case "$OPTTYPE" in
  # Type 1: strip every double quote, single quote and space from the value.
  1) OPTVAR=`echo "${OPTVAR}" | tr -d '" ' | tr -d "'"` ;;
  # Type 2: turn commas into spaces, squeeze runs of spaces, then drop one
  # pair of surrounding quotes (double or single).
  # NOTE(review): the second tr reads as a no-op here ('  ' -> ' '); it may have
  # held a tab character in the original source — confirm before relying on it.
  2) OPTVAR=`echo "${OPTVAR}" | tr ',' ' ' | tr ' ' ' ' | tr -s ' '`
     OPTVAR=`echo "${OPTVAR}" | sed -e 's/^"\(.*\)"$/\1/' | sed -e "s/^'\(.*\)'$/\1/"`
     # Unquoted expansion on purpose: collapses leading/trailing whitespace.
     OPTVAR=`echo ${OPTVAR}` ;;
  *) echo "Error: Invalid option type in get_option function: $*" >&2 ;;
esac
echo "${OPTVAR}"
return 0
}

get_temp_file() {
  #
  # This function will create an empty, unique temporary file.
  #
  # It takes one argument which is the pathname for the file,
  # excluding the suffix. The function will return the pathname
  # in TEMPFILE.
  #
  # Globals read:    MKTEMP_CMD, BSDOS
  # Globals written: TEMPFILE, TEMPFILE_BASE
  # Arguments:       $1 - pathname prefix (directory + base name)
  # Returns:         always 0; the result is passed back in TEMPFILE
  #
  # NOTE(review): only the mktemp branch picks a name that is unguessable;
  # the fallbacks derive the suffix from $RANDOM or the clock, so on a system
  # without mktemp the name is predictable. The rm -f at the end then removes
  # whatever mktemp created, so callers (e.g. suckit_extra_checks) recreate the
  # file themselves — the uniqueness guarantee therefore only covers the name,
  # not the creation of the file.
  #
  TEMPFILE=""
  TEMPFILE_BASE=$1
  if [ -n "${MKTEMP_CMD}" ]; then
    # Unquoted: a TEMPFILE_BASE containing whitespace would be word-split here.
    TEMPFILE=`${MKTEMP_CMD} ${TEMPFILE_BASE}.XXXXXX`
  elif [ -n "$RANDOM" ]; then
    TEMPFILE="${TEMPFILE_BASE}.$RANDOM"
  elif [ $BSDOS -eq 1 ]; then
    TEMPFILE="${TEMPFILE_BASE}.`date +%s`"
  elif [ -n "`date +%N%s 2>/dev/null | grep '^[0-9][0-9]*$'`" ]; then
    # 'date +%N' (nanoseconds) is only available on some date implementations;
    # the grep above checks that it produced digits rather than a literal '%N'.
    TEMPFILE="${TEMPFILE_BASE}.`date +%N%s%N`"
  else
    TEMPFILE="${TEMPFILE_BASE}.`date +%Y%m%d%H%M%S`"
  fi
  #
  # Remove the file just in case it does already exist!
  #
  rm -f ${TEMPFILE} >/dev/null 2>&1
  return
}

