Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
View | Details | Raw Unified | Return to bug 41040
Collapse All | Expand All

(-)chkrootkit-0.43/chkrootkit (-133 / +141 lines)
Lines 10-15 Link Here
10
# (C)1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
10
# (C)1997-2003 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
11
# All rights reserved
11
# All rights reserved
12
12
13
# Gentoo specific : Could use `type <command> | cut -f 3 -d " "`
14
IFPROMISC="/usr/sbin/ifpromisc"
15
CHKLASTLOG="/usr/sbin/chklastlog"
16
CHKPROC="/usr/sbin/chkproc"
17
CHKWTMP="/usr/sbin/chkwtmp"
18
CHECK_WTMPX="/usr/sbin/check_wtmpx"
19
STRINGS="/usr/sbin/strings-static"
20
13
### workaround for some Bourne shell implementations
21
### workaround for some Bourne shell implementations
14
unalias login > /dev/null 2>&1
22
unalias login > /dev/null 2>&1
15
unalias ls > /dev/null 2>&1
23
unalias ls > /dev/null 2>&1
Lines 116-122 Link Here
116
124
117
    if [ "${EXPERT}" = "t" ]; then
125
    if [ "${EXPERT}" = "t" ]; then
118
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
126
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
119
        expertmode_output "${strings} -a ${CMD}"
127
        expertmode_output "${STRINGS} -a ${CMD}"
120
        return 5
128
        return 5
121
    fi
129
    fi
122
130
Lines 132-138 Link Here
132
        STATUS=${INFECTED}
140
        STATUS=${INFECTED}
133
    fi
141
    fi
134
142
135
    if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
143
    if ${STRINGS} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
136
       then
144
       then
137
          echo "INFECTED"
145
          echo "INFECTED"
138
          STATUS=${INFECTED}
146
          STATUS=${INFECTED}
Lines 151-170 Link Here
151
    fi
159
    fi
152
160
153
    if [ "${EXPERT}" = "t" ]; then
161
    if [ "${EXPERT}" = "t" ]; then
154
        expertmode_output "./ifpromisc" -v
162
        expertmode_output "${IFPROMISC}" -v
155
        return 5
163
        return 5
156
    fi
164
    fi
157
    if [ ! -x ./ifpromisc ]; then
165
    if [ ! -x ${IFPROMISC} ]; then
158
      echo "not tested: can't exec ./ifpromisc"
166
      echo "not tested: can't exec ${IFPROMISC}"
159
      return ${NOT_TESTED}
167
      return ${NOT_TESTED}
160
    else
168
    else
161
      [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q
169
      [ "${QUIET}" != "t" ] && ${IFPROMISC} -v || ${IFPROMISC} -q
162
    fi
170
    fi
163
}
171
}
164
172
165
z2 () {
173
z2 () {
166
    if [ ! -x ./chklastlog ]; then
174
    if [ ! -x ${CHKLASTLOG} ]; then
167
      echo "not tested: can't exec ./chklastlog"
175
      echo "not tested: can't exec ${CHKLASTLOG}"
168
      return ${NOT_TESTED}
176
      return ${NOT_TESTED}
169
    fi
177
    fi
170
178
Lines 178-209 Link Here
178
    fi
186
    fi
179
187
180
    if [ "${EXPERT}" = "t" ]; then
188
    if [ "${EXPERT}" = "t" ]; then
181
        expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
189
        expertmode_output "${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG}"
182
        return 5
190
        return 5
183
    fi
191
    fi
184
192
185
    if ./chklastlog -f ${WTMP} -l ${LASTLOG}
193
    if ${CHKLASTLOG} -f ${WTMP} -l ${LASTLOG}
186
    then
194
    then
187
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
195
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
188
    fi
196
    fi
189
}
197
}
190
198
191
wted () {
199
wted () {
192
    if [ ! -x ./chkwtmp ]; then
200
    if [ ! -x ${CHKWTMP} ]; then
193
      echo "not tested: can't exec ./chkwtmp"
201
      echo "not tested: can't exec ${CHKWTMP}"
194
      return ${NOT_TESTED}
202
      return ${NOT_TESTED}
195
    fi
203
    fi
196
204
197
   if [ "$SYSTEM" = "SunOS" ]; then
205
   if [ "$SYSTEM" = "SunOS" ]; then
198
       if [ ! -x ./check_wtmpx ]; then
206
       if [ ! -x ${CHECK_WTMPX} ]; then
199
          echo "not tested: can't exec ./check_wtmpx"
207
          echo "not tested: can't exec ${CHECK_WTMPX}"
200
       else
208
       else
201
          if [ "${EXPERT}" = "t" ]; then
209
          if [ "${EXPERT}" = "t" ]; then
202
             expertmode_output "./check_wtmpx"
210
             expertmode_output "${CHECK_WTMPX}"
203
              return 5
211
              return 5
204
          fi
212
          fi
205
	  if [ -f ${ROOTDIR}var/adm/wtmp ]; then 
213
	  if [ -f ${ROOTDIR}var/adm/wtmp ]; then 
206
             if ./check_wtmpx
214
             if ${CHECK_WTMPX}
207
                then
215
                then
208
                if [ "${QUIET}" != "t" ]; then \
216
                if [ "${QUIET}" != "t" ]; then \
209
                   echo "nothing deleted in /var/adm/wtmpx"; fi
217
                   echo "nothing deleted in /var/adm/wtmpx"; fi
Lines 214-225 Link Here
214
       WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
222
       WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
215
223
216
       if [ "${EXPERT}" = "t" ]; then
224
       if [ "${EXPERT}" = "t" ]; then
217
          expertmode_output "./chkwtmp -f ${WTMP}"
225
          expertmode_output "${CHKWTMP} -f ${WTMP}"
218
          return 5
226
          return 5
219
       fi
227
       fi
220
    fi
228
    fi
221
229
222
    if ./chkwtmp -f ${WTMP}
230
    if ${CHKWTMP} -f ${WTMP}
223
    then
231
    then
224
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
232
      if [ "${QUIET}" != "t" ]; then echo "nothing deleted"; fi
225
    fi
233
    fi
Lines 258-264 Link Here
258
    prog=""
266
    prog=""
259
    if [  \( "${SYSTEM}" = "Linux"  -o \( "${SYSTEM}" = "FreeBSD" -a \
267
    if [  \( "${SYSTEM}" = "Linux"  -o \( "${SYSTEM}" = "FreeBSD" -a \
260
       ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then
