Old 10-24-2005, 10:58 AM   #1
unSpawn
Moderator
Misc. patches for rkhunter-1.2.7.tar.gz


Rootkit Hunter, version 1.2.7, miscellaneous patches.

Since Mr. Boelen seems unavailable and there is no mailing list for Rootkit Hunter, I thought it best to post my patch here. The patch is clean against version 1.2.7 and is tested on Linux only.

Contents:
- not all binaries use testresult ( FOUND -eq 1) from BINPATHS,
- corrects finding skdet binary,
- skdet missing "-a" param,
- adding promisc flag to 1 interface, then adding next shows only last interface as promisc,
- parse subdirs for config file,
- "MYDIR" referenced in rkhunter but not in rkhunter.conf,
- use "-x" instead of "-f" for checking binaries,
- TMPDIR variable contamination by parent shell,
- corrects some SCAN_ROOTKIT tags,
- displaytext/logtext,
- adds alternative check for /var/log/ksymoops (if dir available).

*I would urge you to install "ip" since ifconfig is close to worthless.
Please test if you can, TIA.

Code:
--- rkhunter	2005-05-24 07:40:23.000000000 -0100
+++ rkhunter	2005-05-24 07:40:23.000000000 -0100
@@ -131,6 +131,9 @@
   NOARGS=1
 fi
 
+# Var contamination
+unset TMPDIR 
+
 while [ $# -ge 1 ]; do
   case $1 in
       --allow-ssh-root-user)
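Review bot: `unset TMPDIR` carries a trailing space after the variable name; trim it so the patch does not introduce whitespace noise. The placement (before the option loop) is right for the stated purpose, since anything the parent shell exported is discarded before the configuration-file lookup later in the script fills TMPDIR in; a comment saying that scratch files must not land in a directory chosen by the caller's environment would make the intent clearer than "Var contamination".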
@@ -564,11 +567,34 @@
 	               ( touch ${randf} && test -f ${randf} && rm -f ${randf} ||\
 	                logtext "WARNING! ${SCAN_ROOTKIT} ${ext} hiding" )
 	        done
-	        # If we've got skdet (check Debian), let's use it too
-	        which skdet 2>/dev/null >/dev/null && skdet
 	     else
 	      logtext "Info: Extended suckit tests skipped, due to missing stat binary"       
 	   fi
+
+          SCAN_ROOTKIT="Adore"
+            if [ "${SKDETFOUND}" -eq 1 ]; then
+	        # If we've got skdet (check Debian), let's use it too
+	         ${SKDETBINARY} -a 2>&1 | tr -s " " | grep -ie invis | while read pid invistag; do
+                        _thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND INVISIBLE PID [${pid}] "
+                        displaytext "$_thisAlert"; logtext "$_thisAlert"
+                 done
+
+	     else
+	      #logtext "Info: Extended suckit tests skipped, due to missing skdet binary"
+              logtext "Info: Extended Adore tests skipped, due to missing skdet binary, defaulting to ksymoops"
+                 # Hardcoded dir, now was this a requirement in the modutils or sysklogd package, or should we use "find"?
+                 if [ -d "/var/log/ksymoops" ]; then
+                        egrep -ie "(adore|cleaner)" /var/log/ksymoops/*.ksyms | while read line; do
+                             line=(${line}); _date=$(basename "${line[0]}");
+                             _y=${_date:0:4}; _m=${_date:4:2}; _d=${_date:6:2}
+                             _h=${_date:8:2} _m=${_date:10:2} _s=${_date:12:2}
+                             _mod=${line[2]}; _thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND module ${_mod} loaded ${_y}/${_m}/${_d} ${_h}:${_m}:${_s}"
+                             displaytext "$_thisAlert"; logtext "$_thisAlert" 
+                        done
+                 else
+                        logtext "Info: Extended Adore tests skipped, due to missing ksymoops directory"
+                 fi
+	    fi
 	  else
 	    logtext "Info: Extended suckit tests skipped for this operating system (no Linux architecture)"
 	fi
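Review bot: `_m` is assigned twice in the ksymoops branch, first as the month (`_m=${_date:4:2}`) and then as the minute (`_m=${_date:10:2}`), so the alert at `_thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND module ..."` prints the minute in both the date and the time position and the month is lost; use a distinct name such as `_min` and update the message. A second problem in the same loop: `egrep` only prefixes each match with the file name when its glob expands to more than one file, so with a single `*.ksyms` file `${line[0]}` is the first word of the log line rather than the path and the `basename`/substring date extraction produces garbage; append `/dev/null` as an extra argument (or use `grep -H`) to force the prefix. Finally, the three assignments on one line (`_h=... _m=... _s=...`) work in bash but read as a typo next to the semicolon-separated line above; separate them the same way.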
@@ -588,9 +614,13 @@
 
 
 # Check configuration file
-if [ "${CONFIGFILE}" = "" ]
+if [ -z "${CONFIGFILE}" ]
   then
-    if [ -f /etc/rkhunter.conf ]
+    # Relative, from current installdir root
+    if [ -d "../etc" -a -f "../etc/rkhunter.conf" ]
+      then
+        CONFIGFILE="../etc/rkhunter.conf"
+      elif [ -f "/etc/rkhunter.conf" ]
       then
         CONFIGFILE="/etc/rkhunter.conf"
       else
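Review bot: the new `../etc/rkhunter.conf` lookup is resolved against the current working directory, not the script's own location, and it is consulted before `/etc/rkhunter.conf`, so the configuration that gets loaded (including INSTALLDIR and TMPDIR) now depends on where the invoker happens to `cd` before running rkhunter. If the goal is running from an unpacked source tree, derive the path from the script's directory (e.g. `dirname "$0"`) or require an explicit `--configfile` for that case, and keep `/etc/rkhunter.conf` as the first default.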
@@ -606,8 +636,8 @@
 fi
 
 # Is the installation directory available in the configuration file? 
-MYDIR=`cat ${CONFIGFILE} | grep 'INSTALLDIR=' | sed s/INSTALLDIR=//`
-if [ "${MYDIR}" = "" ]
+MYDIR=`grep '^INSTALLDIR=' ${CONFIGFILE} | sed s/INSTALLDIR=//`
+if [ -z "${MYDIR}" ]
   then
     echo "Fatal error: can't find INSTALLDIR option in configuration file (${CONFIGFILE})"
     exit 1
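Review bot: anchoring the pattern with `^INSTALLDIR=` is an improvement, but the `sed s/INSTALLDIR=//` expression is still unanchored and `${CONFIGFILE}` is unquoted; use `sed 's/^INSTALLDIR=//'` and `"${CONFIGFILE}"`. If the key appears more than once in the file, MYDIR becomes a multi-line value and the later `-z` test still passes; either take the last match (`| tail -n 1`) or treat duplicates as a fatal configuration error.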
@@ -630,10 +660,10 @@
 if [ "${TMPDIR}" = "" ]
   then
     # Search in configuration file
-    TMPDIR=`cat ${CONFIGFILE} | egrep '^TMPDIR=' | sed s/TMPDIR=//`
+    TMPDIR=`grep '^TMPDIR=' ${CONFIGFILE} | sed s/TMPDIR=//`
     
     # If not available in configuration file, make it static
-    if [ "${TMPDIR}" = "" ]
+    if [ -z "${TMPDIR}" ]
       then
         TMPDIR="${MYDIR}/lib/rkhunter/tmp"
     fi
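Review bot: the inner test was converted to `[ -z "${TMPDIR}" ]` but the enclosing `if [ "${TMPDIR}" = "" ]` on the first context line was left in the old style; convert it as well for consistency. Since TMPDIR read from the configuration file is the directory the prelink verification output is written to later in the patch, this is also the natural place to verify that the directory exists, is owned by the running user and is not world-writable before accepting it, and to fail rather than fall back silently if it is not.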
@@ -715,33 +745,34 @@
 PERLFOUND=0; PRELINKFOUND=0; PSFOUND=0;
 STATFOUND=0; STRINGSFOUND=0
 WGETFOUND=0
-
+SKDETFOUND=0
 
 logtext "-------------------------- Application scan ---------------------------"
 
 for I in ${BINPATHS}; do
 
 
-  J=${I}"/find";      	if [ -f ${J} ]; then logtext "Found ${J}"; FINDFOUND=1;    	 FINDBINARY=${J};      	fi
-  J=${I}"/ip";      	if [ -f ${J} ]; then logtext "Found ${J}"; IPFOUND=1;    	 IPBINARY=${J};      	fi
-  J=${I}"/ifconfig";	if [ -f ${J} ]; then logtext "Found ${J}"; IFCONFIGFOUND=1;      IFCONFIGBINARY=${J};   fi
-  J=${I}"/lynx";    	if [ -f ${J} ]; then logtext "Found ${J}"; LYNXFOUND=1;	 	 LYNXBINARY=${J};       fi
-  J=${I}"/ls";      	if [ -f ${J} ]; then logtext "Found ${J}"; LSFOUND=1;   	 LSBINARY=${J};         fi
-  J=${I}"/lsattr";     	if [ -f ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1;  	 LSATTRBINARY=${J};     fi
-  J=${I}"/lsmod";      	if [ -f ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1;    	 LSMODBINARY=${J};      fi
-  J=${I}"/lsof";    	if [ -f ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1;    	 LSOFBINARY=${J};       fi
-  J=${I}"/md5";     	if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
-  J=${I}"/md5sum";  	if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
-  J=${I}"/nmap";    	if [ -f ${J} ]; then logtext "Found ${J}"; NMAPFOUND=1;    	 NMAPBINARY=${J};       fi
-  J=${I}"/prelink";   	if [ -f ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; 	 PRELINKBINARY=${J};    fi
-  J=${I}"/ps";      	if [ -f ${J} ]; then logtext "Found ${J}"; PSFOUND=1;      	 PSBINARY=${J};         fi
-  J=${I}"/stat"; 	if [ -f ${J} ]; then logtext "Found ${J}"; STATFOUND=1;	   	 STATBINARY=${J};       fi
-  J=${I}"/strings"; 	if [ -f ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; 	 STRINGSBINARY=${J};    fi
-  J=${I}"/wget";    	if [ -f ${J} ]; then logtext "Found ${J}"; WGETFOUND=1;    	 WGETBINARY=${J};       fi
+  J=${I}"/find";      	if [ -x ${J} ]; then logtext "Found ${J}"; FINDFOUND=1;    	 FINDBINARY=${J};      	fi
+  J=${I}"/ip";      	if [ -x ${J} ]; then logtext "Found ${J}"; IPFOUND=1;    	 IPBINARY=${J};      	fi
+  J=${I}"/ifconfig";	if [ -x ${J} ]; then logtext "Found ${J}"; IFCONFIGFOUND=1;      IFCONFIGBINARY=${J};   fi
+  J=${I}"/lynx";    	if [ -x ${J} ]; then logtext "Found ${J}"; LYNXFOUND=1;	 	 LYNXBINARY=${J};       fi
+  J=${I}"/ls";      	if [ -x ${J} ]; then logtext "Found ${J}"; LSFOUND=1;   	 LSBINARY=${J};         fi
+  J=${I}"/lsattr";     	if [ -x ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1;  	 LSATTRBINARY=${J};     fi
+  J=${I}"/lsmod";      	if [ -x ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1;    	 LSMODBINARY=${J};      fi
+  J=${I}"/lsof";    	if [ -x ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1;    	 LSOFBINARY=${J};       fi
+  J=${I}"/md5";     	if [ -x ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
+  J=${I}"/md5sum";  	if [ -x ${J} ]; then logtext "Found ${J}"; MD5FOUND=1;     	 MD5BINARY=${J};        fi
+  J=${I}"/nmap";    	if [ -x ${J} ]; then logtext "Found ${J}"; NMAPFOUND=1;    	 NMAPBINARY=${J};       fi
+  J=${I}"/prelink";   	if [ -x ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; 	 PRELINKBINARY=${J};    fi
+  J=${I}"/ps";      	if [ -x ${J} ]; then logtext "Found ${J}"; PSFOUND=1;      	 PSBINARY=${J};         fi
+  J=${I}"/stat"; 	if [ -x ${J} ]; then logtext "Found ${J}"; STATFOUND=1;	   	 STATBINARY=${J};       fi
+  J=${I}"/strings"; 	if [ -x ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; 	 STRINGSBINARY=${J};    fi
+  J=${I}"/wget";    	if [ -x ${J} ]; then logtext "Found ${J}"; WGETFOUND=1;    	 WGETBINARY=${J};       fi
+  J=${I}"/skdet";    	if [ -x ${J} ]; then logtext "Found ${J}"; SKDETFOUND=1;    	 SKDETBINARY=${J};      fi
   
   # Perl
   J=${I}"/perl";
-  if [ -f ${J} ]; then
+  if [ -x ${J} ]; then
     PERLFOUND=1
     PERLBINARY=${J}
     #PERLVERSION=`${J} -V:version | tr -d "version" | tr -d '=' | tr -d "'" | tr -d ";" `
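Review bot: `-x` is true for any path with an execute bit, including directories, so a stray directory named `${I}/find` (or `/skdet`) would now be recorded as the binary; test for a regular executable file with `[ -f ${J} -a -x ${J} ]`. The `${J}` operands are also unquoted, which breaks if any entry in BINPATHS contains whitespace. Unrelated to this change but visible here: both `md5` and `md5sum` set MD5FOUND/MD5BINARY, so on a system with both the later match silently wins.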
@@ -776,6 +807,12 @@
   logtext "Info: ip not found" >> ${DEBUGFILE}
 fi
 
+if [ "${SKDETFOUND}" -eq 1 ]; then
+  logtext "Info: skdet found" >> ${DEBUGFILE}
+ else
+  logtext "Info: skdet not found" >> ${DEBUGFILE}
+fi
+
 
 
 logtext "Application scan ended"
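Review bot: the added skdet block leaves three consecutive blank lines before `logtext "Application scan ended"` (the patch adds one and keeps the two existing ones); drop the added blank so the spacing matches the neighbouring `ip` block.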
@@ -2299,7 +2336,7 @@
 		  MYPACKAGES=`cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/" | grep ":${file}:" | cut -d : -f 6`
 		  #FILEHASHES=`echo ${i} | cut -d : -f 3`
 		  for J in ${FILEHASHES}; do
-		  if [ ${PRELINKING} -eq 1 ]
+		  if [ "$PRELINKING" -eq "1" -a "$PRELINKFOUND" -eq "1" ]
 		    then
 		      PRELINKVERIFY=`${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst`
 		      myhash=`${md5} ${TMPDIR}/prelink.tst | cut -d " " -f 1`
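Review bot: guarding on `PRELINKFOUND` is the right fix for invoking an empty `${PRELINKBINARY}`, but `[ "$PRELINKING" -eq "1" ]` still throws "integer expression expected" if PRELINKING is unset or empty; initialise it to 0 where the other `*FOUND` flags are set, or compare as strings (`"$PRELINKING" = "1"`). Note also that `PRELINKVERIFY` captures nothing because the command's output is redirected into `${TMPDIR}/prelink.tst`, so the assignment could be dropped.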
@@ -3843,7 +3880,7 @@
 	    	logtext "Possible promisc interfaces:"
 		logtext "Output test 1: ${PROMISCSCAN}"
 	        if [ ! "${PROMISCSCAN2}" = "" ]; then
-		  PROMISCSCAN2IFACES=`${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'`
+		  PROMISCSCAN2IFACES=( `${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'` ); PROMISCSCAN2IFACES="${PROMISCSCAN2IFACES[@]}"
 		  logtext "Output test 2: ${PROMISCSCAN2IFACES}"
 		  
 	        fi
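Review bot: the bash array followed by `PROMISCSCAN2IFACES="${PROMISCSCAN2IFACES[@]}"` is only there to turn the newline-separated `grep` output into a single space-separated line so `logtext` reports every interface instead of the last one; assigning a string back to the array name works (it sets element 0) but is confusing and makes the script depend on bash arrays. Appending `| tr '\n' ' '` to the existing pipeline achieves the same result in one step and keeps the variable a plain string.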
 
  