Package: chkrootkit
Version: 0.44-2

There are two serious failures in getCMD() inside `chkrootkit`.

First, the RUNNING=... will only give a string if the program is running at the time. A test might be run for a daemon that isn't installed. Even if the daemon is present, it might not be running. In the case of ssh/sshd, if the file /etc/ssh/sshd_not_to_be_run exists the daemon won't run. In this case $RUNNING will be the empty string, and $CMD will get set to "/". As / is typically a readable directory, the [ -r ] test passes. Presence of a directory named identically to a daemon might be indicative of a kit, so it is likely best to test for "x$RUNNING" = "x" and add to a variable for the final argument to the for statement.

Second, the RUNNING=`...| ${egrep} -v chkrootkit |...` test is incorrect. Though unusual, one can make a symbolic link to chkrootkit and execute the link. A more likely case is to copy the script to another file for debugging. The script should save $0 for use in this test. Additionally, naming a rootkit "sshd.chkrootkit" could be used to cloak from this test.

-- EHM
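The following is an added example, not code from the chkrootkit package or from the reporter. It models the two failures above in a hypothetical lookup over a constructed process listing (a real version would read `ps` output), and places a hardened form beside it: the hardened lookup treats an empty $RUNNING as "not running" instead of letting the path collapse to "/", and it excludes only the script's own invocation (the caller passes $0) rather than any line containing the string "chkrootkit". The function names, the `${RUNNING%/*}/` path derivation and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code). Models the getCMD() failures
# from the report and a hardened lookup. Offline: the process listing is
# constructed here instead of being read from ps.

# Constructed stand-in for ps output, one command line per row:
#  - the script itself, copied to another name and run with a test name
#    as argument, so the word "sshd" appears on its own line;
#  - a running sshd living under a directory whose name contains
#    "chkrootkit", the cloaking trick the report mentions.
SAMPLE_PS='/sbin/init
/usr/sbin/cron
/bin/sh /usr/local/bin/chkrootkit.copy sshd
/tmp/.chkrootkit/sshd'

# Fragile lookup, modelled on the report. Filters on the literal string
# "chkrootkit" (hides the sshd under /tmp/.chkrootkit and would miss a
# renamed copy of the script) and never checks for an empty result:
# with nothing matched, "${RUNNING%/*}/" becomes "/", which is readable,
# so the [ -r ] test passes for a daemon that is not running at all.
fragile_getcmd() {
    RUNNING=$(printf '%s\n' "$SAMPLE_PS" | grep -- "$1" \
              | grep -v chkrootkit | head -n 1)
    CMD="${RUNNING%/*}/"          # "" collapses to "/" (modelled)
    [ -r "$CMD" ] && echo "$CMD"  # prints "/" for sshd on this listing
}

# Hardened lookup. $1 is the daemon name, $2 the script's own path (pass
# "$0" in practice). Rows are skipped only when one of their argv fields
# equals that path exactly; the daemon is matched on the exact basename
# of the command field. An empty result is reported as a failure so the
# caller can record "not running" instead of inspecting "/".
hardened_getcmd() {
    name=$1
    self=$2
    RUNNING=$(printf '%s\n' "$SAMPLE_PS" | awk -v n="$name" -v s="$self" '
        {
            mine = 0
            for (i = 1; i <= NF; i++) if ($i == s) mine = 1
            base = $1; sub(/.*\//, "", base)
            if (!mine && base == n) print $1
        }' | head -n 1)
    if [ "x$RUNNING" = "x" ]; then
        return 1
    fi
    echo "$RUNNING"
}

# Demonstration when run directly.
echo "fragile sshd -> $(fragile_getcmd sshd)"
echo "hardened sshd -> $(hardened_getcmd sshd /usr/local/bin/chkrootkit.copy)"
hardened_getcmd ntpd /usr/local/bin/chkrootkit.copy || echo "ntpd: not running"
```

Running it prints "/" for the fragile sshd lookup, "/tmp/.chkrootkit/sshd" for the hardened one, and "ntpd: not running" for a daemon absent from the listing. Collecting the names for which hardened_getcmd returns 1 gives the list the report suggests feeding to the final for statement.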