268
       ${V} -gt 43 \) \) -a "${ROOTDIR}" = "/" ]; then
261
      [ ! -x ./chkproc ] && prog="./chkproc"
269
      [ ! -x ${CHKPROC} ] && prog="${CHKPROC}"
262
      [ ! -x ./chkdirs ] && prog="$prog ./chkdirs"
270
      [ ! -x ./chkdirs ] && prog="$prog ./chkdirs"
263
      if [ "$prog" != "" ]; then
271
      if [ "$prog" != "" ]; then
264
#        echo "not tested: can't exec $prog"
272
#        echo "not tested: can't exec $prog"
Lines 268-274 Link Here
268
      if [ "${EXPERT}" = "t" ]; then
276
      if [ "${EXPERT}" = "t" ]; then
269
         [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
277
         [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
270
         [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
278
         [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
271
          expertmode_output "./chkproc -v -v"
279
          expertmode_output "${CHKPROC} -v -v"
272
          return 5
280
          return 5
273
      fi
281
      fi
274
282
Lines 289-295 Link Here
289
         echo "Warning: Knark LKM installed"
297
         echo "Warning: Knark LKM installed"
290
      fi
298
      fi
291
299
292
      if ./chkproc
300
      if ${CHKPROC}
293
      then
301
      then
294
           if [ "${QUIET}" != "t" ]; then echo "nothing detected"; fi
302
           if [ "${QUIET}" != "t" ]; then echo "nothing detected"; fi
295
      else
303
      else
Lines 465-471 Link Here
465
      ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
473
      ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null
466
474
467
      ## Suckit rootkit
475
      ## Suckit rootkit
468
      expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} HOME"
476
      expertmode_output "${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME"
469
      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
477
      expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init."
470
478
471
      ## Volc rootkit
479
      ## Volc rootkit
Lines 890-896 Link Here
890
   ### Suckit
898
   ### Suckit
891
   if [ -f ${ROOTDIR}sbin/init ]; then
899
   if [ -f ${ROOTDIR}sbin/init ]; then
892
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit ... "; fi
900
      if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit ... "; fi
893
      if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
901
      if [ ${SYSTEM} != "HP-UX" ] && ( ${STRINGS} ${ROOTDIR}sbin/init | ${egrep} HOME  || \
894
	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
902
	      cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." ) >/dev/null 2>&1
895
        then
903
        then
896
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
904
        echo "Warning: ${ROOTDIR}sbin/init INFECTED"
Lines 1068-1087 Link Here
1068
    STATUS=${NOT_INFECTED}
1076
    STATUS=${NOT_INFECTED}
1069
    CMD=`loc chfn chfn $pth`
1077
    CMD=`loc chfn chfn $pth`
1070
    if [ "${EXPERT}" = "t" ]; then
1078
    if [ "${EXPERT}" = "t" ]; then
1071
        expertmode_output "${strings} -a ${CMD}"
1079
        expertmode_output "${STRINGS} -a ${CMD}"
1072
        return 5
1080
        return 5
1073
    fi
1081
    fi
1074
1082
1075
    case "${SYSTEM}" in
1083
    case "${SYSTEM}" in
1076
       Linux)
1084
       Linux)
1077
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1085
          if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1078
             >/dev/null 2>&1
1086
             >/dev/null 2>&1
1079
          then
1087
          then
1080
             STATUS=${INFECTED}
1088
             STATUS=${INFECTED}
1081
          fi;;
1089
          fi;;
1082
       FreeBSD)
1090
       FreeBSD)
1083
          [ $V -gt 50 ] && n=1 || n=2
1091
          [ $V -gt 50 ] && n=1 || n=2
1084
          if [ `${strings} -a ${CMD} | \
1092
          if [ `${STRINGS} -a ${CMD} | \
1085
                ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1093
                ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1086
          then
1094
          then
1087
             STATUS=${INFECTED}
1095
             STATUS=${INFECTED}
Lines 1096-1111 Link Here
1096
    REDHAT_PAM_LABEL="*NOT*"
1104
    REDHAT_PAM_LABEL="*NOT*"
1097
1105
1098
    if [ "${EXPERT}" = "t" ]; then
1106
    if [ "${EXPERT}" = "t" ]; then
1099
        expertmode_output "${strings} -a ${CMD}"
1107
        expertmode_output "${STRINGS} -a ${CMD}"
1100
        return 5
1108
        return 5
1101
    fi
1109
    fi
1102
1110
1103
    case "${SYSTEM}" in
1111
    case "${SYSTEM}" in
1104
       Linux)
1112
       Linux)
1105
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1113
          if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1106
          >/dev/null 2>&1
1114
          >/dev/null 2>&1
1107
             then
1115
             then
1108
             if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
1116
             if ${STRINGS} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
1109
             >/dev/null 2>&1
1117
             >/dev/null 2>&1
1110
                then
1118
                then
1111
                :
1119
                :
Lines 1115-1121 Link Here
1115
          fi;;
1123
          fi;;
1116
       FreeBSD)
1124
       FreeBSD)
1117
          [ $V -gt 50 ] && n=1 || n=2
1125
          [ $V -gt 50 ] && n=1 || n=2
1118
          if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1126
          if [ `${STRINGS} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
1119
             then
1127
             then
1120
             STATUS=${INFECTED}
1128
             STATUS=${INFECTED}
1121
          fi;;
1129
          fi;;
Lines 1128-1140 Link Here
1128
    CMD=`loc login login $pth`
1136
