[csw-users] [csw-pkgrequests] package request
Dennis Clarke
dclarke at blastwave.org
Fri Nov 23 02:43:15 CET 2007
> Dennis Clarke wrote:
>>> Dennis Clarke wrote:
>>>
>>>>> chkrootkit is a tool to locally check for signs of a rootkit. It
>>>>> contains:
>>>>>
>>>>> * chkrootkit: shell script that checks system binaries for rootkit
>>>>> modification.
>>>>> * ifpromisc.c: checks if the interface is in promiscuous mode.
>>>>> * chklastlog.c: checks for lastlog deletions.
>>>>> * chkwtmp.c: checks for wtmp deletions.
>>>>> * check_wtmpx.c: checks for wtmpx deletions. (Solaris only)
>>>>> * chkproc.c: checks for signs of LKM trojans.
>>>>> * chkdirs.c: checks for signs of LKM trojans.
>>>>> * strings.c: quick and dirty strings replacement.
>>>>> * chkutmp.c: checks for utmp deletions.
>>>>>
>>
>
> Thanks a lot, Dennis!
>
well, out of the gate I see that the Makefile requires static linkage. That
seems to make sense because you are checking for a machine that has been
compromised and thus you won't trust the libraries there.
The Makefile included with this is trivial and since there are only eight
source files I may as well compile them manually .. just to watch each one
carefully.
Firstly we have chkwtmp.c which does not seem to apply to Solaris at all.
The purpose seems to be to check the validity of the wtmp file which no
longer exists on any modern Solaris. So there is no decent reason to even
compile it.
see http://docs.sun.com/app/docs/doc/817-0403/6mg741c2q?l=en&a=view
and http://docs.sun.com/app/docs/doc/817-0403/6mg741c32?l=en&a=view
and man wtmp says it all :
$ date
Thu Nov 22 20:21:30 EST 2007
$ man wtmp
Reformatting page. Please Wait... done
File Formats utmp(4)
NAME
utmp, wtmp - utmp and wtmp database entry formats
SYNOPSIS
#include <utmp.h>
/var/adm/utmp
/var/adm/wtmp
DESCRIPTION
The utmp and wtmp database files are obsolete and are no
longer present on the system. They have been superseded by
the extended database contained in the utmpx and wtmpx data-
base files. See utmpx(4).
It is possible for /var/adm/utmp to reappear on the system.
This would most likely occur if a third party application
that still uses utmp recreates the file if it finds it miss-
ing. This file should not be allowed to remain on the sys-
tem. The user should investigate to determine which applica-
tion is recreating this file.
SEE ALSO
utmpx(4)
SunOS 5.8 Last change: 22 Feb 1999 1
Then we have chkutmp.c which also checks entry data in /var/adm/utmp which
also does not exist HOWEVER the source has this in it :
#if defined(__sun)
#define UTMP "/var/adm/utmpx"
#define UT_LINESIZE 12
#define UT_NAMESIZE 8
#define PS_CMD 0
There we see that we get a conditional define to correct our focus to utmpx
as opposed to the obsolete utmp. No such defines exist in chkwtmp.c to
correct the situation.
The chklastlog.c source has a define for MAX_ID of 99999 when in fact the
MAXUID is now 2147483647 as defined in sys/param.h for Solaris 8 upwards. I
may compile that static anyways and then run it while I also have an active
user on the system with a uid of 1048575 just to see if those process slide
under the radar of this code. Give me some time with that.
I don't see how I can compile this for Solaris in good faith. As a package
it does not seem appropriate for modern Solaris.
Have any thoughts on this ?
Dennis
More information about the users
mailing list