suckit_extra_checks() {
  #
  # This function carries out some extra checks of the suckit rootkit.
  # There are 3 extra checks, but we only display the result after
  # all the checks have completed. As such we store the result of
  # each check in a variable, and display the final result based on
  # the value of those variables.
  #
  # Globals read:    VERBOSE_LOGGING, STAT_CMD, RKHTMPDIR
  # Globals written: ROOTKIT_COUNT, ROOTKIT_FAILED_COUNT, ROOTKIT_FAILED_NAMES,
  #                  NLINKS, HIDDEN, SKDET, SKDET_OUTPUT, SKDET_CMD, TEMPFILE
  # Calls:           display, get_temp_file, find_cmd (defined elsewhere)
  # Returns:         always 0; results are reported via display
  #
  if [ $VERBOSE_LOGGING -eq 1 ]; then
    display --to LOG --type PLAIN --log-indent 2 --nl ROOTKIT_ADD_SUCKIT_LOG
  fi
  ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
  #
  # The first check tests the link count of the /sbin/init file.
  # We use the NLINKS variable to indicate the test result:
  #   -1 means that no stat command was available
  #    0 means that the stat command gave an error
  #    1 is okay
  #   >1 means that suckit may be installed
  #
  NLINKS=-1
  if [ -n "${STAT_CMD}" ]; then
    # A STAT_CMD ending in '.pl' is the bundled perl stat script, which takes
    # '--nlink'; a native stat is asked for terse output and field 9 is taken.
    # NOTE(review): the field position of the link count in 'stat -t' output is
    # assumed here — confirm it holds for every stat implementation supported.
    if [ -n "`echo \"${STAT_CMD}\" | grep '\.pl$'`" ]; then
      NLINKS=`${STAT_CMD} --nlink /sbin/init 2>/dev/null`
    else
      NLINKS=`${STAT_CMD} -t /sbin/init 2>/dev/null | cut -d' ' -f9`
    fi
    # Empty output (stat failed, or /sbin/init missing) is recorded as an error.
    # If stat ever prints something non-numeric, the -eq tests below will
    # themselves fail with a shell error rather than a result.
    test -z "${NLINKS}" && NLINKS=0
    if [ $VERBOSE_LOGGING -eq 1 ]; then
      if [ $NLINKS -eq 0 ]; then
        display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_ADD_SUCKIT_LINK
      elif [ $NLINKS -eq 1 ]; then
        display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_ADD_SUCKIT_LINK
      else
        display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_ADD_SUCKIT_LINK
      fi
    fi
  else
    # Unlike the messages above, this SKIPPED line is logged regardless of
    # VERBOSE_LOGGING.
    display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_ADD_SUCKIT_LINK
  fi
  #
  # The next test checks to see if certain files are being
  # hidden. These files have the '.xrk' or '.mem' suffix.
  # The HIDDEN variable will be used to indicate the result:
  #   <null> is okay
  #   'xrk' means that the 'xrk' suffix is hidden
  #   'mem' means that the 'mem' suffix is hidden
  #   'xrk and mem' means that both suffixes are hidden
  #
  # The test creates a temporary file, renames it to carry the suffix, and
  # then asks the filesystem whether it is still visible.
  # NOTE(review): any failure of touch/mv for an unrelated reason (RKHTMPDIR
  # not writable, for instance) also leaves the file absent and is reported
  # as "hidden" — there is no separate error path here.
  #
  HIDDEN=""
  for EXT in xrk mem; do
    get_temp_file "${RKHTMPDIR}/suckitexttest"
    touch ${TEMPFILE}
    rm -f ${TEMPFILE}.${EXT} >/dev/null 2>&1
    mv ${TEMPFILE} ${TEMPFILE}.${EXT}
    if [ ! -f "${TEMPFILE}.${EXT}" ]; then
      if [ -n "${HIDDEN}" ]; then
        HIDDEN="${HIDDEN} and ${EXT}"
      else
        HIDDEN=${EXT}
      fi
    fi
    rm -f "${TEMPFILE}.${EXT}" >/dev/null 2>&1
  done
  if [ $VERBOSE_LOGGING -eq 1 ]; then
    if [ -z "${HIDDEN}" ]; then
      display --to LOG --type PLAIN --result NONE_FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
    else
      display --to LOG --type PLAIN --result FOUND --log-indent 4 ROOTKIT_ADD_SUCKIT_EXT