    CMD=`loc login login $pth`
1129
1137
1130
    if [ "${EXPERT}" = "t" ]; then
1138
    if [ "${EXPERT}" = "t" ]; then
1131
        expertmode_output "${strings} -a ${CMD}"
1139
        expertmode_output "${STRINGS} -a ${CMD}"
1132
        return 5
1140
        return 5
1133
    fi
1141
    fi
1134
1142
1135
    if [ "$SYSTEM" = "SunOS" ]; then
1143
    if [ "$SYSTEM" = "SunOS" ]; then
1136
      TROJED_L_L="porcao|/bin/xstat"
1144
      TROJED_L_L="porcao|/bin/xstat"
1137
      if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then
1145
      if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1 ]; then
1138
          return ${INFECTED}
1146
          return ${INFECTED}
1139
       else
1147
       else
1140
          return ${NOT_TESTED}
1148
          return ${NOT_TESTED}
Lines 1142-1148 Link Here
1142
    fi
1150
    fi
1143
    GENERAL="^root$"
1151
    GENERAL="^root$"
1144
    TROJED_L_L="vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT"
1152
    TROJED_L_L="vejeta|xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT"
1145
    ret=`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"`
1153
    ret=`${STRINGS} -a ${CMD} | ${egrep} -c "${GENERAL}"`
1146
    if [ ${ret} -gt 0 ]; then
1154
    if [ ${ret} -gt 0 ]; then
1147
        case ${ret} in
1155
        case ${ret} in
1148
        1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
1156
        1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \
Lines 1153-1159 Link Here
1153
        *) STATUS=${INFECTED};;
1161
        *) STATUS=${INFECTED};;
1154
        esac
1162
        esac
1155
    fi
1163
    fi
1156
    if ${strings} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null
1164
    if ${STRINGS} -a ${CMD} | ${egrep} "${TROJED_L_L}" 2>&1 >/dev/null
1157
       then
1165
       then
1158
        STATUS=${INFECTED}
1166
        STATUS=${INFECTED}
1159
    fi
1167
    fi
Lines 1169-1182 Link Here
1169
    fi
1177
    fi
1170
1178
1171
    if [ "${EXPERT}" = "t" ]; then
1179
    if [ "${EXPERT}" = "t" ]; then
1172
       expertmode_output "${strings} -a ${CMD}"
1180
       expertmode_output "${STRINGS} -a ${CMD}"
1173
    fi
1181
    fi
1174
1182
1175
    if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ]
1183
    if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ]
1176
    then
1184
    then
1177
       return ${NOT_TESTED}
1185
       return ${NOT_TESTED}
1178
    fi
1186
    fi
1179
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
1187
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
1180
    >/dev/null 2>&1
1188
    >/dev/null 2>&1
1181
    then
1189
    then
1182
       STATUS=${INFECTED}
1190
       STATUS=${INFECTED}
Lines 1194-1204 Link Here
1194
    fi
1202
    fi
1195
1203
1196
    if [ "${EXPERT}" = "t" ]; then
1204
    if [ "${EXPERT}" = "t" ]; then
1197
        expertmode_output "${strings} -a ${CMD}"
1205
        expertmode_output "${STRINGS} -a ${CMD}"
1198
        return 5
1206
        return 5
1199
    fi
1207
    fi
1200
1208
1201
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1209
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
1202
    >/dev/null 2>&1
1210
    >/dev/null 2>&1
1203
    then
1211
    then
1204
       STATUS=${INFECTED}
1212
       STATUS=${INFECTED}
Lines 1217-1227 Link Here
1217
    fi
1225
    fi
1218
1226
1219
    if [ "${EXPERT}" = "t" ]; then
1227
    if [ "${EXPERT}" = "t" ]; then
1220
        expertmode_output "${strings} -a ${CMD}"
1228
        expertmode_output "${STRINGS} -a ${CMD}"
1221
        return 5
1229
        return 5
1222
    fi
1230
    fi
1223
1231
1224
    if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
1232
    if ${STRINGS} -a ${CMD} | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
1225
    then
1233
    then
1226
       STATUS=${INFECTED}
1234
       STATUS=${INFECTED}
1227
    fi
1235
    fi
Lines 1238-1248 Link Here
1238
    fi
1246
    fi
1239
1247
1240
    if [ "${EXPERT}" = "t" ]; then
1248
    if [ "${EXPERT}" = "t" ]; then
1241
        expertmode_output "${strings} -a ${CMD}"
1249
        expertmode_output "${STRINGS} -a ${CMD}"
1242
        return 5
1250
        return 5
1243
    fi
1251
    fi
1244
1252
1245
    if ${strings} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
1253
    if ${STRINGS} -a ${CMD} | ${egrep} "${HDPARM_INFECTED_LABEL}" \
1246
       >/dev/null 2>&1
1254
       >/dev/null 2>&1
1247
    then
1255
    then
1248
       STATUS=${INFECTED}
1256
       STATUS=${INFECTED}
Lines 1260-1270 Link Here
1260
    fi
1268
    fi
1261
1269
1262
    if [ "${EXPERT}" = "t" ]; then
1270
    if [ "${EXPERT}" = "t" ]; then
1263
        expertmode_output "${strings} -a ${CMD}"
1271
        expertmode_output "${STRINGS} -a ${CMD}"
1264
        return 5
1272
        return 5
1265
    fi
1273
    fi
1266
1274
1267
    if ${strings} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
1275
    if ${STRINGS} -a ${CMD} | ${egrep} "${GPM_INFECTED_LABEL}" \
1268
       >/dev/null 2>&1
1276
       >/dev/null 2>&1
1269
    then
1277
    then
1270
       STATUS=${INFECTED}
1278
       STATUS=${INFECTED}
Lines 1282-1292 Link Here
1282
    fi
1290
    fi
1283
1291
1284
    if [ "${EXPERT}" = "t" ]; then
1292
    if [ "${EXPERT}" = "t" ]; then
1285
        expertmode_output "${strings} -a ${CMD}"
1293
        expertmode_output "${STRINGS} -a ${CMD}"
1286
        return 5
1294
        return 5
1287
    fi
1295
    fi
1288
1296
1289
    if ${strings} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
1297
    if ${STRINGS} -a ${CMD} | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
1290
       >/dev/null 2>&1
1298
       >/dev/null 2>&1
1291
    then
1299
    then
1292
       STATUS=${INFECTED}
1300
       STATUS=${INFECTED}
