Thursday, January 7, 2010

Making chkrootkit a little more readable

I use cron to run a couple of rootkit checkers daily, rkhunter (http://www.rootkit.nl/) and chkrootkit
(http://www.chkrootkit.org/). chkrootkit is nice, but it's a bit paranoid about weird and hidden files. On the other hand, I probably want my rootkit checker to be a bit paranoid.

It's got a line of code to look for hidden files:

files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"` 

and then it just does an echo to display them. That's fine if you've got one or two, but if you've got a couple of dozen the result is almost unreadable: echo prints all of the filenames on a single line separated by spaces, with no newlines, like so:

/usr/lib/firefox-3.0.16/.autoreg /usr/lib/gtk-2.0/immodules/.relocation-tag /usr/lib/.libfipscheck.so.1.hmac /usr/lib/.libgcrypt.so.11.hmac /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Term/ReadLine/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Term/ReadKey/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/YAML/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/GD/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/GD/Text/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/GD/Graph/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/File/Which/.packlist /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/File/Tail/.packlist /usr/lib/perl5/site_perl/5.

and so on, and so on.

I made a simple change:

      if test -n "$files"; then
        echo "Suspicious files = "
        # Read the find output one path per line instead of letting the for-loop
        # word-split on whitespace: the pattern above explicitly matches ".. *",
        # so names containing spaces are expected. ls -d keeps a hidden
        # directory to a single line rather than listing its contents.
        printf '%s\n' "${files}" | while IFS= read -r i; do ls -lad "$i"; done
      fi

and it prints the files out one per line. Much nicer:

Suspicious files =
-rw-r--r-- 1 root root 0 Dec  3 11:05 /usr/lib/firefox-3.0.16/.autoreg
-rw-r--r-- 1 root root 4622 Dec 11  2007 /usr/lib/gtk-2.0/immodules/.relocation-tag
lrwxrwxrwx 1 root root 27 Sep 14 07:58 /usr/lib/.libfipscheck.so.1.hmac -> .libfipscheck.so.1.1.0.hmac
-rw-r--r-- 1 root root 65 Apr  7  2009 /usr/lib/.libgcrypt.so.11.hmac
-rw-r--r-- 1 root root 110 Apr  7  2009 /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
-rw-r--r-- 1 root root 363 Apr  7  2009 /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
...
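As an added example (not chkrootkit's own code, and separate from the change above), here is a stand-alone sh script that runs the same three name tests, prints one ls -ld line per hit, and copes with names containing spaces, which the ".. *" pattern explicitly looks for. The function names, the HIDDEN_EXCLUDE variable and the sample tree are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: reproduce its hidden-file test and
# print one "ls -ld" line per hit. The helper names, HIDDEN_EXCLUDE variable
# and sample tree are all constructed for this demonstration.

# Optional extended regex of paths known benign on this host, e.g. '\.packlist$|\.hmac$'.
# Empty by default so nothing is suppressed; audit any pattern before relying on it.
HIDDEN_EXCLUDE="${HIDDEN_EXCLUDE:-}"

# list_hidden DIR... : the same name tests chkrootkit uses, one ls -ld line per hit.
list_hidden() {
  find "$@" \( -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *" \) -print 2>/dev/null |
  { if [ -n "$HIDDEN_EXCLUDE" ]; then grep -v -E -e "$HIDDEN_EXCLUDE"; else cat; fi; } |
  while IFS= read -r f; do      # read line by line: names may contain spaces
    ls -ld "$f"                 # -d: show a hidden directory itself, not its contents
  done
}

# count_hidden DIR : number of flagged entries.
count_hidden() {
  list_hidden "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree (constructed sample data) with the cases a plain
# for-loop over $files gets wrong.
make_sample() {
  d=$(mktemp -d)
  : > "$d/.autoreg"              # ordinary hidden file
  : > "$d/.. with space"         # matches ".. *"; would word-split in a for-loop
  mkdir "$d/.hidden dir"         # hidden directory whose name contains a space
  : > "$d/.hidden dir/inner"     # not hidden itself, must not be listed
  : > "$d/visible"               # not hidden
  printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample)
  list_hidden "$sample"          # three lines: .autoreg, ".. with space", ".hidden dir"
  rm -rf "$sample"
fi
```

Run it as `sh script.sh --demo` to see the sample tree listed, or call `list_hidden /usr/lib` (as root) on a real host.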