    fi
  fi
  #
  # Finally we perform a check using the skdet command, if it
  # is present. The SKDET variable will be used to indicate
  # the result:
  #   -1 means that skdet is not available
  #    0 means that skdet found nothing
  #    1 means that skdet found something
  #    2 means that the version of skdet is unknown
  #
  # The variable SKDET_OUTPUT will contain any output from
  # the command.
  #
  SKDET=-1
  SKDET_OUTPUT=""
  SKDET_CMD=`find_cmd skdet`
  if [ -n "${SKDET_CMD}" ]; then
    #
    # We need to check the skdet version first. The option that lists
    # hidden objects differs between the v0 and v1 series.
    #
    SKDET=0
    SKDETOPT=""
    SKDETVER=`${SKDET_CMD} -v 2>&1 | grep '^skdet.v' | awk -F'.' '{ print $1 }'`
    case "${SKDETVER}" in
      *v0) SKDETOPT="-a" ;;
      *v1) SKDETOPT="-c" ;;
      # Unknown version: keep the raw version output for the log and do not
      # run the detection command with an option we cannot vouch for.
      *) SKDET=2
         SKDET_OUTPUT=`${SKDET_CMD} -v 2>&1` ;;
    esac
    if [ $SKDET -eq 0 ]; then
      # Only lines mentioning 'invis' (invisible objects) count as a finding.
      SKDET_OUTPUT=`${SKDET_CMD} ${SKDETOPT} 2>&1 | tr -s ' ' | grep -i 'invis'`
      test -n "${SKDET_OUTPUT}" && SKDET=1
    fi
    if [ $VERBOSE_LOGGING -eq 1 ]; then
      if [ $SKDET -eq 0 ]; then
        display --to LOG --type PLAIN --result OK --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
      else
        display --to LOG --type PLAIN --result WARNING --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
      fi
    fi
  elif [ $VERBOSE_LOGGING -eq 1 ]; then
    display --to LOG --type PLAIN --result SKIPPED --log-indent 4 ROOTKIT_ADD_SUCKIT_SKDET
    display --to LOG --type INFO NOT_FOUND_CMD "skdet"
  fi
  #
  # Now we can display the results.
  #
  # The overall result is OK only when the link count is exactly 1, nothing is
  # hidden, and skdet either found nothing or was not available. Note that a
  # missing stat command (NLINKS=-1) therefore produces a WARNING, not a skip.
  #
  if [ $NLINKS -eq 1 -a -z "${HIDDEN}" -a $SKDET -le 0 ]; then
    display --to SCREEN+LOG --type PLAIN --result OK --color GREEN --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT
  else
    ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
    ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}Suckit Rookit (extra checks), "
    display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 --log-indent 2 ROOTKIT_ADD_SUCKIT
    # Explain which of the three checks triggered the warning.
    if [ $NLINKS -eq -1 ]; then
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_NOCMD
    elif [ $NLINKS -eq 0 ]; then
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_ERR
    elif [ $NLINKS -gt 1 ]; then
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_LINK_FOUND "$NLINKS"
    fi
    if [ -n "${HIDDEN}" ]; then
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_EXT_FOUND "${HIDDEN}"
    fi
    if [ $SKDET -eq 1 ]; then
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_FOUND "${SKDET_OUTPUT}"
    elif [ $SKDET -eq 2 ]; then
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_ADD_SUCKIT_SKDET_VER "${SKDET_OUTPUT}"
    fi
  fi
  return
}

