[csw-users] [csw-pkgrequests] package request

Dennis Clarke dclarke at blastwave.org
Fri Nov 23 02:43:15 CET 2007


> Dennis Clarke wrote:
>>> Dennis Clarke wrote:
>>>
>>>>> chkrootkit is a tool to locally check for signs of a rootkit. It
>>>>> contains:
>>>>>
>>>>>     * chkrootkit: shell script that checks system binaries for rootkit
>>>>> modification.
>>>>>     * ifpromisc.c: checks if the interface is in promiscuous mode.
>>>>>     * chklastlog.c: checks for lastlog deletions.
>>>>>     * chkwtmp.c: checks for wtmp deletions.
>>>>>     * check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
>>>>>     * chkproc.c: checks for signs of LKM trojans.
>>>>>     * chkdirs.c: checks for signs of LKM trojans.
>>>>>     * strings.c: quick and dirty strings replacement.
>>>>>     * chkutmp.c: checks for utmp deletions.
>>>>>
>>
>
> Thanks a lot, Dennis!
>

Well, out of the gate I see that the Makefile requires static linkage. That
seems to make sense because you are checking for a machine that has been
compromised and thus you won't trust the libraries there.

The Makefile included with this is trivial and since there are only eight
source files I may as well compile them manually .. just to watch each one
carefully.

Firstly we have chkwtmp.c which does not seem to apply to Solaris at all.
The purpose seems to be to check the validity of the wtmp file which no
longer exists on any modern Solaris.  So there is no decent reason to even
compile it.

see http://docs.sun.com/app/docs/doc/817-0403/6mg741c2q?l=en&a=view

and http://docs.sun.com/app/docs/doc/817-0403/6mg741c32?l=en&a=view

and man wtmp says it all:

$ date
Thu Nov 22 20:21:30 EST 2007
$ man wtmp
Reformatting page.  Please Wait... done

File Formats                                              utmp(4)

NAME
     utmp, wtmp - utmp and wtmp database entry formats

SYNOPSIS
     #include <utmp.h>
     /var/adm/utmp
     /var/adm/wtmp

DESCRIPTION
     The utmp and wtmp database files are  obsolete  and  are  no
     longer  present on the system.  They have been superseded by
     the extended database contained in the utmpx and wtmpx data-
     base files.  See utmpx(4).

     It is possible for /var/adm/utmp to reappear on the  system.
     This  would  most  likely occur if a third party application
     that still uses utmp recreates the file if it finds it miss-
     ing.  This  file should not be allowed to remain on the sys-
     tem. The user should investigate to determine which applica-
     tion is recreating this file.

SEE ALSO
     utmpx(4)

SunOS 5.8           Last change: 22 Feb 1999                    1

Then we have chkutmp.c, which also checks entry data in /var/adm/utmp, which
also does not exist. HOWEVER, the source has this in it:

#if defined(__sun)
#define UTMP "/var/adm/utmpx"
#define UT_LINESIZE 12
#define UT_NAMESIZE 8
#define PS_CMD 0

There we see that we get a conditional define to correct our focus to utmpx
as opposed to the obsolete utmp. No such defines exist in chkwtmp.c to
correct the situation.

The chklastlog.c source has a define for MAX_ID of 99999 when in fact the
MAXUID is now 2147483647 as defined in sys/param.h for Solaris 8 upwards. I
may compile that statically anyway and then run it while I also have an active
user on the system with a uid of 1048575, just to see if those processes slide
under the radar of this code.  Give me some time with that.

I don't see how I can compile this for Solaris in good faith. As a package
it does not seem appropriate for modern Solaris.

Have any thoughts on this?

Dennis
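The two concerns raised above (a wtmpx-style deletion check, and a lastlog cross-check whose MAX_ID bound silently excludes high uids) can be illustrated with a small checker. This is an added example, not Dennis's code and not chkrootkit's chkwtmp.c or chklastlog.c; it borrows only the record layout of struct utmpx from <utmpx.h>. The passwd table, lastlog table and wtmpx records are constructed in memory, the deletion heuristics (a zeroed record inside the file, a timestamp earlier than its predecessor, a login with no lastlog entry at least as recent) are illustrative rather than chkrootkit's exact algorithm, and the function names are the example's own:

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/types.h>
#include <utmpx.h>

/* Added illustrative checker, not chkrootkit's code. It uses the utmpx
 * record layout from <utmpx.h>; the lastlog and passwd data are
 * constructed in-memory stand-ins for the real databases. */

#define USER_LEN (sizeof(((struct utmpx *)0)->ut_user))

struct ll_entry { uid_t uid; time_t ll_time; };   /* most recent login per uid */
struct pw_entry { const char *name; uid_t uid; }; /* name -> uid, like passwd */

struct check_result {
    int zeroed;            /* all-zero records inside the file (zapped entry) */
    int out_of_order;      /* timestamp earlier than the previous record */
    int missing_lastlog;   /* wtmpx login with no lastlog entry at least as recent */
    int skipped_by_bound;  /* logins the checker never examined: uid > max_id */
};

static int is_zeroed(const struct utmpx *u)
{
    return u->ut_type == EMPTY && u->ut_user[0] == '\0' &&
           u->ut_line[0] == '\0' && u->ut_tv.tv_sec == 0;
}

static int lookup_uid(const struct pw_entry *pw, size_t n,
                      const char *user, uid_t *out)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(pw[i].name, user, USER_LEN) == 0) { *out = pw[i].uid; return 1; }
    return 0;
}

static int lookup_lastlog(const struct ll_entry *ll, size_t n,
                          uid_t uid, time_t *out)
{
    for (size_t i = 0; i < n; i++)
        if (ll[i].uid == uid) { *out = ll[i].ll_time; return 1; }
    return 0;
}

/* Walk the wtmpx records in file order. Records are appended as events
 * happen, so a zeroed record or a timestamp that goes backwards suggests
 * entries were removed or rewritten. Every USER_PROCESS login is then
 * cross-checked against lastlog, but only for uids up to max_id: that
 * bound decides whether a high uid is examined at all. */
struct check_result check_logins(const struct utmpx *recs, size_t nrec,
                                 const struct pw_entry *pw, size_t npw,
                                 const struct ll_entry *ll, size_t nll,
                                 uid_t max_id)
{
    struct check_result r = {0, 0, 0, 0};
    time_t last = 0;
    for (size_t i = 0; i < nrec; i++) {
        const struct utmpx *u = &recs[i];
        if (is_zeroed(u)) { r.zeroed++; continue; }
        if (u->ut_tv.tv_sec < last) r.out_of_order++; else last = u->ut_tv.tv_sec;
        if (u->ut_type != USER_PROCESS) continue;
        uid_t uid; time_t t;
        if (!lookup_uid(pw, npw, u->ut_user, &uid)) continue;
        if (uid > max_id) { r.skipped_by_bound++; continue; }
        /* lastlog should hold a login at least as recent as this record */
        if (!lookup_lastlog(ll, nll, uid, &t) || t < u->ut_tv.tv_sec) r.missing_lastlog++;
    }
    return r;
}

static void rec(struct utmpx *u, short type, const char *user, const char *line, long sec)
{
    memset(u, 0, sizeof *u);
    u->ut_type = type;
    strncpy(u->ut_user, user, USER_LEN - 1);
    strncpy(u->ut_line, line, sizeof u->ut_line - 1);
    u->ut_tv.tv_sec = sec;
}

/* Constructed data: a wtmpx with one zapped record and one rewritten tail,
 * a passwd table with a uid well above 99999, and a lastlog from which that
 * user's entry has been wiped. */
struct check_result run_example(uid_t max_id)
{
    static const struct pw_entry pw[] = { {"root", 0}, {"alice", 1001}, {"bigid", 1048575} };
    static const struct ll_entry ll[] = { {0, 1195700000}, {1001, 1195700100} };
    struct utmpx w[5];
    rec(&w[0], BOOT_TIME, "reboot", "~", 1195700000);
    rec(&w[1], USER_PROCESS, "alice", "pts/1", 1195700100);
    memset(&w[2], 0, sizeof w[2]);                        /* zapped entry */
    rec(&w[3], USER_PROCESS, "bigid", "pts/2", 1195700200);
    rec(&w[4], DEAD_PROCESS, "", "pts/1", 1195700050);    /* earlier than predecessor */
    return check_logins(w, 5, pw, 3, ll, 2, max_id);
}

int main(void)
{
    uid_t bounds[] = { 99999, 2147483647 };  /* chklastlog's MAX_ID vs Solaris MAXUID */
    for (int i = 0; i < 2; i++) {
        struct check_result r = run_example(bounds[i]);
        printf("MAX_ID=%u: zeroed=%d out_of_order=%d missing_lastlog=%d skipped=%d\n",
               (unsigned)bounds[i], r.zeroed, r.out_of_order, r.missing_lastlog,
               r.skipped_by_bound);
    }
    return 0;
}
```

With the bound at 99999 the wiped lastlog entry for uid 1048575 is never looked at (it shows up only as a skipped login), while with the bound at 2147483647 the same data is reported as a missing lastlog entry; the zeroed record and the backwards timestamp are flagged either way.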



