On Fri, 2003-11-21 at 09:50, Andy Green wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Friday 21 November 2003 12:18, Grosswiler Roger wrote:
> > Hi guys,
> >
> > Running chkrootkit on my server lets me know that I have a 'possible
> > installation of the zk rootkit' on my server. Does anybody know how I can
> > find out about this rootkit, where the files are and what I can do against
> > it?
>
> I get the same report here, it's a script problem I believe, not any kind of
> backdoor. Here's the bit of the script:
>
> if [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk
> ]; then
> echo "Possible ZK rootkit installed"
>
> Here's what happens when you run that:
>

You are not running the same thing. The [ -f filename ] is a test to see if a file
exists and is a regular file. The -o is an operator to the test function, not
something passed to run. In fact, [ is a symbolic link to test:

[exhibitor1@test1 console]$ locate [
/usr/share/man/man1/[.1.gz
/usr/bin/[
[exhibitor1@test1 console]$ cd /usr/bin
[exhibitor1@test1 bin]$ ll [
lrwxrwxrwx 1 root root 4 Nov 8 00:25 [ -> test

See man test or man bash.

On my Fedora test box:

[exhibitor1@test1 bin]$ export ROOTDIR="/"
[exhibitor1@test1 bin]$ echo $ROOTDIR
/
[exhibitor1@test1 bin]$ [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk ]
[exhibitor1@test1 bin]$ echo $?
1

The return code indicates that neither test was true. What the line from the
script that you posted says is: if /usr/bin/run exists as a regular file OR
/etc/sysconfig/console/load.zk exists as a regular file, then echo ...

> [agreen@fastcat console]$ /usr/bin/run -o -f /etc/sysconfig/console/load.zk
> /usr/bin/run: invalid option -- o
>

What this line says is: run the file /usr/bin/run and pass it the rest as
arguments.

> Here's what's in the bad place:
>
> [agreen@fastcat audio]$ cd /etc/sysconfig/console
> [agreen@fastcat console]$ ll
> total 0

Bret
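The file-existence test Bret walks through above, as an added example that is not part of the thread and not chkrootkit's own code. It wraps the same check in a function so its exit status can be inspected, and runs it against a constructed temporary directory tree (the function names zk_marker_present, zk_marker_present_dash_o and make_tree are assumptions for this example; the ROOTDIR-style prefix convention and the two marker paths are the ones from the quoted script). It also shows the POSIX-recommended `[ a ] || [ b ]` form beside the `-o` form from the script; both return the same status.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: the marker-file check from the thread,
# wrapped so the exit status can be checked.  The first argument is a
# chkrootkit-style ROOTDIR prefix ending in "/"; it defaults to "/" but the
# demo below points it at a constructed temporary tree so nothing real is
# touched.

# Returns 0 ("possible ZK rootkit") when either marker exists as a regular
# file, 1 otherwise.  Written as two separate test commands joined by ||,
# which POSIX prefers over the -o operator; the result is the same.
zk_marker_present() {
    rootdir="${1:-/}"
    if [ -f "${rootdir}usr/bin/run" ] || [ -f "${rootdir}etc/sysconfig/console/load.zk" ]; then
        return 0
    fi
    return 1
}

# Same check written exactly as in the quoted script: one [ invocation with
# the -o operator.  [ is test, so -o is consumed by test, not by /usr/bin/run.
zk_marker_present_dash_o() {
    rootdir="${1:-/}"
    [ -f "${rootdir}usr/bin/run" -o -f "${rootdir}etc/sysconfig/console/load.zk" ]
}

# Create a constructed, empty directory tree under mktemp and print its path
# with a trailing slash so it can be used as the ROOTDIR prefix.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/etc/sysconfig/console"
    printf '%s\n' "$t/"
}

# Walk through the two states: clean tree (status 1), then one marker file
# touched (status 0), mirroring Bret's "echo $?" session.
demo() {
    root=$(make_tree)
    if zk_marker_present "$root"; then
        echo "unexpected: clean tree reported"
    else
        echo "clean tree: nothing reported (exit status 1)"
    fi
    : > "${root}etc/sysconfig/console/load.zk"   # constructed marker file
    if zk_marker_present "$root"; then
        echo "marker present: Possible ZK rootkit installed (exit status 0)"
    fi
    rm -rf "$root"
}
```

Run `demo` from the shell after sourcing the file; the only difference between the two helper functions is syntax, and both give exit status 1 on a tree without either marker and 0 once one of the two files exists as a regular file.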