On Thu, 26 Sept 2024 at 11:21, Vincent Lefevre <vinc...@vinc17.net> wrote:
> It is difficult to regard
> Checking `bindshell'... not found
> Checking `bindshell'... WARNING
> WARNING: Potential bindshell installed: infected ports: 60001
> as equivalent with filtering.

I think this is probably possible with a filter - even sed can consider multiple lines if you try hard enough, but indeed, not simple.

> the $netstat and $OPT values
> seem to be hardcoded in /sbin/chkrootkit, so that it is not
> possible to override them in /etc/chkrootkit/chkrootkit.conf.
> For instance, one should be able to use
>
> { /usr/bin/ss -anp | /usr/bin/grep -v
> '^udp.*:60001[[:space:]].*"mosh-server"'; }

Indeed --- $netstat and $OPT are implementation details - you wouldn't be able to put a pipe in a variable anyway. It would technically work to use -p and provide a custom 'ss' command that runs that pipeline: you'd also need to provide copies of everything else in $cmdlist -- perhaps it would work to use symlinks.

But I suppose there could be a separate option to exclude things from this check: the options are:

- an option to change the range of ports that are checked (i.e. to change $PORT to a list that does not include 6001): easy, but it would be a blanket "don't check that port"
- an option to do custom filtering of the results -- this would likely be limited, e.g. to one-word arguments to grep
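
The difference between the blanket port exclusion and the process-scoped filter discussed above, as an added example that is not part of the original message or of chkrootkit. The `ss -anp` sample is constructed, and `bound_to_port` is a hypothetical stand-in for the port check, not chkrootkit's own logic.

```shell
#!/bin/sh
# Constructed sample of `ss -anp` output (not captured from a real host):
# mosh-server on udp/60001, plus an unrelated TCP listener on the same port.
sample_ss() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:60001      0.0.0.0:*         users:(("mosh-server",pid=1234,fd=4))
tcp   LISTEN 0      128    0.0.0.0:60001      0.0.0.0:*         users:(("nc",pid=4321,fd=3))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=800,fd=3))
EOF
}

# The grep expression from the quoted message: drop only UDP sockets on
# port 60001 that are owned by mosh-server. Reads ss output on stdin.
filter_mosh() {
    grep -v '^udp.*:60001[[:space:]].*"mosh-server"'
}

# Hypothetical stand-in for the port check: print every socket line whose
# local address (5th column) ends in :PORT. Reads ss output on stdin.
bound_to_port() {
    awk -v p="$1" '$5 ~ (":" p "$")'
}

# Blanket exclusion: port 60001 is never looked at, so nothing is reported,
# including the non-mosh listener.
blanket_exclusion() {
    for port in "$@"; do
        [ "$port" = 60001 ] && continue
        bound_to_port "$port"
    done
}

echo "Process-scoped filter still reports:"
sample_ss | filter_mosh | bound_to_port 60001

echo "Blanket port exclusion reports:"
sample_ss | blanket_exclusion 60001
```

With the scoped filter the `nc` listener on tcp/60001 is still reported; with the port removed from the list it is not.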