
        # Unquoted on purpose so a glob in $thing expands; keep the last match.
        for candidate in $dir/$thing; do
            thisthing=$candidate
        done
        if [ -f "$thisthing" ]; then
            echo "$thisthing"
            exit 0
        fi
    done
    if [ "${ROOTDIR}" = "/" ]; then
        echo "${dflt}"
    else
        echo "${ROOTDIR}${dflt}"
    fi
    exit 1
}
 1435 
getCMD() {
   # Resolve the binary behind service "$1" (e.g. inetd) and leave it in CMD.
   # Candidates, in order: the path column (field 5) of the first matching
   # line of "${ps} ${ps_cmd}" with our own grep/chkrootkit lines dropped,
   # then ${ROOTDIR}usr/sbin/$1, then whatever loc() finds on $pth.
   # Returns 0 with CMD set to the first readable candidate, 1 otherwise
   # (CMD then holds the last candidate tried).
   # NOTE(review): when ps reports nothing the first candidate collapses to
   # ${ROOTDIR} itself, which is a readable directory -- callers must reject
   # that value (chk_inetd does).
   RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
            ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
            ${awk} '{ print $5 }'`

   candidates="${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`"
   for CMD in ${candidates}; do
      [ -r "${CMD}" ] && return 0
   done
   return 1
}
 1451 
expertmode_output() {
    # Expert-mode (-x) helper: print a banner naming the command in "$1",
    # then run it with stderr folded into stdout so the report carries
    # everything the command emits.  Always returns 0.
    # NOTE: "$1" is passed through eval, so it must be a script-built,
    # trusted command string (callers pass "${strings} -a ${CMD}" style
    # text); never hand it anything derived from untrusted input.
    printf '###\n### Output of: %s\n###\n' "$1"
    eval $1 2>&1
    return 0
}
 1462 
tnfs ()
{
   ## Probe whether the local find(1) accepts "! -fstype nfs" so the big
   ## filesystem scans can skip NFS mounts.  Records the result in the global
   ## findargs: "! -fstype nfs " when the probe succeeds, empty otherwise.
   ## The probe is attempted with -maxdepth 0 first and falls back to -prune
   ## for finds that lack -maxdepth.
   findargs=""
   for probe in "-maxdepth 0" "-prune"; do
      # $probe is unquoted on purpose: "-maxdepth 0" must split in two.
      if find /etc $probe >/dev/null 2>&1; then
         find /etc ! -fstype nfs $probe >/dev/null 2>&1 && \
            findargs="! -fstype nfs "
         break
      fi
   done
}
 1475 
 1476 ######################################################################
 1477 # trojan functions
 1478 
chk_chfn () {
    # Look for rootkit markers in chfn(1).
    # Linux: a GENERIC_ROOTKIT_LABEL string in the binary means INFECTED.
    # FreeBSD: the label count is expected to be 1 on 5.0+ and 2 before;
    # any other count means INFECTED.  Other systems stay NOT_INFECTED.
    # Returns NOT_FOUND when chfn cannot be located and 5 after the
    # expert-mode strings dump.
    STATUS=${NOT_INFECTED}
    CMD=`loc chfn chfn $pth` || return ${NOT_FOUND}

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if [ "${SYSTEM}" = "Linux" ]; then
        ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" >/dev/null 2>&1 \
           && STATUS=${INFECTED}
    elif [ "${SYSTEM}" = "FreeBSD" ]; then
        # Expected label count depends on the FreeBSD major version.
        if [ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ]; then
           expected=1
        else
           expected=2
        fi
        hits=`${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"`
        [ "${hits}" -ne "${expected}" ] && STATUS=${INFECTED}
    fi
    return ${STATUS}
}
 1506 
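chk_chsh () {
    # Look for rootkit markers in chsh(1).
    # Linux: INFECTED when the binary carries a GENERIC_ROOTKIT_FEDORA string
    # and no REDHAT_PAM_LABEL string (Red Hat PAM builds carry the latter
    # legitimately).  On Fedora releases above 32 a narrower pattern is used
    # because the generic label matches the stock binary there.
    # FreeBSD: the generic label count is expected to be 1 on 5.0+ and 2
    # before; any other count is INFECTED.  Other systems stay NOT_INFECTED.
    # Returns NOT_FOUND when chsh cannot be located and 5 after the
    # expert-mode strings dump.
    STATUS=${NOT_INFECTED}
    CMD=`loc chsh chsh $pth`
    [ ${?} -ne 0 ] && return ${NOT_FOUND}

    REDHAT_PAM_LABEL="*NOT*"
    GENERIC_ROOTKIT_FEDORA=${GENERIC_ROOTKIT_LABEL}
    # Fix: honour ROOTDIR like every other path in this file, so a mounted
    # image is classified by its own release file, not the host's.
    if [ -f "${ROOTDIR}etc/system-release" ]; then
       v=`${egrep} -i fedora "${ROOTDIR}etc/system-release" | cut -d " " -f 3`
       # Fix: only compare when the field is purely numeric; a non-numeric
       # (or multi-line) value used to make test(1) print an error.
       case "${v}" in
          ""|*[!0-9]*) v=0;;
       esac
       if [ "${v}" -gt 32 ]; then
          GENERIC_ROOTKIT_FEDORA="bash|elite$|vejeta|\.ark|iroffer"
       fi
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    case "${SYSTEM}" in
       Linux)
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_FEDORA}" \
          >/dev/null 2>&1
          then
             # A Red Hat PAM build legitimately carries the PAM label; only
             # flag binaries that match the rootkit pattern without it.
             ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" >/dev/null 2>&1 \
                || STATUS=${INFECTED}
          fi;;
       FreeBSD)
          # Expected label count depends on the FreeBSD major version.
          [ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
          if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
             then
             STATUS=${INFECTED}
          fi;;
    esac
    return ${STATUS}
}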
 1548 
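chk_login () {
    # Look for rootkit markers in login(1).
    # SunOS: INFECTED when the binary carries a porcao or /bin/xstat string,
    # NOT_TESTED otherwise.
    # Other systems: count the "^root$" strings in the binary.  Zero is
    # accepted; a non-zero count is only accepted where the table below
    # expects it (1: OpenBSD before 2.7 or from 3.0; 2: FreeBSD, NetBSD, or
    # OpenBSD 2.8+; 6 or 7: HP-UX) and is INFECTED otherwise.  Any
    # TROJED_L_L string makes it INFECTED regardless of the count.
    # Returns 5 after the expert-mode strings dump.
    STATUS=${NOT_INFECTED}
    CMD=`loc login login $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if [ "$SYSTEM" = "SunOS" ]; then
      TROJED_L_L="porcao|/bin/xstat"
      # Fix: a stray "]" used to be passed to egrep as a file name, so egrep
      # ignored stdin and failed, and a trojaned login was always reported
      # NOT_TESTED here.
      if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1; then
          return ${INFECTED}
      else
          return ${NOT_TESTED}
      fi
    fi

    GENERAL="^root$"
    TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola"
    ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
    if [ ${ret} -gt 0 ]; then
        case ${ret} in
        1) # Accepted only on OpenBSD outside the 2.7 - 2.9 releases.
           if [ "${SYSTEM}" = "OpenBSD" ] && \
              [ `echo $V | ${awk} '{ if ($1 < 2.7 || $1 >= 3.0) print 1; else print 0}'` -eq 1 ]; then
              STATUS=${NOT_INFECTED}
           else
              STATUS=${INFECTED}
           fi;;
        2) # Accepted on FreeBSD and NetBSD, and on OpenBSD from 2.8 on.
           if [ "${SYSTEM}" = "FreeBSD" ] || [ "${SYSTEM}" = "NetBSD" ]; then
              STATUS=${NOT_INFECTED}
           elif [ "${SYSTEM}" = "OpenBSD" ] && \
              [ `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ]; then
              STATUS=${NOT_INFECTED}
           else
              STATUS=${INFECTED}
           fi;;
        6|7) # Accepted on HP-UX only.
           [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
        *) STATUS=${INFECTED};;
        esac
    fi
    # Fix: the redirections were "2>&1 >/dev/null", which still let egrep's
    # stderr reach the terminal.
    if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}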
 1586 
chk_passwd () {
    # Look for rootkit markers in passwd(1): a GENERIC_ROOTKIT_LABEL string
    # or a "/lib/security" reference in the binary means INFECTED.  When
    # loc() hands back something non-executable and ${ROOTDIR}usr/bin/passwd
    # is executable, the latter is checked instead.  OpenBSD, SunOS and
    # HP-UX are NOT_TESTED.
    # NOTE(review): unlike the sibling chk_* checks, expert mode prints the
    # strings dump and then falls through to the normal verdict instead of
    # returning 5 -- preserved as is; confirm whether that is intended.
    STATUS=${NOT_INFECTED}
    CMD=`loc passwd passwd $pth`
    if [ ! -x ${CMD} ] && [ -x ${ROOTDIR}usr/bin/passwd ]; then
       CMD="${ROOTDIR}usr/bin/passwd"
    fi

    [ "${EXPERT}" = "t" ] && expertmode_output "${strings} -a ${CMD}"

    case "${SYSTEM}" in
       OpenBSD|SunOS|HP-UX) return ${NOT_TESTED};;
    esac

    PASSWD_I_L="${GENERIC_ROOTKIT_LABEL}|/lib/security"
    ${strings} -a ${CMD} | ${egrep} "${PASSWD_I_L}" >/dev/null 2>&1 \
       && STATUS=${INFECTED}
    return ${STATUS}
}
 1611 
chk_inetd () {
    # Scan the inetd binary (getCMD leaves its path in CMD) for the generic
    # rootkit labels.  Returns NOT_TESTED when CMD is unreadable or is '/',
    # 5 in expert mode, INFECTED on a match, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    getCMD 'inetd'
    [ ! -r ${CMD} -o ${CMD} = '/' ] && return ${NOT_TESTED}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1633 
chk_syslogd () {
    # Scan syslogd for device names and headers left by trojaned builds.
    # Returns NOT_TESTED when the binary is unreadable, 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h"
    STATUS=${NOT_INFECTED}
    CMD=`loc syslogd syslogd $pth`
    if [ ! -r ${CMD} ]; then
       return ${NOT_TESTED}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1655 
chk_hdparm () {
    # Scan hdparm for the "/dev/ida" label.  Returns NOT_FOUND when the
    # binary is unreadable, 5 in expert mode, INFECTED on a match,
    # NOT_INFECTED otherwise.
    HDPARM_INFECTED_LABEL="/dev/ida"
    STATUS=${NOT_INFECTED}
    CMD=`loc hdparm hdparm $pth`
    if [ ! -r ${CMD} ]; then
       return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1677 
chk_gpm () {
    # Scan gpm for the "mingetty" string.  Returns NOT_FOUND when the binary
    # is unreadable, 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    GPM_INFECTED_LABEL="mingetty"
    STATUS=${NOT_INFECTED}
    CMD=`loc gpm gpm $pth`
    if [ ! -r ${CMD} ]; then
       return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1699 
chk_mingetty () {
    # Scan mingetty for the Italian strings "Dimensioni" / "pacchetto".
    # Returns NOT_FOUND when the binary is unreadable, 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
    STATUS=${NOT_INFECTED}
    CMD=`loc mingetty mingetty $pth`
    if [ ! -r ${CMD} ]; then
       return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1721 
chk_sendmail () {
    # Scan sendmail for SENDMAIL_INFECTED_LABEL.  Returns NOT_FOUND when the
    # binary is unreadable, 5 in expert mode, INFECTED on a match,
    # NOT_INFECTED otherwise.
    SENDMAIL_INFECTED_LABEL="fuck"
    STATUS=${NOT_INFECTED}
    CMD=`loc sendmail sendmail $pth`
    if [ ! -r ${CMD} ]; then
       return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1743 
chk_ls () {
    # Scan ls for device names and paths used by trojaned versions.
    # No readability check is made on CMD.  Returns 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
    STATUS=${NOT_INFECTED}
    CMD=`loc ls ls $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1760 
chk_du () {
    # Scan du for device names and labels used by trojaned versions.
    # No readability check is made on CMD.  Returns 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
    STATUS=${NOT_INFECTED}
    CMD=`loc du du $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1777 
chk_named () {
    # Scan the name server binary (named, then in.named) for "blah" or
    # "bye".  Returns NOT_FOUND when neither is readable, 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    NAMED_I_L="blah|bye"
    STATUS=${NOT_INFECTED}
    CMD=`loc named named $pth`
    if [ ! -r "${CMD}" ]; then
       CMD=`loc in.named in.named $pth`
       [ -r "${CMD}" ] || return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1802 
chk_netstat () {
    # Scan netstat for device names and symbols used by trojaned versions.
    # No readability check is made on CMD.  Returns 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
    STATUS=${NOT_INFECTED}
    CMD=`loc netstat netstat $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1820 
chk_ps () {
    # Scan ps for device names, headers and libraries used by trojaned
    # versions.  No readability check is made on CMD.  Returns 5 in expert
    # mode, INFECTED on a match, NOT_INFECTED otherwise.
    PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so"
    STATUS=${NOT_INFECTED}
    CMD=`loc ps ps $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1838 
chk_pstree () {
    # Scan pstree for device names and headers used by trojaned versions.
    # Returns NOT_FOUND when the binary is unreadable, 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h"
    STATUS=${NOT_INFECTED}
    CMD=`loc pstree pstree $pth`
    [ -r "${CMD}" ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1860 
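chk_crontab () {
    # Check whether user "nobody" has a crontab (reported as a possible
    # Lupper.Worm sign) and, if so, whether it matches CRONTAB_I_L.
    # Returns NOT_FOUND when crontab is unreadable, 5 in expert mode,
    # INFECTED when the pattern matches, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CRONTAB_I_L="crontab.*666"

    CMD=`loc crontab crontab $pth`

    if [ ! -r "${CMD}" ]; then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${CMD} -l -u nobody"
        return 5
    fi
    # slackware's crontab has a bug (original note; details not recorded)
    # Both patterns are quoted: the original's bare [0-9] was a glob that a
    # file named 0..9 in the working directory would have expanded, and the
    # bare $CRONTAB_I_L was subject to word splitting.
    if ( ${CMD} -l -u nobody | ${egrep} '[0-9]' ) >/dev/null 2>&1; then
        ${echo} "Warning: crontab for nobody found, possible Lupper.Worm... "
        if ${CMD} -l -u nobody 2>/dev/null | ${egrep} "${CRONTAB_I_L}" >/dev/null 2>&1; then
            STATUS=${INFECTED}
        fi
    fi
    return ${STATUS}
}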
 1886 
chk_top () {
    # Scan top for device names, headers and symbols used by trojaned
    # versions.  Returns NOT_FOUND when the binary is unreadable, 5 in
    # expert mode, INFECTED on a match, NOT_INFECTED otherwise.
    TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit"
    STATUS=${NOT_INFECTED}
    CMD=`loc top top $pth`
    if [ ! -r ${CMD} ]; then
        return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 1909 
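chk_pidof () {
    # Scan pidof for the "/dev/pty[pqrs]" label.  Returns NOT_FOUND when loc
    # fails, 5 in expert mode, INFECTED on a match, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    # Named after this check; the original reused TOP_INFECTED_LABEL, the
    # variable chk_top sets, which made the two checks look coupled.
    PIDOF_INFECTED_LABEL="/dev/pty[pqrs]"
    CMD=`loc pidof pidof $pth`

    if [ "${?}" -ne 0 ]; then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a "${CMD}" | ${egrep} "${PIDOF_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}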
 1931 
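chk_killall () {
    # Scan killall for device names and headers used by trojaned versions.
    # Returns NOT_FOUND when loc fails, 5 in expert mode, INFECTED on a
    # match, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    # Named after this check; the original reused TOP_INFECTED_LABEL, the
    # variable chk_top sets, which made the two checks look coupled.
    KILLALL_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h"
    CMD=`loc killall killall $pth`

    if [ "${?}" -ne 0 ]; then
        return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a "${CMD}" | ${egrep} "${KILLALL_INFECTED_LABEL}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}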
 1953 
chk_ldsopreload() {
    # Linux only: report INFECTED when the statically linked ./strings-static
    # can read ${ROOTDIR}lib/libshow.so or ${ROOTDIR}lib/libproc.a.
    # Returns NOT_TESTED on other systems or when ./strings-static is not
    # executable (after printing a notice), 5 in expert mode.
    STATUS=${NOT_INFECTED}
    CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a"

    if [ "${SYSTEM}" != "Linux" ]; then
       STATUS=${NOT_TESTED}
       return ${STATUS}
    fi

    if [ ! -x ./strings-static ]; then
      printn "can't exec ./strings-static, "
      return ${NOT_TESTED}
    fi

    case "${EXPERT}" in
      t) expertmode_output "./strings-static -a ${CMD}"
         return 5 ;;
    esac

    ### strings must be a statically linked binary.
    ./strings-static -a ${CMD} > /dev/null 2>&1 && STATUS=${INFECTED}
    return ${STATUS}
}
 1980 
chk_basename () {
    # Scan basename for the generic rootkit labels and, except on OSF1, for
    # an "s" in the owner-execute slot of its ls -l mode column.  Returns 5
    # in expert mode, INFECTED on either hit, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc basename basename $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}

    if [ "$SYSTEM" != "OSF1" ]; then
       ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 && STATUS=${INFECTED}
    fi
    return ${STATUS}
}
 2004 
chk_dirname () {
    # Scan dirname for the generic rootkit labels and for an "s" in the
    # owner-execute slot of its ls -l mode column.  Returns 5 in expert
    # mode, INFECTED on either hit, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc dirname dirname $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2024 
chk_traceroute () {
    # Scan traceroute for the generic rootkit labels.  Returns NOT_FOUND
    # when the binary is unreadable, 5 in expert mode, INFECTED on a match,
    # NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc traceroute traceroute $pth`
    [ -r "${CMD}" ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2045 
chk_rpcinfo () {
    # Scan rpcinfo for the generic rootkit labels and for an "s" in the
    # owner-execute slot of its ls -l mode column.  Returns NOT_FOUND when
    # the binary is unreadable, 5 in expert mode, INFECTED on either hit,
    # NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc rpcinfo rpcinfo $pth`
    [ -r "${CMD}" ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2071 
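chk_date () {
    # Scan date for the generic rootkit labels and for an "s" in the
    # owner-execute slot of its ls -l mode column.  On FreeBSD with V > 4.9
    # the labels that also match S_L are expected exactly 0 or 2 times, so
    # only another count is reported; elsewhere any label match is INFECTED.
    # Returns 5 in expert mode, else INFECTED or NOT_INFECTED.
    STATUS=${NOT_INFECTED}
    S_L="/bin/.*sh"
    CMD=`loc date date $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    # Plain if/else replaces the original "test && { } || { }" chain, whose
    # fallback branch depended on the exit status of the first group.
    if [ "${SYSTEM}" = "FreeBSD" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ]; then
       N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
          ${egrep} -c "$S_L"`
       if [ ${N} -ne 2 -a ${N} -ne 0 ]; then
          STATUS=${INFECTED}
       fi
    else
       # Matches are discarded; the original had no ">/dev/null" here, so
       # the matching strings were printed into the report.
       if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" >/dev/null 2>&1; then
          STATUS=${INFECTED}
       fi
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1; then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}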
 2102 
chk_echo () {
    # Scan echo for the generic rootkit labels and for an "s" in the
    # owner-execute slot of its ls -l mode column.  Returns 5 in expert
    # mode, INFECTED on either hit, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc echo echo $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2123 
chk_env () {
    # Scan env for the generic rootkit labels and for an "s" in the
    # owner-execute slot of its ls -l mode column.  Returns 5 in expert
    # mode, INFECTED on either hit, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc env env $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2145 
chk_timed () {
    # Scan the time daemon (timed, then in.timed) for the generic rootkit
    # labels.  Returns NOT_FOUND when loc fails for both names, 5 in expert
    # mode, INFECTED on a match, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc timed timed $pth`
    if [ ${?} -ne 0 ]; then
       CMD=`loc in.timed in.timed $pth`
       [ ${?} -eq 0 ] || return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2166 
chk_identd () {
    # Scan in.identd for the generic rootkit labels.  Returns NOT_FOUND when
    # loc fails, 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc in.identd in.identd $pth`
    [ ${?} -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2184 
chk_init () {
    # Scan init for the "UPX" packer signature.  Returns NOT_FOUND when loc
    # fails, 5 in expert mode, INFECTED on a match, NOT_INFECTED otherwise.
    INIT_INFECTED_LABEL="UPX"
    STATUS=${NOT_INFECTED}
    CMD=`loc init init $pth`
    [ ${?} -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2203 
chk_pop2 () {
    # Scan in.pop2d for the generic rootkit labels.  Returns NOT_FOUND when
    # loc fails, 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop2d in.pop2d $pth`
    [ ${?} -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2221 
chk_pop3 () {
    # Scan in.pop3d for the generic rootkit labels.  Returns NOT_FOUND when
    # loc fails, 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop3d in.pop3d $pth`
    [ ${?} -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2239 
chk_write () {
    # Scan write for WRITE_ROOTKIT_LABEL (ignoring lines containing "locale")
    # and for an "s" in the owner-execute slot of its ls -l mode column.
    # Expert mode returns 5 before the existence test; a missing file yields
    # NOT_FOUND.  Returns INFECTED on either hit, NOT_INFECTED otherwise.
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
    STATUS=${NOT_INFECTED}
    CMD=`loc write write $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    if [ ! -f "${CMD}" ]; then
       STATUS=${NOT_FOUND}
       return ${STATUS}
    fi

    ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2263 
chk_w () {
    # Scan w for the string "uname -a".  No readability check is made on
    # CMD.  Returns 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    W_INFECTED_LABEL="uname -a"
    STATUS=${NOT_INFECTED}
    CMD=`loc w w $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2280 
chk_vdir () {
    # Scan vdir for the "/lib/volc" path.  Returns NOT_FOUND when the binary
    # is unreadable, 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    VDIR_INFECTED_LABEL="/lib/volc"
    STATUS=${NOT_INFECTED}
    CMD=`loc vdir vdir $pth`
    if [ ! -r ${CMD} ]; then
        return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2300 
chk_tar () {
    # Report tar as INFECTED only when its ls -l mode column carries an "s"
    # in the owner-execute slot; no string scan is done.  Returns 5 in
    # expert mode, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc tar tar $pth`

    case "${EXPERT}" in
      t) expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2315 
rexedcs () {
    # The presence of an in.rexedcs binary is itself the indicator: whenever
    # loc finds one the result is INFECTED.  Otherwise prints "not found"
    # (unless QUIET is "t") and returns NOT_FOUND; 5 in expert mode.
    STATUS=${NOT_INFECTED}
    CMD=`loc in.rexedcs in.rexedcs $pth`
    if [ "${?}" -ne 0 ]; then
        [ "${QUIET}" != "t" ] && echo "not found"
        return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    STATUS=${INFECTED}
    return ${STATUS}
}
 2332 
chk_mail () {
    # Scan mail for the string "sh -i" and for an "s" in the owner-execute
    # slot of its ls -l mode column.  Returns NOT_FOUND when loc fails,
    # NOT_TESTED on HP-UX, 5 in expert mode, INFECTED on either hit,
    # NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc mail mail $pth`
    [ "${?}" -eq 0 ] || return ${NOT_FOUND}

    case "${SYSTEM}" in
      HP-UX) return $NOT_TESTED ;;
    esac

    MAIL_INFECTED_LABEL="sh -i"

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2361 
chk_biff () {
    # Scan biff for the generic rootkit labels and for an "s" in the
    # owner-execute slot of its ls -l mode column.  Returns NOT_FOUND when
    # loc fails, 5 in expert mode, INFECTED on either hit, NOT_INFECTED
    # otherwise.
    STATUS=${NOT_INFECTED}
    CMD=`loc biff biff $pth`
    [ "${?}" -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2386 
chk_egrep () {
    # Scan egrep for the string "blah".  No readability check is made on
    # CMD.  Returns 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    EGREP_INFECTED_LABEL="blah"
    STATUS=${NOT_INFECTED}
    CMD=`loc egrep egrep $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2403 
chk_grep () {
    # Scan grep for the string "givemer" and for an "s" in the owner-execute
    # slot of its ls -l mode column.  Returns 5 in expert mode, INFECTED on
    # either hit, NOT_INFECTED otherwise.
    GREP_INFECTED_LABEL="givemer"
    STATUS=${NOT_INFECTED}
    CMD=`loc grep grep $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         expertmode_output "${ls} -l ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2425 
chk_find () {
    # Scan find for device names and paths used by trojaned versions.
    # Returns NOT_FOUND when loc fails, 5 in expert mode, INFECTED on a
    # match, NOT_INFECTED otherwise.
    FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h"
    STATUS=${NOT_INFECTED}
    CMD=`loc find find $pth`
    [ "${?}" -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2447 
chk_rlogind () {
    # Scan the rlogin daemon (in.rlogind, then rlogind) for "p1r0c4" or
    # "r00t".  Returns NOT_FOUND when neither is executable, 5 in expert
    # mode, INFECTED on a match, NOT_INFECTED otherwise.
    RLOGIN_INFECTED_LABEL="p1r0c4|r00t"
    STATUS=${NOT_INFECTED}
    CMD=`loc in.rlogind in.rlogind $pth`
    if [ ! -x "${CMD}" ]; then
        CMD=`loc rlogind rlogind $pth`
        [ -x "${CMD}" ] || return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2468 
chk_lsof () {
    # Scan lsof for a string starting with "/prof".  Returns NOT_FOUND when
    # the binary is not executable, 5 in expert mode, INFECTED on a match,
    # NOT_INFECTED otherwise.
    LSOF_INFECTED_LABEL="^/prof"
    STATUS=${NOT_INFECTED}
    CMD=`loc lsof lsof $pth`
    [ -x "${CMD}" ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2486 
chk_amd () {
    # Scan amd for the string "blah".  Returns NOT_FOUND when the binary is
    # not executable, 5 in expert mode, INFECTED on a match, NOT_INFECTED
    # otherwise.
    AMD_INFECTED_LABEL="blah"
    STATUS=${NOT_INFECTED}
    CMD=`loc amd amd $pth`
    [ -x "${CMD}" ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2504 
chk_slogin () {
    # Scan slogin for SLOGIN_INFECTED_LABEL.  Returns NOT_FOUND when the
    # binary is not executable, 5 in expert mode, INFECTED on a match,
    # NOT_INFECTED otherwise.
    SLOGIN_INFECTED_LABEL="homo"
    STATUS=${NOT_INFECTED}
    CMD=`loc slogin slogin $pth`
    [ -x "${CMD}" ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2522 
chk_cron () {
    # Scan the cron daemon (cron, then crond) for hard-disk device names.
    # Returns NOT_FOUND when loc fails for both names, 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.
    CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
    STATUS=${NOT_INFECTED}
    CMD=`loc cron cron $pth`
    if [ "${?}" -ne 0 ]; then
        CMD=`loc crond crond $pth`
        [ "${?}" -eq 0 ] || return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2544 
chk_ifconfig () {
    # Inverse check: ifconfig is presumed INFECTED unless it still contains
    # the "PROMISC" string, and is INFECTED regardless when one of the
    # IFCONFIG_INFECTED_LABEL strings is present.  Returns NOT_FOUND when loc
    # fails and 5 in expert mode.
    STATUS=${INFECTED}
    CMD=`loc ifconfig ifconfig $pth`
    [ "${?}" -eq 0 ] || return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
    ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${NOT_INFECTED}
    ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" >/dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2571 
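chk_rshd () {
    # Scan rshd (fixed paths on Linux and FreeBSD, loc elsewhere) for the
    # "HISTFILE" string.  A match is downgraded to INFECTED_BUT_DISABLED when
    # the inetd.conf rshd line is commented out or ${ROOTDIR}etc/xinetd.d/rshd
    # exists.  Returns NOT_FOUND when no executable rshd is located, 5 in
    # expert mode, INFECTED or INFECTED_BUT_DISABLED on a match, NOT_INFECTED
    # otherwise.
    STATUS=${NOT_INFECTED}
    case "${SYSTEM}" in
       Linux) CMD="${ROOTDIR}usr/sbin/in.rshd";;
       FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";;
       *) CMD=`loc rshd rshd $pth`;;
    esac

    if [ ! -x "${CMD}" ]; then
       return ${NOT_FOUND}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    RSHD_INFECTED_LABEL="HISTFILE"
    if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        # The two tests are separate commands joined with "||".  The original
        # wrote "-o" between them, which the shell passed to egrep as an
        # argument along with the ls invocation, so the xinetd.d test was
        # never run as intended.
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 || \
           ${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1; then
           STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}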
 2599 
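chk_tcpdump () {
    # Look in the netstat/ss listing for the address:port a known tcpdump
    # trojan connects to.  _chk_netstat_or_ss (defined elsewhere in this
    # file) picks the tool into ${netstat}; ss takes "-a", netstat "-an".
    # Returns INFECTED on a match, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    # Dots are escaped so the pattern matches only the literal address; in
    # the original they were regex wildcards.
    TCPDUMP_I_L='212\.146\.0\.34:1963'
    _chk_netstat_or_ss
    OPT="-an"
    [ "${netstat}" = "ss" ] && OPT="-a"
    if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}" >/dev/null 2>&1; then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}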
 2611 
chk_tcpd () {
    # Locate tcpd -- field 6 of the first non-comment inetd.conf line that
    # mentions it, replaced by loc's answer when an xinetd process is running
    # or nothing was found -- and scan it for TCPD_INFECTED_LABEL.  Returns
    # NOT_FOUND when loc hands back the bare name "tcpd", 5 in expert mode,
    # INFECTED on a match, NOT_INFECTED otherwise.  _head is defined
    # elsewhere in this file.
    TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux"
    STATUS=${NOT_INFECTED}
    CMD=""
    if [ -r ${ROOTDIR}etc/inetd.conf ]; then
        CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \
             ${awk} '{ print $6 }'`
    fi
    ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1 \
        && CMD=`loc tcpd tcpd $pth`
    [ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth`

    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND}

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2637 
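chk_sshd () {
    # Scan sshd (getCMD leaves its path in CMD) for SSHD2_INFECTED_LABEL.
    # Returns NOT_FOUND when no readable sshd is located, 5 in expert mode,
    # INFECTED or INFECTED_BUT_DISABLED on a match, NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    SSHD2_INFECTED_LABEL="check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk"
    getCMD 'sshd'

    # Same "not found" guard as chk_inetd.  The original tested
    # "[ -s ${CMD} ]", which is true for every existing binary, so a present
    # sshd was reported as not found and never scanned.
    if [ ! -r "${CMD}" ] || [ "${CMD}" = '/' ]; then
       return ${NOT_FOUND}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a "${CMD}" | ${egrep} "${SSHD2_INFECTED_LABEL}" \
       > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        # NOTE(review): a *running* sshd downgrades the result to
        # INFECTED_BUT_DISABLED, which reads inverted, and "egrep sshd" can
        # match its own ps entry -- confirm the intended semantics before
        # relying on this branch.
        if ${ps} ${ps_cmd} | ${egrep} sshd >/dev/null 2>&1; then
           STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}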
 2662 
chk_su () {
    # Scan su for SU_INFECTED_LABEL.  No readability check is made on CMD.
    # Returns 5 in expert mode, INFECTED on a match, NOT_INFECTED otherwise.
    SU_INFECTED_LABEL="satori|vejeta|conf\.inv"
    STATUS=${NOT_INFECTED}
    CMD=`loc su su $pth`

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2679 
chk_fingerd () {
    # Scan the finger daemon (fingerd, then in.fingerd) for "cterm100" or
    # the generic rootkit labels.  Returns NOT_FOUND when loc fails for both
    # names, 5 in expert mode, INFECTED on a match, NOT_INFECTED otherwise.
    FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}"
    STATUS=${NOT_INFECTED}
    CMD=`loc fingerd fingerd $pth`
    if [ ${?} -ne 0 ]; then
        CMD=`loc in.fingerd in.fingerd $pth`
        [ ${?} -eq 0 ] || return ${NOT_FOUND}
    fi

    case "${EXPERT}" in
      t) expertmode_output "${strings} -a ${CMD}"
         return 5 ;;
    esac

    ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" > /dev/null 2>&1 \
        && STATUS=${INFECTED}
    return ${STATUS}
}
 2704 
 2705 
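chk_inetdconf () {
    # Scan ${ROOTDIR}etc/inetd.conf for non-comment stream/tcp/nowait records
    # whose server is a login shell.  Candidate shells come from the
    # non-comment lines of ${ROOTDIR}etc/shells when readable, otherwise
    # ${ROOTDIR}bin/sh and ${ROOTDIR}bin/bash.  Returns NOT_FOUND when
    # inetd.conf is unreadable, INFECTED when a record matches (the records
    # are printed in expert mode), NOT_INFECTED otherwise.
    STATUS=${NOT_INFECTED}
    SHELLS="${ROOTDIR}bin/sh ${ROOTDIR}bin/bash"

    if [ -r "${ROOTDIR}etc/shells" ]; then
        SHELLS="`${egrep} -v '^#' "${ROOTDIR}etc/shells"`"
    fi

    if [ ! -r "${ROOTDIR}etc/inetd.conf" ]; then
        return ${NOT_FOUND}
    fi

    for CHK_SHELL in ${SHELLS}; do
        # Only a real match (egrep status 0) counts.  The original tested
        # "$? -ne 1", which also took an egrep error (status 2) as a hit.
        if ${egrep} -v "^#" "${ROOTDIR}etc/inetd.conf" | \
           ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null 2>&1; then
            if [ "${EXPERT}" = "t" ]; then
                echo "Backdoor shell record(s) in /etc/inetd.conf: "
                ${egrep} -v "^#" "${ROOTDIR}etc/inetd.conf" | \
                    ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*"
            fi
            STATUS=${INFECTED}
        fi
    done
    return ${STATUS}
}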
 2731 
chk_telnetd () {
    STATUS=${NOT_INFECTED}
    # Terminal types and raw disk devices that mark known trojaned telnetd builds.
    TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]'

    # Locate the daemon under either of its conventional names.
    CMD=`loc telnetd telnetd $pth` || CMD=`loc in.telnetd in.telnetd $pth` || return ${NOT_FOUND}

    # Expert mode: print the strings, let the operator decide.
    [ "${EXPERT}" = "t" ] && { expertmode_output "${strings} -a ${CMD}"; return 5; }

    if ${strings} -a "${CMD}" | ${egrep} "${TELNETD_INFECTED_LABEL}" >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}
 2756 
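printn () {
    # Print $1 without a trailing newline on whichever echo is in use.
    # Probe: if "\c" comes out literally, this echo honours -n; otherwise it
    # honours the "\c" escape. The probe is tested directly rather than via a
    # backtick substitution, which ran the pipeline's (empty) output as a
    # command and relied on the shell propagating the substitution's status.
    if ${echo} "a\c" | ${egrep} c >/dev/null 2>&1 ; then
        ${echo} -n "$1"
    else
        ${echo} "${1}\c"
    fi
}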
 2764 
 2765 # main
 2766 #
 2767 
 2768 
 2769 ### using regexps, as the `-w' option to grep/egrep is not portable.
 2770 L_REGEXP='(^|[^A-Za-z0-9_])'
 2771 R_REGEXP='([^A-Za-z0-9_]|$)'
 2772 
 2773 ### default ROOTDIR is "/"
 2774 ROOTDIR='/'
 2775 mode="rt" 
 2776 
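while :
do
        case "$1" in
        -r)    ### -r dir: examine an alternative root. The binaries located
               ### via pth and the config files read (e.g. etc/inetd.conf)
               ### are then taken from under ROOTDIR.
               if [ -z "$2" ]; then
                   echo >&2 "$0: option -r requires a directory argument"
                   exit 1
               fi
               shift
               mode="pm"
               ROOTDIR=$1;;
        -p)    ### -p dir1:dir2:...: where to find the external commands
               ### chkrootkit itself runs (strings, ps, ls, ...). Point this at
               ### a known-good toolset when the host's own binaries are suspect.
               if [ -z "$2" ]; then
                   echo >&2 "$0: option -p requires a path argument"
                   exit 1
               fi
               shift
               CHKRKPATH=$1;;

        -d)     DEBUG=t;;

        -x)     EXPERT=t;;

        -q)     QUIET=t;;

        -V)     echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}"
                exit 1;;

        -l)     echo >&2 "$0: tests: ${TOOLS} ${TROJAN}"
                exit 1;;

        -n)     tnfs;;

        ### anything else starting with `-' is an unknown option: show usage
        -h | -*) echo >&2 "Usage: $0 [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -q                quiet mode
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit
        -n                skip NFS mounted dirs"
                exit 1;;
        *)      break
        esac

        shift
done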
 2819 
 2820 ### check the external commands needed
 2821 
 2822 cmdlist="
 2823 awk
 2824 cut
 2825 echo
 2826 egrep
 2827 find
 2828 head
 2829 id
 2830 ls
 2831 ps
 2832 sed
 2833 strings
 2834 uname
 2835 "
 2836 
 2837 ### PATH used by loc
### PATH used by loc: the caller's PATH plus the usual system and library
### directories, plus `.' (presumably so helpers shipped next to the script
### are found). NOTE(review): because of that `.', every tool can be picked up
### from the current directory -- run chkrootkit from a root-owned directory.
pth=`echo $PATH | tr ':' ' '`
pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ."

### external command's PATH: the -p list when given, otherwise pth itself
case "${CHKRKPATH}" in
'')  chkrkpth=${pth};;
*)   chkrkpth=`echo ${CHKRKPATH} | tr ':' ' '`;;
esac
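echo=echo
for file in $cmdlist; do
        xxx=`loc $file $file $chkrkpth`
        ### Validate what loc returned BEFORE it reaches eval: only something
        ### that looks like a path (absolute, or relative via the `.' entry
        ### of the search path) and is executable is accepted; otherwise abort.
        case "$xxx" in
        /* | ./* | ../*)

                if [ ! -x "${xxx}" ]
                then
                    echo >&2 "chkrootkit: can't exec \`$xxx'."
                    exit 1
                fi
                ;;
        *)
                echo >&2 "chkrootkit: can't find \`$file'."
                exit 1
                ;;
        esac
        ### Bind e.g. $awk to the located path. The value is passed to eval as
        ### a variable reference, so it is expanded once and never re-parsed
        ### as shell syntax.
        eval "$file=\$xxx"
done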
 2867 
 2868 
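SYSTEM=`${uname} -s`
VERSION=`${uname} -r`
### Only FreeBSD/OpenBSD need their real major.minor release in V; every
### other system gets the fixed value 4.4. Both operands are quoted so an
### empty SYSTEM (uname failed) lands in the default branch instead of
### producing a test(1) syntax error.
if [ "${SYSTEM}" != "FreeBSD" ] && [ "${SYSTEM}" != "OpenBSD" ] ; then
   V=4.4
else
   V=`echo "$VERSION" | ${sed} -e 's/[-_@].*//' | ${awk} -F . '{ print $1 "." $2 $3 }'`
fi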
 2876 
 2877 # head command
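_head()
{
   # Portable "first N lines". $1 is the count in the old `-N' spelling that
   # callers use; it is fed to `head -n N' when this head accepts -n, and
   # passed through unchanged to the legacy interface otherwise. The probe is
   # run directly in the `if' rather than inside backticks, which executed
   # the pipeline's (empty) output as a command and relied on the shell
   # propagating the substitution's exit status.
   if $echo a | $head -n 1 >/dev/null 2>&1 ; then
      $head -n `echo $1 | tr -d "-"`
   else
      $head $1
   fi
}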
 2886 # ps command
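ps_cmd="ax"
### On Solaris prefer the BSD-flavoured /usr/ucb/ps, unless the operator
### pinned a tool path with -p, in which case the ps located there is kept.
### Whatever binary is chosen, probe it once: BSD-style `ax' if accepted,
### SysV-style `-fe' otherwise. (Pre-setting ps_cmd in the Solaris branch is
### pointless, since the probe below always overwrites it.)
if [ "$SYSTEM" = "SunOS" ] && [ -z "${CHKRKPATH}" ] && [ -x /usr/ucb/ps ]; then
   ps="/usr/ucb/ps"
fi
# Check if ps command is ok
if ${ps} ax >/dev/null 2>&1 ; then
   ps_cmd="ax"
else
   ps_cmd="-fe"
fi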
 2906 
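### chkrootkit must run as root. The uid is parsed from the leading
### "uid=N(name)" field of id(1) output (presumably to accommodate id
### implementations without -u). Anything that is not a literal 0 --
### including an empty string when id could not be run or its output was
### not understood -- counts as "not root", so the script fails closed
### instead of carrying on with checks that would likely be meaningless.
chk_uid=`${id} | ${cut} -d= -f2 | ${cut} -d\( -f1`
if [ "${chk_uid}" != "0" ]; then
   echo >&2 "$0 needs root privileges"
   exit 1
fi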
 2911 
 2912 if [ $# -gt 0 ]
 2913 then
 2914     ### perform only tests supplied as arguments
 2915     for arg in $*
 2916     do
 2917         ### check if is a valid test name
 2918         if echo "${TROJAN} ${TOOLS}"| \
 2919            ${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1
 2920         then
 2921             echo >&2 "$0: \`$arg': not a known test"
 2922             exit 1
 2923         fi
 2924     done
 2925     LIST=$*
 2926 else
 2927     ### this is the default: perform all tests
 2928     LIST="${TROJAN} ${TOOLS}"
 2929 fi
 2930 
### -d: trace every command from here on
[ "${DEBUG}" = "t" ] && set -x
 2934 
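if [ "${ROOTDIR}" != "/" ]; then

    ### remove trailing `/' (all of them); the value is quoted so a ROOTDIR
    ### containing spaces or glob characters reaches sed intact
    ROOTDIR=`echo "${ROOTDIR}" | ${sed} -e 's/\/*$//g'`

    ### prefix every search directory with ROOTDIR so loc finds the examined
    ### system's binaries rather than the running host's
    for dir in ${pth}
    do
      case "${dir}" in
      /*) newpth="${newpth} ${ROOTDIR}${dir}";;
      *)  newpth="${newpth} ${ROOTDIR}/${dir}";;
      esac
    done
    pth=${newpth}
    ROOTDIR="${ROOTDIR}/"
fi
if [ "${QUIET}" != "t" ]; then
    echo "ROOTDIR is \`${ROOTDIR}'"
fi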
 2955 #
 2956 # NETSTAT OR SS
 2957 #
_chk_netstat_or_ss()
{
    # Prefer ss when it can be located, fall back to netstat. Like the other
    # locators this leaves whatever loc printed in the global CMD.
    if CMD=`loc ss ss $pth`; then
        netstat="ss"
    else
        netstat="netstat"
    fi
}
 2964 
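for cmd in ${LIST}
do
    if echo "${TROJAN}" | \
    ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1
    then
        ### binary check: chk_<name> returns one of the status codes below
        if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
           printn "Checking \`${cmd}'... "
        fi
        chk_${cmd}
        STATUS=$?
        ### quiet mode: report positive findings only. A trojaned binary that
        ### is not currently running (status 4) is still a compromise
        ### indicator, so it is reported as well rather than silently dropped.
        if [ "${QUIET}" = "t" ]; then
            case $STATUS in
            0) echo "Checking \`${cmd}'... INFECTED";;
            4) echo "Checking \`${cmd}'... infected but disabled";;
            esac
            continue
        fi
        case $STATUS in
        0) echo "INFECTED";;
        1) echo "not infected";;
        2) echo "not tested";;
        3) echo "not found";;
        4) echo "infected but disabled";;
        5) ;;   ### expert mode
        esac
    else
        ### external tool: the test name is run as a command (expected to be
        ### a function of that name defined outside this excerpt) and prints
        ### its own verdict
        if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then
            printn "Checking \`$cmd'... "
        fi
        ${cmd}
    fi
done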
 2999 
 3000 ### chkrootkit ends here.