scanrootkit() {
  #
  # This function performs the actual check for a rootkit.
  # It uses the variables SCAN_ROOTKIT, SCAN_FILES, SCAN_DIRS
  # and SCAN_KSYMS. These will have been set before the
  # function is called.
  #
  # Globals read:    SCAN_ROOTKIT, SCAN_FILES, SCAN_DIRS, SCAN_KSYMS,
  #                  RTKT_FILE_WHITELIST, RTKT_DIR_WHITELIST, KSYMS_FILE,
  #                  VERBOSE_LOGGING
  # Globals written: SCAN_STATUS, ROOTKIT_COUNT, ROOTKIT_FAILED_COUNT,
  #                  ROOTKIT_FAILED_NAMES, FILE_FOUND, DIR_FOUND, KSYM_FOUND
  # Calls:           display (defined elsewhere)
  # Returns:         always 0; results are reported via display
  #
  # Pathnames in SCAN_FILES/SCAN_DIRS are space-delimited, with any space in a
  # single path encoded as '%'; the loops below translate '%' back to a space
  # before testing the filesystem.
  #
  SCAN_STATUS=0
  ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
  if [ $VERBOSE_LOGGING -eq 1 ]; then
    display --to LOG --type PLAIN --nl ROOTKIT_FILES_DIRS_NAME_LOG "${SCAN_ROOTKIT}"
  fi
  #
  # First check to see if any of the known files exist.
  #
  FILE_FOUND=""
  for RKHTMPVAR2 in ${SCAN_FILES}; do
    RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`
    if [ -f "${RKHTMPVAR}" ]; then
      #
      # We first check to see if the file is whitelisted. Note that we use
      # the un-translated file name. This allows us to check for filenames
      # with spaces, but without causing problems for our space-delimited test.
      #
      # Dots are escaped so the grep pattern matches the name literally; the
      # pattern is padded with spaces on both sides, which presumes the
      # whitelist string is itself space-padded — TODO confirm where it is built.
      #
      RKHTMPVAR3=`echo "${RKHTMPVAR2}" | sed -e 's/\./\\\./g'`
      if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${RKHTMPVAR3} \"`" ]; then
        display --to LOG --type INFO FILE_PROP_WL "${RKHTMPVAR}" rootkit
      else
        SCAN_STATUS=1
        FILE_FOUND="${FILE_FOUND} ${RKHTMPVAR2}"
      fi
      # Logged as FOUND whether or not it was whitelisted.
      test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "${RKHTMPVAR}"
    elif [ $VERBOSE_LOGGING -eq 1 ]; then
      display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_FILE "${RKHTMPVAR}"
    fi
  done
  #
  # Next check to see if any of the directories exist.
  #
  DIR_FOUND=""
  for RKHTMPVAR2 in ${SCAN_DIRS}; do
    RKHTMPVAR=`echo "${RKHTMPVAR2}" | tr '%' ' '`
    if [ -d "${RKHTMPVAR}" ]; then
      #
      # We first check to see if the directory is whitelisted. Note that we use
      # the un-translated directory name. This allows us to check for directory
      # names with spaces, but without causing problems for our space-delimited test.
      #
      RKHTMPVAR3=`echo "${RKHTMPVAR2}" | sed -e 's/\./\\\./g'`
      if [ -n "`echo \"${RTKT_DIR_WHITELIST}\" | grep \" ${RKHTMPVAR3} \"`" ]; then
        display --to LOG --type INFO FILE_PROP_WL_DIR "${RKHTMPVAR}" rootkit
      else
        SCAN_STATUS=1
        DIR_FOUND="${DIR_FOUND} ${RKHTMPVAR2}"
      fi
      test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${RKHTMPVAR}"
    elif [ $VERBOSE_LOGGING -eq 1 ]; then
      display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_DIR "${RKHTMPVAR}"
    fi
  done
  #
  # Next check the ksyms or kallsyms file.
  #
  # Each symbol is grepped as an unanchored regex (only dots are escaped), so
  # a symbol that is a substring of a benign kernel symbol would also match;
  # there is no whitelist for ksyms.
  #
  KSYM_FOUND=""
  if [ -n "${SCAN_KSYMS}" ]; then
    for KS in ${SCAN_KSYMS}; do
      if [ -n "${KSYMS_FILE}" ]; then
        KSYM=`echo "${KS}" | sed -e 's/\./\\\./g'`
        if [ -n "`grep \"${KSYM}\" ${KSYMS_FILE}`" ]; then
          SCAN_STATUS=1
          KSYM_FOUND="${KSYM_FOUND} ${KS}"
          test $VERBOSE_LOGGING -eq 1 && display --to LOG --type PLAIN --result FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
        elif [ $VERBOSE_LOGGING -eq 1 ]; then
          display --to LOG --type PLAIN --result NOT_FOUND --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
        fi
      elif [ $VERBOSE_LOGGING -eq 1 ]; then
        display --to LOG --type PLAIN --result SKIPPED --log-indent 2 ROOTKIT_FILES_DIRS_KSYM "${KS}"
