
(-) chkrootkit-0.43/chkrootkit (-133 / +141 lines)
 Lines 10-15    Link Here 
# (C)1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# (C)1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
# All rights reserved
# All rights reserved
# Gentoo specific : Could use `type <command> | cut -f 3 -d " "`
IFPROMISC="/usr/sbin/ifpromisc"
CHKLASTLOG="/usr/sbin/chklastlog"
CHKPROC="/usr/sbin/chkproc"
CHKWTMP="/usr/sbin/chkwtmp"
CHECK_WTMPX="/usr/sbin/check_wtmpx"
STRINGS="/usr/sbin/strings-static"
### workaround for some Bourne shell implementations
### workaround for some Bourne shell implementations
unalias login > /dev/null 2>&1
unalias login > /dev/null 2>&1
unalias ls > /dev/null 2>&1
unalias ls > /dev/null 2>&1
 Lines 116-122    Link Here 
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
 Lines 132-138    Link Here 
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
       then
       then
          echo "INFECTED"
          echo "INFECTED"
          STATUS=${INFECTED}
          STATUS=${INFECTED}
 Lines 151-170    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./ifpromisc" -v
        expertmode_output "${IFPROMISC}" -v
        return 5
        return 5
    fi
    fi
    if [ ! -x ./ifpromisc ]; then
    if [ ! -x ${IFPROMISC} ]; then
      echo "not tested: can't exec ./ifpromisc"
      echo "not tested: can't exec ${IFPROMISC}"
      return ${NOT_TESTED}
      return ${NOT_TESTED}
    else
    else
      [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
      [ "${QUIET}" != "t" ] && ${IFPROMISC} -v || ${IFPROMISC} -q
    fi
    fi
}
}
z2 () {
z2 () {
    if [ ! -x ./chklastlog ]; then
    if [ ! -x ${CHKLASTLOG} ]; then
      echo "not tested: can't exec ./chklastlog"
      echo "not tested: can't exec ${CHKLASTLOG}"
      return ${NOT_TESTED}
      return ${NOT_TESTED}
    fi
    fi
 Lines 178-209    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
        expertmode_output "${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG}"
        return 5
        return 5
    fi
    fi
    if ./chklastlog -f ${WTMP} -l ${LASTLOG}
    if ${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG}
    then
    then
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
    fi
    fi
}
}
wted () {
wted () {
    if [ ! -x ./chkwtmp ]; then
    if [ ! -x ${CHKWTMP} ]; then
      echo "not tested: can't exec ./chkwtmp"
      echo "not tested: can't exec ${CHKWTMP}"
      return ${NOT_TESTED}
      return ${NOT_TESTED}
    fi
    fi
   if [ "$SYSTEM" = "SunOS" ]; then
   if [ "$SYSTEM" = "SunOS" ]; then
       if [ ! -x ./check_wtmpx ]; then
       if [ ! -x ${CHECK_WTMPX} ]; then
          echo "not tested: can't exec ./check_wtmpx"
          echo "not tested: can't exec ${CHECK_WTMPX}"
       else
       else
          if [ "${EXPERT}" = "t" ]; then
          if [ "${EXPERT}" = "t" ]; then
             expertmode_output "./check_wtmpx"
             expertmode_output "${CHECK_WTMPX}"
              return 5
              return 5
          fi
          fi
	  if [ -f ${ROOTDIR}var/adm/wtmp ]; then 
	  if [ -f ${ROOTDIR}var/adm/wtmp ]; then 
             if ./check_wtmpx
             if ${CHECK_WTMPX}
                then
                then
                if [ "${QUIET}" != "t" ]; then \
                if [ "${QUIET}" != "t" ]; then \
                   echo "nothing deleted in /var/adm/wtmpx"; fi
                   echo "nothing deleted in /var/adm/wtmpx"; fi
 Lines 214-225    Link Here 
       WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
       WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
       if [ "${EXPERT}" = "t" ]; then
       if [ "${EXPERT}" = "t" ]; then
          expertmode_output "./chkwtmp -f ${WTMP}"
          expertmode_output "${CHKWTMP} -f ${WTMP}"
          return 5
          return 5
       fi
       fi
    fi
    fi
    if ./chkwtmp -f ${WTMP}
    if ${CHKWTMP} -f ${WTMP}
    then
    then
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
    fi
    fi
 Lines 258-264    Link Here 
    prog=""
    prog=""
    if [  \( "${SYSTEM}" = "Linux"  -o \( "${SYSTEM}" = "FreeBSD" -a \
    if [  \( "${SYSTEM}" = "Linux"  -o \( "${SYSTEM}" = "FreeBSD" -a \
       ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then
       ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then
      [ ! -x ./chkproc ] && prog="./chkproc"
      [ ! -x ${CHKPROC} ] && prog="${CHKPROC}"
      [ ! -x ./chkdirs ] && prog="$prog ./chkdirs"
      [ ! -x ./chkdirs ] && prog="$prog ./chkdirs"
      if [ "$prog" != "" ]; then
      if [ "$prog" != "" ]; then