Lines 1304-1314 Link Here
1304
    fi
1312
    fi
1305
1313
1306
    if [ "${EXPERT}" = "t" ]; then
1314
    if [ "${EXPERT}" = "t" ]; then
1307
        expertmode_output "${strings} -a ${CMD}"
1315
        expertmode_output "${STRINGS} -a ${CMD}"
1308
        return 5
1316
        return 5
1309
    fi
1317
    fi
1310
1318
1311
    if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
1319
    if ${STRINGS} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
1312
       >/dev/null 2>&1
1320
       >/dev/null 2>&1
1313
    then
1321
    then
1314
       STATUS=${INFECTED}
1322
       STATUS=${INFECTED}
Lines 1322-1332 Link Here
1322
    CMD=`loc ls ls $pth`
1330
    CMD=`loc ls ls $pth`
1323
1331
1324
    if [ "${EXPERT}" = "t" ]; then
1332
    if [ "${EXPERT}" = "t" ]; then
1325
        expertmode_output "${strings} -a ${CMD}"
1333
        expertmode_output "${STRINGS} -a ${CMD}"
1326
        return 5
1334
        return 5
1327
    fi
1335
    fi
1328
1336
1329
    if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
1337
    if ${STRINGS} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
1330
    then
1338
    then
1331
       STATUS=${INFECTED}
1339
       STATUS=${INFECTED}
1332
    fi
1340
    fi
Lines 1339-1349 Link Here
1339
    CMD=`loc du du $pth`
1347
    CMD=`loc du du $pth`
1340
1348
1341
    if [ "${EXPERT}" = "t" ]; then
1349
    if [ "${EXPERT}" = "t" ]; then
1342
        expertmode_output "${strings} -a ${CMD}"
1350
        expertmode_output "${STRINGS} -a ${CMD}"
1343
        return 5
1351
        return 5
1344
    fi
1352
    fi
1345
1353
1346
    if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
1354
    if ${STRINGS} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
1347
    then
1355
    then
1348
       STATUS=${INFECTED}
1356
       STATUS=${INFECTED}
1349
    fi
1357
    fi
Lines 1363-1373 Link Here
1363
    fi
1371
    fi
1364
1372
1365
    if [ "${EXPERT}" = "t" ]; then
1373
    if [ "${EXPERT}" = "t" ]; then
1366
        expertmode_output "${strings} -a ${CMD}"
1374
        expertmode_output "${STRINGS} -a ${CMD}"
1367
        return 5
1375
        return 5
1368
    fi
1376
    fi
1369
1377
1370
    if ${strings} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
1378
    if ${STRINGS} -a ${CMD} | ${egrep} "${NAMED_I_L}" \
1371
    >/dev/null 2>&1
1379
    >/dev/null 2>&1
1372
    then
1380
    then
1373
       STATUS=${INFECTED}
1381
       STATUS=${INFECTED}
Lines 1381-1391 Link Here
1381
    CMD=`loc netstat netstat $pth`
1389
    CMD=`loc netstat netstat $pth`
1382
1390
1383
    if [ "${EXPERT}" = "t" ]; then
1391
    if [ "${EXPERT}" = "t" ]; then
1384
        expertmode_output "${strings} -a ${CMD}"
1392
        expertmode_output "${STRINGS} -a ${CMD}"
1385
        return 5
1393
        return 5
1386
    fi
1394
    fi
1387
1395
1388
    if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
1396
    if ${STRINGS} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
1389
    >/dev/null 2>&1
1397
    >/dev/null 2>&1
1390
    then
1398
    then
1391
       STATUS=${INFECTED}
1399
       STATUS=${INFECTED}
Lines 1400-1410 Link Here
1400
   CMD=`loc ps ps $pth`
1408
   CMD=`loc ps ps $pth`
1401
1409
1402
    if [ "${EXPERT}" = "t" ]; then
1410
    if [ "${EXPERT}" = "t" ]; then
1403
        expertmode_output "${strings} -a ${CMD}"
1411
        expertmode_output "${STRINGS} -a ${CMD}"
1404
        return 5
1412
        return 5
1405
    fi
1413
    fi
1406
1414
1407
    if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
1415
    if ${STRINGS} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
1408
    then
1416
    then
1409
       STATUS=${INFECTED}
1417
       STATUS=${INFECTED}
1410
    fi
1418
    fi
Lines 1422-1432 Link Here
1422
    fi
1430
    fi
1423
1431
1424
    if [ "${EXPERT}" = "t" ]; then
1432
    if [ "${EXPERT}" = "t" ]; then
1425
        expertmode_output "${strings} -a ${CMD}"
1433
        expertmode_output "${STRINGS} -a ${CMD}"
1426
        return 5
1434
        return 5
1427
    fi
1435
    fi
1428
1436
1429
    if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
1437
    if ${STRINGS} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
1430
    then
1438
    then
1431
       STATUS=${INFECTED}
1439
       STATUS=${INFECTED}
1432
    fi
1440
    fi
Lines 1444-1454 Link Here
1444
    fi
1452
    fi
1445
1453
1446
    if [ "${EXPERT}" = "t" ]; then
1454
    if [ "${EXPERT}" = "t" ]; then
1447
        expertmode_output "${strings} -a ${CMD}"
1455
        expertmode_output "${STRINGS} -a ${CMD}"
1448
        return 5
1456
        return 5
1449
    fi
1457
    fi
1450
1458
1451
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1459
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1452
    then
1460
    then
1453
       STATUS=${INFECTED}
1461
       STATUS=${INFECTED}
1454
    fi
1462
    fi
Lines 1466-1476 Link Here
1466
    fi
1474
    fi
1467
1475
1468
    if [ "${EXPERT}" = "t" ]; then
1476
    if [ "${EXPERT}" = "t" ]; then
1469
        expertmode_output "${strings} -a ${CMD}"
1477
        expertmode_output "${STRINGS} -a ${CMD}"
1470
        return 5
1478
        return 5
1471
    fi
1479
    fi
1472
1480
1473
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1481
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1474
    then
1482
    then
1475
       STATUS=${INFECTED}
1483
       STATUS=${INFECTED}
1476
    fi
1484
    fi
Lines 1488-1498 Link Here
1488
    fi
1496
    fi
1489
1497
1490
    if [ "${EXPERT}" = "t" ]; then
1498
    if [ "${EXPERT}" = "t" ]; then
1491
        expertmode_output "${strings} -a ${CMD}"
1499
        expertmode_output "${STRINGS} -a ${CMD}"
1492
        return 5
1500
        return 5
1493
    fi
1501
    fi
