Chkrootkit 0.49 modifications and notes
Posted 01-06-2010 at 05:03 PM by unSpawn
Tags chkrootkit
Chkrootkit 0.49 was released on 2009/07/30 and after that I sent some emails about changes to the users mailing list and to Nelson. Since I never got word back I'll just post here. The patch below adds:
0) a new test called "promisctest" which utilizes '(/sbin/)ip' instead of 'ifconfig', because a sniffer (benign or malicious) does not need to have the interface in promiscuous mode (e.g.: 'ifconfig eth0 promisc && tcpdump -p -i any >/dev/null 2>&1 &') and 'ip' detects and differentiates libpcap/libnet-based sniffers where ifconfig/ifpromisc can not. * Google for phrases like: "libpcap vs ifconfig", "setsockopt vs SIOCGIFFLAGS" and "IFF_PROMISC vs PACKET_MR_PROMISC" for discussions,
1) a port whitelist for the bindshell() test. Just create a file called "/etc/chkrootkit.portwhitelist" and fill it with the PORT variable as you wish, with more or fewer port values, like:
Code:
PORT="6666|6667|6668"
to have it override the internal PORT variable. That's easier than having to modify $PATH/chkrootkit each time you need to add a port, which might make your file integrity checker (Samhain, AIDE, Osiris, Integrit or even Tripwire) trip, and
2) a change from /proc/ksyms (kernel 2.4) to /proc/kallsyms (kernel 2.6). Kinda odd this never got changed.
As usual YMMV(VM) as it works for me (and I've posted about and used the "promisctest" since Chkrootkit 0.42b).
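As an added example (my code, not chkrootkit's and not the promisctest() from the patch), here is the same flag check written in POSIX sh against constructed 'ip link show' output. It splits each device line into index, name and flags fields and looks for PROMISC only as a token of the flags field, so a device name or any other text on the line cannot match. The sample output and the function names (flags_promisc, promisc_devices, promisc_report) are mine, not part of the post.

```shell
#!/bin/sh
# Added example, not chkrootkit code: find interfaces whose "ip link show"
# flags field lists PROMISC, using only POSIX sh (no arrays, no bash-isms).

# Constructed sample "ip link show" output: eth1 is the interface a sniffer
# put into promiscuous mode; dummy0 has an empty flags field.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
4: dummy0: <> mtu 1500 qdisc noop state DOWN
    link/ether 52:54:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Constructed clean sample: no interface is promiscuous.
CLEAN_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000'

# flags_promisc "<A,B,...>": succeed (0) only when PROMISC is one of the
# comma-separated flags. "<A,B>" becomes ",A,B>" so every flag, including the
# first, is preceded by a comma; PROMISCX or a name like promisc0 never match.
flags_promisc() {
    case ",${1#<}" in
        *,PROMISC,*|*",PROMISC>") return 0 ;;
    esac
    return 1
}

# promisc_devices: read "ip link show" text on stdin and print the name of
# every promiscuous device. Returns 1 if at least one was found, 0 if none
# (non-zero means "something to look at", like a failing test).
promisc_devices() {
    found=0
    while read -r idx dev flags rest; do
        case "$idx" in [0-9]*:) ;; *) continue ;; esac   # "N: name: <FLAGS> ..." lines only
        if flags_promisc "$flags"; then
            printf '%s\n' "${dev%:}"
            found=1
        fi
    done
    return $found
}

# promisc_report: same input, one human-readable line per device in the style
# of the post's test; same return code as promisc_devices.
promisc_report() {
    rc=0
    while read -r idx dev flags rest; do
        case "$idx" in [0-9]*:) ;; *) continue ;; esac
        dev=${dev%:}
        if [ "$flags" = '<>' ]; then
            printf '%s\tnot tested: device has no flags\n' "$dev"
        elif flags_promisc "$flags"; then
            printf '%s\tIS PROMISC (%s)\n' "$dev" "$flags"
            rc=1
        else
            printf '%s\tis not promisc\n' "$dev"
        fi
    done
    return $rc
}

# Run against the constructed sample; for a live host use: ip link show | promisc_report
printf '%s\n' "$SAMPLE_IP_LINK" | promisc_report
```

Pipe the live output in with 'ip link show | promisc_report' and act on a non-zero exit status. As the post says, this only sees a sniffer that actually raised the PROMISC flag; a sniffer run with 'tcpdump -p' leaves nothing for this check to find.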
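The whitelist described above has chkrootkit 'source' a file from /etc, which runs whatever that file contains with chkrootkit's privileges. As an added example (my code, not part of the post or of chkrootkit) the following POSIX sh reads the same /etc/chkrootkit.portwhitelist as data instead: it accepts exactly one PORT="n|n|n" line with ports in 1-65535 and keeps the built-in list whenever the file is missing, a symlink, owned by someone else, writable by group or world, or malformed (an empty alternative such as PORT="6666|" would turn the bindshell pattern into "match everything", so that is rejected too). DEFAULT_PORT is a shortened copy of the script's own list; the function names are mine.

```shell
#!/bin/sh
# Added example, not chkrootkit code: load the bindshell port whitelist as
# data instead of sourcing it as shell code.

# Shortened from chkrootkit's built-in PORT list (the full list is in the patch).
DEFAULT_PORT="114|145|465|511|600|1008|1524|1999|31337|47017"

# whitelist_file_ok FILE: 0 if FILE is a plain file (not a symlink) owned by the
# user running the check and writable only by that owner; 1 otherwise.
# ls -n gives a numeric uid, so it works even where the uid has no name.
whitelist_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    set -- $(ls -nd "$f")            # "-rw-r--r-- 1 0 0 23 ... path": mode is $1, uid is $3
    mode=$1 uid=$3
    case "$mode" in
        -????w*|-???????w*) return 1 ;;  # group- or world-writable
        -*) ;;                            # regular file
        *)  return 1 ;;                   # symlink ("l...") or anything else
    esac
    [ "$uid" = "$(id -u)" ]
}

# parse_port_whitelist FILE: print the value of the single PORT="n|n|..." line
# in FILE; return 1 for anything else (extra lines, shell syntax, empty
# alternatives, non-digits, ports outside 1-65535).
parse_port_whitelist() {
    f=$1
    [ "$(grep -c '' "$f")" -eq 1 ] || return 1      # exactly one line
    line=$(cat "$f")
    case "$line" in
        PORT=\"*\") ;;
        *) return 1 ;;
    esac
    ports=${line#PORT=\"}
    ports=${ports%\"}
    case "$ports" in
        ''|\|*|*\|\|*|*\|) return 1 ;;             # empty or leading/double/trailing "|"
    esac
    oldifs=$IFS
    IFS='|'
    for p in $ports; do
        case "$p" in
            *[!0-9]*|??????*) IFS=$oldifs; return 1 ;;   # non-digits or 6+ digits
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then IFS=$oldifs; return 1; fi
    done
    IFS=$oldifs
    printf '%s\n' "$ports"
}

# load_port_whitelist FILE DEFAULT: print the PORT pattern bindshell should use.
# Returns 0 when the whitelist was applied, 1 when there is no whitelist file,
# 2 when a file exists but was rejected; DEFAULT is printed in the last two cases.
load_port_whitelist() {
    f=$1 default=$2
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        printf '%s\n' "$default"; return 1
    fi
    if ! whitelist_file_ok "$f"; then
        echo "bindshell: ignoring $f: not a regular file owned by uid $(id -u) and writable only by its owner" >&2
        printf '%s\n' "$default"; return 2
    fi
    if ports=$(parse_port_whitelist "$f"); then
        printf '%s\n' "$ports"; return 0
    fi
    echo "bindshell: ignoring $f: expected exactly one line PORT=\"n|n|...\" with ports 1-65535" >&2
    printf '%s\n' "$default"; return 2
}

# Usage, as bindshell() would do it (defaults are used when the file is absent).
PORT=$(load_port_whitelist /etc/chkrootkit.portwhitelist "$DEFAULT_PORT") || :
echo "bindshell will look for ports: $PORT"
```

The ownership and mode checks are there because chkrootkit is normally run as root on a machine that is already suspect; a file that anyone else can write to is exactly the thing an intruder would use to hide a bound port.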
Code:
--- chkrootkit 2009-08-01 23:04:17.000000000 +0000
+++ chkrootkit 2009-08-01 23:04:18.000000000 +0000
@@ -29,7 +29,7 @@
tcpdump top telnetd timed traceroute vdir w write"
# Tools
-TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG"
+TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG promisctest"
# Return Codes
INFECTED=0
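Review bot: "promisctest" is appended to TOOLS, so it runs by default, but nothing in the patch documents it; add it to the README's list of tests (and to the usage text if the tests are listed there) with a note that it is Linux-only and needs the ip binary, so the "not tested" lines it prints on other systems are expected rather than alarming.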
@@ -267,6 +267,9 @@
}
bindshell () {
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
+if [ -f "/etc/chkrootkit.portwhitelist" ]; then
+ source /etc/chkrootkit.portwhitelist || echo "${FUNCNAME}: failed to source /etc/chkrootkit.portwhitelist, using defaults."
+fi
OPT="-an"
PI=""
if [ "${ROOTDIR}" != "/" ]; then
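Review bot: sourcing /etc/chkrootkit.portwhitelist executes whatever that file contains with chkrootkit's privileges (normally root), and it can set PORT to anything, including an empty or catch-all pattern that makes the bindshell test useless; it is also read from the live system's /etc even when ROOTDIR points somewhere else, which is exactly where an intruder on the suspect host can write. Treat the file as data: check that it is a regular file owned by root and not group- or world-writable before reading it, and extract only a line of the form `PORT="digits|digits|..."` (e.g. with `${egrep}` and `sed`) instead of `source`. Separately, `source` and `${FUNCNAME}` are bash-only while the script runs under #!/bin/sh; use `.` and the literal function name in the message.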
@@ -306,7 +309,7 @@
fi
if [ "${EXPERT}" = "t" ]; then
- [ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
+ [ -r /proc/kallsyms ] && ${egrep} -i "adore|sebek" < /proc/kallsyms 2>/dev/null
[ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
[ "$PV" = "" ] && PV=2
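Review bot: replacing /proc/ksyms with /proc/kallsyms drops the 2.4 case instead of adding the 2.6 one, so a 2.4 host silently loses the EXPERT-mode adore/sebek symbol dump; loop over both paths (`for f in /proc/ksyms /proc/kallsyms; do [ -r $f ] && ${egrep} -i "adore|sebek" < $f; done`) so whichever exists is used. /proc/kallsyms is also absent on kernels built without CONFIG_KALLSYMS, and `[ -r ... ] &&` then produces no output at all; printing a "not tested" line in that case would tell the reader the check did not run rather than that it found nothing.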
@@ -316,14 +319,14 @@
fi
### adore LKM
- [ -r /proc/ksyms ] && \
- if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
+ [ -r /proc/kallsyms ] && \
+ if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then
echo "Warning: Adore LKM installed"
fi
### sebek LKM (Adore based)
- [ -r /proc/ksyms ] && \
- if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
+ [ -r /proc/kallsyms ] && \
+ if `${egrep} -i sebek < /proc/kallsyms >/dev/null 2>&1`; then
echo "Warning: Sebek LKM installed"
fi
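Review bot: same /proc/ksyms versus /proc/kallsyms concern as in the EXPERT block above: with only /proc/kallsyms checked, 2.4 kernels lose the "Adore LKM installed" and "Sebek LKM installed" warnings, so check both files. While these lines are being touched, the `if \`${egrep} ... >/dev/null 2>&1\`` form runs egrep inside a command substitution and hands its (empty) output to `if` as the command; `if ${egrep} -qi adore /proc/kallsyms; then` tests the exit status directly and reads more clearly, and with the EXPERT grep just above the same file is now read up to three times for the same two strings.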
@@ -2519,6 +2522,42 @@
fi
}
+promisctest () {
+ip="/sbin/ip"
+ if [ ! "$SYSTEM" = "Linux" ]; then
+ printf "%snot tested: non-Linux system.\n"
+ return ${NOT_TESTED}
+ elif [ ! "${VERSION:2:1}" -ge "4" ]; then
+ printf "%snot tested: unsupported kernel version.\n"
+ return ${NOT_TESTED}
+ elif [ ! -x ${ip} ]; then
+ printf "%snot tested: could not exec ${ip}.\n"
+ return ${NOT_TESTED}
+ fi
+ printf "%s\n"
+ ${ip} link show | ${egrep} "^[0-9]" | while read DEVF; do
+ DEVF=( ${DEVF} ); let DEVFLEN="${#DEVF[0]}+${#DEVF[1]}+${#DEVF[2]}"
+ if [ "${#DEVF[2]}" -le "4" -o "${DEVFLEN}" -le "9" ]; then
+ printf "%snot tested: device ${DEVF[1]} has only device flags: ${DEVF[2]}.\n"
+ else
+ printf "%s${DEVF[@]}" | ${egrep} -qe "PROMISC"
+ case "$?" in
+ 1) if [ "${EXPERT}" = "t" ]; then
+ printf "%s${DEVF[1]} has device flags: ${DEVF[2]}\n"
+ else
+ printf "%s${DEVF[1]}\tis not promisc\n"
+ fi;;
+ 0)
+ if [ "${EXPERT}" = "t" ]; then
+ printf "%s${DEVF[1]} has device flags: ${DEVF[2]}\n"
+ else
+ printf "%s${DEVF[1]}\tIS PROMISC\n"
+ fi;;
+ esac
+ fi
+ done
+ }
+
# main
#
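Review bot: promisctest() uses bash-only syntax (`DEVF=( ${DEVF} )`, `${#DEVF[0]}`, `${VERSION:2:1}`, `let`) in a script that runs under #!/bin/sh, so on hosts whose sh is dash or another POSIX shell the new test aborts with a syntax error instead of running; split the line with `set -- ${DEVF}` and use `$1 $2 $3`, or let `${awk}` do it. Further points in the same function: `${VERSION:2:1}` is the third character of `uname -r`, which is the minor number only for 2.x kernels, so compare the first two dotted fields numerically instead; /sbin/ip is hard-coded although not every distribution installs ip there, so locate it the way the script finds its other binaries and keep the "not tested" fallback; the PROMISC grep runs over the whole `ip link` line rather than just the flags field `${DEVF[2]}`, and `printf "%s${DEVF[@]}"` puts that output into the printf format string, so write `printf "%s\n" "${DEVF[2]}" | ${egrep} -q "[<,]PROMISC[,>]"`; the `-le 4` / `-le 9` length test needs a comment saying it is meant to skip an empty `<>` flags field; and the function never returns ${INFECTED} (defined at the top of the script) when it prints "IS PROMISC", unlike the other tests, so the finding is invisible to anything that reads chkrootkit's exit status.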
Apart from that patch, in chkrootkit-0.49 on line:
435) the BACKDOORS var could have some more names added for PHP shells like c99, dc3, hauru, ir4dex, n3tshell, locus, 0sirys, sniper, storm7shell (apart from the fact that using only names is a rather weak way of determining things),
509) could have the "r" added to read "-name sourcemask",
811) could possibly be changed because why duplicate the BACKDOORS var again instead of initializing it once?,
1115) could be changed because there are two default strings to hide with ENYE LKM, not one...
*If you want to discuss things then the appropriate thing to do would be to subscribe to the Chkrootkit users mailing list and ask there.