Rootkit Hunter, version 1.2.7, miscellaneous patches.
Since Mr Boelen seems unavailable and there is no mailing list for Rootkit Hunter, I thought it best to post my patch here. The patch is clean against version 1.2.7 and has been tested on Linux only.
Contents:
- not all binaries use testresult ( FOUND -eq 1) from BINPATHS,
- corrects finding skdet binary,
- skdet missing "-a" param,
- adding promisc flag to 1 interface, then adding next shows only last interface as promisc,
- parse subdirs for config file,
- "MYDIR" referenced in rkhunter but not in rkhunter.conf,
- use "-x" instead of "-f" for checking binaries,
- TMPDIR variable contamination by parent shell,
- correct some SCAN_ROOTKIT tag,
- displaytext/logtext,
- adds alternative check for /var/log/ksymoops (if dir available).
*I would urge you to install "ip" since ifconfig is close to worthless.
Please test if you can, TIA.
Code:
--- rkhunter 2005-05-24 07:40:23.000000000 -0100
+++ rkhunter 2005-05-24 07:40:23.000000000 -0100
@@ -131,6 +131,9 @@
NOARGS=1
fi
+# Var contamination
+unset TMPDIR
+
while [ $# -ge 1 ]; do
case $1 in
--allow-ssh-root-user)
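Review bot: The comment above the added `unset TMPDIR` does not say why an inherited value matters: later in the script TMPDIR is taken from the configuration file only when it is empty, so a value inherited from the caller's environment would decide where rkhunter writes its temporary files. Replace `# Var contamination` with `# Ignore an inherited TMPDIR: it is derived from the configuration file below, and an environment-supplied value would redirect our temporary files.` Unsetting it here also removes TMPDIR from the environment of every program rkhunter runs afterwards, which is presumably acceptable but worth stating in the same comment. The option-parsing `while` loop that follows continues past the hunk.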
@@ -564,11 +567,34 @@
( touch ${randf} && test -f ${randf} && rm -f ${randf} ||\
logtext "WARNING! ${SCAN_ROOTKIT} ${ext} hiding" )
done
- # If we've got skdet (check Debian), let's use it too
- which skdet 2>/dev/null >/dev/null && skdet
else
logtext "Info: Extended suckit tests skipped, due to missing stat binary"
fi
+
+ SCAN_ROOTKIT="Adore"
+ if [ "${SKDETFOUND}" -eq 1 ]; then
+ # If we've got skdet (check Debian), let's use it too
+ ${SKDETBINARY} -a 2>&1 | tr -s " " | grep -ie invis | while read pid invistag; do
+ _thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND INVISIBLE PID [${pid}] "
+ displaytext "$_thisAlert"; logtext "$_thisAlert"
+ done
+
+ else
+ #logtext "Info: Extended suckit tests skipped, due to missing skdet binary"
+ logtext "Info: Extended Adore tests skipped, due to missing skdet binary, defaulting to ksymoops"
+ # Hardcoded dir, now was this a requirement in the modutils or sysklogd package, or should we use "find"?
+ if [ -d "/var/log/ksymoops" ]; then
+ egrep -ie "(adore|cleaner)" /var/log/ksymoops/*.ksyms | while read line; do
+ line=(${line}); _date=$(basename "${line[0]}");
+ _y=${_date:0:4}; _m=${_date:4:2}; _d=${_date:6:2}
+ _h=${_date:8:2} _m=${_date:10:2} _s=${_date:12:2}
+ _mod=${line[2]}; _thisAlert="WARNING! ${SCAN_ROOTKIT} FOUND module ${_mod} loaded ${_y}/${_m}/${_d} ${_h}:${_m}:${_s}"
+ displaytext "$_thisAlert"; logtext "$_thisAlert"
+ done
+ else
+ logtext "Info: Extended Adore tests skipped, due to missing ksymoops directory"
+ fi
+ fi
else
logtext "Info: Extended suckit tests skipped for this operating system (no Linux architecture)"
fi
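Review bot: `_m` is assigned twice in the ksymoops branch, `_m=${_date:4:2}` for the month and then `_m=${_date:10:2}` for the minute, so the alert prints the minute in the month position of the date. Give the minute its own name: `_h=${_date:8:2} _mi=${_date:10:2} _s=${_date:12:2}` and `... loaded ${_y}/${_m}/${_d} ${_h}:${_mi}:${_s}"`. The `_date` extraction also relies on egrep prefixing each match with its file name, which egrep only does when the glob matches more than one file (there is no `-H`), so with a single `.ksyms` file `${line[0]}` is the first word of the matched line rather than the file name. Both `while read` loops should use `read -r`, and since each runs in a pipeline subshell any variable set inside them is not visible afterwards. The `if` that the `else` on the stat-binary branch belongs to opens before the hunk.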
@@ -588,9 +614,13 @@
# Check configuration file
-if [ "${CONFIGFILE}" = "" ]
+if [ -z "${CONFIGFILE}" ]
then
- if [ -f /etc/rkhunter.conf ]
+ # Relative, from current installdir root
+ if [ -d "../etc" -a -f "../etc/rkhunter.conf" ]
+ then
+ CONFIGFILE="../etc/rkhunter.conf"
+ elif [ -f "/etc/rkhunter.conf" ]
then
CONFIGFILE="/etc/rkhunter.conf"
else
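Review bot: The new `../etc/rkhunter.conf` lookup is relative to the caller's current directory, not to the install directory the comment names, so whoever controls the directory rkhunter happens to be started from decides which configuration file, and with it INSTALLDIR, wins over `/etc/rkhunter.conf`. Anchor the path to the script's own location instead: `confdir="$(dirname -- "$0")/../etc"` followed by `if [ -f "${confdir}/rkhunter.conf" ]; then CONFIGFILE="${confdir}/rkhunter.conf"`. The separate `-d "../etc"` test is redundant once the `-f` test on the file is there. The `if`/`elif` chain continues past the hunk.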
@@ -606,8 +636,8 @@
fi
# Is the installation directory available in the configuration file?
-MYDIR=`cat ${CONFIGFILE} | grep 'INSTALLDIR=' | sed s/INSTALLDIR=//`
-if [ "${MYDIR}" = "" ]
+MYDIR=`grep '^INSTALLDIR=' ${CONFIGFILE} | sed s/INSTALLDIR=//`
+if [ -z "${MYDIR}" ]
then
echo "Fatal error: can't find INSTALLDIR option in configuration file (${CONFIGFILE})"
exit 1
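Review bot: `${CONFIGFILE}` is still unquoted in the rewritten grep on the `MYDIR=` line, and the sed pattern is not anchored, so a second `INSTALLDIR=` later on the same line would be stripped too; the same applies to the `TMPDIR=` line in the next hunk. Suggested form: `MYDIR=$(grep '^INSTALLDIR=' "${CONFIGFILE}" | sed 's/^INSTALLDIR=//')`. If the key occurs more than once in the file MYDIR becomes multi-line and the `-z` test still passes, which is presumably not intended; a trailing `head -n 1` would make the choice explicit. The `if` opened at the `-z "${MYDIR}"` test closes after the hunk.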
@@ -630,10 +660,10 @@
if [ "${TMPDIR}" = "" ]
then
# Search in configuration file
- TMPDIR=`cat ${CONFIGFILE} | egrep '^TMPDIR=' | sed s/TMPDIR=//`
+ TMPDIR=`grep '^TMPDIR=' ${CONFIGFILE} | sed s/TMPDIR=//`
# If not available in configuration file, make it static
- if [ "${TMPDIR}" = "" ]
+ if [ -z "${TMPDIR}" ]
then
TMPDIR="${MYDIR}/lib/rkhunter/tmp"
fi
@@ -715,33 +745,34 @@
PERLFOUND=0; PRELINKFOUND=0; PSFOUND=0;
STATFOUND=0; STRINGSFOUND=0
WGETFOUND=0
-
+SKDETFOUND=0
logtext "-------------------------- Application scan ---------------------------"
for I in ${BINPATHS}; do
- J=${I}"/find"; if [ -f ${J} ]; then logtext "Found ${J}"; FINDFOUND=1; FINDBINARY=${J}; fi
- J=${I}"/ip"; if [ -f ${J} ]; then logtext "Found ${J}"; IPFOUND=1; IPBINARY=${J}; fi
- J=${I}"/ifconfig"; if [ -f ${J} ]; then logtext "Found ${J}"; IFCONFIGFOUND=1; IFCONFIGBINARY=${J}; fi
- J=${I}"/lynx"; if [ -f ${J} ]; then logtext "Found ${J}"; LYNXFOUND=1; LYNXBINARY=${J}; fi
- J=${I}"/ls"; if [ -f ${J} ]; then logtext "Found ${J}"; LSFOUND=1; LSBINARY=${J}; fi
- J=${I}"/lsattr"; if [ -f ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1; LSATTRBINARY=${J}; fi
- J=${I}"/lsmod"; if [ -f ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1; LSMODBINARY=${J}; fi
- J=${I}"/lsof"; if [ -f ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1; LSOFBINARY=${J}; fi
- J=${I}"/md5"; if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1; MD5BINARY=${J}; fi
- J=${I}"/md5sum"; if [ -f ${J} ]; then logtext "Found ${J}"; MD5FOUND=1; MD5BINARY=${J}; fi
- J=${I}"/nmap"; if [ -f ${J} ]; then logtext "Found ${J}"; NMAPFOUND=1; NMAPBINARY=${J}; fi
- J=${I}"/prelink"; if [ -f ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; PRELINKBINARY=${J}; fi
- J=${I}"/ps"; if [ -f ${J} ]; then logtext "Found ${J}"; PSFOUND=1; PSBINARY=${J}; fi
- J=${I}"/stat"; if [ -f ${J} ]; then logtext "Found ${J}"; STATFOUND=1; STATBINARY=${J}; fi
- J=${I}"/strings"; if [ -f ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; STRINGSBINARY=${J}; fi
- J=${I}"/wget"; if [ -f ${J} ]; then logtext "Found ${J}"; WGETFOUND=1; WGETBINARY=${J}; fi
+ J=${I}"/find"; if [ -x ${J} ]; then logtext "Found ${J}"; FINDFOUND=1; FINDBINARY=${J}; fi
+ J=${I}"/ip"; if [ -x ${J} ]; then logtext "Found ${J}"; IPFOUND=1; IPBINARY=${J}; fi
+ J=${I}"/ifconfig"; if [ -x ${J} ]; then logtext "Found ${J}"; IFCONFIGFOUND=1; IFCONFIGBINARY=${J}; fi
+ J=${I}"/lynx"; if [ -x ${J} ]; then logtext "Found ${J}"; LYNXFOUND=1; LYNXBINARY=${J}; fi
+ J=${I}"/ls"; if [ -x ${J} ]; then logtext "Found ${J}"; LSFOUND=1; LSBINARY=${J}; fi
+ J=${I}"/lsattr"; if [ -x ${J} ]; then logtext "Found ${J}"; LSATTRFOUND=1; LSATTRBINARY=${J}; fi
+ J=${I}"/lsmod"; if [ -x ${J} ]; then logtext "Found ${J}"; LSMODFOUND=1; LSMODBINARY=${J}; fi
+ J=${I}"/lsof"; if [ -x ${J} ]; then logtext "Found ${J}"; LSOFFOUND=1; LSOFBINARY=${J}; fi
+ J=${I}"/md5"; if [ -x ${J} ]; then logtext "Found ${J}"; MD5FOUND=1; MD5BINARY=${J}; fi
+ J=${I}"/md5sum"; if [ -x ${J} ]; then logtext "Found ${J}"; MD5FOUND=1; MD5BINARY=${J}; fi
+ J=${I}"/nmap"; if [ -x ${J} ]; then logtext "Found ${J}"; NMAPFOUND=1; NMAPBINARY=${J}; fi
+ J=${I}"/prelink"; if [ -x ${J} ]; then logtext "Found ${J}"; PRELINKFOUND=1; PRELINKBINARY=${J}; fi
+ J=${I}"/ps"; if [ -x ${J} ]; then logtext "Found ${J}"; PSFOUND=1; PSBINARY=${J}; fi
+ J=${I}"/stat"; if [ -x ${J} ]; then logtext "Found ${J}"; STATFOUND=1; STATBINARY=${J}; fi
+ J=${I}"/strings"; if [ -x ${J} ]; then logtext "Found ${J}"; STRINGSFOUND=1; STRINGSBINARY=${J}; fi
+ J=${I}"/wget"; if [ -x ${J} ]; then logtext "Found ${J}"; WGETFOUND=1; WGETBINARY=${J}; fi
+ J=${I}"/skdet"; if [ -x ${J} ]; then logtext "Found ${J}"; SKDETFOUND=1; SKDETBINARY=${J}; fi
# Perl
J=${I}"/perl";
- if [ -f ${J} ]; then
+ if [ -x ${J} ]; then
PERLFOUND=1
PERLBINARY=${J}
#PERLVERSION=`${J} -V:version | tr -d "version" | tr -d '=' | tr -d "'" | tr -d ";" `
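Review bot: `[ -x ${J} ]` on its own is also true for a directory with search permission, so a directory named like a tool (for example `${I}/stat`) would now be recorded as that binary; the `-f` test the patch removes ruled that out. Keep both tests, `if [ -f ${J} -a -x ${J} ]; then`, on each tool line and on the perl test. `${J}` is unquoted throughout, which is fine only as long as BINPATHS never contains an entry with whitespace. The `for I in ${BINPATHS}` loop continues past the hunk.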
@@ -776,6 +807,12 @@
logtext "Info: ip not found" >> ${DEBUGFILE}
fi
+if [ "${SKDETFOUND}" -eq 1 ]; then
+ logtext "Info: skdet found" >> ${DEBUGFILE}
+ else
+ logtext "Info: skdet not found" >> ${DEBUGFILE}
+fi
+
logtext "Application scan ended"
@@ -2299,7 +2336,7 @@
MYPACKAGES=`cat ${DB_PATH}/defaulthashes.dat | grep "${os_id}:/" | grep ":${file}:" | cut -d : -f 6`
#FILEHASHES=`echo ${i} | cut -d : -f 3`
for J in ${FILEHASHES}; do
- if [ ${PRELINKING} -eq 1 ]
+ if [ "$PRELINKING" -eq "1" -a "$PRELINKFOUND" -eq "1" ]
then
PRELINKVERIFY=`${PRELINKBINARY} --verify ${file} > ${TMPDIR}/prelink.tst`
myhash=`${md5} ${TMPDIR}/prelink.tst | cut -d " " -f 1`
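Review bot: With the added `PRELINKFOUND` condition, a host that has PRELINKING=1 but no prelink binary now silently takes the other branch and hashes the prelinked file as-is, which will presumably report mismatches against the stored hashes without saying why. Log the situation once so the result is explainable, e.g. `if [ "$PRELINKING" -eq 1 -a "$PRELINKFOUND" -eq 0 ]; then logtext "Warning: prelinking enabled but no prelink binary found; hashes of prelinked files cannot be verified"; fi` ahead of the `for J` loop. `-a` inside `[ ]` is deprecated; `[ "$PRELINKING" -eq 1 ] && [ "$PRELINKFOUND" -eq 1 ]` avoids it. The `for J in ${FILEHASHES}` loop and the `if` it contains continue past the hunk.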
@@ -3843,7 +3880,7 @@
logtext "Possible promisc interfaces:"
logtext "Output test 1: ${PROMISCSCAN}"
if [ ! "${PROMISCSCAN2}" = "" ]; then
- PROMISCSCAN2IFACES=`${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'`
+ PROMISCSCAN2IFACES=( `${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'` ); PROMISCSCAN2IFACES="${PROMISCSCAN2IFACES[@]}"
logtext "Output test 2: ${PROMISCSCAN2IFACES}"
fi
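Review bot: Assigning the array back to a scalar, `PROMISCSCAN2IFACES="${PROMISCSCAN2IFACES[@]}"`, works only because `"${arr[@]}"` in a scalar assignment is joined with spaces; it reads like a mistake, and the unquoted backtick substitution inside `( ... )` still globs each word. The intent, one line naming every promiscuous interface, is clearer as `PROMISCSCAN2IFACES=$(${IPBINARY} -s link | grep 'PROMISC' | tr -s ' ' | cut -d ' ' -f2 | tr -d ':' | tr '\n' ' ')`. The code that produces PROMISCSCAN and PROMISCSCAN2 is outside the hunk.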