1494
1502
1495
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1503
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1496
    then
1504
    then
1497
       STATUS=${INFECTED}
1505
       STATUS=${INFECTED}
1498
    fi
1506
    fi
Lines 1531-1541 Link Here
1531
   CMD=`loc basename basename $pth`
1539
   CMD=`loc basename basename $pth`
1532
1540
1533
   if [ "${EXPERT}" = "t" ]; then
1541
   if [ "${EXPERT}" = "t" ]; then
1534
       expertmode_output "${strings} -a ${CMD}"
1542
       expertmode_output "${STRINGS} -a ${CMD}"
1535
       expertmode_output "${ls} -l ${CMD}"
1543
       expertmode_output "${ls} -l ${CMD}"
1536
       return 5
1544
       return 5
1537
   fi
1545
   fi
1538
   if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1546
   if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1539
   then
1547
   then
1540
       STATUS=${INFECTED}
1548
       STATUS=${INFECTED}
1541
   fi
1549
   fi
Lines 1555-1565 Link Here
1555
    CMD=`loc dirname dirname $pth`
1563
    CMD=`loc dirname dirname $pth`
1556
1564
1557
    if [ "${EXPERT}" = "t" ]; then
1565
    if [ "${EXPERT}" = "t" ]; then
1558
        expertmode_output "${strings} -a ${CMD}"
1566
        expertmode_output "${STRINGS} -a ${CMD}"
1559
        expertmode_output "${ls} -l ${CMD}"
1567
        expertmode_output "${ls} -l ${CMD}"
1560
        return 5
1568
        return 5
1561
    fi
1569
    fi
1562
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1570
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1563
    then
1571
    then
1564
        STATUS=${INFECTED}
1572
        STATUS=${INFECTED}
1565
    fi
1573
    fi
Lines 1580-1590 Link Here
1580
    fi
1588
    fi
1581
1589
1582
    if [ "${EXPERT}" = "t" ]; then
1590
    if [ "${EXPERT}" = "t" ]; then
1583
        expertmode_output "${strings} -a ${CMD}"
1591
        expertmode_output "${STRINGS} -a ${CMD}"
1584
        return 5
1592
        return 5
1585
    fi
1593
    fi
1586
1594
1587
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1595
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1588
    then
1596
    then
1589
        STATUS=${INFECTED}
1597
        STATUS=${INFECTED}
1590
    fi
1598
    fi
Lines 1596-1607 Link Here
1596
    CMD=`loc rpcinfo rpcinfo $pth`
1604
    CMD=`loc rpcinfo rpcinfo $pth`
1597
1605
1598
    if [ "${EXPERT}" = "t" ]; then
1606
    if [ "${EXPERT}" = "t" ]; then
1599
        expertmode_output "${strings} -a ${CMD}"
1607
        expertmode_output "${STRINGS} -a ${CMD}"
1600
        expertmode_output "${ls} -l ${CMD}"
1608
        expertmode_output "${ls} -l ${CMD}"
1601
        return 5
1609
        return 5
1602
    fi
1610
    fi
1603
1611
1604
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1612
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1605
    then
1613
    then
1606
        STATUS=${INFECTED}
1614
        STATUS=${INFECTED}
1607
    fi
1615
    fi
Lines 1618-1636 Link Here
1618
    CMD=`loc date date $pth`
1626
    CMD=`loc date date $pth`
1619
1627
1620
    if [ "${EXPERT}" = "t" ]; then
1628
    if [ "${EXPERT}" = "t" ]; then
1621
        expertmode_output "${strings} -a ${CMD}"
1629
        expertmode_output "${STRINGS} -a ${CMD}"
1622
        expertmode_output "${ls} -l ${CMD}"
1630
        expertmode_output "${ls} -l ${CMD}"
1623
        return 5
1631
        return 5
1624
    fi
1632
    fi
1625
    [ "${SYSTEM}" = "FreeBSD" -a $V -gt 50 ] &&
1633
    [ "${SYSTEM}" = "FreeBSD" -a $V -gt 50 ] &&
1626
    {
1634
    {
1627
       if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
1635
       if [ `${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \
1628
          ${egrep} -c "$S_L"` -ne 2 ]; then
1636
          ${egrep} -c "$S_L"` -ne 2 ]; then
1629
          STATUS=${INFECTED}
1637
          STATUS=${INFECTED}
1630
       fi
1638
       fi
1631
    } ||
1639
    } ||
1632
    {
1640
    {
1633
       if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1
1641
       if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1
1634
          then
1642
          then
1635
          STATUS=${INFECTED}
1643
          STATUS=${INFECTED}
1636
       fi
1644
       fi
Lines 1647-1658 Link Here
1647
    CMD=`loc echo echo $pth`
1655
    CMD=`loc echo echo $pth`
1648
1656
1649
    if [ "${EXPERT}" = "t" ]; then
1657
    if [ "${EXPERT}" = "t" ]; then
1650
        expertmode_output "${strings} -a ${CMD}"
1658
        expertmode_output "${STRINGS} -a ${CMD}"
1651
        expertmode_output "${ls} -l ${CMD}"
1659
        expertmode_output "${ls} -l ${CMD}"
1652
        return 5
1660
        return 5
1653
    fi
1661
    fi
1654
1662
1655
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1663
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1656
    then
1664
    then
1657
        STATUS=${INFECTED}
1665
        STATUS=${INFECTED}
1658
    fi
1666
    fi
Lines 1668-1679 Link Here
1668
    CMD=`loc env env $pth`
1676
    CMD=`loc env env $pth`
1669
1677
1670
    if [ "${EXPERT}" = "t" ]; then
1678
    if [ "${EXPERT}" = "t" ]; then
1671
        expertmode_output "${strings} -a ${CMD}"
1679
        expertmode_output "${STRINGS} -a ${CMD}"
1672
        expertmode_output "${ls} -l ${CMD}"
1680
        expertmode_output "${ls} -l ${CMD}"
1673
        return 5
1681
        return 5
1674
    fi
1682
    fi
1675
1683
1676
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1684
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1677
    then
1685
    then
1678
        STATUS=${INFECTED}
1686
        STATUS=${INFECTED}
1679
    fi
1687
    fi
Lines 1695-1705 Link Here
1695
       fi
1703
       fi
1696
    fi
1704
    fi
1697
    if [ "${EXPERT}" = "t" ]; then
1705
    if [ "${EXPERT}" = "t" ]; then
1698
