--- chkrootkit-0.41/chkrootkit 2003-06-21 04:09:09.000000000 +0200
+++ chkrootkit 2003-07-16 19:00:58.466540216 +0200
@@ -10,6 +10,14 @@
 # (C)1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
 # All rights reserved
 
+# Gentoo specific : Could use `type | cut -f 3 -d " "`
+IFPROMISC="/usr/sbin/ifpromisc"
+CHKLASTLOG="/usr/sbin/chklastlog"
+CHKPROC="/usr/sbin/chkproc"
+CHKWTMP="/usr/sbin/chkwtmp"
+CHECK_WTMPX="/usr/sbin/check_wtmpx"
+STRINGS="/usr/sbin/strings-static"
+
 ### workaround for some Bourne shell implementations
 unalias login > /dev/null 2>&1
 unalias ls > /dev/null 2>&1
@@ -116,7 +124,7 @@
 
 if [ "${EXPERT}" = "t" ]; then
 expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
- expertmode_output "${strings} -a ${CMD}"
+ expertmode_output "${STRINGS} -a ${CMD}"
 return 5
 fi
 
@@ -132,7 +140,7 @@
 STATUS=${INFECTED}
 fi
- if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
+ if ${STRINGS} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
 then
 echo "INFECTED"
 STATUS=${INFECTED}
@@ -150,22 +158,22 @@
 return ${NOT_TESTED}
 fi
- if [ ! -x ./ifpromisc ]; then
- echo "not tested: can't exec ./ifpromisc"
+ if [ ! -x ${IFPROMISC} ]; then
+ echo "not tested: can't exec ${IFPROMISC}"
 return ${NOT_TESTED}
 fi
 if [ "${EXPERT}" = "t" ]; then
- expertmode_output "./ifpromisc"
+ expertmode_output "${IFPROMISC}"
 return 5
 fi
 echo
- [ "${QUIET}" != "t" ] && ./ifpromisc || ./ifpromisc -q
+ [ "${QUIET}" != "t" ] && ${IFPROMISC} || ${IFPROMISC} -q
 }
 z2 () {
- if [ ! -x ./chklastlog ]; then
- echo "not tested: can't exec ./chklastlog"
+ if [ ! -x ${CHKLASTLOG} ]; then
+ echo "not tested: can't exec ${CHKLASTLOG}"
 return ${NOT_TESTED}
 fi
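Review bot: Every `${STRINGS} -a ${CMD} | ${egrep} …` check in the file now depends on /usr/sbin/strings-static, but only the `strings` test (hunk @@ -1443) verifies that the file is executable before running it; at every other call site a missing or non-executable strings-static makes the pipeline fail with stderr sent to /dev/null, the `STATUS=${INFECTED}` branch is never reached, and the binary is reported as clean (assuming STATUS starts at NOT_INFECTED, as the visible checks suggest). Since the assignments in this hunk are unconditional, a guard directly after them makes the scan fail closed instead: `[ -x "${STRINGS}" ] || { echo "can't exec ${STRINGS}" >&2; exit 1; }`. The comment's `type | cut -f 3 -d " "` idea is fragile because the output format of `type` is not standardized; `command -v strings-static` is the portable lookup if the hard-coded paths are ever replaced.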
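Review bot: In the sniffer hunk, `[ "${QUIET}" != "t" ] && ${IFPROMISC} || ${IFPROMISC} -q` is an `&&`/`||` chain used as if/else, so whenever ifpromisc exits non-zero in verbose mode it is immediately run a second time with `-q`, and the second run's status becomes the function's result; the shape is inherited from the original line, but it is worth fixing while the line is being rewritten. An explicit conditional avoids the double run: `if [ "${QUIET}" != "t" ]; then ${IFPROMISC}; else ${IFPROMISC} -q; fi`. The enclosing function's header is outside the hunk.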
@@ -173,31 +181,31 @@ LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"` if [ "${EXPERT}" = "t" ]; then - expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}" + expertmode_output "${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG}" return 5 fi - if ./chklastlog -f ${WTMP} -l ${LASTLOG} + if ${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG} then if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi fi } wted () { - if [ ! -x ./chkwtmp ]; then - echo "not tested: can't exec ./chkwtmp" + if [ ! -x ${CHKWTMP} ]; then + echo "not tested: can't exec ${CHKWTMP}" return ${NOT_TESTED} fi if [ "$SYSTEM" = "SunOS" ]; then - if [ ! -x ./check_wtmpx ]; then - echo "not tested: can't exec ./check_wtmpx" + if [ ! -x ${CHECK_WTMPX} ]; then + echo "not tested: can't exec ${CHECK_WTMPX}" else if [ "${EXPERT}" = "t" ]; then - expertmode_output "./check_wtmpx" + expertmode_output "${CHECK_WTMPX}" return 5 fi - if ./check_wtmpx + if ${CHECK_WTMPX} then if [ "${QUIET}" != "t" ]; then \ echo "nothing deleted in /var/adm/wtmpx"; fi @@ -207,12 +215,12 @@ WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"` if [ "${EXPERT}" = "t" ]; then - expertmode_output "./chkwtmp -f ${WTMP}" + expertmode_output "${CHKWTMP} -f ${WTMP}" return 5 fi fi - if ./chkwtmp -f ${WTMP} + if ${CHKWTMP} -f ${WTMP} then if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi fi @@ -251,7 +259,7 @@ prog="" if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \ ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then - [ ! -x ./chkproc ] && prog="./chkproc" + [ ! -x ${CHKPROC} ] && prog="${CHKPROC}" [ ! -x ./chkdirs ] && prog="$prog ./chkdirs" if [ "$prog" != "" ]; then # echo "not tested: can't exec $prog" @@ -261,7 +269,7 @@ if [ "${EXPERT}" = "t" ]; then [ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null - expertmode_output "./chkproc -v -v" + expertmode_output "${CHKPROC} -v -v" return 5 fi 
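Review bot: The chkproc hunk (@@ -251) switches the chkproc lookup to `${CHKPROC}`, but the next line still tests `./chkdirs` relative to the current working directory, so once the script is installed and run from anywhere but the helper directory `prog` becomes non-empty and the LKM test is presumably skipped — silently, because the `echo "not tested: can't exec $prog"` on the following line is commented out. If Gentoo installs chkdirs next to the other helpers, add `CHKDIRS="/usr/sbin/chkdirs"` to the variable block in the first hunk and use `[ ! -x ${CHKDIRS} ] && prog="$prog ${CHKDIRS}"` here; if it does not, the skip should at least be reported so a clean run cannot be mistaken for a passed check. The enclosing function starts and ends outside the hunk.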
@@ -282,7 +290,7 @@ echo "Warning: Knark LKM installed" fi - if ./chkproc + if ${CHKPROC} then if [ "${QUIET}" != "t" ]; then echo "nothing detected"; fi else @@ -454,7 +462,7 @@ ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ## Suckit rootkit - expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME" + expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME" ## Volc rootkit expertmode_output "${ls} ${ROOTDIR}usr/bin/volc" @@ -863,7 +871,7 @@ ### Suckit if [ -f /sbin/init ]; then if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit ... "; fi - if ${strings} /sbin/init | ${egrep} HOME >/dev/null 2>&1 ; then + if ${STRINGS} /sbin/init | ${egrep} HOME >/dev/null 2>&1 ; then echo "Warning: /sbin/init INFECTED" else if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi @@ -1008,19 +1016,19 @@ CMD=`loc chfn chfn $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi case "${SYSTEM}" in Linux) - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} fi;; FreeBSD) - if [ `${strings} -a ${CMD} | \ + if [ `${STRINGS} -a ${CMD} | \ ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ] then STATUS=${INFECTED} @@ -1035,16 +1043,16 @@ REDHAT_PAM_LABEL="*NOT*" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi case "${SYSTEM}" in Linux) - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ >/dev/null 2>&1 then - if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \ >/dev/null 2>&1 then : 
@@ -1053,7 +1061,7 @@ fi fi;; FreeBSD) - if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ] + if [ `${STRINGS} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ] then STATUS=${INFECTED} fi;; @@ -1066,13 +1074,13 @@ CMD=`loc login login $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi if [ "$SYSTEM" = "SunOS" ]; then TROJED_L_L="porcao|/bin/xstat" - if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then + if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then return ${INFECTED} else return ${NOT_TESTED} @@ -1080,7 +1088,7 @@ fi GENERAL="^root$" TROJED_L_L="vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT" - ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"` + ret=`${STRINGS} -a ${CMD} | ${egrep} -c "${GENERAL}"` if [ ${ret} -gt 0 ]; then case ${ret} in 1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \ @@ -1091,7 +1099,7 @@ *) STATUS=${INFECTED};; esac fi - if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null + if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null then STATUS=${INFECTED} fi @@ -1107,14 +1115,14 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" fi if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ] then return ${NOT_TESTED} fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1132,11 +1140,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} 
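Review bot: The new SunOS line `if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then` in the @@ -1066 hunk carries over a stray `]` after the redirections; it is passed to egrep as a file operand, so egrep ignores the piped stdin, fails on the nonexistent file (the error is hidden by `2>&1`), and the `return ${INFECTED}` branch can never be taken — on SunOS the login check always ends in `return ${NOT_TESTED}`. Drop the bracket: `if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1; then`. The enclosing function starts outside the hunk.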
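Review bot: In the `${TROJED_L_L}` check of the @@ -1091 hunk, `2>&1 >/dev/null` is the reverse of the `>/dev/null 2>&1` used by every sibling check: stderr is duplicated onto the original stdout before stdout is redirected, so strings/egrep diagnostics leak into the report while matches are still discarded. Use the file's usual order: `if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1`.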
@@ -1155,11 +1163,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1176,11 +1184,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1198,11 +1206,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1220,11 +1228,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1242,11 +1250,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1260,11 +1268,11 @@ CMD=`loc ls ls $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi 
@@ -1277,11 +1285,11 @@ CMD=`loc du du $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1301,11 +1309,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${NAMED_I_L}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1319,11 +1327,11 @@ CMD=`loc netstat netstat $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -1338,11 +1346,11 @@ CMD=`loc ps ps $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1360,11 +1368,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi 
@@ -1382,11 +1390,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1404,11 +1412,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1426,11 +1434,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1443,18 +1451,18 @@ if [ "${SYSTEM}" = "Linux" ] then - if [ ! -x ./strings ]; then - printn "can't exec ./strings-static, " + if [ ! -x ${STRINGS} ]; then + printn "can't exec ${STRINGS}, " return ${NOT_TESTED} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "./strings -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi ### strings must be a statically linked binary. - if ./strings-static -a ${CMD} > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1469,11 +1477,11 @@ CMD=`loc basename basename $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi 
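Review bot: After the @@ -1443 hunk the `strings` test sets `STATUS=${INFECTED}` whenever `${STRINGS} -a ${CMD} > /dev/null 2>&1` exits 0, and on the visible lines nothing pipes that output through `${egrep}` with a label; unless the missing filter lives outside the hunk, this reads as a guaranteed positive on every Linux host where strings-static works, so the condition should be checked against the upstream 0.41 function before the package ships. The guard and the call at least agree on `${STRINGS}` now, which removes the old mismatch between `./strings` and `./strings-static`. The function starts and ends outside the hunk.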
@@ -1493,11 +1501,11 @@ CMD=`loc dirname dirname $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1518,11 +1526,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1534,12 +1542,12 @@ CMD=`loc rpcinfo rpcinfo $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1555,12 +1563,12 @@ CMD=`loc date date $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1576,12 +1584,12 @@ CMD=`loc echo echo $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi 
@@ -1597,12 +1605,12 @@ CMD=`loc env env $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1624,11 +1632,11 @@ fi fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1642,11 +1650,11 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1661,11 +1669,11 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1679,11 +1687,11 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi 
@@ -1697,11 +1705,11 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1713,12 +1721,12 @@ CMD=`loc write write $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1735,11 +1743,11 @@ W_INFECTED_LABEL="uname -a" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1755,11 +1763,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1791,7 +1799,7 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi STATUS=${INFECTED} 
@@ -1808,12 +1816,12 @@ MAIL_INFECTED_LABEL="sh -i" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1833,12 +1841,12 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1855,11 +1863,11 @@ CMD=`loc egrep egrep $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1872,12 +1880,12 @@ CMD=`loc grep grep $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" expertmode_output "${ls} -l ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1899,11 +1907,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi 
@@ -1921,10 +1929,10 @@ fi fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1939,10 +1947,10 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1957,10 +1965,10 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1975,10 +1983,10 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi @@ -1997,10 +2005,10 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1 then STATUS=${INFECTED} fi 
@@ -2012,18 +2020,18 @@ CMD="${ROOTDIR}sbin/ifconfig" if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi IFCONFIG_NOT_INFECTED_LABEL="PROMISC" IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null" - if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${NOT_INFECTED} fi - if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED} @@ -2043,12 +2051,12 @@ return ${NOT_FOUND} fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi RSHD_INFECTED_LABEL="HISTFILE" - if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \ @@ -2084,11 +2092,11 @@ CMD=${ROOTDIR}${CMD} if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2105,11 +2113,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \ > /dev/null 2>&1 then STATUS=${INFECTED} 
@@ -2126,11 +2134,11 @@ CMD=`loc su su $pth` if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 + if ${STRINGS} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 then STATUS=${INFECTED} fi @@ -2150,11 +2158,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \ > /dev/null 2>&1 then STATUS=${INFECTED} @@ -2202,11 +2210,11 @@ fi if [ "${EXPERT}" = "t" ]; then - expertmode_output "${strings} -a ${CMD}" + expertmode_output "${STRINGS} -a ${CMD}" return 5 fi - if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \ + if ${STRINGS} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \ >/dev/null 2>&1 then STATUS=${INFECTED}