Package: chkrootkit
Version: 0.48-8
Severity: important
Tags: patch
-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30.3service
Locale: lang=it...@euro, lc_ctype=it...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages chkrootkit depends on:
ii  binutils               2.18.1~cvs20080103-7  The GNU assembler, linker and bina
ii  debconf [debconf-2.    1.5.24                Debian configuration management sy
ii  libc6                  2.7-18lenny2          GNU C Library: Shared libraries
ii  net-tools              1.60-22               The NET-3 networking toolkit
ii  procps                 1:3.2.7-11            /proc file system utilities

chkrootkit recommends no packages.

chkrootkit suggests no packages.

-- debconf information:
* chkrootkit/run_daily: true
* chkrootkit/run_daily_opts: -q -n
* chkrootkit/diff_mode: false

Ciao Giuseppe,

Two problems:

1) With some NFS shares mounted, every day chkrootkit sends a message with the mounted directory. Putting this dir in -e doesn't work either.

2) Every day chkrootkit sends me a message about some legacy sniffers, and in the current version I can't exclude these daemons (e.g. dhcpd3, ntop, snort, etc.).

For this problem I've created a new exclusion switch (-s for "sniffer"), and I think this is the best syntax to put in RUN_DAILY_OPTS:

sample with one sniffer to exclude:
  -s '(\/usr\/sbin\/ntop\[[:0-9]+\])'

sample with two sniffers to exclude:
  -s '(\/usr\/sbin\/ntop\[[:0-9]+\], \/usr\/sbin\/snort\[[:0-9]+\])'

I suggest capturing the last report from chkrootkit for setting your rules.

I've solved the two problems with the attached patch.

Bye
--- chkrootkit.ori 2008-11-27 08:10:54.000000000 +0100 +++ chkrootkit 2010-05-06 12:07:27.000000000 +0200 @@ -177,7 +177,15 @@ echo "not tested: can't exec ./ifpromisc" return ${NOT_TESTED} else - [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q +# [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q + outmsg=`[ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q` + [ "$EXCLUDES_SNIF" ] && { + for exclude in $EXCLUDES_SNIF + do + outmsg=`echo $outmsg | egrep -v $exclude` + done + } + echo $outmsg fi } @@ -734,28 +742,26 @@ then if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi else - if [ "${QUIET}" = "t" ]; then - printn "The following suspicious files and directories were found:" - fi - echo - + outmsg="" if [ -n "${EXCLUDES}" ]; then for name in $files; do for exclude in $EXCLUDES; do if [ $name = $exclude ]; then continue 2; fi done - echo $name + outmsg="$outmsg$name\n" done for name in $dirs; do for exclude in $EXCLUDES; do if [ $name = $exclude ]; then continue 2; fi done - echo $name + outmsg="$outmsg$name\n" done else - echo ${files} - echo ${dirs} + outmsg="${files}\n${dirs}" fi + if [ "${QUIET}" = "t" -a "$outmsg" ]; then + echo -e "The following suspicious files and directories were found:\n\n $outmsg" + fi fi ### LPD Worm @@ -1227,10 +1233,12 @@ findargs="" if find /etc -maxdepth 0 >/dev/null 2>&1; then find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \ - findargs=" -fstype nfs -prune -o " + findargs=" -fstype nfs -prune " +# findargs=" -fstype nfs -prune -o " elif find /etc -prune > /dev/null 2>&1; then find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \ - findargs=" -fstype nfs -prune -o " + findargs=" -fstype nfs -prune " +# findargs=" -fstype nfs -prune -o " fi } @@ -2647,6 +2655,9 @@ -e) shift EXCLUDES="$1 $EXCLUDES";; + -s) shift + EXCLUDES_SNIF="$1 $EXCLUDES_SNIF";; + -q) QUIET=t QUIET_ARG="-q" ;; 
@@ -2669,6 +2680,8 @@ -x expert mode -e exclude known false positive files/dirs, quoted, space separated, READ WARNING IN README + -s exclude known false positive sniffer (dhcpd, ntop etc) + quoted, space separated -r dir use dir as the root directory -p dir1:dir2:dirN path for the external commands used by chkrootkit -n skip NFS mounted dirs"
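Review bot: in the ifpromisc hunk, `outmsg=\`echo $outmsg | egrep -v $exclude\`` joins the whole ifpromisc report onto one line before filtering (the unquoted `$outmsg` is word-split and `echo` re-joins the words with spaces), so as soon as one excluded pattern matches anywhere, `egrep -v` drops that single line and every other sniffer that was reported alongside it vanishes too. Feed the text line by line instead, e.g. `printf '%s\n' "$outmsg" | egrep -v -- "$exclude"`, and quote `"$exclude"` so a pattern with shell metacharacters is not expanded before it reaches egrep. Two smaller points in the same hunk: the closing `echo $outmsg` runs unconditionally and prints an empty line even when every line was filtered away, so a `-q` daily run is no longer silent (cron mails any output at all); and the old line should be deleted rather than left behind as a `#` comment.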
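Review bot: the suspicious-files hunk silences the non-quiet case entirely: the old `echo $name` / `echo ${files}` / `echo ${dirs}` calls are replaced by accumulating into `outmsg`, but the only place `outmsg` is ever printed is guarded by `[ "${QUIET}" = "t" -a "$outmsg" ]`, so an interactive run without `-q` now shows nothing for this check. Print `outmsg` whenever it is non-empty and keep only the header line under the QUIET test. Also, `echo -e` with `\n` escapes is not portable across /bin/sh implementations (POSIX echo has no `-e`; dash, Debian's default /bin/sh, prints the `-e` literally), so either build the list with real newlines or print it with `printf '%b\n' "$outmsg"`.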
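Review bot: in the findargs hunk, dropping `-o` changes the meaning of the expression, not just its output. `-fstype nfs -prune -o <rest>` reads "skip NFS subtrees, otherwise evaluate <rest>"; without `-o`, `-fstype nfs -prune <rest>` ANDs the tests, and for every path that is not on NFS `-fstype nfs` is false, so <rest> is never evaluated and nothing is printed: the check is disabled rather than fixed (the call sites that splice in `$findargs` are not in this patch, so confirm against them). The symptom in the report, NFS mount points showing up in the daily mail, is the classic missing explicit action: when no `-print` appears anywhere, find applies the default `-print` to every path for which the whole expression is true, which includes the pruned directories. The fix that keeps the check working is to leave `-o` in place and add an explicit `-print` (or the existing `-exec`/`-ls`) on the non-NFS branch at the call sites. The commented-out old `findargs=` lines should simply be removed.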
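Review bot: in the option-parsing hunk, `EXCLUDES_SNIF="$1 $EXCLUDES_SNIF"` combined with `for exclude in $EXCLUDES_SNIF` in the ifpromisc hunk makes whitespace the list separator, so a single regex cannot contain a space; the two-sniffer form suggested in the cover mail, `(\/usr\/sbin\/ntop\[[:0-9]+\], \/usr\/sbin\/snort\[[:0-9]+\])`, would be split at the space into two fragments with unbalanced parentheses and egrep would reject both. Either document that each space-separated word is one pattern (so two sniffers are `-s 'ntop\[[0-9]+\] snort\[[0-9]+\]'` or alternation `ntop|snort`), or store the patterns with a separator that cannot occur in a regex. Like `-e`, there is no check that an argument follows `-s`; when `-s` is the last word, `shift` leaves `$1` empty and a lone space is added to the list, which is harmless but worth a usage error.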
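Review bot: the usage-text hunk describes `-s` exactly like `-e` ("quoted, space separated"), but the two options take different kinds of argument: `-e` values are compared with `[ $name = $exclude ]` (exact path match), while `-s` values are passed to `egrep -v` as extended regular expressions, where `.`, `[`, `(` and `/` need care. Say so in the help line, e.g. `-s exclude sniffer reports matching these egrep patterns (quoted, space separated)`, so users know they must escape metacharacters and cannot put a space inside one pattern; the `READ WARNING IN README` pointer that `-e` carries applies at least as much here, since an over-broad pattern hides a real sniffer.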
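Added example, not code from chkrootkit or from the attached patch: it shows the two mechanisms the patch touches side by side, a line-preserving exclusion filter for a multi-line sniffer report (with the one-line-collapse failure mode next to it), and the `find -prune` / `-o` / `-print` interplay that makes NFS mount points appear in the output. The report text is a constructed stand-in for `ifpromisc -v` output (the real format may differ), and a directory name is used as a stand-in for `-fstype nfs`, which would need a real NFS mount to exercise.

```shell
#!/bin/sh
# Added example (not chkrootkit's code, not the submitted patch).
# SAMPLE_REPORT is constructed to look like ifpromisc -v output; it is an
# assumption about the format, used only so the functions can be run offline.
SAMPLE_REPORT='eth0: PACKET SNIFFER(/usr/sbin/ntop[1234])
eth0: PACKET SNIFFER(/usr/sbin/snort[2345])
eth0: PACKET SNIFFER(/tmp/.x/sniff[3456])'

# filter_sniffers REPORT PATTERN...
#   Prints the lines of REPORT that match none of the extended regexes given
#   as separate arguments. Each pattern is its own argument, so a pattern may
#   contain spaces, and every line is tested on its own.
filter_sniffers() {
    _report=$1
    shift
    printf '%s\n' "$_report" | while IFS= read -r line; do
        drop=0
        for pat in "$@"; do
            if printf '%s\n' "$line" | grep -E -q -- "$pat"; then
                drop=1
                break
            fi
        done
        if [ "$drop" -eq 0 ]; then
            printf '%s\n' "$line"
        fi
    done
}

# collapsed_filter REPORT PATTERN
#   The failure mode: the unquoted $_report is word-split and echo re-joins
#   the words with spaces, so the whole report becomes one line and a single
#   match makes `grep -v` discard everything. Returns 0 even when grep
#   prints nothing, so callers can test the (empty) output.
collapsed_filter() {
    _report=$1
    echo $_report | grep -E -v -- "$2" || :
}

# prune_files ROOT SKIPNAME WITH_PRINT
#   Lists regular files under ROOT while pruning directories named SKIPNAME
#   (stand-in for `-fstype nfs`). WITH_PRINT=1 puts an explicit -print on the
#   non-pruned branch; WITH_PRINT=0 leaves it out, so find's implicit -print
#   also fires for the pruned directories, which is how a mount point ends
#   up in a report that was only meant to list files.
prune_files() {
    if [ "$3" -eq 1 ]; then
        find "$1" -name "$2" -prune -o -type f -print
    else
        find "$1" -name "$2" -prune -o -type f
    fi
}

# make_tree: builds a throwaway tree with one "mount point" directory and one
# local directory, and prints its path. The caller removes it.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/nfsmount" "$t/local"
    : > "$t/nfsmount/passwd"
    : > "$t/local/ok"
    printf '%s\n' "$t"
}

# Usage: only the unexcluded sniffer line survives the line-wise filter,
# while the collapsed variant prints nothing at all.
filter_sniffers "$SAMPLE_REPORT" '/usr/sbin/ntop\[[0-9]+\]' '/usr/sbin/snort\[[0-9]+\]'
collapsed_filter "$SAMPLE_REPORT" 'ntop'

# Usage: the pruned directory is listed without -print and absent with it.
tree=$(make_tree)
prune_files "$tree" nfsmount 0
prune_files "$tree" nfsmount 1
rm -rf "$tree"
```

The filter takes each pattern as a separate argument on purpose: that is the property the `-s` option loses when it stores patterns in one space-separated variable, and it is what lets a pattern contain a space or a comma without being broken up before egrep sees it.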