        expertmode_output "${strings} -a ${CMD}"
1706
        expertmode_output "${STRINGS} -a ${CMD}"
1699
        return 5
1707
        return 5
1700
    fi
1708
    fi
1701
1709
1702
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1710
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1703
    then
1711
    then
1704
        STATUS=${INFECTED}
1712
        STATUS=${INFECTED}
1705
    fi
1713
    fi
Lines 1713-1723 Link Here
1713
       return ${NOT_FOUND}
1721
       return ${NOT_FOUND}
1714
    fi
1722
    fi
1715
    if [ "${EXPERT}" = "t" ]; then
1723
    if [ "${EXPERT}" = "t" ]; then
1716
        expertmode_output "${strings} -a ${CMD}"
1724
        expertmode_output "${STRINGS} -a ${CMD}"
1717
        return 5
1725
        return 5
1718
    fi
1726
    fi
1719
1727
1720
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1728
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1721
    then
1729
    then
1722
        STATUS=${INFECTED}
1730
        STATUS=${INFECTED}
1723
    fi
1731
    fi
Lines 1732-1742 Link Here
1732
       return ${NOT_FOUND}
1740
       return ${NOT_FOUND}
1733
    fi
1741
    fi
1734
    if [ "${EXPERT}" = "t" ]; then
1742
    if [ "${EXPERT}" = "t" ]; then
1735
        expertmode_output "${strings} -a ${CMD}"
1743
        expertmode_output "${STRINGS} -a ${CMD}"
1736
        return 5
1744
        return 5
1737
    fi
1745
    fi
1738
1746
1739
    if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
1747
    if ${STRINGS} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1
1740
    then
1748
    then
1741
        STATUS=${INFECTED}
1749
        STATUS=${INFECTED}
1742
    fi
1750
    fi
Lines 1750-1760 Link Here
1750
       return ${NOT_FOUND}
1758
       return ${NOT_FOUND}
1751
    fi
1759
    fi
1752
    if [ "${EXPERT}" = "t" ]; then
1760
    if [ "${EXPERT}" = "t" ]; then
1753
        expertmode_output "${strings} -a ${CMD}"
1761
        expertmode_output "${STRINGS} -a ${CMD}"
1754
        return 5
1762
        return 5
1755
    fi
1763
    fi
1756
1764
1757
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1765
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1758
    then
1766
    then
1759
        STATUS=${INFECTED}
1767
        STATUS=${INFECTED}
1760
    fi
1768
    fi
Lines 1768-1778 Link Here
1768
        return ${NOT_FOUND}
1776
        return ${NOT_FOUND}
1769
    fi
1777
    fi
1770
    if [ "${EXPERT}" = "t" ]; then
1778
    if [ "${EXPERT}" = "t" ]; then
1771
        expertmode_output "${strings} -a ${CMD}"
1779
        expertmode_output "${STRINGS} -a ${CMD}"
1772
        return 5
1780
        return 5
1773
    fi
1781
    fi
1774
1782
1775
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1783
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1776
    then
1784
    then
1777
        STATUS=${INFECTED}
1785
        STATUS=${INFECTED}
1778
    fi
1786
    fi
Lines 1784-1795 Link Here
1784
    CMD=`loc write write $pth`
1792
    CMD=`loc write write $pth`
1785
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
1793
    WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
1786
    if [ "${EXPERT}" = "t" ]; then
1794
    if [ "${EXPERT}" = "t" ]; then
1787
        expertmode_output "${strings} -a ${CMD}"
1795
        expertmode_output "${STRINGS} -a ${CMD}"
1788
        expertmode_output "${ls} -l ${CMD}"
1796
        expertmode_output "${ls} -l ${CMD}"
1789
        return 5
1797
        return 5
1790
    fi
1798
    fi
1791
1799
1792
    if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
1800
    if ${STRINGS} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1
1793
    then
1801
    then
1794
        STATUS=${INFECTED}
1802
        STATUS=${INFECTED}
1795
    fi
1803
    fi
Lines 1806-1816 Link Here
1806
    W_INFECTED_LABEL="uname -a"
1814
    W_INFECTED_LABEL="uname -a"
1807
1815
1808
    if [ "${EXPERT}" = "t" ]; then
1816
    if [ "${EXPERT}" = "t" ]; then
1809
        expertmode_output "${strings} -a ${CMD}"
1817
        expertmode_output "${STRINGS} -a ${CMD}"
1810
        expertmode_output "${ls} -l ${CMD}"
1818
        expertmode_output "${ls} -l ${CMD}"
1811
        return 5
1819
        return 5
1812
    fi
1820
    fi
1813
    if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
1821
    if ${STRINGS} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1
1814
    then
1822
    then
1815
        STATUS=${INFECTED}
1823
        STATUS=${INFECTED}
1816
    fi
1824
    fi
Lines 1826-1836 Link Here
1826
    fi
1834
    fi
1827
1835
1828
    if [ "${EXPERT}" = "t" ]; then
1836
    if [ "${EXPERT}" = "t" ]; then
1829
        expertmode_output "${strings} -a ${CMD}"
1837
        expertmode_output "${STRINGS} -a ${CMD}"
1830
        expertmode_output "${ls} -l ${CMD}"
1838
        expertmode_output "${ls} -l ${CMD}"
1831
        return 5
1839
        return 5
1832
    fi
1840
    fi
1833
    if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
1841
    if ${STRINGS} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1
1834
    then
1842
    then
1835
        STATUS=${INFECTED}
1843
        STATUS=${INFECTED}
1836
    fi
1844
    fi
Lines 1862-1868 Link Here
1862
    fi
1870
    fi
1863
1871
1864
    if [ "${EXPERT}" = "t" ]; then
1872
    if [ "${EXPERT}" = "t" ]; then
1865
        expertmode_output "${strings} -a ${CMD}"
1873
        expertmode_output "${STRINGS} -a ${CMD}"
1866
        return 5
1874
        return 5
1867
    fi
1875
    fi
1868
    STATUS=${INFECTED}
1876
    STATUS=${INFECTED}
Lines 1879-1890 Link Here
1879
    MAIL_INFECTED_LABEL="sh -i"
1887
    MAIL_INFECTED_LABEL="sh -i"
1880
1888
1881
    if [ "${EXPERT}" = "t" ]; then
1889
    if [ "${EXPERT}" = "t" ]; then
1882
        expertmode_output "${strings} -a ${CMD}"
