Package: chkrootkit
Version: 0.46a-2
Priority: normal
Tags: security

I have started noticing some errors generated by Tiger which were emailed to
me every 8 hours and included this:

usr/bin/strings: 'write': No such file
/bin/ls: write: No such file or directory

Digging into it, this turns out to be generated by chkrootkit, which Tiger
runs through the chk_rootkit script. Running chkrootkit manually yields this:

Checking `write'... /usr/bin/strings: 'write': No such file
/bin/ls: write: No such file or directory
not infected

This started happening to me January 10, after a system upgrade which removed
the 'write' command. On review, it seems that bsdmainutils uses
'/usr/bin/bsd-write' and sets up an alternative for 'write' in Debian.
However, for some reason, the alternative was not set up in my system (a bug
I will investigate and report) and I was left with no '/usr/bin/write' at
all.

The root cause for this bug, however, is that some of the chk_XXX() scripts
in chkrootkit don't test whether they have successfully found the CMD they are
looking for in the directories they search and go ahead and do their thing
against files that do not exist.

I've taken the liberty of fixing this bug for 'write' and for other commands
too; a proposed patch is attached. Even though most of them should be
available in most systems there is no reason why some should be there in some
small (embedded) systems, so it might be better to test the return value of
the 'loc' call in any case.

I've also noticed that the test code (and even the return status) for "not
found" commands is not always the same, some tests try if the file is
readable (-r "${CMD}") and some if the loc command worked ok ( [ "${?}" -ne 0
]). IMHO the first check is a bug (if loc does not succeed then it returns
the name given and there could be a file named 'write', for example, in the
path). Thus, all the new tests (save for one) use the return status of loc. I
believe other tests (like the one for 'inetd' or 'syslogd' or 'hdparm')
should be changed to use the return status instead (to avoid checking out a
file in the local directory named as them if it exists) or enhanced to do
something like 'if [ "${CMD}" != "inetd" ] || [ ! -r "${CMD}" ]' but I have
not changed their behaviour.

Attached is a patch fixing some of the chk_XXX functions; please review and
apply it to the program.

Thanks

Javier
--- chkrootkit.orig     2006-01-13 09:33:31.000000000 +0100
+++ chkrootkit  2006-01-13 10:04:50.000000000 +0100
@@ -1239,6 +1239,11 @@
 chk_login () {
     STATUS=${NOT_INFECTED}
     CMD=`loc login login $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
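Review bot: `return ${NOT_FOUND}` depends on `NOT_FOUND` being defined next to `NOT_INFECTED`, and nothing in this hunk shows that it is; if it were unset the line would degrade to a bare `return` and the function would not signal the not-found status that callers such as Tiger's chk_rootkit are meant to see, so please confirm the definition exists before applying. Testing `"${?}"` directly after `CMD=\`loc login login $pth\`` is correct in POSIX sh, where an assignment's status is that of its command substitution, but the test has to stay immediately after the assignment; since the identical five-line block is pasted into every function in this patch, a shared helper for at least the `echo "not found"` part would keep the copies from drifting.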
@@ -1281,6 +1286,11 @@
     if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then
        CMD="${ROOTDIR}usr/bin/passwd"
     fi
+    if [ ! -r "${CMD}" ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
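Review bot: this is the only hunk that tests `[ ! -r "${CMD}" ]` rather than loc's exit status, and it is exactly the readability check the report itself calls a bug: a plain file named `passwd` in the current directory would satisfy it and the checks below would then run against that file. The status cannot be tested here as written because the preceding `if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]` fallback has already overwritten `$?`; suggest saving loc's status into a variable right after the `CMD=` assignment above this hunk and branching on that, taking the `${ROOTDIR}usr/bin/passwd` fallback only when loc failed.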
@@ -1435,6 +1445,11 @@
     STATUS=${NOT_INFECTED}
 
LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
     CMD=`loc ls ls $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1452,6 +1467,11 @@
     STATUS=${NOT_INFECTED}
     DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
     CMD=`loc du du $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1494,6 +1514,11 @@
     STATUS=${NOT_INFECTED}
 
NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h"
     CMD=`loc netstat netstat $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1513,6 +1538,11 @@
 PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|\
 
/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|proc\.h"
    CMD=`loc ps ps $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1645,6 +1675,11 @@
 chk_basename () {
    STATUS=${NOT_INFECTED}
    CMD=`loc basename basename $pth`
+   if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+   fi
 
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
@@ -1669,6 +1704,11 @@
 chk_dirname () {
     STATUS=${NOT_INFECTED}
     CMD=`loc dirname dirname $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
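Review bot: style: the inserted block is indented differently from one copy to the next (here `if` and `fi` sit at four spaces with `then` at six and the body at seven, while in chk_login `then` is at seven and the body at eight, and chk_basename uses a three-space base), which makes the copies hard to compare; putting `then` on the same line as the test, as the existing `if [ "${QUIET}" != "t" ]; then` in the same block already does, removes the extra line and the inconsistency at once.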
@@ -1737,6 +1777,11 @@
     STATUS=${NOT_INFECTED}
     S_L="/bin/.*sh"
     CMD=`loc date date $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1767,6 +1812,11 @@
 chk_echo () {
     STATUS=${NOT_INFECTED}
     CMD=`loc echo echo $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1788,6 +1838,11 @@
 chk_env () {
     STATUS=${NOT_INFECTED}
     CMD=`loc env env $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -1904,6 +1959,11 @@
 chk_write () {
     STATUS=${NOT_INFECTED}
     CMD=`loc write write $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
     WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark"
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
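Review bot: this is the function behind the reported `/usr/bin/strings: 'write': No such file` output, and the early return does stop `strings` and `ls` from being run on a path that does not exist, which fits the report's case of no `/usr/bin/write` at all. Before applying, confirm that Tiger's chk_rootkit wrapper treats the new "not found" line and the `NOT_FOUND` status as a benign result rather than as a fresh alarm in each 8-hourly mail, since that wrapper is what surfaced the original noise. Placing the check before the `WRITE_ROOTKIT_LABEL=` assignment, unlike the other hunks where it follows the label, is harmless but worth aligning for consistency.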
@@ -1925,6 +1985,11 @@
 chk_w () {
     STATUS=${NOT_INFECTED}
     CMD=`loc w w $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
     W_INFECTED_LABEL="uname -a"
 
     if [ "${EXPERT}" = "t" ]; then
@@ -1962,6 +2027,11 @@
 chk_tar () {
     STATUS=${NOT_INFECTED}
     CMD=`loc tar tar $pth`
+    if [ "${?}" -ne 0 ]
+       then
+        if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+        return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${ls} -l ${CMD}"
@@ -2049,6 +2119,11 @@
     STATUS=${NOT_INFECTED}
     EGREP_INFECTED_LABEL="blah"
     CMD=`loc egrep egrep $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -2066,6 +2141,11 @@
     STATUS=${NOT_INFECTED}
     GREP_INFECTED_LABEL="givemer"
     CMD=`loc grep grep $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
@@ -2323,6 +2403,11 @@
     STATUS=${NOT_INFECTED}
     SU_INFECTED_LABEL="satori|vejeta|conf\.inv"
     CMD=`loc su su $pth`
+    if [ "${?}" -ne 0 ]
+      then
+       if [ "${QUIET}" != "t" ]; then echo "not found"; fi
+       return ${NOT_FOUND}
+    fi
 
     if [ "${EXPERT}" = "t" ]; then
         expertmode_output "${strings} -a ${CMD}"
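The difference the report draws between the readability check and the `loc` exit-status check, as an added shell example that is not part of the report or of chkrootkit; the `loc_like` helper is an assumed stand-in for chkrootkit's `loc`, constructed to behave the way the report describes it, and the decoy scenario is constructed.

```shell
# Added example, not chkrootkit's code. loc_like is an ASSUMED stand-in for
# chkrootkit's `loc` as the report describes it: print the first executable
# NAME in the listed directories and exit 0, else print NAME and exit 1.
loc_like () {
    name=$1; shift
    for d in "$@"; do
        if [ -x "$d/$name" ]; then echo "$d/$name"; return 0; fi
    done
    echo "$name"
    return 1
}

# Style A (the check the report calls a bug): is whatever loc printed readable?
found_by_readable () {
    CMD=$(loc_like "$@")
    [ -r "${CMD}" ]
}

# Style B (what the patch adds): did loc itself succeed? In POSIX sh, $? right
# after the assignment is the command substitution's exit status.
found_by_status () {
    CMD=$(loc_like "$@")
    if [ "${?}" -ne 0 ]; then return 1; fi
    return 0
}

# Constructed scenario from the report: empty search dir plus a decoy file
# named `write` in the current directory. Prints "readable=<0|1> status=<0|1>"
# (0 = found). Subshell body so the cd does not leak into the caller.
demo_decoy () (
    tmp=$(mktemp -d) || exit 2
    mkdir "$tmp/bin" "$tmp/cwd"
    : > "$tmp/cwd/write"                  # readable, not on the search path
    cd "$tmp/cwd" || exit 2
    a=1; found_by_readable write "$tmp/bin" && a=0
    b=1; found_by_status   write "$tmp/bin" && b=0
    cd / && rm -rf "$tmp"
    echo "decoy: readable=$a status=$b"   # decoy: readable=0 status=1
)

# Control: a real executable on the search path, where both styles agree.
demo_present () (
    tmp=$(mktemp -d) || exit 2
    mkdir "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/write" && chmod 755 "$tmp/bin/write"
    a=1; found_by_readable write "$tmp/bin" && a=0
    b=1; found_by_status   write "$tmp/bin" && b=0
    rm -rf "$tmp"
    echo "present: readable=$a status=$b" # present: readable=0 status=0
)
```

Style A accepts the decoy because `loc` hands back the bare name on failure and `-r` resolves it against the current directory; style B only trusts `loc`'s own verdict.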
