/usr/lib/tiger/scripts/check_rootkit is in tiger 1:3.2.3-10.

This file is owned by root:root, with mode 0o755.

#!/bin/sh
#
#     tiger - A UN*X security checking system
#     Copyright (C) 2003 Advanced Research Corporation
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 1, or (at your option)
#    any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#     Please see the file `COPYING' for the complete copyright notice.
#
# check_rootkit -  05/15/2002
# 
# Script to find systems which have been rootkited (sp?). It looks for
# trojaned ls and find commands.
#
# It also includes a wrapper to run CHKROOTKIT and format 
# the results in Tiger's message format.
#
# Note: This script does not use the configured LS and FIND but, instead
# uses those defined in the path
#
# DATE (MM/DD/YYYY) 	NAME 	DESCRIPTION_OF_CHANGES
# 11/30/2006            jfs     Send stderr output of chkrootkit to /dev/null 
#                               to avoid the 'warning, got bogus unix line'
#                               messages that netstat might output (See Debian
#                               Bug 223847)
# 08/31/2006            jfs     Fix typo in script
# 08/30/2006            jfs     Introduce Tiger_CHKROOTKIT_ARGS so that 
#                               admins can adjust the behaviour of CHKROOTKIT
#                               Output the lines of infected errors
# 01/13/2004            jfs     Avoid which error on stdout if it's not found
# 10/15/2003            jfs     Make CHKROOTKIT check silent
# 09/19/2003            jfs     Removed unused temporary file creation
# 08/14/2003            jfs     Implemented usage of CHKROOTKIT if available
# 08/13/2003            jfs     Integrated into the Tiger tool
# 05/15/2002            ARSC	Initial version
#
#-----------------------------------------------------------------------------
# TODO
# - Chkrootkit messages could be parsed more thoroughly
#-----------------------------------------------------------------------------
#
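# This is the directory Tiger is installed on
TigerInstallDir="/usr/lib/tiger"

#
# Set default base directory.
# Order of preference:
#      -B option
#      TIGERHOMEDIR environment variable
#      TigerInstallDir installed location
#
# Note: ':=' also assigns TIGERHOMEDIR itself when it is unset or empty.
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}

# Pick up the argument that follows -B wherever it appears on the command
# line (not only as the second argument), without consuming "$@".
prev=""
for parm
do
   case $prev in
   -B) basedir=$parm; break;;
   esac
   prev=$parm
done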

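#
# Verify that a config file exists there, and if it does
# source it.  The config file is executed by this shell, so it must
# not be writable by anyone but the administrator.
#
[ ! -r "$basedir/config" ] && {
  echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
  exit 1
}

. "$basedir/config"

# BASEDIR is presumably set by the config just read; initdefs is expected
# to provide the helpers used below (haveallcmds, haveallfiles, message,
# delete) -- none of them is defined in this script.
. "$BASEDIR/initdefs"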
#
# If run in test mode (-t) this will verify that all required
# elements are set, report success and stop; no checks are performed.
#
if [ "$Tiger_TESTMODE" = 'Y' ]
then
  haveallcmds RM || exit 1
  haveallfiles BASEDIR WORKDIR || exit 1

  echo "--CONFIG-- [init003c] $0: Configuration ok..."
  exit 0
fi

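#------------------------------------------------------------------------
echo
echo "# Performing check for rootkits..."

# Same preconditions as the test-mode check above; stop early if any of
# the required commands or directories is missing.
haveallcmds RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1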

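# Probe names modelled on file names used by known rootkits.  Each one is
# created in WORKDIR and then looked up with the ls and find found in the
# PATH (deliberately not the configured LS/FIND): a trojaned ls or find
# that hides these names will report nothing for a file that does exist.
# The first word, "dummy", is a placeholder dropped below; "BK" inside a
# name stands for a blank (space) character.
FINDFLAG="OK"
LSFLAG="OK"
BADFIND=""
BADLS=""
STRINGS="dummy defs divine S11klog ... .._ ..BK war war1 war2 brscan sbh rstv"
STRINGS="$STRINGS lsniff shadow illusion cl mirkforce buca smurf psybnc"
STRINGS="$STRINGS lib.a hideme occult tcp.log bnc eggdrop"
# '--' stops the first probe name from being taken as an option to set,
# without relying on a glob-prone prefix; STRINGS is left unquoted on
# purpose so it is split into one positional parameter per probe name.
# shellcheck disable=SC2086
set -- $STRINGS
shift   # drop the "dummy" placeholder

while [ -n "$1" ]; do
  LSFLAG="OK"
  FINDFLAG="OK"
  # Expand the "BK" marker into a blank so names containing spaces are probed.
  TMP=$(printf '%s\n' "$1" | sed -e "s/BK/ /g")
  if touch "$WORKDIR/$TMP"; then
    # A trojaned ls that hides this name prints nothing for the file.
    LSTMP=$(ls "$WORKDIR/$TMP" 2>/dev/null)
    if [ -z "$LSTMP" ]; then
      LSFLAG="BAD"
      BADLS="$BADLS,$TMP"
    fi
    # Likewise for find: no output means the probe file is being hidden.
    FINDTMP=$(find "$WORKDIR" -name "$TMP" -print)
    if [ -z "$FINDTMP" ]; then
      FINDFLAG="BAD"
      BADFIND="$BADFIND,$TMP"
    fi
  fi
  if [ -n "$VERBOSE" ]; then
    echo "$TMP $LSFLAG $FINDFLAG"
  fi
  shift
  # delete is presumably a Tiger helper from initdefs; the probe file is
  # removed whether or not it was reported by ls/find.
  delete "$WORKDIR/$TMP"
done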

# Report once per trojaned binary.  The hidden names are accumulated in
# BADLS/BADFIND (comma-separated, with a leading comma) but are only shown
# individually when VERBOSE is set, by the probe loop above.
[ -n "$BADLS" ] && {
  message FAIL rootkit001f "" "ls appears to be a trojan version"
  message ALERT rootkit006a "" "A rootkit seems to be installed in the system"
}
[ -n "$BADFIND" ] && {
  message FAIL rootkit002f "" "find appears to be a trojan version"
  message ALERT rootkit006a "" "A rootkit seems to be installed in the system"
}

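# Chkrootkit binary location: an explicit override from the configuration
# wins; otherwise whatever chkrootkit is first in the PATH is used.  A PATH
# lookup trusts the current PATH, so on a system under investigation an
# override pointing at a known absolute path is the safer choice.
if [ -z "${Tiger_CHKROOTKIT_LOC_OVERRIDE}" ]
then
  # 'command -v' is POSIX and prints nothing on stdout when the command
  # is missing; some which(1) implementations print a "no ... in" message
  # on stdout, which would leave CHKROOTKIT set to garbage.
  CHKROOTKIT=$(command -v chkrootkit 2>/dev/null)
else
  CHKROOTKIT=${Tiger_CHKROOTKIT_LOC_OVERRIDE}
fi
# Chkrootkit arguments
if [ -z "${Tiger_CHKROOTKIT_ARGS}" ]
then
  # Note: we use the quiet mode to avoid parsing all the lines of
  # "Searching for..." things
  Tiger_CHKROOTKIT_ARGS="-q"
fi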

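# haveallcmds' output is redirected to /dev/null so a missing chkrootkit is
# skipped silently rather than reported
# (maybe a warning should be issued)
haveallcmds CHKROOTKIT >/dev/null && {
  echo "# Running chkrootkit ($CHKROOTKIT) to perform further checks..."
  # TODO: This code does not show some of chkrootkit's messages (such as
  # suspicious files)
  #
  # Send stderr output to /dev/null to avoid the
  # 'warning, got bogus unix line' messages that netstat might output
  # (See Debian Bug 223847)
  #
  # Tiger_CHKROOTKIT_ARGS stays unquoted on purpose: a configured string of
  # several options must be split into separate arguments.
  # shellcheck disable=SC2086
  "$CHKROOTKIT" $Tiger_CHKROOTKIT_ARGS 2>/dev/null |
  while read -r line
  do
    # Only the beginning of each output line is classified; lines matching
    # none of the patterns are dropped (see the TODO above).  Matched lines
    # are printed with printf so the shell never glob-expands or re-splits
    # chkrootkit's output.
    case "$line" in
    Suspect' 'directory*)
      message WARN rootkit003w "" "Chkrootkit has detected a suspicious directory"
      printf '%s\n' "$line" ;;
    Possible*)
      message WARN rootkit004w "" "Chkrootkit has detected a possible rootkit installation"
      printf '%s\n' "$line" ;;
    Warning:' 'Possible*)
      message WARN rootkit004w "" "Chkrootkit has detected a possible rootkit installation"
      printf '%s\n' "$line" ;;
    Warning:' '*installed)
      message ALERT rootkit005a "" "Chkrootkit has detected a rootkit installation"
      message ALERT rootkit006a "" "A rootkit seems to be installed in the system"
      printf '%s\n' "$line" ;;
    INFECTED*)
      message ALERT rootkit005a "" "Chkrootkit has found a file which seems to be infected because of a rootkit"
      message ALERT rootkit009a "" "A rootkit seems to be installed in the system"
      printf '%s\n' "$line" ;;
    esac
  done
}
# Findings are reported through message; the exit status is always 0.
exit 0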