1890
        expertmode_output "${STRINGS} -a ${CMD}"
1883
        expertmode_output "${ls} -l ${CMD}"
1891
        expertmode_output "${ls} -l ${CMD}"
1884
        return 5
1892
        return 5
1885
    fi
1893
    fi
1886
1894
1887
    if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
1895
    if ${STRINGS} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
1888
    then
1896
    then
1889
        STATUS=${INFECTED}
1897
        STATUS=${INFECTED}
1890
    fi
1898
    fi
Lines 1904-1915 Link Here
1904
    fi
1912
    fi
1905
1913
1906
    if [ "${EXPERT}" = "t" ]; then
1914
    if [ "${EXPERT}" = "t" ]; then
1907
        expertmode_output "${strings} -a ${CMD}"
1915
        expertmode_output "${STRINGS} -a ${CMD}"
1908
        expertmode_output "${ls} -l ${CMD}"
1916
        expertmode_output "${ls} -l ${CMD}"
1909
        return 5
1917
        return 5
1910
    fi
1918
    fi
1911
1919
1912
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1920
    if ${STRINGS} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
1913
    then
1921
    then
1914
        STATUS=${INFECTED}
1922
        STATUS=${INFECTED}
1915
    fi
1923
    fi
Lines 1926-1936 Link Here
1926
    CMD=`loc egrep egrep $pth`
1934
    CMD=`loc egrep egrep $pth`
1927
1935
1928
    if [ "${EXPERT}" = "t" ]; then
1936
    if [ "${EXPERT}" = "t" ]; then
1929
        expertmode_output "${strings} -a ${CMD}"
1937
        expertmode_output "${STRINGS} -a ${CMD}"
1930
        expertmode_output "${ls} -l ${CMD}"
1938
        expertmode_output "${ls} -l ${CMD}"
1931
        return 5
1939
        return 5
1932
    fi
1940
    fi
1933
    if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
1941
    if ${STRINGS} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1
1934
    then
1942
    then
1935
        STATUS=${INFECTED}
1943
        STATUS=${INFECTED}
1936
    fi
1944
    fi
Lines 1943-1954 Link Here
1943
    CMD=`loc grep grep $pth`
1951
    CMD=`loc grep grep $pth`
1944
1952
1945
    if [ "${EXPERT}" = "t" ]; then
1953
    if [ "${EXPERT}" = "t" ]; then
1946
        expertmode_output "${strings} -a ${CMD}"
1954
        expertmode_output "${STRINGS} -a ${CMD}"
1947
        expertmode_output "${ls} -l ${CMD}"
1955
        expertmode_output "${ls} -l ${CMD}"
1948
        return 5
1956
        return 5
1949
    fi
1957
    fi
1950
1958
1951
    if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
1959
    if ${STRINGS} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
1952
    then
1960
    then
1953
        STATUS=${INFECTED}
1961
        STATUS=${INFECTED}
1954
    fi
1962
    fi
Lines 1970-1980 Link Here
1970
    fi
1978
    fi
1971
1979
1972
    if [ "${EXPERT}" = "t" ]; then
1980
    if [ "${EXPERT}" = "t" ]; then
1973
        expertmode_output "${strings} -a ${CMD}"
1981
        expertmode_output "${STRINGS} -a ${CMD}"
1974
        return 5
1982
        return 5
1975
    fi
1983
    fi
1976
1984
1977
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1985
    if ${STRINGS} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
1978
    then
1986
    then
1979
       STATUS=${INFECTED}
1987
       STATUS=${INFECTED}
1980
    fi
1988
    fi
Lines 1992-2001 Link Here
1992
       fi
2000
       fi
1993
    fi
2001
    fi
1994
    if [ "${EXPERT}" = "t" ]; then
2002
    if [ "${EXPERT}" = "t" ]; then
1995
        expertmode_output "${strings} -a ${CMD}"
2003
        expertmode_output "${STRINGS} -a ${CMD}"
1996
        return 5
2004
        return 5
1997
    fi
2005
    fi
1998
    if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2006
    if ${STRINGS} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
1999
    then
2007
    then
2000
       STATUS=${INFECTED}
2008
       STATUS=${INFECTED}
2001
    fi
2009
    fi
Lines 2010-2019 Link Here
2010
         return ${NOT_FOUND}
2018
         return ${NOT_FOUND}
2011
    fi
2019
    fi
2012
    if [ "${EXPERT}" = "t" ]; then
2020
    if [ "${EXPERT}" = "t" ]; then
2013
        expertmode_output "${strings} -a ${CMD}"
2021
        expertmode_output "${STRINGS} -a ${CMD}"
2014
        return 5
2022
        return 5
2015
    fi
2023
    fi
2016
    if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
2024
    if ${STRINGS} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1
2017
    then
2025
    then
2018
       STATUS=${INFECTED}
2026
       STATUS=${INFECTED}
2019
    fi
2027
    fi
Lines 2028-2037 Link Here
2028
         return ${NOT_FOUND}
2036
         return ${NOT_FOUND}
2029
    fi
2037
    fi
2030
    if [ "${EXPERT}" = "t" ]; then
2038
    if [ "${EXPERT}" = "t" ]; then
2031
        expertmode_output "${strings} -a ${CMD}"
2039
        expertmode_output "${STRINGS} -a ${CMD}"
2032
        return 5
2040
        return 5
2033
    fi
2041
    fi
2034
    if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
2042
    if ${STRINGS} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1
2035
    then
2043
    then
2036
       STATUS=${INFECTED}
2044
       STATUS=${INFECTED}
2037
    fi
2045
    fi
Lines 2046-2055 Link Here
2046
         return ${NOT_FOUND}
2054
         return ${NOT_FOUND}
2047
    fi
2055
    fi
2048
    if [ "${EXPERT}" = "t" ]; then
2056
    if [ "${EXPERT}" = "t" ]; then
2049
        expertmode_output "${strings} -a ${CMD}"
2057
        expertmode_output "${STRINGS} -a ${CMD}"
2050
        return 5
2058
        return 5
2051
    fi
2059
    fi
2052
    if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2060
    if ${STRINGS} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1
2053
    then
2061
    then
2054
       STATUS=${INFECTED}
2062
       STATUS=${INFECTED}
2055
    fi
2063
    fi
Lines 2068-2077 Link Here
2068
        return ${NOT_FOUND}
2076