      fi
    done
  fi
  #
  # Now display the results.
  #
  if [ $SCAN_STATUS -eq 0 ]; then
    display --to SCREEN+LOG --type PLAIN --result NOT_FOUND --color GREEN --screen-indent 4 NAME "${SCAN_ROOTKIT}"
  else
    ROOTKIT_FAILED_COUNT=`expr ${ROOTKIT_FAILED_COUNT} + 1`
    ROOTKIT_FAILED_NAMES="${ROOTKIT_FAILED_NAMES}${SCAN_ROOTKIT}, "
    display --to SCREEN+LOG --type WARNING --result WARNING --color RED --screen-indent 4 NAME "${SCAN_ROOTKIT}"
    #
    # Log any files, directories or ksyms found.
    #
    for RKHTMPVAR in ${FILE_FOUND}; do
      RKHTMPVAR=`echo "${RKHTMPVAR}" | tr '%' ' '`
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_FILE_FOUND "${RKHTMPVAR}"
    done
    for RKHTMPVAR in ${DIR_FOUND}; do
      RKHTMPVAR=`echo "${RKHTMPVAR}" | tr '%' ' '`
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_DIR_FOUND "${RKHTMPVAR}"
    done
    for RKHTMPVAR in ${KSYM_FOUND}; do
      display --to LOG --type PLAIN --log-indent 9 ROOTKIT_FILES_DIRS_KSYM_FOUND "${RKHTMPVAR}"
    done
  fi
  return
}

check_required_commands() {
  #
  # This function checks that some required commands are
  # present on the system. The function takes one argument
  # which is a list of directories to look in.
  #
  # Globals read: REQCMDS (space-delimited list of command names)
  # Arguments:    $1 - space-delimited list of directories to search
  # Exits:        with status 1 if any command is not found as an
  #               executable regular file in one of the directories
  # Returns:      0 when every command was found
  #
  for CMD in ${REQCMDS}; do
    SEEN=0
    for DIR in $1; do
      if [ -f "${DIR}/${CMD}" -a -x "${DIR}/${CMD}" ]; then
        SEEN=1
        break
      fi
    done
    if [ $SEEN -eq 0 ]; then
      echo "The command '$CMD' must be present on the system in order to run rkhunter."
      exit 1
    fi
  done
  return
}

check_commands() {
  #
  # We check for some commands used in the tests. If the command
  # is found then a variable including the command name is set.
  # These commands are not 'required', so nothing happens if the
  # command is not found. The commands can be defined in the
  # configuration file, and a value of 'DISABLED' will cause a
  # command to not exist. A value of 'BUILTIN' may be used for
  # the 'stat' and 'readlink' commands, to indicate that the
  # supplied scripts should be used. We have to handle the 'stat'
  # command in a special way so that the perl module does not get
  # used if the command is to be disabled.
  #
  # Globals read:    CMDLIST, PERL_CMD, SCRIPT_PATH
  # Globals written: one <NAME>_CMD variable per entry in CMDLIST
  #                  (e.g. STAT_CMD, READLINK_CMD), plus RKHTMPVAR,
  #                  RKHTMPVAR2, CFG_CMD, MCMD, MOD_INSTALLED
  # Calls:           get_option, find_cmd (defined elsewhere)
  # Exits:           with status 1 if get_option fails
  #
  # NOTE(review): the configured value is spliced into 'eval' unquoted, so
  # whatever the configuration file supplies becomes shell source here. This
  # is only safe while the configuration file stays under the same trust
  # boundary as the script itself (owned and writable by root only).
  #
  for CMD in ${CMDLIST}; do
    # Variable name is the upper-cased command name with a '_CMD' suffix.
    RKHTMPVAR=`echo ${CMD} | tr '[a-z]' '[A-Z]'`
    RKHTMPVAR="${RKHTMPVAR}_CMD"
