Package: chkrootkit
Version: 0.46a-2
Priority: normal
Tags: security

I have started noticing some errors generated by Tiger which were emailed to me every 8 hours and included this:

    /usr/bin/strings: 'write': No such file
    /bin/ls: write: No such file or directory

Digging into it, this turns out to be generated by chkrootkit, which Tiger runs through the chk_rootkit script. Running chkrootkit manually yields this:

    Checking `write'... /usr/bin/strings: 'write': No such file
    /bin/ls: write: No such file or directory
    not infected

This started happening to me January 10, after a system upgrade which removed the 'write' command. On review, it seems that bsdmainutils uses '/usr/bin/bsd-write' and sets up an alternative for 'write' in Debian. However, for some reason, the alternative was not set up in my system (a bug I will investigate and report) and I was left with no '/usr/bin/write' at all.

The root cause for this bug, however, is that some of the chk_XXX() scripts in chkrootkit don't test whether they have successfully found the CMD they are looking for in the directories they search and go ahead and do their thing against files that do not exist.

I've taken the liberty of fixing this bug for 'write' and for other commands too; a proposed patch is attached. Even though most of them should be available in most systems, there is no reason why some should be there in some small (embedded) systems, so it might be better to test the return value of the 'loc' call in any case.

I've also noticed that the test code (and even the return status) for "not found" commands is not always the same: some tests check whether the file is readable (-r "${CMD}") and some whether the loc command worked ok ( [ "${?}" -ne 0 ] ). IMHO the first check is a bug (if loc does not succeed then it returns the name given, and there could be a file named 'write', for example, in the path). Thus, all the new tests (save for one) use the return status of loc.

I believe other tests (like the ones for 'inetd' or 'syslogd' or 'hdparm') should be changed to use the return status instead (to avoid checking out a file in the local directory named as them if it exists) or enhanced to do something like 'if [ "${CMD}" != "inetd" ] || [ ! -r "${CMD}" ]', but I have not changed their behaviour.

Attached is a patch fixing some of the chk_XXX functions; please review and apply to the program.

Thanks

Javier
--- chkrootkit.orig 2006-01-13 09:33:31.000000000 +0100 +++ chkrootkit 2006-01-13 10:04:50.000000000 +0100 @@ -1239,6 +1239,11 @@ chk_login () { STATUS=${NOT_INFECTED} CMD=`loc login login $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1281,6 +1286,11 @@ if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then CMD="${ROOTDIR}usr/bin/passwd" fi + if [ ! -r "${CMD}" ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1435,6 +1445,11 @@ STATUS=${NOT_INFECTED} LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h" CMD=`loc ls ls $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1452,6 +1467,11 @@ STATUS=${NOT_INFECTED} DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h" CMD=`loc du du $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1494,6 +1514,11 @@ STATUS=${NOT_INFECTED} NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h" CMD=`loc netstat netstat $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" 
@@ -1513,6 +1538,11 @@ PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\ /dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|proc\.h" CMD=`loc ps ps $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1645,6 +1675,11 @@ chk_basename () { STATUS=${NOT_INFECTED} CMD=`loc basename basename $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1669,6 +1704,11 @@ chk_dirname () { STATUS=${NOT_INFECTED} CMD=`loc dirname dirname $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1737,6 +1777,11 @@ STATUS=${NOT_INFECTED} S_L="/bin/.*sh" CMD=`loc date date $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1767,6 +1812,11 @@ chk_echo () { STATUS=${NOT_INFECTED} CMD=`loc echo echo $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1788,6 +1838,11 @@ chk_env () { STATUS=${NOT_INFECTED} CMD=`loc env env $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" 
@@ -1904,6 +1959,11 @@ chk_write () { STATUS=${NOT_INFECTED} CMD=`loc write write $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark" if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -1925,6 +1985,11 @@ chk_w () { STATUS=${NOT_INFECTED} CMD=`loc w w $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi W_INFECTED_LABEL="uname -a" if [ "${EXPERT}" = "t" ]; then @@ -1962,6 +2027,11 @@ chk_tar () { STATUS=${NOT_INFECTED} CMD=`loc tar tar $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${ls} -l ${CMD}" @@ -2049,6 +2119,11 @@ STATUS=${NOT_INFECTED} EGREP_INFECTED_LABEL="blah" CMD=`loc egrep egrep $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -2066,6 +2141,11 @@ STATUS=${NOT_INFECTED} GREP_INFECTED_LABEL="givemer" CMD=`loc grep grep $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}" @@ -2323,6 +2403,11 @@ STATUS=${NOT_INFECTED} SU_INFECTED_LABEL="satori|vejeta|conf\.inv" CMD=`loc su su $pth` + if [ "${?}" -ne 0 ] + then + if [ "${QUIET}" != "t" ]; then echo "not found"; fi + return ${NOT_FOUND} + fi if [ "${EXPERT}" = "t" ]; then expertmode_output "${strings} -a ${CMD}"
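Review bot: in the chk_login hunk (and the 15 other hunks that repeat it verbatim) the same five-line guard is pasted after each CMD=`loc ...` line; factoring it into one helper would keep the message and the return code in a single place, e.g. `CMD=`loc login login $pth`` followed by `cmd_found $? || return ${NOT_FOUND}`. The guard also depends on two things the hunks do not show and that should be confirmed before applying: that loc really exits non-zero when it finds nothing (the mail says it then prints the name it was given), and that NOT_FOUND is defined next to NOT_INFECTED. The check itself is sound, since `$?` immediately after an assignment whose only command is a command substitution carries that substitution's status in POSIX sh, but any line inserted between the assignment and the test would silently break it.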
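Review bot: the chk_passwd hunk is the one guard that tests `[ ! -r "${CMD}" ]` instead of loc's exit status, so it keeps exactly the weakness the mail describes for the existing -r checks: when loc fails, CMD is left as the bare name `passwd`, and a readable file of that name in the working directory passes the guard and is handed to `${strings} -a ${CMD}`. The loc status is no longer available at that point because the two context lines above already reassign CMD, so the cheapest consistent fix is either to test `if [ ! -x "${CMD}" ]` (matching the `-x` tests on the preceding line, and rejecting a plain data file) or to save the loc status in a variable before the reassignment and test that.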
signature.asc
Description: Digital signature
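As an added example, not part of the bug report or of chkrootkit's own code: the POSIX shell script below models the `loc` lookup the way the report describes it (a hypothetical stand-in; the real `loc` is not shown on this page) and runs the two "not found" guards the mail compares, the `-r "${CMD}"` test and the exit-status test, against a constructed directory layout where `write` is absent from the search path but a stray file called `write` sits in the working directory. It also shows the single shared helper a reviewer would suggest in place of the five-line block repeated in every hunk. The `loc`, `not_found_unless`, `guard_*` and `compare_guards_*` names and the temporary directories are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code. Models the `loc` lookup the
# report describes and shows why the "-r ${CMD}" guard lets a stray file in
# the working directory slip through while the exit-status guard does not.
# Assumption (from the report): loc prints the name it was given and exits
# non-zero when the command is in none of the searched directories.

QUIET=${QUIET:-t}   # mirrors chkrootkit's QUIET flag; t = print nothing

# Hypothetical stand-in for chkrootkit's loc: loc NAME DEFAULT DIR...
# Prints the first DIR/NAME that is executable and exits 0; otherwise
# prints DEFAULT and exits 1.
loc () {
    _name=$1; _default=$2; shift 2
    for _dir in "$@"; do
        if [ -x "${_dir}/${_name}" ]; then
            echo "${_dir}/${_name}"
            return 0
        fi
    done
    echo "${_default}"
    return 1
}

# One shared guard instead of a copy of the same five lines in every
# chk_XXX function. $1 is the exit status of the preceding CMD=`loc ...`
# assignment (in sh an assignment's status is that of its command
# substitution). Returns 1 when the command was not found.
not_found_unless () {
    if [ "$1" -ne 0 ]; then
        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
        return 1
    fi
    return 0
}

# Guard style the report calls a bug: accept CMD if it is readable.
guard_readable () {
    CMD=`loc "$1" "$1" $2`
    [ -r "${CMD}" ]
}

# Guard style the patch uses: accept CMD only if loc succeeded.
guard_status () {
    CMD=`loc "$1" "$1" $2`
    not_found_unless $?
}

# Constructed scenario A: `write` is in none of the searched directories,
# but the working directory contains an unrelated file called `write`
# (as could happen when chkrootkit is run from a home directory).
compare_guards_stray_file () {
    _tmp=`mktemp -d`
    mkdir "${_tmp}/bin" "${_tmp}/cwd"
    : > "${_tmp}/cwd/write"
    ( cd "${_tmp}/cwd" && guard_readable write "${_tmp}/bin" ) \
        && _r1=accepted || _r1=rejected
    ( cd "${_tmp}/cwd" && guard_status write "${_tmp}/bin" ) \
        && _r2=accepted || _r2=rejected
    rm -rf "${_tmp}"
    echo "readable-guard=${_r1} status-guard=${_r2}"
}

# Constructed scenario B: `write` really is installed in a searched
# directory; both guards must accept and CMD must be the real path.
compare_guards_present () {
    _tmp=`mktemp -d`
    mkdir "${_tmp}/bin"
    printf '#!/bin/sh\nexit 0\n' > "${_tmp}/bin/write"
    chmod 755 "${_tmp}/bin/write"
    guard_readable write "${_tmp}/bin" && _r1=accepted || _r1=rejected
    guard_status write "${_tmp}/bin"   && _r2=accepted || _r2=rejected
    [ "${CMD}" = "${_tmp}/bin/write" ] && _p=path-ok || _p=path-wrong
    rm -rf "${_tmp}"
    echo "readable-guard=${_r1} status-guard=${_r2} ${_p}"
}

compare_guards_stray_file
compare_guards_present
```

Scenario A prints `readable-guard=accepted status-guard=rejected`, which is the defect the mail describes: the readable test is satisfied by the stray file and the check would go on to run `strings` against it, while the exit-status test stops before touching anything. Scenario B shows that the status guard does not change behaviour when the command is genuinely present.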