"Fossies" - the Fresh Open Source Software Archive

Member "chkrootkit-0.55/patch" (9 Jun 2021, 4927 Bytes) of package /linux/misc/chkrootkit-0.55.tar.gz:



    1 *** ../chkrootkit-0.54/chkrootkit	2020-12-20 00:32:29.040003633 -0500
    2 --- chkrootkit	2021-05-30 01:58:27.864993530 -0400
    3 ***************
    4 *** 1,8 ****
    5   #! /bin/sh
    6   # -*- Shell-script -*-
    7   
    8 ! # $Id: chkrootkit, v 0.54 2020/12/24
    9 ! CHKROOTKIT_VERSION='0.54' 
   10   
   11   # Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
   12   #          Klaus Steding-Jessen <jessen@cert.br>
   13 --- 1,8 ----
   14   #! /bin/sh
   15   # -*- Shell-script -*-
   16   
   17 ! # $Id: chkrootkit, v 0.55 2021/06/10
   18 ! CHKROOTKIT_VERSION='0.55' 
   19   
   20   # Authors: Nelson Murilo <nelson@pangeia.com.br> (main author) and
   21   #          Klaus Steding-Jessen <jessen@cert.br>
   22 ***************
   23 *** 311,317 ****
   24       prog=""
   25       if [  \( "${SYSTEM}" = "Linux"  -o \( "${SYSTEM}" = "FreeBSD" -a \
   26          `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
   27 !        [  -x ./chkproc -a "`find /proc 2>/dev/null| wc -l`" -gt 1 ] && prog="./chkproc"
   28         [  -x ./chkdirs ] && prog="$prog ./chkdirs"
   29         if [ "$prog" = "" -o ${mode} = "pm" ]; then
   30            echo "not tested: can't exec $prog"
   31 --- 311,317 ----
   32       prog=""
   33       if [  \( "${SYSTEM}" = "Linux"  -o \( "${SYSTEM}" = "FreeBSD" -a \
   34          `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then
   35 !        [  -x ./chkproc -a "`find /proc -maxdepth 1 2>/dev/null| wc -l`" -gt 1 ] && prog="./chkproc"
   36         [  -x ./chkdirs ] && prog="$prog ./chkdirs"
   37         if [ "$prog" = "" -o ${mode} = "pm" ]; then
   38            echo "not tested: can't exec $prog"
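Review bot: The rewritten probe on the `./chkproc` line still calls a bare `find`, while the other checks in this patch go through the script's tool variables (`${find}`, `${ls}`). On a host being examined for compromise, a PATH-resolved binary is the weaker choice. I would write the substitution as `${find} /proc -maxdepth 1 2>/dev/null | wc -l`, assuming `${find}` is already set at this point; the enclosing block starts outside the hunk, so that needs confirming. `-maxdepth` is not POSIX, which is tolerable only because this branch is limited to Linux and FreeBSD, and a one-line comment such as `# -maxdepth: GNU/BSD find only, branch is Linux/FreeBSD` would record that.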
   39 ***************
   40 *** 629,634 ****
   41 --- 629,643 ----
   42         ## PWNLNX6 - An LKM Roottkit 
   43         expertmode_output "${find} ${ROOTDIR}/tmp/suterusu"
   44   
   45 +       ## Umbreon 
   46 +       expertmode_output "${find} ${ROOTDIR}usr/share/libc.so*"
   47 + 
   48 +       ## KINSING.A Backdoor 
   49 +       expertmode_output "${find} ${ROOTDIR}tmp/kdevtmp*"
   50 + 
   51 +       ## RotaJakiro 
   52 +       expertmode_output "${ls} ${ROOTDIR}bin/system-daemon"
   53 + 
   54         ## Common SSH-SCANNERS
   55         expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2"
   56   
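Review bot: The expert-mode entry for RotaJakiro lists `${ROOTDIR}bin/system-daemon`, but the detection added in the hunk at `*** 1322,1327` tests `${ROOTDIR}bin/systemd-daemon`, so one of the two paths is misspelled. An analyst in expert mode is shown a different file from the one the normal run checks. The Umbreon and Kinsing entries have a milder version of the same drift (`libc.so*` and `kdevtmp*` here versus `libc.so.*` and `kdevtmpfsi` in the test). Pick the spelling that matches the published indicator and use it in both places, e.g. `expertmode_output "${ls} ${ROOTDIR}bin/systemd-daemon"` if the detection hunk is the correct one.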
   57 ***************
   58 *** 1289,1295 ****
   59      ## Hidden Cobra (IBM AIX) 
   60      if [ "${QUIET}" != "t" ]; then
   61         printn "Searching for Hidden Cobra ... "; fi
   62 !    if ${ls} "${ROOTDIR}tmp/.ICE-unix/m*.so" ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then 
   63         echo "INFECTED: Possible Malicious Hidden Cobra installed"
   64      else
   65         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   66 --- 1298,1304 ----
   67      ## Hidden Cobra (IBM AIX) 
   68      if [ "${QUIET}" != "t" ]; then
   69         printn "Searching for Hidden Cobra ... "; fi
   70 !    if ${ls} ${ROOTDIR}tmp/.ICE-unix/m*.so ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then 
   71         echo "INFECTED: Possible Malicious Hidden Cobra installed"
   72      else
   73         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
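Review bot: Removing the quotes lets `m*.so` expand, but the check on the `${ls}` line can still miss a hit because `ls` exits non-zero when any one operand is missing. If `engine.so` exists and no `m*.so` does (or the reverse), the unmatched argument makes the whole command fail and the script prints "nothing found". Testing the two indicators separately avoids that: `if ${ls} ${ROOTDIR}tmp/.ICE-unix/m*.so 2>/dev/null || ${ls} ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then`. Unlike the checks added later in this patch, stdout is not redirected here, so matched paths are printed before the INFECTED line; if that is intentional it deserves a comment. The `if` block is closed outside the hunk.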
   74 ***************
   75 *** 1322,1327 ****
   76 --- 1331,1363 ----
   77         if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   78      fi
   79   
   80 +    ## Umbreon Linux Rootkit
   81 +    if [ "${QUIET}" != "t" ]; then
   82 +       printn "Searching for Umbreon lrk... "; fi
   83 +    if  ${ls} ${ROOTDIR}usr/share/libc.so.* > /dev/null 2>&1 ; then
   84 +       echo "INFECTED: Possible Malicious UMBREON LRK installed"
   85 +    else
   86 +       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   87 +    fi
   88 + 
   89 +    ## KINSING.A Backdoor 
   90 +    if [ "${QUIET}" != "t" ]; then
   91 +       printn "Searching for Kinsing.a backdoor... "; fi
   92 +    if  ${ls} "${ROOTDIR}tmp/kdevtmpfsi" > /dev/null 2>&1 ; then
   93 +       echo "INFECTED: Possible Malicious KINSING.A Backdoor installed"
   94 +    else
   95 +       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
   96 +    fi
   97 + 
   98 +    ## RotaJakiro Backdoor 
   99 +    if [ "${QUIET}" != "t" ]; then
  100 +       printn "Searching for RotaJakiro backdoor... "; fi
  101 +    if  ${ls} "${ROOTDIR}bin/systemd-daemon" > /dev/null 2>&1 ; then
  102 +       echo "INFECTED: Possible Malicious JOTAJAKIRO Backdoor installed"
  103 +    else
  104 +       if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  105 +    fi
  106 + 
  107      ###
  108      ### Suspects PHP files
  109      ###
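Review bot: The RotaJakiro block reports `JOTAJAKIRO` in its INFECTED message, so anyone grepping chkrootkit output or logs for the family name will miss the hit. The line should read `echo "INFECTED: Possible Malicious ROTAJAKIRO Backdoor installed"`. In the Umbreon block the glob has to stay unquoted, but the prefix need not be: `"${ROOTDIR}"usr/share/libc.so.*` keeps the expansion while protecting a root directory that contains spaces. All three checks are single-path existence tests, and a comment above each naming the source of the indicator would help whoever has to triage a hit.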
  110 ***************
  111 *** 1477,1485 ****
  112       GENERIC_ROOTKIT_FEDORA=${GENERIC_ROOTKIT_LABEL} 
  113       if [ -f  /etc/system-release ]; then 
  114          v=`${egrep} -i fedora /etc/system-release | cut -d " " -f 3`
  115          if [ "$v" -gt "32" ]; then 
  116             GENERIC_ROOTKIT_FEDORA="bash|elite$|vejeta|\.ark|iroffer"
  117 !        fi
  118       fi
  119   
  120       if [ "${EXPERT}" = "t" ]; then
  121 --- 1513,1522 ----
  122       GENERIC_ROOTKIT_FEDORA=${GENERIC_ROOTKIT_LABEL} 
  123       if [ -f  /etc/system-release ]; then 
  124          v=`${egrep} -i fedora /etc/system-release | cut -d " " -f 3`
  125 +        test -n "$v" &&  { 
  126          if [ "$v" -gt "32" ]; then 
  127             GENERIC_ROOTKIT_FEDORA="bash|elite$|vejeta|\.ark|iroffer"
  128 !        fi } 
  129       fi
  130   
  131       if [ "${EXPERT}" = "t" ]; then
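Review bot: The new `test -n "$v"` guard covers only the empty case; a non-numeric third field, or more than one matching line in `/etc/system-release`, still reaches `[ "$v" -gt "32" ]` and fails with an integer-expression error. Because the test then evaluates false, the script silently keeps the generic label rather than the Fedora one. Normalising the value first is simpler than the brace wrapper: `case "$v" in ''|*[!0-9]*) v=0 ;; esac` placed before the existing `if`. The closing `fi }` is legal but easy to misread, and putting `}` on its own line would help. The enclosing function starts and ends outside the hunk.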