author | root <root@rshg054.dnsready.net> | 2011-09-23 23:14:53 +0000 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2011-09-23 23:14:53 +0000 |
commit | cb2a1951e9cd1de18c0ab88c9d741e91a423fc36 (patch) | |
tree | 97c7682d2038f33c83b0b3910cea44bb38a3533f /extra/chkrootkit | |
parent | 919a63ffc80158b2a5610fa87eb51fd5f8f724ba (diff) |
Fri Sep 23 23:14:53 UTC 2011
Diffstat (limited to 'extra/chkrootkit')
-rw-r--r-- | extra/chkrootkit/PKGBUILD | 25 | ||||
-rw-r--r-- | extra/chkrootkit/backslashes.patch | 22 | ||||
-rw-r--r-- | extra/chkrootkit/chkrootkit.cron | 2 | ||||
-rw-r--r-- | extra/chkrootkit/fix-tools-path.patch | 172 | ||||
-rw-r--r-- | extra/chkrootkit/kallsyms.patch | 30 |
5 files changed, 83 insertions, 168 deletions
diff --git a/extra/chkrootkit/PKGBUILD b/extra/chkrootkit/PKGBUILD
index 8e00d17b6..bb9303fc0 100644
--- a/extra/chkrootkit/PKGBUILD
+++ b/extra/chkrootkit/PKGBUILD
@@ -1,31 +1,42 @@
-# $Id: PKGBUILD 137609 2011-09-10 03:51:07Z eric $
+# $Id: PKGBUILD 138434 2011-09-23 03:32:41Z eric $
 # Maintainer: Eric BĂ©langer <eric@archlinux.org>
 
 pkgname=chkrootkit
 pkgver=0.49
-pkgrel=2
+pkgrel=3
 pkgdesc="Locally checks for signs of a rootkit"
 arch=('i686' 'x86_64')
 url="http://www.chkrootkit.org"
 depends=('sh' 'net-tools')
 license=('BSD')
-source=(ftp://ftp.pangeia.com.br/pub/seg/pac/${pkgname}.tar.gz fix-tools-path.patch)
+source=(ftp://ftp.pangeia.com.br/pub/seg/pac/${pkgname}.tar.gz chkrootkit.cron \
+ fix-tools-path.patch backslashes.patch kallsyms.patch)
 md5sums=('304d840d52840689e0ab0af56d6d3a18'
- '6a2f3038114b8b14e1ad74e30fe44eee')
+ 'f4b6494270f708bf016e087104681739'
+ '3e5f2d5e2f4fa7a0d780baec9039c07f'
+ '758f892dcf73e8a2a4694662fba366d4'
+ 'd087f3aad8a9e97fea496ef83e4f1d48')
 sha1sums=('cec1a3c482b95b20d3a946b07fffb23290abc4a6'
- 'f192cda177ec1920ce3313ed983ac44ee571ca6c')
+ '6dda90abf779b6f5c3bacd638e1231f34635575d'
+ '7fcad8117a064f0a6910134e8bb3a55de110650f'
+ 'e22546f445c145cf05dbc1a10f7b196fcd1c8202'
+ 'dc5b402ee69a7a5ae622ecfd733682516df54e88')
 
 build() {
 cd "${srcdir}/${pkgname}-${pkgver}"
+ sed -i 's|/var/adm|/var/log|' check_wtmpx.c chklastlog.c chkutmp.c chkwtmp.c
 patch -p0 -i "${srcdir}/fix-tools-path.patch"
+ patch -p1 -i "${srcdir}/backslashes.patch"
+ patch -p1 -i "${srcdir}/kallsyms.patch"
 make
 }
 
 package() {
 cd "${srcdir}/${pkgname}-${pkgver}"
- for i in check_wtmpx chkdirs chklastlog chkproc chkrootkit chkrootkit.orig \
+ for i in check_wtmpx chkdirs chklastlog chkproc chkrootkit \
 chkutmp chkwtmp ifpromisc strings-static ; do
- install -D -m755 $i "${pkgdir}/usr/bin/$i"
+ install -D -m755 $i "${pkgdir}/usr/sbin/$i"
 done
+ install -D -m744 "${srcdir}/chkrootkit.cron" "${pkgdir}/etc/cron.weekly/chkrootkit"
 install -D -m644 COPYRIGHT "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
diff --git a/extra/chkrootkit/backslashes.patch b/extra/chkrootkit/backslashes.patch
new file mode 100644
index 000000000..6ac981441
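Review bot: `install -D -m744 "${srcdir}/chkrootkit.cron" "${pkgdir}/etc/cron.weekly/chkrootkit"` ships a root cron job under /etc, but the PKGBUILD has no `backup=()` array, so an administrator who deletes or edits the file to disable or tune the weekly scan gets the packaged copy put back on the next upgrade. Add `backup=('etc/cron.weekly/chkrootkit')` alongside `depends=`/`license=` so pacman treats it as a configuration file and preserves local changes. Mode 744 is adequate for a root-owned cron.weekly script. Minor style point: `install -D -m755 $i` leaves `$i` unquoted; the loop list is literal so it is harmless, but `"$i"` would match the quoting used on the other `install` lines.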
--- /dev/null
+++ b/extra/chkrootkit/backslashes.patch
@@ -0,0 +1,22 @@
+Author: James R. Van Zandt <jrv@debian.org>
+Description: Two of the chkrootkit messages have unnecessary backslashes (#498063)
+--- a/chkrootkit
++++ b/chkrootkit
+@@ -672,7 +672,7 @@ etc/ld.so.hash sbin/init.zk usr/lib/in.h
+ if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \
+ "$SYSTEM" != "FreeBSD" ]
+ then
+- echo "Possible t0rn v8 \(or variation\) rootkit installed"
++ echo "Possible t0rn v8 (or variation) rootkit installed"
+ else
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ fi
+@@ -726,7 +726,7 @@ etc/ld.so.hash sbin/init.zk usr/lib/in.h
+
+ if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \
+ -d ${ROOTDIR}usr/doc/"... " ]; then
+- echo "Possible Ambient's rootkit \(ark\) installed"
++ echo "Possible Ambient's rootkit (ark) installed"
+ else
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ fi
diff --git a/extra/chkrootkit/chkrootkit.cron b/extra/chkrootkit/chkrootkit.cron
new file mode 100644
index 000000000..0fc84ded8
--- /dev/null
+++ b/extra/chkrootkit/chkrootkit.cron
@@ -0,0 +1,2 @@
+#!/bin/sh
+/usr/sbin/chkrootkit -q
diff --git a/extra/chkrootkit/fix-tools-path.patch b/extra/chkrootkit/fix-tools-path.patch
index 2f3c38528..d45f07901 100644
--- a/extra/chkrootkit/fix-tools-path.patch
+++ b/extra/chkrootkit/fix-tools-path.patch
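Review bot: In the new chkrootkit.cron, `/usr/sbin/chkrootkit -q` runs as a child of the `/bin/sh` wrapper even though it is the script's only command; `exec /usr/sbin/chkrootkit -q` would let cron see the scanner's own exit status and not keep an idle shell around. This runs as root every week on every host that installs the package, so a header comment, `# Weekly chkrootkit scan run by cron as root; anything printed is mailed to root`, would tell an admin browsing /etc/cron.weekly what to expect. Whether `-q` really suppresses everything but findings depends on chkrootkit's quiet mode, which is not shown here.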
@@ -1,161 +1,11 @@ ---- chkrootkit 2008-01-19 11:01:15.000000000 +0100 -+++ chkrootkit 2008-11-01 13:11:14.000000000 +0100 -@@ -158,23 +158,23 @@ - fi - - if [ "${EXPERT}" = "t" ]; then -- expertmode_output "./ifpromisc" -v -+ expertmode_output "/usr/bin/ifpromisc" -v - return 5 - fi -- if [ ! -x ./ifpromisc ]; then -- echo "not tested: can't exec ./ifpromisc" -+ if [ ! -x /usr/bin/ifpromisc ]; then -+ echo "not tested: can't exec /usr/bin/ifpromisc" - return ${NOT_TESTED} - else -- [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q -+ [ "${QUIET}" != "t" ] && /usr/bin/ifpromisc -v || /usr/bin/ifpromisc -q - fi - } - - chkutmp() { -- if [ ! -x ./chkutmp ]; then -- echo "not tested: can't exec ./chkutmp" -+ if [ ! -x /usr/bin/chkutmp ]; then -+ echo "not tested: can't exec /usr/bin/chkutmp" - return ${NOT_TESTED} - fi -- if ./chkutmp -+ if /usr/bin/chkutmp - then - if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi - fi -@@ -182,8 +182,8 @@ - } - - z2 () { -- if [ ! -x ./chklastlog ]; then -- echo "not tested: can't exec ./chklastlog" -+ if [ ! -x /usr/bin/chklastlog ]; then -+ echo "not tested: can't exec /usr/bin/chklastlog" - return ${NOT_TESTED} - fi - -@@ -196,32 +196,32 @@ - fi - - if [ "${EXPERT}" = "t" ]; then -- expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}" -+ expertmode_output "/usr/bin/chklastlog -f ${WTMP} -l ${LASTLOG}" - return 5 - fi - -- if ./chklastlog -f ${WTMP} -l ${LASTLOG} -+ if /usr/bin/chklastlog -f ${WTMP} -l ${LASTLOG} - then - if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi - fi - } - - wted () { -- if [ ! -x ./chkwtmp ]; then -- echo "not tested: can't exec ./chkwtmp" -+ if [ ! -x /usr/bin/chkwtmp ]; then -+ echo "not tested: can't exec /usr/bin/chkwtmp" - return ${NOT_TESTED} - fi - - if [ "$SYSTEM" = "SunOS" ]; then -- if [ ! -x ./check_wtmpx ]; then -- echo "not tested: can't exec ./check_wtmpx" -+ if [ ! 
-x /usr/bin/check_wtmpx ]; then -+ echo "not tested: can't exec /usr/bin/check_wtmpx" - else - if [ "${EXPERT}" = "t" ]; then -- expertmode_output "./check_wtmpx" -+ expertmode_output "/usr/bin/check_wtmpx" - return 5 - fi - if [ -f ${ROOTDIR}var/adm/wtmp ]; then -- if ./check_wtmpx -+ if /usr/bin/check_wtmpx - then - if [ "${QUIET}" != "t" ]; then \ - echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi -@@ -232,12 +232,12 @@ - WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"` - - if [ "${EXPERT}" = "t" ]; then -- expertmode_output "./chkwtmp -f ${WTMP}" -+ expertmode_output "/usr/bin/chkwtmp -f ${WTMP}" - return 5 - fi - fi - -- if ./chkwtmp -f ${WTMP} -+ if /usr/bin/chkwtmp -f ${WTMP} - then - if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi - fi -@@ -275,8 +275,8 @@ - prog="" - if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \ - `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then -- [ -x ./chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="./chkproc" -- [ -x ./chkdirs ] && prog="$prog ./chkdirs" -+ [ -x /usr/bin/chkproc -a "`find /proc | wc -l`" -gt 1 ] && prog="/usr/bin/chkproc" -+ [ -x /usr/bin/chkdirs ] && prog="$prog /usr/bin/chkdirs" - if [ "$prog" = "" ]; then - echo "not tested: can't exec $prog" - return ${NOT_TESTED} -@@ -288,7 +288,7 @@ - PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." 
$2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
- [ "$PV" = "" ] && PV=2
- [ "${SYSTEM}" = "SunOS" ] && PV=0
-- expertmode_output "./chkproc -v -v -p $PV"
-+ expertmode_output "/usr/bin/chkproc -v -v -p $PV"
- return 5
- fi
-
-@@ -315,7 +315,7 @@
- if [ "${DEBUG}" = "t" ]; then
- ${echo} "*** PV=$PV ***"
- fi
-- if ./chkproc -p ${PV}; then
-+ if /usr/bin/chkproc -p ${PV}; then
- if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi
- else
- echo "chkproc: Warning: Possible LKM Trojan installed"
-@@ -324,7 +324,7 @@
- for i in /usr/share /usr/bin /usr/sbin /lib; do
- [ -d $i ] && dirs="$dirs $i"
- done
-- if ./chkdirs $dirs; then
-+ if /usr/bin/chkdirs $dirs; then
- if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi
- else
- echo "chkdirs: Warning: Possible LKM Trojan installed"
-@@ -1690,18 +1690,18 @@
-
- if [ "${SYSTEM}" = "Linux" ]
- then
-- if [ ! -x ./strings-static ]; then
-- printn "can't exec ./strings-static, "
-+ if [ ! -x /usr/bin/strings-static ]; then
-+ printn "can't exec /usr/bin/strings-static, "
- return ${NOT_TESTED}
- fi
-
- if [ "${EXPERT}" = "t" ]; then
-- expertmode_output "./strings-static -a ${CMD}"
-+ expertmode_output "/usr/bin/strings-static -a ${CMD}"
- return 5
- fi
-
- ### strings must be a statically linked binary.
-- if ./strings-static -a ${CMD} > /dev/null 2>&1
-+ if /usr/bin/strings-static -a ${CMD} > /dev/null 2>&1
- then
- STATUS=${INFECTED}
- fi
+--- chkrootkit
++++ chkrootkit
+@@ -17,6 +17,8 @@ unalias netstat > /dev/null 2>&1
+ unalias ps > /dev/null 2>&1
+ unalias dirname > /dev/null 2>&1
+
++cd /usr/sbin
++
+ # Workaround for recent GNU coreutils
+ _POSIX2_VERSION=199209
+ export _POSIX2_VERSION
diff --git a/extra/chkrootkit/kallsyms.patch b/extra/chkrootkit/kallsyms.patch
new file mode 100644
index 000000000..4e3694aad
--- /dev/null
+++ b/extra/chkrootkit/kallsyms.patch
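Review bot: The added `cd /usr/sbin` is unchecked, yet the rewritten patch now relies on it for every helper lookup — the removed version shows those calls as `./ifpromisc`, `./chkproc`, `./chkdirs` and `./strings-static`, which the new patch leaves relative. Should the `cd` fail (unlikely, but nothing stops the script), each `-x ./helper` test would resolve against the caller's working directory, so a root run started from a user-writable directory could pick up a planted `./chkproc`, or silently report `not tested`. Make it fatal: `cd /usr/sbin || { echo "chkrootkit: cannot cd to /usr/sbin" >&2; exit 1; }`. A short comment above it, `# helpers are invoked as ./name; they live in /usr/sbin on Arch`, records why the cwd change exists where the old patch used absolute paths. The line sits at the script's top level next to the `unalias` calls; the surrounding code of the inner hunk is outside this view.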
@@ -0,0 +1,30 @@
+--- a/chkrootkit
++++ b/chkrootkit
+@@ -308,7 +316,7 @@ lkm ()
+ fi
+
+ if [ "${EXPERT}" = "t" ]; then
+- [ -r /proc/ksyms ] && ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
++ [ -r /proc/kallsyms ] && ${egrep} -i "adore|sebek" < /proc/kallsyms 2>/dev/null
+ [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null
+ PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
+ [ "$PV" = "" ] && PV=2
+@@ -318,14 +326,14 @@ lkm ()
+ fi
+
+ ### adore LKM
+- [ -r /proc/ksyms ] && \
+- if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
++ [ -r /proc/kallsyms ] && \
++ if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then
+ echo "Warning: Adore LKM installed"
+ fi
+
+ ### sebek LKM (Adore based)
+- [ -r /proc/ksyms ] && \
+- if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
++ [ -r /proc/kallsyms ] && \
++ if `${egrep} -i sebek < /proc/kallsyms >/dev/null 2>&1`; then
+ echo "Warning: Sebek LKM installed"
+ fi
+
|
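Review bot: The new `++ if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then` line (and its `sebek` twin) keeps the backtick-inside-`if` idiom, which only works because stdout is discarded: the shell sees a command with no name and takes the exit status of the substitution, and if the `>/dev/null` were ever dropped the matching kallsyms text would be word-split and run as a command name. Test the grep directly instead, `if ${egrep} -iq adore /proc/kallsyms 2>/dev/null; then`, and likewise for `sebek`. A comment above `### adore LKM` should also state the limit of this check: it matches module symbol names as exported in /proc/kallsyms, so a build of adore or sebek with renamed symbols, or one that hides itself from the symbol table, produces a clean result. The `lkm ()` function these lines belong to begins and ends outside the hunk.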