zk rootkit

Bret Hughes bhughes at elevating.com
Fri Nov 21 16:22:44 UTC 2003


On Fri, 2003-11-21 at 09:50, Andy Green wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Friday 21 November 2003 12:18, Grosswiler Roger wrote:
> > hi guys,
> >
> > running chkrootkit on my server lets me know that I have a 'possible
> > installation of the zk rootkit' on my server. Does anybody know how I can
> > find out about this rootkit, where the files are and what I can do against
> > it?
> 
> I get the same report here, it's a script problem I believe, not any kind of 
> backdoor.  Here's the bit of the script
> 
>    if [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
>          echo "Possible ZK rootkit installed"
> 
> Here's what happens when you run that
> 

You are not running the same thing.

The [ -f filename ] is a test to see whether a file exists and is a regular
file.  The -o is an operator for the test command, not something passed to run.
In fact [ is a symbolic link to test:
[exhibitor1@test1 console]$ locate [
/usr/share/man/man1/[.1.gz
/usr/bin/[
[exhibitor1@test1 console]$ cd /usr/bin
[exhibitor1@test1 bin]$ ll [
lrwxrwxrwx    1 root     root            4 Nov  8 00:25 [ -> test

See man test or man bash.

On my Fedora test box:

[exhibitor1@test1 bin]$ export ROOTDIR="/"
[exhibitor1@test1 bin]$ echo $ROOTDIR
/
[exhibitor1@test1 bin]$ [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk ]
[exhibitor1@test1 bin]$ echo $?
1

The return code indicates that neither test was true.

 
What the line from the script you posted says is: if /usr/bin/run exists
as a regular file OR /etc/sysconfig/console/load.zk exists as a regular
file, then echo ...

> [agreen@fastcat console]$ /usr/bin/run -o -f /etc/sysconfig/console/load.zk
> /usr/bin/run: invalid option -- o
> 
What this line says is: run the file /usr/bin/run and pass it the rest as
arguments.

> Here's what's in the bad place
> 
> [agreen@fastcat audio]$ cd /etc/sysconfig/console
> [agreen@fastcat console]$ ll
> total 0


Bret
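
The distinction Bret draws above (the `[` in the chkrootkit snippet is the test command, and `-o` is its OR operator, so the line never executes /usr/bin/run) can be replayed safely. The script below is an added example, not code from the original thread or from chkrootkit itself: it wraps the same test expression in a function, runs it against a throwaway temporary tree instead of the real filesystem, and also shows the equivalent form written as two `[ ]` tests joined by `||`, which POSIX recommends over `-o` inside a single test. The function and variable names (zk_check, zk_check_posix, make_fake_root, report, demo) are the example's own.

```sh
#!/bin/sh
# Added example (not from the original thread or from chkrootkit itself):
# replays the chkrootkit ZK check against a throwaway directory so the
# behaviour of [ / test and the -o operator can be observed safely.
# Function and variable names here are the example's own.

# zk_check ROOTDIR
#   Returns 0 (true) when either marker path exists as a regular file under
#   ROOTDIR, 1 otherwise. This is the same expression as the chkrootkit
#   snippet quoted above: [ is the test command and -o is its OR operator,
#   so nothing here executes /usr/bin/run.
zk_check() {
    ROOTDIR="$1"
    if [ -f "${ROOTDIR}usr/bin/run" -o -f "${ROOTDIR}etc/sysconfig/console/load.zk" ]; then
        return 0
    fi
    return 1
}

# zk_check_posix ROOTDIR
#   Same check written as two separate tests joined by ||. POSIX marks -o
#   inside a single [ ... ] as obsolescent, and it can be misparsed when a
#   path itself looks like an operator; this form has no such ambiguity.
zk_check_posix() {
    ROOTDIR="$1"
    [ -f "${ROOTDIR}usr/bin/run" ] || [ -f "${ROOTDIR}etc/sysconfig/console/load.zk" ]
}

# make_fake_root
#   Prints the path (with trailing slash, as the snippet expects) of a fresh
#   temporary tree containing the two directories the check looks in.
make_fake_root() {
    d=$(mktemp -d)
    mkdir -p "${d}/usr/bin" "${d}/etc/sysconfig/console"
    printf '%s/\n' "$d"
}

# report ROOTDIR LABEL
#   Prints what the check says for one state of the tree.
report() {
    if zk_check "$1"; then
        echo "$2: Possible ZK rootkit installed"
    else
        echo "$2: clean"
    fi
}

demo() {
    # What [ is on this system: a shell builtin, a symlink to test, or a separate binary.
    echo "[ resolves to: $(command -v '[')"
    ls -l '/usr/bin/[' 2>/dev/null || echo "no /usr/bin/[ binary on this system"

    root=$(make_fake_root)
    report "$root" "empty tree"

    # A directory called run is not a regular file, so -f does not match it.
    mkdir "${root}usr/bin/run"
    report "$root" "usr/bin/run is a directory"

    # Any regular file at either path is enough to trigger the message.
    touch "${root}etc/sysconfig/console/load.zk"
    report "$root" "load.zk present"

    rm -rf "$root"
}

demo
```

Running it prints "clean" for the empty tree and for the directory named run, and "Possible ZK rootkit installed" once an empty regular file exists at etc/sysconfig/console/load.zk under the fake root; the check knows nothing about what the file contains, only that a regular file is there, which is why a legitimate /usr/bin/run on a system is enough to produce the report.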