Package: chkrootkit
Version: 0.44-2

There are two serious failures in getCMD() inside `chkrootkit`.


First, the RUNNING=... assignment only yields a string if the program is running
at the time. A test might be run for a daemon that isn't installed. Even
if the daemon is present, it might not be running. In the case of
ssh/sshd, if the file /etc/ssh/sshd_not_to_be_run exists the daemon won't
run.

In this case $RUNNING will be the empty string and $CMD will get set to "/".
As / is typically a readable directory, the [ -r ] test passes. Presence
of a directory named identically to a daemon might be indicative of a kit,
so it is likely best to test for "x$RUNNING" = "x" and add the result to a
variable used as the final argument to the for statement.


Second, the RUNNING=`...| ${egrep} -v chkrootkit |...` test is incorrect.
Though unusual, one can make a symbolic link to chkrootkit and execute
the link. A more likely case is to copy the script to another file for
debugging. The script should save $0 for use in this test. Additionally,
naming a rootkit "sshd.chkrootkit" could be used to cloak it from this test.
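The following is an added example, not chkrootkit's own getCMD() code: a constructed model of both failures above (the empty $RUNNING collapsing to "/", and the name-based `egrep -v chkrootkit` self-exclusion) beside a hardened version. The process table is a constructed PS_OUTPUT string, and MY_PID is an assumed stand-in for $$, so it runs offline.

```shell
# Constructed stand-in for `ps` output (PID then command); no real process
# table is consulted.
PS_OUTPUT='1 /sbin/init
2 /usr/sbin/sshd.chkrootkit
3 /usr/bin/perl chkrootkit'
MY_PID=3    # assumed PID of this script, playing the role of $$

# Model of the flawed check: excluding ourselves by the literal name
# "chkrootkit" also hides anything called e.g. "sshd.chkrootkit", and an
# empty RUNNING silently becomes CMD="/", which is readable, so the test
# "passes" for a daemon that is not running at all.
flawed_getcmd() {
    RUNNING=$(printf '%s\n' "$PS_OUTPUT" | grep "$1" | grep -v chkrootkit \
        | head -n 1 | awk '{print $2}')
    CMD=${RUNNING:-/}
    [ -r "$CMD" ] && printf '%s\n' "$CMD"
}

# Hardened model: exclude only our own PID rather than a name (so a copied
# or symlinked script and the name-suffix trick are both covered), and
# treat an empty RUNNING as "daemon not running" instead of falling back
# to "/". The readability test then only ever sees a real path.
hardened_getcmd() {
    RUNNING=$(printf '%s\n' "$PS_OUTPUT" | awk -v pid="$MY_PID" -v name="$1" \
        '$1 != pid && index($2, name) { print $2; exit }')
    if [ "x$RUNNING" = "x" ]; then
        printf 'not-running\n'
        return 1
    fi
    printf '%s\n' "$RUNNING"
}

flawed_getcmd sshd      # prints "/" : a false pass for a daemon that is not up
hardened_getcmd sshd    # prints the path actually found in the process list
```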


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         [EMAIL PROTECTED] PGP 8881EF59         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
