Hi,
I've looked through the code of rkhunter 1.3.6 and it seems to me that
the pre-processing is too aggressive in do_system_startup_file_checks():
<code>
#
# Since we are going to be checking a lot of files
# for strings that are static, we may as well do
# some pre-processing of the string, and then we
# only need to spend time if a string is found.
#
RCSTRINGS=""
IFS=$IFSNL
for RKHTMPVAR in ${RCLOCAL_STRINGS}; do
    RKHTMPVAR=`echo ${RKHTMPVAR} | sed -e 's/^[ ]*//'`
    STR=`echo ${RKHTMPVAR} | cut -d: -f1`
    STRING=`echo ${STR} | sed -e 's/\./\\\./g'`
    RCSTRINGS="${RCSTRINGS} ${STRING}"
    INFO=`echo ${RKHTMPVAR} | cut -d: -f2`
    ROOTKIT_COUNT=`expr ${ROOTKIT_COUNT} + 1`
done
IFS=$RKHIFS
RCSTRINGS=`echo ${RCSTRINGS}`
for FNAME in ${RC_PATHS}; do
    for STRING in ${RCSTRINGS}; do
        if [ -n "`grep "${STRING}" ${FNAME} | egrep -v '^[ ]*#'`" ]; then
            RKHTMPVAR=`echo "${FNAME}" | sed -e 's/\./\\\./g'`
            if [ -n "`echo \"${RTKT_FILE_WHITELIST}\" | grep \" ${RKHTMPVAR} \"`" ]; then
                display --to LOG --type INFO FILE_PROP_WL "${FNAME}"
                startup_malware
            else
                FOUND=1
                FOUNDSTRINGS="${FOUNDSTRINGS}%${FNAME}:${STR}:${INFO}"
            fi
        fi
    done
done
</code>
In the computation of FOUNDSTRINGS, I believe that ${STR} and ${INFO}
always evaluate to the last element of RCLOCAL_STRINGS
(/usr/bin/.etc:Dica-Kit Rootkit for 1.3.6) and not to the values related
to STRING.
Furthermore, I think the whitelist should be an
RTKT_RCFILE_STRING_WHITELIST: suppose a file is whitelisted because it
is known to contain an innocuous "sshdd", for example. If it is then
infected with "/usr/bin/.etc", the result of the test will be "None
found" in green on the screen.
In my mind, the RTKT_RCFILE_STRING_WHITELIST should contain pairs of
RCfile:String.
Cordially,
Patrick
_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
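An added example, not rkhunter's code and not part of Patrick's message: a POSIX sh model of the quoted loop, run on constructed data, that shows the stale STR/INFO problem in the two-pass shape beside a version that derives STR, STRING and INFO from the same entry and consults a whitelist of rcfile:string pairs. The RCLOCAL_STRINGS entries, the rc file contents, the simplified single-file RTKT_FILE_WHITELIST check and the RTKT_RCFILE_STRING_WHITELIST variable are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not rkhunter's own code. Models the quoted loop with
# constructed data: (1) why STR/INFO must be derived per entry, and
# (2) what a per-file, per-string whitelist changes.

# Constructed entries in rkhunter's "string:description" line format.
RCLOCAL_STRINGS='sshdd:Example rootkit A
/usr/bin/.etc:Example rootkit B'

RTKT_FILE_WHITELIST=""          # whole file, as in rkhunter 1.3.6 (simplified to one path)
RTKT_RCFILE_STRING_WHITELIST="" # hypothetical "rcfile:string" pairs, one per line

# Escape basic-regex metacharacters so grep matches the string literally
# (the quoted code escapes only '.').
escape_re() {
    printf '%s\n' "$1" | sed -e 's/[].[*^$]/\\&/g'
}

# True if file $1 contains regex $2 on a non-comment line (same test as rkhunter).
file_has_string() {
    grep "$2" "$1" | grep -v '^[ ]*#' >/dev/null
}

# Shape of the quoted loop: one pass fills STR/INFO, a second pass reuses
# them, so every hit is reported with the LAST entry's STR and INFO, and a
# whitelisted file suppresses every string in it.
scan_buggy() {
    FNAME=$1
    RCSTRINGS=""
    IFS='
'
    for ENTRY in $RCLOCAL_STRINGS; do
        STR=${ENTRY%%:*}
        INFO=${ENTRY#*:}
        RCSTRINGS="$RCSTRINGS $(escape_re "$STR")"
    done
    unset IFS   # back to the default " \t\n" so RCSTRINGS splits on spaces
    for STRING in $RCSTRINGS; do
        if file_has_string "$FNAME" "$STRING"; then
            if [ "$RTKT_FILE_WHITELIST" = "$FNAME" ]; then
                :   # whole file whitelisted: nothing reported, whatever matched
            else
                printf '%s:%s:%s\n' "$FNAME" "$STR" "$INFO"
            fi
        fi
    done
}

# Exact-line lookup of "rcfile:string" in the hypothetical pair whitelist.
is_whitelisted() {
    printf '%s\n' "$RTKT_RCFILE_STRING_WHITELIST" | grep -Fxq "$1:$2"
}

# Corrected shape: STR, STRING and INFO come from the entry that matched,
# and the whitelist is consulted per (file, string) pair, so a file that is
# whitelisted for "sshdd" is still reported for "/usr/bin/.etc".
scan_fixed() {
    FNAME=$1
    IFS='
'
    for ENTRY in $RCLOCAL_STRINGS; do
        STR=${ENTRY%%:*}
        INFO=${ENTRY#*:}
        STRING=$(escape_re "$STR")
        if file_has_string "$FNAME" "$STRING"; then
            if is_whitelisted "$FNAME" "$STR"; then
                printf 'whitelisted:%s:%s\n' "$FNAME" "$STR"
            else
                printf '%s:%s:%s\n' "$FNAME" "$STR" "$INFO"
            fi
        fi
    done
    unset IFS
}

# Demo on a constructed rc file: an uncommented "sshdd" hit and a
# commented "/usr/bin/.etc" line (comment lines are ignored, as in rkhunter).
RCFILE=$(mktemp)
printf '%s\n' '#!/bin/sh' '# legacy: /usr/bin/.etc/run' 'sshdd -p 2222 &' 'exit 0' > "$RCFILE"
echo "buggy: $(scan_buggy "$RCFILE")"
echo "fixed: $(scan_fixed "$RCFILE")"
rm -f "$RCFILE"
```

The buggy shape reports the "sshdd" hit as "/usr/bin/.etc:Example rootkit B", the last entry processed in the first pass, while the corrected shape reports "sshdd:Example rootkit A"; with the file whitelisted as a whole the buggy shape reports nothing at all, even when "/usr/bin/.etc" is present.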