    #
    # See if the user has defined the command in
    # the configuration file.
    #
    CFG_CMD=`get_option 2 single "${RKHTMPVAR}"` || exit 1
    if [ -n "${CFG_CMD}" ]; then
      if [ "${CFG_CMD}" = "DISABLED" -o "${CFG_CMD}" = "BUILTIN" ]; then
        # Keep the marker value for now; it is resolved further down.
        eval ${RKHTMPVAR}=\"${CFG_CMD}\"
      else
        #
        # Check that the command is executable. Only the first word of the
        # configured value is looked up, so options may follow the command.
        #
        MCMD=`echo "${CFG_CMD}" | cut -d' ' -f1`
        if [ -n "`find_cmd ${MCMD}`" ]; then
          eval ${RKHTMPVAR}=\"${CFG_CMD}\"
        else
          CFG_CMD=""
        fi
      fi
    fi
    #
    # If the command has not been predefined, or is not
    # executable, then go find the command to use.
    #
    test -z "${CFG_CMD}" && eval ${RKHTMPVAR}=`find_cmd ${CMD}`
  done
  #
  # If we cannot find a 'stat' command, or the supplied script is to
  # be used, then we must check to see if perl is available. If it is,
  # then the supplied 'stat' script can be used.
  #
  if [ -n "${PERL_CMD}" -a "${PERL_CMD}" != "DISABLED" ]; then
    if [ -z "${STAT_CMD}" -o "${STAT_CMD}" = "BUILTIN" ]; then
      # check_modules.pl reports missing modules with 'NOT installed'; an
      # empty MOD_INSTALLED means both File::stat and Getopt::Long are present.
      if [ -r "${SCRIPT_PATH}/check_modules.pl" ]; then
        MOD_INSTALLED=`${PERL_CMD} ${SCRIPT_PATH}/check_modules.pl File::stat Getopt::Long 2>&1 | grep 'NOT installed'`
      else
        MOD_INSTALLED="module not found"
      fi
      if [ -z "${MOD_INSTALLED}" -a -r "${SCRIPT_PATH}/stat.pl" ]; then
        STAT_CMD="${PERL_CMD} ${SCRIPT_PATH}/stat.pl"
      else
        STAT_CMD=""
      fi
    fi
  elif [ "${STAT_CMD}" = "BUILTIN" ]; then
    # BUILTIN was requested but perl is unavailable or disabled: no stat at all.
    STAT_CMD=""
  fi
  #
  # If the readlink command cannot be found, or it does not support
  # the '-f' option, then we must use the supplied shell script.
  #
  if [ -z "${READLINK_CMD}" -o "${READLINK_CMD}" = "BUILTIN" ]; then
    test -x "${SCRIPT_PATH}/readlink.sh" && READLINK_CMD="${SCRIPT_PATH}/readlink.sh"
  # The redirection order '2>&1 >/dev/null' is deliberate: only stderr is
  # captured, so any complaint about '-f' selects the bundled script.
  elif [ -n "`${READLINK_CMD} -f ${SCRIPT_PATH}/readlink.sh 2>&1 >/dev/null`" ]; then
    if [ -x "${SCRIPT_PATH}/readlink.sh" ]; then
      READLINK_CMD="${SCRIPT_PATH}/readlink.sh"
    else
      READLINK_CMD=""
    fi
  fi
  #
  # Finally we must remove all the DISABLED commands. Any leftover
  # BUILTIN marker is cleared as well.
  #
  for CMD in ${CMDLIST}; do
    RKHTMPVAR=`echo ${CMD} | tr '[a-z]' '[A-Z]'`
    RKHTMPVAR="${RKHTMPVAR}_CMD"
    # Indirect read of the variable named in RKHTMPVAR.
    RKHTMPVAR2=`eval echo "\\$${RKHTMPVAR}"`
    test "${RKHTMPVAR2}" = "DISABLED" -o "${RKHTMPVAR2}" = "BUILTIN" && eval ${RKHTMPVAR}=\"\"
  done
  return
}