#        echo "not tested: can't exec $prog"
#        echo "not tested: can't exec $prog"
 Lines 268-274    Link Here 
      if [ "${EXPERT}" = "t" ]; then
      if [ "${EXPERT}" = "t" ]; then
         [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
         [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
         [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
         [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
          expertmode_output "./chkproc -v -v"
          expertmode_output "${CHKPROC} -v -v"
          return 5
          return 5
      fi
      fi
 Lines 289-295    Link Here 
         echo "Warning: Knark LKM installed"
         echo "Warning: Knark LKM installed"
      fi
      fi
      if ./chkproc
      if ${CHKPROC}
      then
      then
           if [ "${QUIET}" != "t" ]; then echo "nothing detected"; fi
           if [ "${QUIET}" != "t" ]; then echo "nothing detected"; fi
      else
      else
 Lines 465-471    Link Here 
      ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
      ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
      ## Suckit rootkit
      ## Suckit rootkit
      expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
      expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME"
      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
      ## Volc rootkit
      ## Volc rootkit
 Lines 890-896    Link Here 
   ### Suckit
   ### Suckit
   if [ -f ${ROOTDIR}sbin/init ]; then
   if [ -f ${ROOTDIR}sbin/init ]; then
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit ... "; fi
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit ... "; fi
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
      if [ ${SYSTEM} != "HP-UX" ] && ( ${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
        then
        then
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
 Lines 1068-1087    Link Here 
    STATUS=${NOT_INFECTED}
    STATUS=${NOT_INFECTED}
    CMD=`loc chfn chfn $pth`
    CMD=`loc chfn chfn $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    case "${SYSTEM}" in
    case "${SYSTEM}" in
       Linux)
       Linux)
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
          if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
             >/dev/null 2>&1
             >/dev/null 2>&1
          then
          then
             STATUS=${INFECTED}
             STATUS=${INFECTED}
          fi;;
          fi;;
       FreeBSD)
       FreeBSD)
          [ $V -gt 50 ] && n=1 || n=2
          [ $V -gt 50 ] && n=1 || n=2
          if [ `${strings} -a ${CMD} | \
          if [ `${STRINGS} -a ${CMD} | \
                ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
                ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
          then
          then
             STATUS=${INFECTED}
             STATUS=${INFECTED}
 Lines 1096-1111    Link Here 
    REDHAT_PAM_LABEL="*NOT*"
    REDHAT_PAM_LABEL="*NOT*"
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    case "${SYSTEM}" in
    case "${SYSTEM}" in
       Linux)
       Linux)
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
          if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
          >/dev/null 2>&1
          >/dev/null 2>&1
             then
             then
             if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
             if ${STRINGS} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
             >/dev/null 2>&1
             >/dev/null 2>&1
                then
                then
                :
                :
 Lines 1115-1121    Link Here 
          fi;;
          fi;;
       FreeBSD)
       FreeBSD)
          [ $V -gt 50 ] && n=1 || n=2
          [ $V -gt 50 ] && n=1 || n=2
          if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
          if [ `${STRINGS} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
             then
             then
             STATUS=${INFECTED}
             STATUS=${INFECTED}
          fi;;
          fi;;
 Lines 1128-1140    Link Here 
    CMD=`loc login login $pth`
    CMD=`loc login login $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if [ "$SYSTEM" = "SunOS" ]; then
    if [ "$SYSTEM" = "SunOS" ]; then
      TROJED_L_L="porcao|/bin/xstat"
      TROJED_L_L="porcao|/bin/xstat"
      if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then
      if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then
          return ${INFECTED}
          return ${INFECTED}
       else
       else
          return ${NOT_TESTED}
          return ${NOT_TESTED}
 Lines 1142-1148    Link Here 