        return ${NOT_FOUND}
2069
    fi
2077
    fi
2070
    if [ "${EXPERT}" = "t" ]; then
2078
    if [ "${EXPERT}" = "t" ]; then
2071
        expertmode_output "${strings} -a ${CMD}"
2079
        expertmode_output "${STRINGS} -a ${CMD}"
2072
        return 5
2080
        return 5
2073
    fi
2081
    fi
2074
    if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
2082
    if ${STRINGS} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1
2075
    then
2083
    then
2076
       STATUS=${INFECTED}
2084
       STATUS=${INFECTED}
2077
    fi
2085
    fi
Lines 2083-2100 Link Here
2083
    CMD="${ROOTDIR}sbin/ifconfig"
2091
    CMD="${ROOTDIR}sbin/ifconfig"
2084
2092
2085
    if [ "${EXPERT}" = "t" ]; then
2093
    if [ "${EXPERT}" = "t" ]; then
2086
        expertmode_output "${strings} -a ${CMD}"
2094
        expertmode_output "${STRINGS} -a ${CMD}"
2087
        return 5
2095
        return 5
2088
    fi
2096
    fi
2089
2097
2090
    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
2098
    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
2091
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
2099
    IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null"
2092
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
2100
    if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
2093
    >/dev/null 2>&1
2101
    >/dev/null 2>&1
2094
    then
2102
    then
2095
       STATUS=${NOT_INFECTED}
2103
       STATUS=${NOT_INFECTED}
2096
    fi
2104
    fi
2097
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
2105
    if ${STRINGS} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \
2098
    >/dev/null 2>&1
2106
    >/dev/null 2>&1
2099
    then
2107
    then
2100
       STATUS=${INFECTED}
2108
       STATUS=${INFECTED}
Lines 2114-2125 Link Here
2114
       return ${NOT_FOUND}
2122
       return ${NOT_FOUND}
2115
    fi
2123
    fi
2116
    if [ "${EXPERT}" = "t" ]; then
2124
    if [ "${EXPERT}" = "t" ]; then
2117
        expertmode_output "${strings} -a ${CMD}"
2125
        expertmode_output "${STRINGS} -a ${CMD}"
2118
        return 5
2126
        return 5
2119
    fi
2127
    fi
2120
2128
2121
    RSHD_INFECTED_LABEL="HISTFILE"
2129
    RSHD_INFECTED_LABEL="HISTFILE"
2122
    if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
2130
    if ${STRINGS} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
2123
    then
2131
    then
2124
        STATUS=${INFECTED}
2132
        STATUS=${INFECTED}
2125
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
2133
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
Lines 2155-2165 Link Here
2155
    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};
2163
    [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND};
2156
2164
2157
    if [ "${EXPERT}" = "t" ]; then
2165
    if [ "${EXPERT}" = "t" ]; then
2158
        expertmode_output "${strings} -a ${CMD}"
2166
        expertmode_output "${STRINGS} -a ${CMD}"
2159
        return 5
2167
        return 5
2160
    fi
2168
    fi
2161
2169
2162
    if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
2170
    if ${STRINGS} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
2163
    then
2171
    then
2164
        STATUS=${INFECTED}
2172
        STATUS=${INFECTED}
2165
    fi
2173
    fi
Lines 2176-2186 Link Here
2176
    fi
2184
    fi
2177
2185
2178
    if [ "${EXPERT}" = "t" ]; then
2186
    if [ "${EXPERT}" = "t" ]; then
2179
        expertmode_output "${strings} -a ${CMD}"
2187
        expertmode_output "${STRINGS} -a ${CMD}"
2180
        return 5
2188
        return 5
2181
    fi
2189
    fi
2182
2190
2183
    if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
2191
    if ${STRINGS} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
2184
       > /dev/null 2>&1
2192
       > /dev/null 2>&1
2185
    then
2193
    then
2186
        STATUS=${INFECTED}
2194
        STATUS=${INFECTED}
Lines 2197-2207 Link Here
2197
    CMD=`loc su su $pth`
2205
    CMD=`loc su su $pth`
2198
2206
2199
    if [ "${EXPERT}" = "t" ]; then
2207
    if [ "${EXPERT}" = "t" ]; then
2200
        expertmode_output "${strings} -a ${CMD}"
2208
        expertmode_output "${STRINGS} -a ${CMD}"
2201
        return 5
2209
        return 5
2202
    fi
2210
    fi
2203
2211
2204
    if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
2212
    if ${STRINGS} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
2205
    then
2213
    then
2206
        STATUS=${INFECTED}
2214
        STATUS=${INFECTED}
2207
    fi
2215
    fi
Lines 2221-2231 Link Here
2221
    fi
2229
    fi
2222
2230
2223
    if [ "${EXPERT}" = "t" ]; then
2231
    if [ "${EXPERT}" = "t" ]; then
2224
        expertmode_output "${strings} -a ${CMD}"
2232
        expertmode_output "${STRINGS} -a ${CMD}"
2225
        return 5
2233
        return 5
2226
    fi
2234
    fi
2227
2235
2228
    if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
2236
    if ${STRINGS} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
2229
> /dev/null 2>&1
2237
> /dev/null 2>&1
2230
    then
2238
    then
2231
        STATUS=${INFECTED}
2239
        STATUS=${INFECTED}
Lines 2273-2283 Link Here
2273
    fi
2281
    fi
2274
2282
2275
    if [ "${EXPERT}" = "t" ]; then
2283
    if [ "${EXPERT}" = "t" ]; then
2276
        expertmode_output "${strings} -a ${CMD}"
2284
        expertmode_output "${STRINGS} -a ${CMD}"
2277
        return 5
2285
        return 5
2278
    fi
2286
    fi
2279
2287
2280
    if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
2288
    if ${STRINGS} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
2281
       >/dev/null 2>&1
2289
       >/dev/null 2>&1
2282
    then
2290
    then
2283
        STATUS=${INFECTED}
2291
        STATUS=${INFECTED}
