/usr/lib/tiger/scripts/check_rootkit is in tiger 1:3.2.3-10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 | #!/bin/sh
#
# tiger - A UN*X security checking system
# Copyright (C) 2003 Advanced Research Corporation
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 1, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# Please see the file `COPYING' for the complete copyright notice.
#
# check_rootkit - 05/15/2002
#
# Script to find systems which have been rootkited (sp?). It looks for
# trojaned ls and find commands.
#
# It also includes a wrapper to run CHKROOTKIT and format
# the results in Tiger's message format.
#
# Note: This script does not use the configured LS and FIND but, instead
# uses those defined in the path
#
# DATE (MM/DD/YYYY) NAME DESCRIPTION_OF_CHANGES
# 11/30/2006 jfs Send stderr output of chkrootkit to /dev/null
# to avoid the 'warning, got bogus unix line'
# messages that netstat might output (See Debian
# Bug 223847)
# 08/31/2006 jfs Fix typo in script
# 08/30/2006 jfs Introduce Tiger_CHKROOTKIT_ARGS so that
# admins can ajust the behaviour of CHKROOTKIT
# Output the lines of infected errors
# 01/13/2004 jfs Avoid which error on stdout if it's not found
# 10/15/2003 jfs Make CHKROOTKIT check silent
# 09/19/2003 jfs Removed unused temporary file creation
# 08/14/2003 jfs Implemented usage of CHKROOTKIT if available
# 08/13/2003 jfs Integrated into the Tiger tool
# 05/15/2002 ARSC Initial version
#
#-----------------------------------------------------------------------------
# TODO
# - Chkrootkit messages could be parsed more thoroughly
#-----------------------------------------------------------------------------
#
# This is the directory Tiger is installed on
TigerInstallDir="/usr/lib/tiger"
#
# Set default base directory.
# Order or preference:
# -B option
# TIGERHOMEDIR environment variable
# TigerInstallDir installed location
#
basedir=${TIGERHOMEDIR:=$TigerInstallDir}
for parm
do
case $parm in
-B) basedir=$2; break;;
esac
done
#
# Verify that a config file exists there, and if it does
# source it.
#
[ ! -r $basedir/config ] && {
echo "--ERROR-- [init002e] No 'config' file in \`$basedir'."
exit 1
}
. $basedir/config
. $BASEDIR/initdefs
#
# If run in test mode (-t) this will verify that all required
# elements are set.
#
[ "$Tiger_TESTMODE" = 'Y' ] && {
haveallcmds RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
echo "--CONFIG-- [init003c] $0: Configuration ok..."
exit 0
}
#------------------------------------------------------------------------
echo
echo "# Performing check for rookits..."
haveallcmds RM || exit 1
haveallfiles BASEDIR WORKDIR || exit 1
FINDFLAG="OK"
LSFLAG="OK"
BADFIND=""
BADLS=""
STRINGS="dummy defs divine S11klog ... .._ ..BK war war1 war2 brscan sbh rstv"
STRINGS="$STRINGS lsniff shadow illusion cl mirkforce buca smurf psybnc"
STRINGS="$STRINGS lib.a hideme occult tcp.log bnc eggdrop"
set *=$STRINGS
shift
while [ -n "$1" ]; do
LSFLAG="OK"
FINDFLAG="OK"
TMP=`echo $1 |sed -e "s/BK/ /g"`
touch "$WORKDIR/$TMP"
if [ $? -eq 0 ]; then
LSTMP=`ls "$WORKDIR/$TMP" 2>/dev/null`
if [ -z "$LSTMP" ]; then
LSFLAG="BAD"
BADLS="$BADLS,$TMP"
fi
FINDTMP=`find $WORKDIR -name "$TMP" -print`
if [ -z "$FINDTMP" ]; then
FINDFLAG="BAD"
BADFIND="$BADFIND,$TMP"
fi
fi
if [ -n "$VERBOSE" ]; then
echo "$TMP $LSFLAG $FINDFLAG"
fi
shift
delete "$WORKDIR/$TMP"
done
if [ -n "$BADLS" ]; then
message FAIL rootkit001f "" "ls appears to be a trojan version"
message ALERT rootkit006a "" "A rootkit seems to be installed in the system"
fi
if [ -n "$BADFIND" ]; then
message FAIL rootkit002f "" "find appears to be a trojan version"
message ALERT rootkit006a "" "A rootkit seems to be installed in the system"
fi
# Chkrookit binary location|override + default check
if [ -z "${Tiger_CHKROOTKIT_LOC_OVERRIDE}" ]
then
CHKROOTKIT=`which chkrootkit 2>/dev/null`
else
CHKROOTKIT=${Tiger_CHKROOTKIT_LOC_OVERRIDE}
fi
# Chkrootkit arguments
if [ -z "${Tiger_CHKROOTKIT_ARGS}" ]
then
# Note: we use the quiet mode to avoid parsing all the lines of
# "Searching for..." things
Tiger_CHKROOTKIT_ARGS="-q"
fi
# Redirect to /dev/null to make it silent
# (maybe a warning should be issued)
haveallcmds CHKROOTKIT >/dev/null && {
echo "# Running chkrootkit ($CHKROOTKIT) to perform further checks..."
# TODO: This code does not show some of chkrootkit's messages (such as
# suspicious files)
#
# Send stderr output to /dev/null to avoid the
# 'warning, got bogus unix line' messages that netstat might output
# (See Debian Bug 223847)
$CHKROOTKIT $Tiger_CHKROOTKIT_ARGS 2>/dev/null|
while read line
do
case "$line" in
Suspect' 'directory*)
message WARN rootkit003w "" "Chkrootkit has detected a suspicious directory"
echo $line ;;
Possible*)
message WARN rootkit004w "" "Chkrootkit has detected a possible rootkit installation"
echo $line ;;
Warning:' 'Possible*)
message WARN rootkit004w "" "Chkrootkit has detected a possible rootkit installation"
echo $line ;;
Warning:' '*installed)
message ALERT rootkit005a "" "Chkrootkit has detected a rootkit installation"
message ALERT rootkit006a "" "A rootkit seems to be installed in the system"
echo $line ;;
INFECTED*)
message ALERT rootkit005a "" "Chkrootkit has found a file which seems to be infected because of a rootkit"
message ALERT rootkit009a "" "A rootkit seems to be installed in the system"
echo $line ;;
esac
done
}
exit 0
|