    fi
    fi
    GENERAL="^root$"
    GENERAL="^root$"
    TROJED_L_L="vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT"
    TROJED_L_L="vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT"
    ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
    ret=`${STRINGS} -a ${CMD} | ${egrep} -c "${GENERAL}"`
    if [ ${ret} -gt 0 ]; then
    if [ ${ret} -gt 0 ]; then
        case ${ret} in
        case ${ret} in
        1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
        1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
 Lines 1153-1159    Link Here 
        *) STATUS=${INFECTED};;
        *) STATUS=${INFECTED};;
        esac
        esac
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null
    if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null
       then
       then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1169-1182    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
       expertmode_output "${strings} -a ${CMD}"
       expertmode_output "${STRINGS} -a ${CMD}"
    fi
    fi
    if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ]
    if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ]
    then
    then
       return ${NOT_TESTED}
       return ${NOT_TESTED}
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
    >/dev/null 2>&1
    >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1194-1204    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
    >/dev/null 2>&1
    >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1217-1227    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1238-1248    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
       >/dev/null 2>&1
       >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1260-1270    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
       >/dev/null 2>&1
       >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1282-1292    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
       >/dev/null 2>&1
       >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1304-1314    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
       >/dev/null 2>&1
       >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1322-1332    Link Here 
    CMD=`loc ls ls $pth`
    CMD=`loc ls ls $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1339-1349    Link Here 
    CMD=`loc du du $pth`
    CMD=`loc du du $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1363-1373    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
    >/dev/null 2>&1
    >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1381-1391    Link Here 
    CMD=`loc netstat netstat $pth`
    CMD=`loc netstat netstat $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
    >/dev/null 2>&1
    >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 1400-1410    Link Here 
   CMD=`loc ps ps $pth`
   CMD=`loc ps ps $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1422-1432    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1444-1454    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1466-1476    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1488-1498    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1531-1541    Link Here 
   CMD=`loc basename basename $pth`
   CMD=`loc basename basename $pth`
   if [ "${EXPERT}" = "t" ]; then
   if [ "${EXPERT}" = "t" ]; then
       expertmode_output "${strings} -a ${CMD}"
       expertmode_output "${STRINGS} -a ${CMD}"
       expertmode_output "${ls} -l ${CMD}"
       expertmode_output "${ls} -l ${CMD}"
       return 5
       return 5
   fi
   fi
   if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
   if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
   then
   then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
   fi
   fi
 Lines 1555-1565    Link Here 
    CMD=`loc dirname dirname $pth`
    CMD=`loc dirname dirname $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1580-1590    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1596-1607    Link Here 
    CMD=`loc rpcinfo rpcinfo $pth`
    CMD=`loc rpcinfo rpcinfo $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1618-1636    Link Here 
    CMD=`loc date date $pth`
    CMD=`loc date date $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    [ "${SYSTEM}" = "FreeBSD" -a $V -gt 50 ] &&
    [ "${SYSTEM}" = "FreeBSD" -a $V -gt 50 ] &&
    {
    {
       if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
       if [ `${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
          ${egrep} -c "$S_L"` -ne 2 ]; then
          ${egrep} -c "$S_L"` -ne 2 ]; then
          STATUS=${INFECTED}
          STATUS=${INFECTED}
       fi
       fi
    } ||
    } ||
    {
    {
       if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1
       if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1
          then
          then
          STATUS=${INFECTED}
          STATUS=${INFECTED}
       fi
       fi
 Lines 1647-1658    Link Here 
    CMD=`loc echo echo $pth`
    CMD=`loc echo echo $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1668-1679    Link Here 
    CMD=`loc env env $pth`
    CMD=`loc env env $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1695-1705    Link Here 
       fi
       fi
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1713-1723    Link Here 
       return ${NOT_FOUND}
       return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1732-1742    Link Here 
       return ${NOT_FOUND}
       return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1750-1760    Link Here 
       return ${NOT_FOUND}
       return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1768-1778    Link Here 
        return ${NOT_FOUND}
        return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1784-1795    Link Here 
    CMD=`loc write write $pth`
    CMD=`loc write write $pth`
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1806-1816    Link Here 
    W_INFECTED_LABEL="uname -a"
    W_INFECTED_LABEL="uname -a"
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1826-1836    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1862-1868    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    STATUS=${INFECTED}
    STATUS=${INFECTED}
 Lines 1879-1890    Link Here 
    MAIL_INFECTED_LABEL="sh -i"
    MAIL_INFECTED_LABEL="sh -i"
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1904-1915    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1926-1936    Link Here 
    CMD=`loc egrep egrep $pth`
    CMD=`loc egrep egrep $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1943-1954    Link Here 
    CMD=`loc grep grep $pth`
    CMD=`loc grep grep $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 1970-1980    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 1992-2001    Link Here 
       fi
       fi
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 2010-2019    Link Here 
         return ${NOT_FOUND}
         return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 2028-2037    Link Here 
         return ${NOT_FOUND}
         return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 2046-2055    Link Here 
         return ${NOT_FOUND}
         return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 2068-2077    Link Here 
        return ${NOT_FOUND}
        return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
    fi
    fi
 Lines 2083-2100    Link Here 
    CMD="${ROOTDIR}sbin/ifconfig"
    CMD="${ROOTDIR}sbin/ifconfig"
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
    >/dev/null 2>&1
    >/dev/null 2>&1
    then
    then
       STATUS=${NOT_INFECTED}
       STATUS=${NOT_INFECTED}
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
    >/dev/null 2>&1
    >/dev/null 2>&1
    then
    then
       STATUS=${INFECTED}
       STATUS=${INFECTED}
 Lines 2114-2125    Link Here 
       return ${NOT_FOUND}
       return ${NOT_FOUND}
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    RSHD_INFECTED_LABEL="HISTFILE"
    RSHD_INFECTED_LABEL="HISTFILE"
    if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
 Lines 2155-2165    Link Here 
    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};
    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 2176-2186    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
       > /dev/null 2>&1
       > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
 Lines 2197-2207    Link Here 
    CMD=`loc su su $pth`
    CMD=`loc su su $pth`
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
    if ${STRINGS} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
    fi
    fi
 Lines 2221-2231    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
> /dev/null 2>&1
> /dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}
 Lines 2273-2283    Link Here 
    fi
    fi
    if [ "${EXPERT}" = "t" ]; then
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${STRINGS} -a ${CMD}"
        return 5
        return 5
    fi
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
    if ${STRINGS} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
       >/dev/null 2>&1
       >/dev/null 2>&1
    then
    then
        STATUS=${INFECTED}
        STATUS=${INFECTED}