#!/bin/sh

#################################################################################
#
#  Rootkit Hunter 
# ----------------
#
# Copyright Michael Boelen ( michael AT rootkit DOT nl )
#
# This software is GPL and free to use. See LICENSE file for
# use of this software.
#
#################################################################################
# [More info at the end of this file]
#################################################################################
#
# Program information
PROGRAM_NAME="Rootkit Hunter"
PROGRAM_version="1.2.8"
PROGRAM_releasedate="14 Feb 2006"
PROGRAM_author="Michael Boelen"
PROGRAM_copyright="Copyright 2003-2006, ${PROGRAM_author}"
# Multi-line banner; it is written to the log right after the global
# functions are defined (logtext call further down).
PROGRAM_license="
${PROGRAM_NAME} ${PROGRAM_version}, ${PROGRAM_copyright}

${PROGRAM_NAME} comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to redistribute it under the terms of the GNU General
Public License. See LICENSE for details.
"

PROGRAM_extrainfo=""

# Run as cronjob? CRONJOB=1 (--cronjob) turns off colours and keypress
# pauses; CHECK=1 means a scan was requested (-c / --checkall / --cronjob).
CRONJOB=0
CHECK=0

# Debugging: DEBUGLOG=1 (--createlogfile) sends the log to
# /var/log/rkhunter.log, otherwise DEBUGFILE becomes /dev/null.
# CATLOGFILE=1 (--display-logfile) asks for the log to be shown.
DEBUG=1
DEBUGLOG=0
CATLOGFILE=0

VERSIONCHECK=0
UPDATE=0
# NOARGS=1 means the script was started without options (or with -h)
NOARGS=1
NOCOLORS=0

# Skip MD5 check
MD5CHECK_SKIP=0
# Skip passwd/group check
PASSWDCHECK_SKIP=0
# Application check
APPLICATION_CHECK=1

# Patched software versions?
USE_PATCHED_SOFTWARE=0

# Last line written by displaytext; echoed as context before a warning
# in quiet mode.
PREVIOUSTEXT=""

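# SunOS improvement: the stock /bin/sh on SunOS is a Bourne shell without
# $RANDOM, so the two expansions below compare equal there (on ksh/bash
# they only coincide by chance). In that case re-exec the script under
# /bin/ksh, which supports the constructs used further down.
# The arguments are passed as "$@" so that option values containing
# spaces survive the re-exec unchanged ("$*" would re-split them).
if [ "`uname`" = "SunOS" ]; then
  if [ "$RANDOM" = "$RANDOM" ]; then
    echo "WARN: Found Bourne-Shell -> Switching now to /bin/ksh"
    exec /bin/ksh "$0" "$@"
    # Only reached when exec itself failed: do not report success.
    exit 1
  fi
fi

export PERL_BADLANG=0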

# echo alias for AIX/OpenBSD/SunOS
# On those systems the script may run under ksh, whose 'print' builtin is
# used instead of echo. ECHOOPT is spliced unquoted in front of echo
# arguments by logtext/displaytext ("--" for print, nothing for bash);
# MYSHELL selects the ksh or bash code path in those functions.
# NOTE(review): E is only assigned in this chunk; its use (if any) is
# elsewhere in the file.
# NOTE(review): alias expansion inside a non-interactive script depends on
# the shell (POSIX sh and bash in sh/POSIX mode expand aliases, plain bash
# does not unless 'expand_aliases' is set) - confirm on each target.
case `uname` in
        AIX|OpenBSD|SunOS)
        # What is the default shell: 'print' only succeeds where it is a
        # ksh builtin.
        if print >/dev/null 2>&1
          then
            alias echo='print'
            E=""
            ECHOOPT="--"
            MYSHELL=ksh
          else
            E="-e"
            ECHOOPT=""
            MYSHELL=bash
        fi
        ;;
        *) E="-e" ; ECHOOPT="" ; MYSHELL=bash ;;
esac

# The stub for localization
# lmsg_ TEMPLATE [ARG...]
# printf-like formatter used when no external 'lmsg' helper is installed
# (see the alias selection below). TEMPLATE contains numbered
# placeholders (%1, %2, ...) that are replaced by the matching positional
# argument; a literal percent sign is written as '%%'.
# The template ends up as a printf format string and is run through
# eval, so it must always be a trusted literal from this script - never
# text read from the system being inspected.
lmsg_()
{
	PARGS=
	F_="$1"
	shift

	# Extract the digit of every %N placeholder (after discarding '%%'
	# pairs) and build the argument list '"$1" "$2" ...' for the eval.
	for i in `echo "$F_" | sed -e 's/\(%%\)*//g' -e 's/[^%]*\(%[[:digit:]]\)\{0,1\}/\1/g' -e 's/%/ /g' 2>/dev/null`; do
		PARGS="$PARGS \"\$$i\""
	done

	# Rewrite each %N into %s (leaving '%%' intact) so printf can use it.
	F="`echo "$F_" | sed -e 's/\([^%]\)%\(\(%%\)*\)[[:digit:]]/\1\2%s/g' -e 's/^%\(\(%%\)*\)[[:digit:]]/\1%s/g' 2>/dev/null`"
	# "\$F" keeps the format out of the eval'd text (it is expanded, still
	# quoted, at eval time); only the "$N" references are spliced in.
	eval "printf -- \"\$F\" $PARGS"
}

# Prefer an installed 'lmsg' translator: fed the template "%1" and the
# argument "lmsg" it must echo back "lmsg". Otherwise use the stub above.
# Either way '_' is the message formatter used throughout the script
# (the first word of the external form is presumably the catalogue name).
if [ "use_`( lmsg "%1" lmsg ) 2>/dev/null`" = "use_lmsg" ]; then
	alias _='lmsg rkhunter'
else
	alias _=lmsg_
fi

#ATTENTIONWORDS="`_ BAD | od -tx1 -An | tr -d " \n"`"
#ATTENTIONWORDS="${ATTENTIONWORDS}|`_ Warning | od -tx1 -An | tr -d " \n"`"
#ATTENTIONWORDS="${ATTENTIONWORDS}|`_ WARNING | od -tx1 -An | tr -d " \n"`"
#ATTENTIONWORDS="${ATTENTIONWORDS}|`_ Watch | od -tx1 -An | tr -d " \n"`"
# Extended regex (used with egrep in displaytext) of the words that mark a
# displayed line as a warning. The words pass through the translator, so a
# translation containing ERE metacharacters ('.', '|', '(') would change
# what the pattern matches.
ATTENTIONWORDS="`_ BAD`|`_ Warning`|`_ WARNING`|`_ Watch`"

# Look for a 'send-mail' command (with 'which' when 'sh' is on the PATH,
# with 'hash' otherwise). The exit status of the group is that of the
# last lookup; the "0" prefix keeps the comparison numeric even if $? is
# somehow empty.
{ which sh; if [ "0" -eq "$?" ]; then which send-mail; else hash send-mail; fi } >/dev/null 2>&1

if [ "0" -eq "0$?" ]; then
	alias mail=send-mail
fi

# Be quiet (only show warnings)
QUIET=0

# Show only warnings
SHOWWARNINGSONLY=0
PERFORMKNOWNBAD=0

# Almost every system has a root of '/', but just in case of..
# ROOTDIR is prefixed to every rootkit path below, so it must keep its
# trailing slash (paths are written as "${ROOTDIR}usr/...").
ROOTDIR="/"

# One way to detect our active directory (autoconf based)
#MYDIR=`dirname "$0" 2>/dev/null` || 
#echo X$0 | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
#          /^X\(\/\/\)[^/].*/{ s//\1/; q; }
#          /^X\(\/\/\)$/{ s//\1/; q; }
#          /^X\(\/\).*/{ s//\1/; q; }
#          s/.*/./; q'

# Quick scanning (instead of full scan)
QUICKSCAN=0

# Report mode (do not show footer and make a 'professional' report)
REPORTMODE=0

# Set prefix for binaries (useful when using chrooted environments)
BINPREFIX=""

# Wait after every test
PAUSEAFTERTESTS=1

# Wait after warning (--skip-keypress will deactivate this)
WAITONWARNING=1

# Operating system is Gentoo? (check will be performed later)
GENTOO=0

# Allow SSH root login (default: NOT allowed). "1" suppresses the BAD
# mark for a permissive sshd configuration; can come from the command
# line or the configuration file.
ALLOW_SSH_ROOT_USER="0"

# Check parameters: remember how many were given and flag an invocation
# without any option at all.
PARAMCOUNT=$#
if [ "$#" -eq 0 ]; then
  NOARGS=1
else
  NOARGS=0
fi

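#######################################
# Option parsing. Value-taking options (--bindir, --configfile, --dbdir,
# -r/--rootdir, --tmpdir) consume the following word; a missing value is
# fatal instead of silently storing an empty path, because an empty
# ROOTDIR or TMPDIR would point the later checks at the wrong place.
# Globals written: the flag variables initialised above plus BINPATHS,
#   CONFIGFILE, DB_PATH, ROOTDIR, TMPDIR.
# Outputs: --version prints the version and exits 0; an unknown option
#   or a missing value prints a fatal message and exits 1.
#######################################
rkh_require_value()
{
  # $1 is the option, the rest is what remains of the command line.
  if [ $# -lt 2 ]; then
    echo "Fatal: Option $1 requires a value"
    exit 1
  fi
}

rkh_parse_options()
{
  while [ $# -ge 1 ]; do
    case "$1" in
      --allow-ssh-root-user)
          ALLOW_SSH_ROOT_USER="1"
          ;;
      -c | --checkall)
          CHECK=1
          ;;
      --bindir)
          rkh_require_value "$@"
          shift
          BINPATHS=$1
          ;;
      --configfile)
          rkh_require_value "$@"
          shift
          CONFIGFILE=$1
          ;;
      --cronjob)
          CHECK=1
          CRONJOB=1
          PAUSEAFTERTESTS=0
          WAITONWARNING=0
          ;;
      --createlogfile | --createlog | --create-log | --create-logfile)
          DEBUG=1
          DEBUGLOG=1
          ;;
      --dbdir)
          rkh_require_value "$@"
          shift
          DB_PATH=$1
          ;;
      --disable-md5-check | --disable-md5check | --dmc)
          MD5CHECK_SKIP=1
          ;;
      --disable-passwd-check | --dpc)
          PASSWDCHECK_SKIP=1
          ;;
      # The dashed spellings are the intended ones; the bare words are
      # what this pattern matched before and are kept so existing command
      # lines keep working.
      --display-logfile | --displaylogfile | --display-log | --displaylog | displaylogfile | display-log | displaylog)
          CATLOGFILE=1
          ;;
      # '-?' must be quoted: as an unquoted pattern it is a glob matching
      # any two-character option and would swallow -q and -r below.
      -h | --help | '-?')
          NOARGS=1
          ;;
      --nocolors)
          NOCOLORS=1
          ;;
      -q | --quiet)
          QUIET=1
          ;;
      --quick)
          QUICKSCAN=1
          ;;
      --report-mode | --reportmode)
          QUIET=1
          REPORTMODE=1
          ;;
      --report-warnings-only)
          SHOWWARNINGSONLY=1
          QUIET=1
          DEBUG=1
          DEBUGLOG=1
          ;;
      -r | --rootdir)
          rkh_require_value "$@"
          shift
          ROOTDIR=$1
          ;;
      --scan-knownbad-files)
          PERFORMKNOWNBAD=1
          ;;
      --skip-application-check | --skipapplicationcheck | --skip-applicationcheck)
          APPLICATION_CHECK=0
          ;;
      --skip-keypress | --skipkeypress | -sk)
          # Don't wait after every test
          PAUSEAFTERTESTS=0
          # Don't wait after warnings
          WAITONWARNING=0
          ;;
      --tmpdir)
          rkh_require_value "$@"
          shift
          TMPDIR=$1
          ;;
      --version)
          echo $ECHOOPT "${PROGRAM_NAME} ${PROGRAM_version}"
          exit 0
          ;;
      --update)
          UPDATE=1
          ;;
      --versioncheck)
          VERSIONCHECK=1
          ;;
      *)
          echo "Fatal: Invalid option $1"
          exit 1
          ;;
    esac
    shift
  done
}

rkh_parse_options "$@"
# The former inline loop shifted every argument away; keep the positional
# parameters empty so the arg1/arg2/arg3 assignments below see the same.
set --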

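# Choose the log file. With DEBUGLOG=0 (the default; treated as 0 when
# unset) everything goes to /dev/null; with --createlogfile it is
# /var/log/rkhunter.log, recreated from scratch for this run.
if [ "${DEBUGLOG:-0}" -eq 0 ]; then
    # Through the drain...
    DEBUGFILE="/dev/null"
else
    if [ -d "/var/log" ]; then
        DEBUGFILE="/var/log/rkhunter.log"
    else
        echo "`_ "/var/log doesn't exists... no log file created"`"
        DEBUGFILE="/dev/null"
    fi
    # Start with a fresh log: remove whatever sits at that path (a stale
    # file or a stray link) before creating it. Mode 550 keeps the log,
    # which lists the paths of suspect files, readable by owner and group
    # only.
    if [ "${DEBUGFILE}" != "/dev/null" ]; then
        if [ -f "${DEBUGFILE}" ]; then
            rm -f "${DEBUGFILE}"
        fi
        touch "${DEBUGFILE}"
        if [ -f "${DEBUGFILE}" ]; then
            chmod 550 "${DEBUGFILE}"
        fi
    fi
fi

# Safety net: every branch above sets DEBUGFILE, but never log to "".
if [ "${DEBUGFILE}" = "" ]; then
    DEBUGFILE="/dev/null"
fi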

# Scan counters; INFECTED_COUNT, INFECTED_NAMES and SCANNED_COUNT are
# updated by scanrootkit below.
INFECTED_COUNT=0
INFECTED_NAMES=""
SCANNED_COUNT=0
MD5_COUNT=0
MD5_DIFFERENT=0

FOUNDFILE=0
FOUNDRCSIGNS=0

# Initialize grsec (grsec check)
GRSECINSTALLED=0

# Warnings: becomes 1 as soon as a warning is found or displayed
# (see displaytext and scanrootkit)
WARNING=0

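# Cron mode never uses colours or keypress pauses; interactively the
# --nocolors option decides. Flags default to 0 when unset.
if [ "${CRONJOB:-0}" -eq 1 ]; then
  COLORS=0
  # Do not wait in cronjob mode
  PAUSEAFTERTESTS=0
  WAITONWARNING=0
elif [ "${NOCOLORS:-0}" -eq 1 ]; then
  COLORS=0
else
  COLORS=1
fi

# --quick only makes sense together with -c; warn about it (the run
# continues).
if [ "${QUICKSCAN:-0}" -eq 1 ] && [ "${CHECK:-0}" -eq 0 ]; then
    echo "Wrong parameter use: Quickscan option active, but scan option (-c) is missing..."
fi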

# Integrity tests
STRINGSFAILED=0

# Terminal colour sequences, only defined when colours are enabled; with
# COLORS=0 the variables stay empty and the markers print plain.
# NOTE(review): each sequence is expected to start with an ESC (0x1b)
# byte before the '['; if that byte was lost while editing, the codes are
# printed literally - check with 'od -c'.
if [ "${COLORS}" -eq 1 ]; then
  # Colors
  NORMAL="[0;39m" 
  warning="[33;55;1m"		# warning (red)
  YELLOW="[1;33m"		# yellow
  WHITE="[1;37m"		# white
  OK="[1;32m"			# green (OK)
  BAD="[1;31m"		# red (BAD)
  DARKGRAY="[1;30m"
  green="[1;32m"		# green
  red="[1;31m"		# red
fi

# Checking hostname (written to the log header below)
hostname=`hostname`

# Check timestamp (start). ksh on AIX/SunOS supplies $SECONDS (seconds
# since the shell started); elsewhere the epoch from date(1) is used. The
# two have different bases, so BEGINTIME is only meaningful against a
# value taken the same way.
case `uname` in
  AIX|SunOS)
      BEGINTIME=$SECONDS
      ;;
  *)
      BEGINTIME=`date +%s`
      ;;
esac

# NOTE(review): filelist is not referenced anywhere in this part of the
# script.
filelist="/bin/ps /bin/ls"

# Messages
# Shown by scanrootkit when traces of a rootkit were found; %1 is
# replaced by the log file name.
FOUNDTRACES="
         --------------------------------------------------------------------------------
`_ "         Found parts of this rootkit/trojan by checking the default files and directories
         Please inspect the available files, by running this check with the parameter
         --createlogfile and check the log file (current file: %1)." "$DEBUGFILE"`
	     --------------------------------------------------------------------------------
	     "

# Default column width: where scanrootkit aligns its [ OK ] / [ Warning! ]
# marker
defaultcolumn="60"

# Use parameters
# NOTE(review): the option loop above shifts every positional parameter
# away, so these three are always empty at this point.
arg1="$1"
arg2="$2"
arg3="$3"

# Initialise default status
STATUS="0"
# Name of the extended-grep command
EGREP="egrep"


# Bookkeeping for save_state: the progress percentage written to the
# state file is CURRENT_PROGRESS_VAL relative to TOTAL_PROGRESS_VAL
# (raised by inc_to_total / inc_progress).
STATE=load
TOTAL_PROGRESS_VAL=100
CURRENT_PROGRESS_VAL=0
# NOTE(review): 'en' is not a standard locale name; where it is unknown
# date(1) falls back to the C locale, which is probably what is wanted
# here - 'C' would say so explicitly.
START_TIME="`LC_ALL=en date "+%a, %e %b %Y %T %z"`"

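# Advance the progress counter by $1 (an empty or missing value counts as
# 0), raise the total if the counter would overshoot it, then persist
# the state through save_state.
inc_progress()
{
	INC_PROGRESS_VAL="$1"
	CURRENT_PROGRESS_VAL="$((${CURRENT_PROGRESS_VAL:-0} + ${INC_PROGRESS_VAL:-0}))"
	# The "0" prefix keeps the comparison numeric for empty values.
	if [ "0$CURRENT_PROGRESS_VAL" -gt "0$TOTAL_PROGRESS_VAL" ]; then
		TOTAL_PROGRESS_VAL=$CURRENT_PROGRESS_VAL
	fi
	save_state
}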

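# Add $1 (0 when empty or missing) to the progress total.
inc_to_total()
{
	TOTAL_PROGRESS_VAL="$((${TOTAL_PROGRESS_VAL:-0} + ${1:-0}))"
}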

# Write the current state (phase, warning flag, progress percentage and
# timestamps) to $RKHUNTER_STATE_FILE. A no-op when that variable is
# unset or empty, so the file is only produced on request.
# TOTAL_PROGRESS_VAL starts at 100 and is only ever raised above, so the
# division cannot hit zero.
save_state()
{
	[ -z "$RKHUNTER_STATE_FILE" ] &&
		return

	# The record is first written to a ".work" sibling.
	cat >"${RKHUNTER_STATE_FILE}.work" <<EOF
State: $STATE
Warning: $WARNING
Progress: $(((100 * $CURRENT_PROGRESS_VAL) / $TOTAL_PROGRESS_VAL))%
Start-Time: $START_TIME
Update-Time: `LC_ALL=en date "+%a, %e %b %Y %T %z"`
EOF

	# using 'cp' instead of 'mv' for more atomicity and permission keeping
	# NOTE(review): cp rewrites the destination in place, so a reader can
	# observe a partially written file; what it does preserve is the
	# destination's owner and mode. It also follows a symlink at the
	# destination, so the state file path must not be writable by
	# untrusted users.
	cp "${RKHUNTER_STATE_FILE}.work" "${RKHUNTER_STATE_FILE}"
	rm "${RKHUNTER_STATE_FILE}.work"
}

##################################################################################################
#
# Global functions
#
##################################################################################################

    # Jump: set position - remember the width measured in SIZE in 'counter'.
    # (Distinct from the numeric variable 'jump' that scanrootkit computes
    # for the cursor-movement escape used by insertlayout.)
    jump()
      {
        counter="$SIZE"
      }

    # Waitkeypress: wait for a keypress after some events
    # Prompts for <ENTER> when WAITONWARNING or PAUSEAFTERTESTS is set and
    # QUIET is 0. The line typed is read into 'a' and otherwise ignored.
    waitkeypress()
      {
        if [ "${WAITONWARNING}" -eq 1 ] || [ "${PAUSEAFTERTESTS}" -eq 1 ]; then
          if [ "${QUIET}" -eq 0 ]; then
            echo ""
            echo "[Press <ENTER> to continue]"
            read a
          fi
        fi
      }

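    # Debugdate: insert date/time
    # Writes "[HH:MM:SS] " to stdout without a trailing newline; logtext
    # uses it as the prefix of a log line. printf replaces 'echo -n',
    # which is not portable (a POSIX echo may print "-n" literally).
    debugdate()
      {
        sdate=`date "+[%H:%M:%S] "`
        printf '%s' "${sdate}"
      }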

    # Keypresspause: wait for a keypress, only if option is set
    # Like waitkeypress, but honours PAUSEAFTERTESTS alone (and QUIET).
    keypresspause()
      {
        if [ "${PAUSEAFTERTESTS}" -eq 1 ] && [ "${QUIET}" -eq 0 ]; then
          echo ""
          echo "[Press <ENTER> to continue]"
          read a
        fi
      }

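    # Logtext: add text to logfile
    # Usage: logtext [-n|-e|--nodate] TEXT
    # Appends TEXT to DEBUGFILE, prefixed with the time from debugdate
    # unless --nodate is given (used for the second half of a line started
    # with -n). -n/-e carry echo's usual meaning; under ksh, where echo is
    # 'print', they are emulated explicitly.
    # ECHOOPT is deliberately unquoted: it is either empty or the word
    # "--" for print.
    logtext()
      {
        # Add date/time to logfile
        if [ ! "$1" = "--nodate" ]; then
          debugdate >> "${DEBUGFILE}"
        fi

        case "$1" in
          -n | -e)
            if [ "$MYSHELL" = "ksh" ]; then
              # print has no -e; it interprets escapes by default.
              if [ "$1" = "-n" ]; then
                echo -n "$2" >> "${DEBUGFILE}"
              else
                echo $ECHOOPT "$2" >> "${DEBUGFILE}"
              fi
            else
              echo $1 "$2" >> "${DEBUGFILE}"
            fi
            ;;
          --nodate)
            echo $ECHOOPT "$2" >> "${DEBUGFILE}"
            ;;
          *)
            echo $ECHOOPT "$1" >> "${DEBUGFILE}"
            ;;
        esac
      }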

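    # Displaytext: display text to STDOUT
    # Usage: displaytext [-n|-e] TEXT
    # Prints TEXT with echo's -n/-e semantics when given. If any argument
    # matches the ATTENTIONWORDS regex the line counts as a warning:
    # WARNING is set to 1 and, in quiet mode, the previously displayed
    # line is echoed first as "Line: ..." for context. In quiet mode
    # non-warning lines are not shown at all. PREVIOUSTEXT remembers the
    # last text printed.
    # ECHOOPT is deliberately unquoted (empty, or "--" for ksh's print).
    displaytext()
      {
        DODISPLAY=0
        FOUNDWARNING=0

        # One egrep pass over all three arguments (the old code ran it
        # three times); printf keeps a leading "-n"/"-e" from being eaten
        # by echo before the match.
        FOUNDWARNINGS=`printf '%s\n' "$1" "$2" "$3" | egrep "$ATTENTIONWORDS"`
        if [ ! "${FOUNDWARNINGS}" = "" ]; then
          FOUNDWARNING=1
          WARNING=1
        fi

        if [ "${QUIET}" -eq 1 ]; then
          if [ "${FOUNDWARNING}" -eq 1 ]; then
            DODISPLAY=1
            echo "Line: ${PREVIOUSTEXT}"
          fi
        else
          DODISPLAY=1
        fi

        if [ "${DODISPLAY}" -eq 1 ]; then
          case "$1" in
            -n | -e)
              if [ "$MYSHELL" = "ksh" ]; then
                # print has no -e; it interprets escapes by default.
                if [ "$1" = "-n" ]; then
                  echo -n "$2"
                else
                  echo $ECHOOPT "$2"
                fi
              else
                echo $ECHOOPT $1 "$2"
              fi
              PREVIOUSTEXT="$2"
              ;;
            *)
              echo $ECHOOPT "$1"
              PREVIOUSTEXT="$1"
              ;;
          esac
        fi
      }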

    # Insertlayout: set LAYOUT, the text placed in front of the
    # "[ OK ]" / "[ Warning! ]" marker. Interactively this is a
    # cursor-forward escape over 'jump' columns (expanded by
    # displaytext -e); in cron mode a plain two-space separator is used.
    insertlayout()
      {
        case "${CRONJOB}" in
          0) LAYOUT="\033[${jump}C" ;;
          *) LAYOUT="  " ;;
        esac
      }
      
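    # Scanrootkit: test for one rootkit.
    # Inputs (globals): SCAN_ROOTKIT (display name); SCAN_FILES and
    #   SCAN_DIRS (whitespace-separated paths, '%' standing for a space
    #   inside a path); SCAN_KSYMS (symbol to look for in /proc/ksyms).
    # Outputs (globals): SCAN_STATUS (1 when any trace was found),
    #   SCANNED_COUNT, INFECTED_COUNT, INFECTED_NAMES, WARNING, and the
    #   comma-separated ROOTKIT_TESTS list. Details go to the log via
    #   logtext, the verdict to the screen via displaytext.
    scanrootkit()
      {
        if [ "${ROOTKIT_TESTS}" = "" ]; then
          ROOTKIT_TESTS="${SCAN_ROOTKIT}"
        else
          ROOTKIT_TESTS="${ROOTKIT_TESTS}, ${SCAN_ROOTKIT}"
        fi
        SCAN_STATUS=0
        # Column for the status marker: the quoted rootkit name is
        # measured with wc so the marker lines up with the other tests.
        JUMPCOL=`expr ${defaultcolumn} - 12`
        SIZE=`echo \'${SCAN_ROOTKIT}\' | wc -c | tr -s ' ' | tr -d ' '`
        jump=`expr ${JUMPCOL} - ${SIZE}`
        displaytext -n "   `_ "Rootkit '%1'..." "${SCAN_ROOTKIT}"` "
        logtext "*** Start scan ${SCAN_ROOTKIT} ***"

        # logtext appends to DEBUGFILE itself; no extra redirection needed.
        for I in $SCAN_FILES; do
          SCANNED_COUNT=`expr ${SCANNED_COUNT} + 1`
          I=`echo ${I} | tr -s '%' ' '`
          logtext -n "  - File ${I}... "
          if [ -f "${I}" ]; then
            logtext --nodate "WARNING! Exists."
            SCAN_STATUS=1
            # Set warning value, to exit the with a nonzero state
            WARNING=1
          else
            logtext --nodate "OK. Not found."
          fi
        done

        for I in $SCAN_DIRS; do
          I=`echo ${I} | tr -s '%' ' '`
          logtext -n "  - Directory ${I}... "
          if [ -d "${I}" ]; then
            logtext --nodate "WARNING! Exists."
            SCAN_STATUS=1
          else
            logtext --nodate "OK. Not found."
          fi
        done

        # Scan ksyms file (only present on kernels that still export it)
        if [ ! "${SCAN_KSYMS}" = "" ] && [ -f "${ROOTDIR}proc/ksyms" ]; then
          SEARCHTEXT=`grep -- "${SCAN_KSYMS}" "${ROOTDIR}proc/ksyms"`
          if [ ! "${SEARCHTEXT}" = "" ]; then
            logtext "WARNING! Found ${SCAN_KSYMS}"
            # A kernel-symbol hit is a trace like a file or directory hit:
            # flag it so the screen shows the warning, not only the log.
            SCAN_STATUS=1
          else
            logtext "ksyms file seems to be clean"
          fi
        fi

        insertlayout
        if [ "${SCAN_STATUS}" -eq 1 ]; then
          displaytext -e "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
          INFECTED_COUNT=`expr ${INFECTED_COUNT} + 1`
          INFECTED_NAMES="${INFECTED_NAMES}${SCAN_ROOTKIT} "
          displaytext "${FOUNDTRACES}"
          # Run routine
          waitkeypress
        else
          displaytext -e "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
        fi
      }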

    # Extra SucKIT checks, Linux only and only when a 'stat' binary was
    # found by the application scan. Sets SCAN_STATUS=1 on a hit and logs
    # the reason; skips (with an Info line) otherwise.
    scanrootkit_suckit_extra_checks()
      {
        if [ "${OPERATING_SYSTEM}" = "Linux" ]
	  then
	    if [ ${STATFOUND} -eq 1 ]
	      then
    	        # Let's check the amount of links /sbin/init has
    	        # (field 9 of the terse 'stat -t' output is presumably the
    	        # link count; anything other than 1 is reported)
		unset i;
	        i=`stat -t /sbin/init | cut -d ' ' -f9`
	        case ${i} in
		       1) ;;
		       *) logtext "WARNING! ${SCAN_ROOTKIT} /sbin/init linkage"
		          SCAN_STATUS=1;;
	        esac
	        # Let's check xrk or mem hiding: create a file with a .xrk /
	        # .mem name in TMPDIR and see whether it is still visible.
		# Easiest way to define random?
		# (PID followed by the epoch seconds - unique enough for a
		# file name, but not random)
		__RANDOM=$$$(date +%s)
	        # NOTE(review): this umask stays in effect for the rest of the
	        # run; it is never restored.
	        umask 027
	        for ext in xrk mem; do
	               randf="${TMPDIR}/${__RANDOM}.${ext}"
	               # Only when no such file exists: create it, expect to
	               # see it, remove it; failing to see it is the warning.
	               test -f ${randf} || \
	               ( touch ${randf} && test -f ${randf} && rm -f ${randf} ||\
	                logtext "WARNING! ${SCAN_ROOTKIT} ${ext} hiding" )
	        done
	        # If we've got skdet (check Debian), let's use it too
	        # NOTE(review): this runs whatever 'skdet' the current PATH
	        # resolves to, unlike the other tools which are located via
	        # BINPATHS.
	        which skdet 2>/dev/null >/dev/null && skdet
	     else
	      logtext "Info: Extended suckit tests skipped, due to missing stat binary"
	   fi
	  else
	    logtext "Info: Extended suckit tests skipped for this operating system (no Linux architecture)"
	fi
     }


# Log header: program, version, host and the licence banner
logtext "Running ${PROGRAM_NAME} ${PROGRAM_version} on ${hostname}"
logtext "${PROGRAM_license}"


##################################################################################################
#
# Configuration file
#
##################################################################################################



# Check configuration file
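# Check configuration file: --configfile wins, otherwise the first of the
# two standard locations. Its values become paths and switches used while
# running as root, so the file should be writable by root only.
if [ "${CONFIGFILE}" = "" ]; then
    if [ -f /etc/rkhunter.conf ]; then
        CONFIGFILE="/etc/rkhunter.conf"
    else
        CONFIGFILE="/usr/local/etc/rkhunter.conf"
    fi
fi

# Can we find the configuration file?
if [ ! -f "${CONFIGFILE}" ]; then
    echo "Fatal error: can't find configuration file (${CONFIGFILE})"
    exit 1
fi

# Installation directory from the configuration file. Only a line that
# starts with INSTALLDIR= counts (the unanchored grep used before also
# matched a commented-out '#INSTALLDIR=' line and produced a bogus
# directory). If the key appears more than once the value has several
# lines, as before.
MYDIR=`sed -n 's/^INSTALLDIR=//p' "${CONFIGFILE}"`
if [ "${MYDIR}" = "" ]; then
    echo "Fatal error: can't find INSTALLDIR option in configuration file (${CONFIGFILE})"
    exit 1
fi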

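logtext "Info: Shell ${SHELL}"

logtext "------------------------ Configuration check --------------------------"
logtext "Parsing configuration file (${CONFIGFILE})"

# Address that receives warnings (empty: none). Only an uncommented
# 'MAIL-ON-WARNING=' at the start of a line is honoured; the file name is
# quoted so an odd CONFIGFILE cannot be split into several arguments.
MAILONWARNING=`sed -n 's/^MAIL-ON-WARNING=//p' "${CONFIGFILE}"`

if [ "${MAILONWARNING}" = "" ]; then
    logtext "Info: No mail-on-warning address configured"
else
    logtext "Info: Sending warnings to ${MAILONWARNING}"
fi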

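# Temporary directory: --tmpdir, else the TMPDIR= line of the
# configuration file, else a directory below the installation directory.
# NOTE(review): an inherited TMPDIR environment variable also satisfies
# the first test, so the caller's environment can override the
# configuration file.
if [ "${TMPDIR}" = "" ]; then
    # Search in configuration file
    TMPDIR=`sed -n 's/^TMPDIR=//p' "${CONFIGFILE}"`

    # If not available in configuration file, make it static
    if [ "${TMPDIR}" = "" ]; then
        TMPDIR="${MYDIR}/lib/rkhunter/tmp"
    fi
fi

logtext "Info: Using ${TMPDIR} as temporary directory"

# Files created there during the scan must not be reachable by other
# users, so the shared /tmp is flagged (the run continues). Only the exact
# string "/tmp" is recognised.
if [ "${TMPDIR}" = "/tmp" ]; then
    logtext "Warning: using /tmp as your temporary directory is a very bad idea, because"
    logtext "it will contain some import system files! Please choose another directory in"
    logtext "your configuration file, or as TMPDIR parameter!"
    displaytext "Warning! Using /tmp as your temporary directory can be a security risk!"
    displaytext "See logfile for more information about this issue."
fi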


##################################################################################################


# Place where database files can be found
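# Place where database files can be found: --dbdir, else the DBDIR= line
# of the configuration file, else a directory below the installation
# directory. The file name is quoted so it is passed as one argument.
if [ "${DB_PATH}" = "" ]; then
    # Search in configuration file
    DB_PATH=`sed -n 's/^DBDIR=//p' "${CONFIGFILE}"`

    # If not available in configuration file, make it static
    if [ "${DB_PATH}" = "" ]; then
        DB_PATH="${MYDIR}/lib/rkhunter/db"
    fi
fi

logtext "Info: Using ${DB_PATH} as database directory"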


##################################################################################################

# Don't read configuration file if parameter has been used
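# Don't read configuration file if parameter has been used; otherwise the
# ALLOW_SSH_ROOT_USER= line decides, defaulting to "0" (root logins over
# SSH are reported as BAD). The file name is quoted.
if [ ! "${ALLOW_SSH_ROOT_USER}" = "1" ]; then
    ALLOW_SSH_ROOT_USER=`sed -n 's/^ALLOW_SSH_ROOT_USER=//p' "${CONFIGFILE}"`
    if [ "${ALLOW_SSH_ROOT_USER}" = "" ]; then
      ALLOW_SSH_ROOT_USER="0"
    fi
fi

if [ "${ALLOW_SSH_ROOT_USER}" = "1" ]; then
    logtext "Info: Explicit option set to allow root logins within SSH (don't mark test BAD when"
    logtext "rkhunter finds it in the SSH configuration file)"
fi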

# Places where all binaries are stored
# If binary path is empty (no --bindir parameter used), fill in a static value
# Places where all binaries are stored.
# Without --bindir, fall back to the usual system and local directories.
case "${BINPATHS}" in
  "") BINPATHS="/usr/sbin /usr/bin /usr/local/bin /usr/local/sbin /bin /sbin /sw/bin /usr/local/libexec /usr/libexec" ;;
esac
logtext "Info: Using '${BINPATHS}' as binary directory"


# File with mirrors, kept in the database directory
MIRRORFILE="${DB_PATH}/mirrors.dat"


##################################################################################################
#
# Application checks
#
##################################################################################################

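FINDFOUND=0;
IFCONFIGFOUND=0; IPFOUND=0
LYNXFOUND=0; LSATTRFOUND=0; LSFOUND=0; LSMODFOUND=0; LSOFFOUND=0
MD5FOUND=0;
NMAPFOUND=0
PERLFOUND=0; PRELINKFOUND=0; PSFOUND=0;
STATFOUND=0; STRINGSFOUND=0
WGETFOUND=0


logtext "-------------------------- Application scan ---------------------------"

# Locate the helper programs the checks rely on. BINPATHS is walked in
# order and every hit overwrites the *BINARY variable, so the last
# directory containing a program wins (md5sum likewise overrides md5
# within one directory). Only existence is tested; the programs are
# trusted as found, so --bindir should only name root-owned directories.
for I in ${BINPATHS}; do

  J="${I}/find";     if [ -f "${J}" ]; then logtext "Found ${J}"; FINDFOUND=1;     FINDBINARY=${J};     fi
  J="${I}/ip";       if [ -f "${J}" ]; then logtext "Found ${J}"; IPFOUND=1;       IPBINARY=${J};       fi
  J="${I}/ifconfig"; if [ -f "${J}" ]; then logtext "Found ${J}"; IFCONFIGFOUND=1; IFCONFIGBINARY=${J}; fi
  J="${I}/lynx";     if [ -f "${J}" ]; then logtext "Found ${J}"; LYNXFOUND=1;     LYNXBINARY=${J};     fi
  J="${I}/ls";       if [ -f "${J}" ]; then logtext "Found ${J}"; LSFOUND=1;       LSBINARY=${J};       fi
  J="${I}/lsattr";   if [ -f "${J}" ]; then logtext "Found ${J}"; LSATTRFOUND=1;   LSATTRBINARY=${J};   fi
  J="${I}/lsmod";    if [ -f "${J}" ]; then logtext "Found ${J}"; LSMODFOUND=1;    LSMODBINARY=${J};    fi
  J="${I}/lsof";     if [ -f "${J}" ]; then logtext "Found ${J}"; LSOFFOUND=1;     LSOFBINARY=${J};     fi
  J="${I}/md5";      if [ -f "${J}" ]; then logtext "Found ${J}"; MD5FOUND=1;      MD5BINARY=${J};      fi
  J="${I}/md5sum";   if [ -f "${J}" ]; then logtext "Found ${J}"; MD5FOUND=1;      MD5BINARY=${J};      fi
  J="${I}/nmap";     if [ -f "${J}" ]; then logtext "Found ${J}"; NMAPFOUND=1;     NMAPBINARY=${J};     fi
  J="${I}/prelink";  if [ -f "${J}" ]; then logtext "Found ${J}"; PRELINKFOUND=1;  PRELINKBINARY=${J};  fi
  J="${I}/ps";       if [ -f "${J}" ]; then logtext "Found ${J}"; PSFOUND=1;       PSBINARY=${J};       fi
  J="${I}/stat";     if [ -f "${J}" ]; then logtext "Found ${J}"; STATFOUND=1;     STATBINARY=${J};     fi
  J="${I}/strings";  if [ -f "${J}" ]; then logtext "Found ${J}"; STRINGSFOUND=1;  STRINGSBINARY=${J};  fi
  J="${I}/wget";     if [ -f "${J}" ]; then logtext "Found ${J}"; WGETFOUND=1;     WGETBINARY=${J};     fi

  # Perl: the version is read by running the interpreter itself.
  J="${I}/perl"
  if [ -f "${J}" ]; then
    PERLFOUND=1
    PERLBINARY=${J}
    #PERLVERSION=`${J} -V:version | tr -d "version" | tr -d '=' | tr -d "'" | tr -d ";" `
    # Reduce "version='5.x.y';" to the bare version. -p without -i: the
    # in-place flag is meaningless on a pipe and made perl warn.
    PERLVERSION=`${J} -V:version | ${J} -pe "s/^version='(.*)';$/\1/"`
    logtext "Found ${J} (version ${PERLVERSION})"
  fi

done


# logtext writes to DEBUGFILE itself; the former extra redirections were
# redundant.
if [ "${WGETFOUND}" -eq 1 ]; then
  logtext "Info: WGET found"
else
  logtext "Info: WGET not found"
fi

if [ "${NMAPFOUND}" -eq 1 ]; then
  logtext "Info: NMAP found"
else
  logtext "Info: NMAP not found"
fi

if [ "${LSOFFOUND}" -eq 1 ]; then
  logtext "Info: LSOF found"
else
  logtext "Info: LSOF not found"
fi

if [ "${IPFOUND}" -eq 1 ]; then
  logtext "Info: ip found"
else
  logtext "Info: ip not found"
fi



logtext "Application scan ended"

# Short alias for the checksum tool, when one was found
if [ ! "${MD5BINARY}" = "" ]; then
    md5=${MD5BINARY}
fi


BACKDOORPORTS="2006"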

#################################################################################
#
# Default rootkit files and directories
#
#################################################################################
#

# 55808 Variant A
W55808A_FILES="${ROOTDIR}tmp/.../r ${ROOTDIR}tmp/.../a"

# AjaKit
AJAKIT_FILES="
${ROOTDIR}dev/tux/.addr
${ROOTDIR}dev/tux/.proc
${ROOTDIR}dev/tux/.file
${ROOTDIR}lib/.libgh-gh/cleaner
${ROOTDIR}lib/.libgh-gh/Patch/patch
${ROOTDIR}lib/.libgh-gh/sb0k
"

AJAKIT_DIRS="
${ROOTDIR}dev/tux
${ROOTDIR}lib/.libgh-gh
"

AJAKIT_KSYMS=""

# aPa Kit
APAKIT_FILES="${ROOTDIR}usr/share/.aPa"
APAKIT_DIRS=""
APAKIT_KSYMS=""

# Apache Worm
APACHEWORM_FILES="${ROOTDIR}bin/.log"

# Ambient (ark) Rootkit
ARK_FILES="${ROOTDIR}usr/lib/.ark? ${ROOTDIR}dev/ptyxx/.log ${ROOTDIR}dev/ptyxx/.file"
ARK_DIRS="${ROOTDIR}dev/ptyxx"

# Balaur Rootkit 2.0 (LRK5 based)
BALAUR_FILES="
${ROOTDIR}usr/lib/liblog.o
"
BALAUR_DIRS="
${ROOTDIR}usr/lib/.kinetic
${ROOTDIR}usr/lib/.egcs
${ROOTDIR}usr/lib/.wormie
"

BALAUR_KSYMS=""

# Beastkit
BEASTKIT_FILES="${ROOTDIR}usr/sbin/arobia ${ROOTDIR}usr/sbin/idrun ${ROOTDIR}usr/lib/elm/arobia/elm ${ROOTDIR}usr/lib/elm/arobia/elm/hk ${ROOTDIR}usr/lib/elm/arobia/elm/hk.pub ${ROOTDIR}usr/lib/elm/arobia/elm/sc ${ROOTDIR}usr/lib/elm/arobia/elm/sd.pp ${ROOTDIR}usr/lib/elm/arobia/elm/sdco ${ROOTDIR}usr/lib/elm/arobia/elm/srsd"
BEASTKIT_DIRS="${ROOTDIR}lib/ldd.so/bktools"

# beX2
BEX_FILES=""
BEX_DIRS="${ROOTDIR}/usr/include/bex"
BEX_KSYMS=""

# BOBkit
BOBKIT_FILES="
${ROOTDIR}usr/sbin/ntpsx
${ROOTDIR}usr/lib/.../ls
${ROOTDIR}usr/lib/.../netstat
${ROOTDIR}usr/lib/.../lsof
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-shdcfg
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-shhk
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-pw
${ROOTDIR}usr/lib/.../bkit-ssh/bkit-shrs
${ROOTDIR}usr/lib/.../uconf.inv
${ROOTDIR}usr/lib/.../psr
${ROOTDIR}usr/lib/.../find
${ROOTDIR}usr/lib/.../pstree
${ROOTDIR}usr/lib/.../slocate
${ROOTDIR}usr/lib/.../du
${ROOTDIR}usr/lib/.../top
"

BOBKIT_DIRS="
${ROOTDIR}usr/lib/...
${ROOTDIR}usr/lib/.../bkit-ssh
${ROOTDIR}usr/lib/.bkit-
${ROOTDIR}tmp/.bkp
"

# BiNIK Worm (Slapper.B variant)
CINIK_DIRS="${ROOTDIR}tmp/.font-unix/.cinik"
CINIK_FILES="${ROOTDIR}tmp/.cinik"

# Danny-Boy's Abuse Kit
DANNYBOY_FILES="${ROOTDIR}dev/mdev ${ROOTDIR}usr/lib/libX.a"
DANNYBOY_DIRS=""
DANNYBOY_KSYMS=""

# Devil
DEVIL_FILES="
${ROOTDIR}var/lib/games/.src
${ROOTDIR}dev/dsx
${ROOTDIR}dev/caca
"

# Dica (T0rn variant)
DICA_FILES="
${ROOTDIR}lib/.sso
${ROOTDIR}lib/.so
${ROOTDIR}var/run/...dica/clean
${ROOTDIR}var/run/...dica/xl
${ROOTDIR}var/run/...dica/xdr
${ROOTDIR}var/run/...dica/psg
${ROOTDIR}var/run/...dica/secure
${ROOTDIR}var/run/...dica/rdx
${ROOTDIR}var/run/...dica/va
${ROOTDIR}var/run/...dica/cl.sh
${ROOTDIR}usr/bin/.etc
"

DICA_DIRS="
${ROOTDIR}var/run/...dica
${ROOTDIR}var/run/...dica/mh
${ROOTDIR}var/run/...dica/scan
"

DICA_KSYMS=""

# Dreams
DREAMS_FILES="
${ROOTDIR}dev/ttyoa
${ROOTDIR}dev/ttyof
${ROOTDIR}dev/ttyop
${ROOTDIR}usr/bin/sense
${ROOTDIR}usr/bin/sl2
${ROOTDIR}usr/bin/logclear
${ROOTDIR}usr/bin/(swapd)
${ROOTDIR}usr/bin/snfs
${ROOTDIR}usr/lib/libsss
"

DREAMS_DIRS="${ROOTDIR}dev/ida/.hpd"
DREAMS_KSYMS=""

# Duarawkz
DUARAWKZ_FILES="${ROOTDIR}usr/bin/duarawkz/loginpass"
DUARAWKZ_DIRS="${ROOTDIR}usr/bin/duarawkz"
DUARAWKZ_KSYMS=""

# Flea Linux rootkit
FLEA_FILES="
${ROOTDIR}etc/ld.so.hash
${ROOTDIR}lib/security/.config/ssh/ssh_host_key
${ROOTDIR}lib/security/.config/ssh/ssh_host_key.pub
${ROOTDIR}lib/security/.config/ssh/ssh_random_seed
${ROOTDIR}usr/bin/ssh2d
${ROOTDIR}usr/lib/ldlibns.so
${ROOTDIR}usr/lib/ldlibpst.so
${ROOTDIR}usr/lib/ldlibdu.so
${ROOTDIR}usr/lib/ldlibct.so
"

FLEA_DIRS="${ROOTDIR}lib/security/.config/ssh ${ROOTDIR}dev/..0 ${ROOTDIR}dev/..0/backup"
FLEA_KSYMS=""

# FreeBSD Rootkit
FREEBSD_RK_FILES="
${ROOTDIR}usr/lib/.fx/sched_host.2
${ROOTDIR}usr/lib/.fx/random_d.2
${ROOTDIR}usr/lib/.fx/set_pid.2
${ROOTDIR}usr/lib/.fx/cons.saver
${ROOTDIR}usr/lib/.fx/adore/adore/adore.ko
${ROOTDIR}bin/sysback
${ROOTDIR}usr/local/bin/sysback
"

FREEBSD_RK_DIRS="${ROOTDIR}usr/lib/.fx ${ROOTDIR}usr/lib/.fx/adore"

# Fuckit Rootkit
FUCKIT_FILES="
${ROOTDIR}dev/proc/fuckit/hax0r
${ROOTDIR}dev/proc/fuckit/hax0rshell
${ROOTDIR}dev/proc/fuckit/config/lports
${ROOTDIR}dev/proc/fuckit/config/rports
${ROOTDIR}dev/proc/fuckit/config/rkconf
${ROOTDIR}dev/proc/fuckit/config/password
${ROOTDIR}dev/proc/fuckit/config/progs
${ROOTDIR}dev/proc/system-bins/init
"

# GasKit Rootkit
GASKIT_FILES="${ROOTDIR}dev/dev/gaskit/sshd/sshdd"
GASKIT_DIRS="${ROOTDIR}dev/dev ${ROOTDIR}dev/dev/gaskit ${ROOTDIR}dev/dev/gaskit/sshd"

# Heroin LKM
HEROIN_FILES=""
HEROIN_DIRS=""
HEROIN_KSYMS="heroin"

# HjC Kit
HJCKIT_FILES=""
HJCKIT_DIRS="${ROOTDIR}dev/.hijackerz"
HJCKIT_KSYMS=""

# ignoKit
IGNOKIT_FILES="
${ROOTDIR}lib/defs/p
${ROOTDIR}lib/defs/q
${ROOTDIR}lib/defs/r
${ROOTDIR}lib/defs/s
${ROOTDIR}lib/defs/t
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/defs/p
${ROOTDIR}usr/lib/.libigno/pkunsec
${ROOTDIR}usr/lib/.libigno/.igno/psybnc/psybnc
"

IGNOKIT_DIRS="
${ROOTDIR}usr/lib/.libigno
${ROOTDIR}usr/lib/.libigno/.igno/
"

IGNOKIT_KSYMS=""

# ImperalsS-FBRK (FreeBSD Rootkit)
IMPFRB_DIRS="${ROOTDIR}dev/fd/.88 ${ROOTDIR}dev/fd/.99"

# Irix Rootkit (for Irix 6.x)
IRIXRK_FILES=""
IRIXRK_DIRS="
${ROOTDIR}dev/pts/01
${ROOTDIR}dev/pts/01/backup
${ROOTDIR}dev/pts/01/etc
${ROOTDIR}dev/pts/01/tmp
"
IRIXRK_KSYMS=""

# Kitko
KITKO_FILES=""
KITKO_DIRS="${ROOTDIR}usr/src/redhat/SRPMS/..."
KITKO_KSYMS=""

# Knark
KNARK_FILES="${ROOTDIR}proc/knark/pids"
KNARK_DIRS="${ROOTDIR}proc/knark"
KNARK_KSYMS=""

# Lion Worm
LION_FILES="
${ROOTDIR}bin/in.telnetd
${ROOTDIR}bin/mjy
${ROOTDIR}usr/man/man1/man1/lib/.lib/mjy
${ROOTDIR}usr/man/man1/man1/lib/.lib/in.telnetd
${ROOTDIR}usr/man/man1/man1/lib/.lib/.x
${ROOTDIR}dev/.lib/lib/scan/1i0n.sh
${ROOTDIR}dev/.lib/lib/scan/hack.sh
${ROOTDIR}dev/.lib/lib/scan/bind
${ROOTDIR}dev/.lib/lib/scan/randb
${ROOTDIR}dev/.lib/lib/scan/scan.sh
${ROOTDIR}dev/.lib/lib/scan/pscan
${ROOTDIR}dev/.lib/lib/scan/star.sh
${ROOTDIR}dev/.lib/lib/scan/bindx.sh
${ROOTDIR}dev/.lib/lib/scan/bindname.log
${ROOTDIR}dev/.lib/lib/1i0n.sh
${ROOTDIR}dev/.lib/lib/lib/netstat
${ROOTDIR}dev/.lib/lib/lib/dev/.1addr
${ROOTDIR}dev/.lib/lib/lib/dev/.1logz
${ROOTDIR}dev/.lib/lib/lib/dev/.1proc
${ROOTDIR}dev/.lib/lib/lib/dev/.1file
"

# Lockit (a.k.a. LJK2)
LOCKIT_FILES="
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_config
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_host_key
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
${ROOTDIR}usr/lib/libmen.oo/.LJK2/ssh_random_seed*
${ROOTDIR}usr/lib/libmen.oo/.LJK2/sshd_config
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backdoor/RK1bd
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/du
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/ifconfig
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/inetd.conf
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/locate
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/login
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/ls
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/netstat
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/ps
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/pstree
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/rc.sysinit
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/syslogd
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/tcpd
${ROOTDIR}usr/lib/libmen.oo/.LJK2/backup/top
${ROOTDIR}usr/lib/libmen.oo/.LJK2/clean/RK1sauber
${ROOTDIR}usr/lib/libmen.oo/.LJK2/clean/RK1wted
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hack/RK1parser
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hack/RK1sniff
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1addr
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1dir
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1log
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/.RK1proc
${ROOTDIR}usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
${ROOTDIR}usr/lib/libmen.oo/.LJK2/modules/README.modules
${ROOTDIR}usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
${ROOTDIR}usr/lib/libmen.oo/.LJK2/modules/RK1phide
${ROOTDIR}usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh
"

# Rootkit signature tables.  Each NAME_FILES / NAME_DIRS value is a
# whitespace-separated list of paths and NAME_KSYMS a list of kernel symbol
# names (empty when none are known); they are presumably consumed by a generic
# per-rootkit presence check later in this file (not visible here).  Paths are
# written as ${ROOTDIR}path with no leading slash, so ROOTDIR is expected to
# end in "/" -- that is what lets a scan look inside an alternate root.
LOCKIT_DIRS="${ROOTDIR}usr/lib/libmen.oo/.LJK2"
LOCKIT_KSYMS=""

# MRK (MiCrobul RootKit?, based on Devil RootKit )
MRK_FILES="
${ROOTDIR}dev/ida/.inet/pid
${ROOTDIR}dev/ida/.inet/ssh_host_key
${ROOTDIR}dev/ida/.inet/ssh_random_seed
${ROOTDIR}dev/ida/.inet/tcp.log
"

MRK_DIRS="
${ROOTDIR}dev/ida/.inet
${ROOTDIR}var/spool/cron/.sh
"

# Ni0 Rootkit
# Note the "...datafile..." directory is shared with the Ohhara signature
# below; a hit on it alone does not distinguish the two.
NIO_FILES="
${ROOTDIR}var/lock/subsys/...datafile.../...net...
${ROOTDIR}var/lock/subsys/...datafile.../...port...
${ROOTDIR}var/lock/subsys/...datafile.../...ps...
${ROOTDIR}var/lock/subsys/...datafile.../...file...
"

NIO_DIRS="
${ROOTDIR}tmp/waza
${ROOTDIR}var/lock/subsys/...datafile...
${ROOTDIR}usr/sbin/es
"

NIO_KSYMS=""

# RootKit for SunOS / NSDAP
NSDAP_FILES="
${ROOTDIR}usr/lib/vold/nsdap/.kit
${ROOTDIR}usr/lib/vold/nsdap/defines
${ROOTDIR}usr/lib/vold/nsdap/patcher
${ROOTDIR}usr/lib/vold/nsdap/pg
${ROOTDIR}usr/lib/vold/nsdap/cleaner
${ROOTDIR}usr/lib/vold/nsdap/utime
${ROOTDIR}usr/lib/vold/nsdap/crypt
${ROOTDIR}usr/lib/vold/nsdap/findkit
${ROOTDIR}usr/lib/vold/nsdap/sn2
${ROOTDIR}usr/lib/vold/nsdap/sniffload
${ROOTDIR}usr/lib/vold/nsdap/runsniff
${ROOTDIR}usr/lib/lpset
"
NSDAP_DIRS="${ROOTDIR}usr/lib/vold/nsdap"
NSDAP_KSYMS=""

# Ohhara Rootkit
OHHARA_FILES="${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../in.smbd.log"
OHHARA_DIRS="
${ROOTDIR}var/lock/subsys/...datafile...
${ROOTDIR}var/lock/subsys/...datafile.../...datafile...
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../bin
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../usr/bin
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../usr/sbin
${ROOTDIR}var/lock/subsys/...datafile.../...datafile.../lib/security
"

# Optic Kit (Tux variant)
# Only directories are listed; the /dev/tux tree is also claimed by the
# Tuxtendo signature further down.
OPTICKIT_DIRS="${ROOTDIR}dev/tux ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf ${ROOTDIR}usr/bin/ssh2d"

# Oz Rootkit
OZ_FILES="${ROOTDIR}dev/.oz/.nap/rkit/terror"
OZ_DIRS="${ROOTDIR}dev/.oz"

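# Portacelo (sssh backdoor).
# Paths follow the ${ROOTDIR} convention used by every other table in this
# file, so a scan of an alternate root stays inside that root; the original
# hard-coded /var/lib and would have tested the live system instead.
# The last entry is the backdoor's known_hosts under the home directory of
# the scanning user (root).  It was written as "~/..." before, but a tilde
# does not expand inside double quotes, so that entry was a literal "~" path
# that could never match; ${HOME} is what the tilde was meant to be.
PORTACELO_FILES="
${ROOTDIR}var/lib/.../.ak
${ROOTDIR}var/lib/.../.hk
${ROOTDIR}var/lib/.../.rs
${ROOTDIR}var/lib/.../.p
${ROOTDIR}var/lib/.../getty
${ROOTDIR}var/lib/.../lkt.o
${ROOTDIR}var/lib/.../show
${ROOTDIR}var/lib/.../nlkt.o
${ROOTDIR}var/lib/.../ssshrc
${ROOTDIR}var/lib/.../sssh_equiv
${ROOTDIR}var/lib/.../sssh_known_hosts
${ROOTDIR}var/lib/.../sssh_pid
${HOME}/.sssh/known_hosts
"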

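# R3dstorm Toolkit
# Paths use the ${ROOTDIR} prefix like every other table here (the original
# hard-coded absolute paths, so a scan of an alternate root would have looked
# at the live system for this one rootkit only).
REDSTORM_FILES="
${ROOTDIR}var/log/tk02/see_all
${ROOTDIR}bin/.../sshd/sbin/sshd1
${ROOTDIR}bin/.../hate/sk
${ROOTDIR}bin/.../see_all
"

REDSTORM_DIRS="
${ROOTDIR}var/log/tk02
${ROOTDIR}var/log/tk02/old
${ROOTDIR}bin/...
"

REDSTORM_KSYMS=""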

# RH-Sharpe's rootkit
# Mostly "l"-prefixed copies of the real tools (lps, ltop, lnetstat ...) that
# the trojaned ones exec.
RHSHARPES_FILES="
${ROOTDIR}bin/lps
${ROOTDIR}usr/bin/lpstree
${ROOTDIR}usr/bin/ltop
${ROOTDIR}usr/bin/lkillall
${ROOTDIR}usr/bin/ldu
${ROOTDIR}usr/bin/lnetstat
${ROOTDIR}usr/bin/wp
${ROOTDIR}usr/bin/shad
${ROOTDIR}usr/bin/vadim
${ROOTDIR}usr/bin/slice
${ROOTDIR}usr/bin/cleaner
${ROOTDIR}usr/include/rpcsvc/du
"
RHSHARPES_DIRS=""
RHSHARPES_KSYMS=""

# RSHA's rootkit
RSHA_FILES="
${ROOTDIR}bin/kr4p
${ROOTDIR}usr/bin/n3tstat
${ROOTDIR}usr/bin/chsh2
${ROOTDIR}usr/bin/slice2
${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc
${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr
"

RSHA_DIRS="
${ROOTDIR}etc/rc.d/rsha
${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib
"

RSHA_KSYMS=""

# Shutdown
# NOTE(review): these paths contain "%%" (e.g. "..%%/.dir").  Elsewhere in
# this file "%%" stands for a space inside messages; whether the code that
# walks the *_DIRS/*_FILES tables performs the same substitution is not
# visible here -- confirm, otherwise these entries are matched literally.
SHUTDOWN_DIRS="${ROOTDIR}usr/man/man5/..%%/.dir/ ${ROOTDIR}usr/man/man5/..%%/.dir/scannah ${ROOTDIR}etc/rc.d/rc0.d/..%%/.dir"
SHUTDOWN_FILES="${ROOTDIR}usr/man/man5/..%%/.dir/scannah/asus ${ROOTDIR}usr/man/man5/..%%/.dir/see ${ROOTDIR}usr/man/man5/..%%/.dir/nscd ${ROOTDIR}usr/man/man5/..%%/.dir/alpd ${ROOTDIR}etc/rc.d/rc.local%%"

# Scalper (FreeBSD.Scalper.Worm)
SCALPER_FILES="${ROOTDIR}tmp/.a ${ROOTDIR}tmp/.uua"

# SHV4
# Shares ld.so.hash and libext-2.so.7 with the SunOS rootkit signature
# below, so a hit on those alone is ambiguous between the two.
SHV4_FILES="
${ROOTDIR}etc/ld.so.hash
${ROOTDIR}lib/libext-2.so.7
${ROOTDIR}lib/lidps1.so
${ROOTDIR}usr/sbin/xntps
"

SHV4_DIRS="${ROOTDIR}lib/security/.config ${ROOTDIR}lib/security/.config/ssh"

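# SHV5
SHV5_FILES="
${ROOTDIR}etc/sh.conf
${ROOTDIR}dev/srd0
"

# Directory gets the same ${ROOTDIR} prefix as the files above and as every
# other table; the original hard-coded /usr/lib/libsh, which would have
# checked the live system even when scanning an alternate root.
SHV5_DIRS="${ROOTDIR}usr/lib/libsh"
SHV5_KSYMS=""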

# Sin Rootkit
# NOTE(review): the files table lists usr/man/man1/... while the dirs table
# lists usr/lib/man1/... -- the two do not agree and one of them looks like
# a typo; confirm against the rootkit before changing either.
SINROOTKIT_FILES="
${ROOTDIR}dev/.haos/haos1/.f/Denyed
${ROOTDIR}dev/ttyoa
${ROOTDIR}dev/ttyof
${ROOTDIR}dev/ttyop
${ROOTDIR}dev/ttyos
${ROOTDIR}usr/lib/.lib 
${ROOTDIR}usr/lib/sn/.X
${ROOTDIR}usr/lib/sn/.sys
${ROOTDIR}usr/lib/ld/.X
${ROOTDIR}usr/man/man1/...
${ROOTDIR}usr/man/man1/.../.m
${ROOTDIR}usr/man/man1/.../.w
"

SINROOTKIT_DIRS="${ROOTDIR}usr/lib/sn ${ROOTDIR}usr/lib/man1/... ${ROOTDIR}dev/.haos"

# Slapper
# Worm droppings in /tmp; the names are the worm's own (.bugtraq, .cinik).
SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.uubugtraq ${ROOTDIR}tmp/.bugtraq.c ${ROOTDIR}tmp/httpd ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b"

# Sneakin Rootkit
SNEAKIN_DIRS="${ROOTDIR}tmp/.X11-unix/.../rk"

# Suckit Rootkit
# The S23kmdac entries cover every SysV runlevel directory, i.e. the kit's
# persistence hook.
SUCKIT_FILES="
${ROOTDIR}sbin/initsk12
${ROOTDIR}sbin/initxrk
${ROOTDIR}usr/bin/null
${ROOTDIR}usr/share/locale/sk/.sk12/sk
${ROOTDIR}etc/rc.d/rc0.d/S23kmdac
${ROOTDIR}etc/rc.d/rc1.d/S23kmdac
${ROOTDIR}etc/rc.d/rc2.d/S23kmdac
${ROOTDIR}etc/rc.d/rc3.d/S23kmdac
${ROOTDIR}etc/rc.d/rc4.d/S23kmdac
${ROOTDIR}etc/rc.d/rc5.d/S23kmdac
${ROOTDIR}etc/rc.d/rc6.d/S23kmdac
"

SUCKIT_DIRS="
${ROOTDIR}dev/sdhu0/tehdrakg
${ROOTDIR}etc/.MG
${ROOTDIR}usr/share/locale/sk/.sk12
${ROOTDIR}usr/lib/perl5/site_perl/i386-linux/auto/TimeDate/.packlist
"

# SunOS Rootkit
# Several entries (sbin/login, usr/bin/ssh2d, ld.so.hash, libext-2.so.7)
# are shared with other signatures in this file; only the dirs-less
# combination below is specific to this kit.
SUNOSROOTKIT_FILES="
${ROOTDIR}etc/ld.so.hash
${ROOTDIR}lib/libext-2.so.7
${ROOTDIR}usr/bin/ssh2d
${ROOTDIR}bin/xlogin
${ROOTDIR}usr/lib/crth.o
${ROOTDIR}usr/lib/crtz.o
${ROOTDIR}sbin/login
${ROOTDIR}lib/security/.config/sn
${ROOTDIR}lib/security/.config/lpsched
${ROOTDIR}dev/kmod
${ROOTDIR}dev/dos
"

# Superkit
SUPERKIT_FILES="${ROOTDIR}usr/man/.sman/sk"
SUPERKIT_DIRS=""
SUPERKIT_KSYMS=""

# Telnet Backdoor
# Also referenced as a string signature in STRINGSCAN below (login, ls, top,
# syslogd containing "/usr/lib/.tbd").
TBD_FILES="${ROOTDIR}usr/lib/.tbd"

# TeLeKiT 
TELEKIT_FILES="
${ROOTDIR}usr/man/man3/.../TeLeKiT/bin/sniff
${ROOTDIR}usr/man/man3/.../TeLeKiT/bin/telnetd
${ROOTDIR}usr/man/man3/.../TeLeKiT/bin/teleulo
${ROOTDIR}usr/man/man3/.../cl
${ROOTDIR}dev/ptyr
${ROOTDIR}dev/ptyp
${ROOTDIR}dev/ptyq
${ROOTDIR}dev/hda06
${ROOTDIR}usr/info/libc1.so
"

TELEKIT_DIRS="${ROOTDIR}usr/man/man3/... ${ROOTDIR}usr/man/man3/.../lsniff ${ROOTDIR}usr/man/man3/.../TeLeKiT"
TELEKIT_KSYMS=""

# Torn (and misc)
# The usr/info/.torn/sh* entry is a glob: it is expanded at the point where
# this list is used unquoted, and stays literal when nothing matches.
# Trailing blanks on a few lines are harmless (the value is word-split).
TORN_FILES="
${ROOTDIR}dev/.lib/lib/lib/t0rns
${ROOTDIR}dev/.lib/lib/lib/du
${ROOTDIR}dev/.lib/lib/lib/ls
${ROOTDIR}dev/.lib/lib/lib/t0rnsb
${ROOTDIR}dev/.lib/lib/lib/ps
${ROOTDIR}dev/.lib/lib/lib/t0rnp
${ROOTDIR}dev/.lib/lib/lib/find
${ROOTDIR}dev/.lib/lib/lib/ifconfig
${ROOTDIR}dev/.lib/lib/lib/pg
${ROOTDIR}dev/.lib/lib/lib/ssh.tgz
${ROOTDIR}dev/.lib/lib/lib/top
${ROOTDIR}dev/.lib/lib/lib/sz
${ROOTDIR}dev/.lib/lib/lib/login
${ROOTDIR}dev/.lib/lib/lib/in.fingerd
${ROOTDIR}dev/.lib/lib/lib/1i0n.sh
${ROOTDIR}dev/.lib/lib/lib/pstree
${ROOTDIR}dev/.lib/lib/lib/in.telnetd
${ROOTDIR}dev/.lib/lib/lib/mjy
${ROOTDIR}dev/.lib/lib/lib/sush
${ROOTDIR}dev/.lib/lib/lib/tfn
${ROOTDIR}dev/.lib/lib/lib/name
${ROOTDIR}dev/.lib/lib/lib/getip.sh
${ROOTDIR}usr/info/.torn/sh*
${ROOTDIR}usr/src/.puta/                                                                                      
${ROOTDIR}usr/src/.puta/.1addr
${ROOTDIR}usr/src/.puta/.1file
${ROOTDIR}usr/src/.puta/.1proc
${ROOTDIR}usr/src/.puta/.1logz
${ROOTDIR}usr/info/.t0rn/                  
"

# Torn directories.  TORN_FILES and TORN_DIRS are also fed to the strings(1)
# self-test (STRINGS_INTEGRITY, further down).
TORN_DIRS="
${ROOTDIR}dev/.lib/
${ROOTDIR}dev/.lib/lib/
${ROOTDIR}dev/.lib/lib/lib/
${ROOTDIR}dev/.lib/lib/lib/dev/
${ROOTDIR}dev/.lib/lib/scan/
${ROOTDIR}usr/src/.puta/
${ROOTDIR}usr/man/man1/man1/
${ROOTDIR}usr/man/man1/man1/lib/
${ROOTDIR}usr/man/man1/man1/lib/.lib/
${ROOTDIR}usr/man/man1/man1/lib/.lib/.backup/
"

# Trojanit Kit: dot-prefixed copies of the replaced tools next to the
# originals.
TROJANIT_FILES="
${ROOTDIR}bin/.ls
${ROOTDIR}bin/.ps
${ROOTDIR}bin/.netstat
${ROOTDIR}usr/bin/.nop
${ROOTDIR}usr/bin/.who
"

# Placeholder entries (no signatures known); kept so a generic lookup by
# name finds defined, empty tables.
TPACK_FILES=""
TPACK_DIRS=""

# Tuxtendo (Tuxkit)
# /dev/tux/backup holds the originals of the replaced tools; /dev/tux itself
# is also listed by the Optic Kit signature above.
TUXTENDO_FILES="
${ROOTDIR}dev/tux/.addr
${ROOTDIR}dev/tux/.cron
${ROOTDIR}dev/tux/.file
${ROOTDIR}dev/tux/.log
${ROOTDIR}dev/tux/.proc
${ROOTDIR}dev/tux/backup/crontab
${ROOTDIR}dev/tux/backup/df
${ROOTDIR}dev/tux/backup/dir
${ROOTDIR}dev/tux/backup/find
${ROOTDIR}dev/tux/backup/ifconfig
${ROOTDIR}dev/tux/backup/locate
${ROOTDIR}dev/tux/backup/netstat
${ROOTDIR}dev/tux/backup/ps
${ROOTDIR}dev/tux/backup/pstree
${ROOTDIR}dev/tux/backup/syslogd
${ROOTDIR}dev/tux/backup/tcpd
${ROOTDIR}dev/tux/backup/top
${ROOTDIR}dev/tux/backup/updatedb
${ROOTDIR}dev/tux/backup/vdir
"

TUXTENDO_DIRS="
${ROOTDIR}dev/tux
${ROOTDIR}dev/tux/ssh2
${ROOTDIR}dev/tux/backup
"

TUXTENDO_KSYMS=""

# URK (Universal Root Kit)
URK_FILES="
${ROOTDIR}usr/man/man1/xxxxxxbin/find
${ROOTDIR}usr/man/man1/xxxxxxbin/du
${ROOTDIR}usr/man/man1/xxxxxxbin/ps
${ROOTDIR}tmp/conf.inf
"

URK_DIRS="
${ROOTDIR}usr/man/man1/xxxxxxbin
"
# VcKit
# "lib.so" is a directory here, not a shared object.
VCKIT_FILES=""
VCKIT_DIRS="${ROOTDIR}usr/include/linux/modules/lib.so ${ROOTDIR}usr/include/linux/modules/lib.so/bin"

# Volc Rootkit
VOLC_FILES=""
VOLC_DIRS="
${ROOTDIR}var/spool/.recent
${ROOTDIR}var/spool/.recent/.files
${ROOTDIR}usr/lib/volc
${ROOTDIR}usr/lib/volc/backup
"

# X-Org SunOS Rootkit
# NOTE(review): the last directory entry "usr/share/man..." has no slash
# before the dots, unlike every other "..." entry in this file; confirm
# whether "usr/share/man/..." was intended.
XORGSUNOS_FILES="
${ROOTDIR}usr/lib/libX.a/bin/tmpfl
${ROOTDIR}usr/lib/libX.a/bin/rps
${ROOTDIR}usr/bin/srload
${ROOTDIR}usr/lib/libX.a/bin/sparcv7/rps
${ROOTDIR}usr/sbin/modcheck
"

XORGSUNOS_DIRS="
${ROOTDIR}usr/lib/libX.a
${ROOTDIR}usr/lib/libX.a/bin
${ROOTDIR}usr/lib/libX.a/bin/sparcv7
${ROOTDIR}usr/share/man...
"


# zaRwT.KiT
ZARWT_FILES="
${ROOTDIR}dev/rd/s/sendmeil
${ROOTDIR}dev/ttyf
${ROOTDIR}dev/ttyp
${ROOTDIR}dev/ttyn
${ROOTDIR}rk/tulz
"

ZARWT_DIRS="
${ROOTDIR}rk
${ROOTDIR}dev/rd/s
"

# Strings looked for in log files rather than paths (":60922" is presumably
# the kit's listening port as it appears in a log line).
ZARWT_LOGS="
.zarwt.
sendmeil
:60922
cky.
"

# Miscellaneous login backdoors
LOGIN_BACKDOOR_FILES="${ROOTDIR}bin/.login ${ROOTDIR}sbin/.login"

# Misc Apache Backdoors
# Strings searched for in Apache binaries/modules (consumer not visible here).
APACHEBDOORS_STRINGS="gotcha"

# Suspicious files in /dev
# v1rootkit does use some files here to hide processes, UIDs en GIDs.
# Files: /dev/ttyp, /dev/ttypr, /dev/ttypp, /dev/ttypq (Checked: FreeBSD and RedHat doesn't have this files by default)
# Files: /dev/ptyxx/.list /dev/ptyxx/.proc
# Files: ${ROOTDIR}tmp/tr/td:

# Format: name:description:  -- bare file names (no directory), "%%" stands
# for a space in the description.  The directory they are looked for in is
# decided by the consumer, presumably ${ROOTDIR}dev as the comment above says.
SUSPICIOUS1_FILES="
.list:Unknown file:
.proc:Unknown file:
psybnc:IRC%%bouncer:
td:Unknown file:
ttyp:Unknown file:
ttypr:Unknown file:
ttypp:Unknown file:
ttypq:Unknown file:
"

# Suspicious directories
# NOTE(review): these are absolute, without ${ROOTDIR}; unless the consumer
# adds the prefix itself, an alternate-root scan checks the live system here.
SUSPICIOUS1_DIRS="/usr/X11R6/bin/.,/copy/ /dev/rd"


# Evil strings
# One record per line: location:binary:string:message.  "location" is a
# directory class (the mapping below this table), "string" is searched for in
# the binary's strings(1) output and "message" is shown on a hit; "%%" in the
# string/message fields stands for a space.
# NOTE(review): the rc.inet1 record at the end has only three fields
# (location and binary are merged) -- check how the consumer splits it.
STRINGSCAN="
bin:test2:abc:Test
bin:init:/dev/proc/fuckit:Fuckit%%Rootkit
bin:init:FUCK:Possible%%Suckit%%Rootkit%%found
bin:init:backdoor:Possible%%backdoored%%init%%file%%(Suckit)
bin:login:vt200:Possible%%Linux%%Rootkit
bin:login:/usr/bin/xstat:Possible%%Linux%%Rootkit
bin:login:/bin/envpc:Unknown
bin:login:l4m3r0x:Unknown
bin:login:/usr/lib/.tbd:TBD%%Rootkit
bin:ls:/dev/ptyxx/.file:Dica%%(T0rn%%variant)
bin:ls:/dev/sgk:Unknown
bin:ls:/var/lock/subsys/...datafile...:Ohhara%%Rootkit
bin:ls:/usr/lib/.tbd:TBD%%Rootkit
bin:netstat:/dev/proc/fuckit:Fuckit%%Rootkit
bin:netstat:/lib/.sso:Dica%%(T0rn%%variant)
bin:netstat:/var/lock/subsys/...datafile...:Ohhara%%Rootkit
bin:netstat:/dev/caca:MRK
bin:netstat:/dev/ttyoa:Sin%%Rootkit
bin:netstat:syg:Possible%%trojaned%%netstat
bin:nscd:sshd_config:Possible%%backdoor%%shell%%installed%%(SSH)
bin:ps:/dev/pts/01:SunOS%%Rootkit
bin:ps:tw33dl3:SunOS%%Rootkit
bin:ps:psniff:SunOS%%Rootkit
bin:ps:/var/lock/subsys/...datafile...:Ohhara%%Rootkit%%or%%Ni0%%Rootkit
bin:rpc.nfsd:cant%%open%%log:Possible%%sniffer%%installed
bin:rpc.nfsd:sniff.pid:Possible%%sniffer%%installed
bin:rpc.nfsd:tcp.log:Possible%%sniffer%%installed
bin:sshd:/dev/ptyxx:OpenBSD%%Rootkit
bin:syslogd:promiscuous:Possible%%sniffer%%installed
bin:syslogd:/usr/lib/.tbd:TBD%%Rootkit
bin:tcpd:/dev/xdta:Dica%%(T0rn%%variant)
bin:top:/usr/lib/.tbd:TBD%%Rootkit
bin:xtty:/bin/sh:Possible%%backdoor%%shell%%installed
etc:passwd:r00t:Possible%%GasKit
etc:passwd:t00r:Possible%%GasKit
libs:libproc.so.2.0.7:/dev/proc/fuckit:Fuckit%%Rootkit
rc.d:boot:/usr/bin/initrd%%-t1%%-X53%%-p:Dreams%%Rootkit
rc.d:functions:/usr/bin/initrd%%-t1%%-X53%%-p:Dreams%%Rootkit
rc.inet1:/usr/bin/initrd%%-t1%%-X53%%-p:Dreams%%Rootkit
"

# Location classes used in the first field above:
# bin: /bin, /usr/bin, /usr/local/bin, /usr/sbin, /usr/local/sbin
# etc: /etc
# rc.d: /etc/rc.d /etc/rc.d/init.d
# rc.sysinit: /etc/rc.d

# Slackware /etc/rc.d/sysvinit

# Strings searched for in rc scripts: string:message ("%%" = space).
RCSTRINGS="
sshdu:Possible%%trojaned%%SSH%%Daemon
sshd1:Possible%%trojaned%%SSH%%Daemon
linsniffer:Possible%%keyboard%%sniffer%%found
startadore:Possible%%Adore%%rootkit%%found
ava:Possible%%PID%%hider%%found
.lsd:Torn%%based%%part%%found
/usr/bin/hdparm%%-t1%%-X53%%-p:MRK%%part%%found
"

# Strings searched for in shell profiles: string:message.
BASHPROFILESTRINGS="
/dev/proc/fucking/config:Possible%%Rootkit%%found
/dev/proc/toolz/scan:Possible%%Rootkit%%found
/script:Possible%%background%%logger%%found
"

# Files
# type:path:message, where type is "file" or "dir" and decides the test the
# consumer applies; paths carry the ${ROOTDIR} prefix.
FILESCAN="
file:${ROOTDIR}dev/sdr0:Possible%%MD5%%hash%%database
file:${ROOTDIR}tmp/.syshackfile:Trojaned%%syslog%%daemon
file:${ROOTDIR}tmp/.bash_history:Possible%%Lite5-r%%rootkit
file:${ROOTDIR}usr/info/.clib:Possible%%backdoor
file:${ROOTDIR}usr/sbin/tcp.log:Possible%%sniffer
file:${ROOTDIR}usr/bin/take/pid:Trojaned%%SSH%%daemon
file:${ROOTDIR}sbin/create:MzOzD%%Local%%backdoor%%found
file:${ROOTDIR}dev/ttypz:Found%%spwn%%login%%backdoor
dir:${ROOTDIR}usr/bin/take:Trojaned%%SSH%%daemon
dir:${ROOTDIR}usr/src/.lib:Unusual%%directory
dir:${ROOTDIR}usr/share/man/man1/.1c:Possible%%Eggdrop%%installed
dir:${ROOTDIR}lib/lblip.tk:Directory%%with%%backdoored%%SSH-configuration
dir:${ROOTDIR}usr/sbin/...:Unusual%%directory
dir:${ROOTDIR}usr/share/.gun:Unusual%%directory
"


# Evil strings for *BSD KLD (Dynamic Kernel Linker modules)
# Plain word list matched against kldstat output; the commented-out block
# below is a richer keyword:message format that is not wired up yet.
KLDSTATKEYWORDS="backd00r backdoor"

# New:
#KLDSTATKEYWORDS="
#backd00r:Unknown%%backdoor
#backdoor:Unknown%%backdoor
#r00tkit:Unknown%%backdoor
#rootkit:Unknown%%backdoor
#darkside:Darkside%%KLD
#hide_link_file:Darkside%%KLD
#"

# Loaded-module names that identify a known LKM rootkit: name:message.
LKMSCAN="
LuCe%%LKM:LuCe%%LKM-module
"

# Strings inside module files: pattern:name:description.  The first field is
# an alternation ("|"), so the consumer presumably uses extended regexps.
LKMSTRINGS="
pass.log|thc.org:THC%%Vlogger:Keylogger/sniffer
"

# Strings searched for in rc.local: string:message.
RCLOCAL_STRINGS="
/usr/bin/rpc.wall:Unknown
sshdd:Possible%%GasKit
hidef:Possible%%part%%of%%Knark%%found
"

# Integrity tests
# Sample of signature paths used by the strings(1) self-test further down.
# BOBKIT_*, CINIK_*, DICA_FILES and FREEBSD_RK_FILES are defined earlier in
# this file (outside this section).
STRINGS_INTEGRITY="${BOBKIT_FILES} ${BOBKIT_DIRS} ${CINIK_FILES} ${CINIK_DIRS} ${DICA_FILES} ${FREEBSD_RK_FILES}
${TBD_FILES} ${TORN_FILES} ${TORN_DIRS}"

# Known sniffer log locations.
SNIFFER_FILES="
${ROOTDIR}usr/lib/libice.log
"

# mod_rootme Apache backdoor module, at the module paths of the Apache
# layouts this script knows about.
APACHE_MOD_ROOTME="
${ROOTDIR}usr/local/apache/libexec/mod_rootme.so
${ROOTDIR}usr/lib/apache/1.3/mod_rootme.so
${ROOTDIR}usr/lib/apache2/modules/mod_rootme2.so
${ROOTDIR}usr/local/apache2/modules/mod_rootme2.so
"

# Candidate httpd.conf locations (checked for backdoor modules elsewhere).
HTTPDCONFS="
${ROOTDIR}usr/local/apache/conf/httpd.conf
${ROOTDIR}usr/local/etc/apache/httpd.conf
${ROOTDIR}etc/apache/httpd.conf
"


# port:name -- listening ports associated with known tools.  A bare port
# number is a weak indicator on its own (anything may bind 31337).
BAD_PROCESSES="
31337:Linsniffer
"


##################################################################################################
#
# Initialisation
#
##################################################################################################

    # Detect OS
    # Kernel name from uname(1) ("Linux", "FreeBSD", "SunOS", ...); it selects
    # the per-OS detection branch below.
    OPERATING_SYSTEM="$(uname)"

    # "1" once a branch has recognised the OS; stays "0" for unknown systems.
    valid_os="0"

    # Clear screen for a clean start
    #clear
      
      
# Begin parameters
      
##################################################################################################
#
# check complete system
#
##################################################################################################

# Section marker in the log file (logtext is defined earlier in this file).
logtext "---------------------------- System checks ----------------------------"

if [ "${CHECK}" -eq 1 ]
  then
	# Record that the run is in its preparation phase (save_state is defined
	# elsewhere in this file; presumably used to detect interrupted runs).
	STATE="prepare"
	save_state

    # Banner, then the OS detection result is appended on the same line.
    displaytext ""; displaytext "";
    displaytext "`_ "%1 %2 is running" "${PROGRAM_NAME}" "${PROGRAM_version}"`"
    displaytext ""
    displaytext -n "`_ "Determining OS..."` "

    # Mac OS X (kernel name "Darwin"): accepted as-is, no version parsing.
    case "${OPERATING_SYSTEM}" in
      Darwin)
        valid_os="1"
        full_osname="Mac OS X"
        ;;
    esac

    # IBM AIX: oslevel(1) prints a four-part level; known levels are mapped
    # to the short version used in the OS database, anything else becomes
    # "unknown" (the OS is still accepted as valid by this branch).
    case "${OPERATING_SYSTEM}" in
      AIX)
        valid_os="1"
        OPERATING_VERSIONTMP="$(oslevel)"
        case "${OPERATING_VERSIONTMP}" in
          4.3.2.0) OPERATING_VERSION="4.3.2" ;;
          4.3.3.0) OPERATING_VERSION="4.3.3" ;;
          5.1.0.0) OPERATING_VERSION="5.1" ;;
          5.2.0.0) OPERATING_VERSION="5.2" ;;
          5.3.0.0) OPERATING_VERSION="5.3" ;;
          5.4.0.0) OPERATING_VERSION="5.4" ;;
          *)       OPERATING_VERSION="unknown" ;;
        esac
        full_osname="IBM AIX ${OPERATING_VERSION}"
        ;;
    esac
    
    # Sun
    # Sun Solaris: the SunOS kernel release (uname -r) is mapped to the
    # Solaris marketing version; the processor type goes into the name too.
    case "${OPERATING_SYSTEM}" in
      SunOS)
        valid_os="1"
        OPERATING_VERSIONTMP="$(uname -r)"
        OPERATING_ARCH="$(uname -p)"
        case "${OPERATING_VERSIONTMP}" in
          4.1.3) OPERATING_VERSION="1.1" ;;
          5.6)   OPERATING_VERSION="2.6" ;;
          5.8)   OPERATING_VERSION="8" ;;
          5.9)   OPERATING_VERSION="9" ;;
          5.10)  OPERATING_VERSION="10" ;;
          *)     OPERATING_VERSION="Unknown" ;;
        esac
        full_osname="Sun Solaris ${OPERATING_VERSION} (${OPERATING_ARCH})"
        # Solaris keeps POSIX-compatible tools in /usr/xpg4/bin but does not
        # put them first on PATH; commands run later are prefixed with this.
        BINPREFIX="${ROOTDIR}usr/xpg4/bin/"
        ;;
    esac
    
    if [ "${OPERATING_SYSTEM}" = "Linux" ]
      then
        # Ok, so this OS is one of the many Linux members :/
        valid_os="0"	
	
	# major.minor of the running kernel (e.g. "2.6"), and whether the uname
	# banner mentions grsecurity; GRSECINSTALLED is consulted later to skip
	# tests that grsec's /proc restrictions would break.
	KERNELVERSION="$(uname -r | cut -d '.' -f1,2)"
	logtext "Info: kernel is ${KERNELVERSION}"

	GRSEC="$(uname -a | grep 'grsec')"
	GRSECINSTALLED=0
	[ -n "${GRSEC}" ] && GRSECINSTALLED=1

	# First we check it's the one with the red cap
	# Red Hat family.  /etc/redhat-release also exists on several derivatives
	# (Mandrake, Fedora, Aurora, Trustix, Tao, PCLinuxOS), so their own
	# release files are tested first and only an otherwise-unidentified
	# system falls through to the plain Red Hat case.  Later matches
	# overwrite full_osname, so the order of these tests is significant.
	#
	# NOTE(review): the release files are read from the live /etc, not from
	# ${ROOTDIR}etc, so an alternate-root scan identifies the host rather
	# than the scanned tree.  Their content ends up in full_osname and is
	# later used to select the hash database; on a compromised host that is
	# attacker-writable input.
	# First we check it's the one with the red cap
	if [ -e "/etc/redhat-release" ]
	  then
	    # Mandrake uses the redhat-release file as a link to mandrake-release...
	    if [ -e "/etc/mandrake-release" ]
	      then
	        if [ -e "/etc/pclinuxos-release" ]
		  then
		    # It's pclinuxos (it has 3 release files..)
		    full_osname=`cat /etc/pclinuxos-release`
		    valid_os="1"
		    logtext "Info: Found /etc/pclinuxos-release"
		  else
		    # No, it's not Red Hat, but Mandrake
		    full_osname=`cat /etc/mandrake-release`
		    valid_os="1"
		    logtext "Info: Found /etc/mandrake-release"
		fi
	    fi

	    # And Fedora too...
	    # (the name is taken from redhat-release, fedora-release only selects
	    # the branch; the architecture is appended and patched-software
	    # version handling is enabled)
	    if [ -e "/etc/fedora-release" ]
	      then
		full_osname=`cat /etc/redhat-release`
		valid_os="1"
		logtext "Info: Found /etc/fedora-release"
		uname_model=`uname -m`
		case $uname_model in
		    i[0-9]86) architecture=i386; ;;
		    x86_64)   architecture=x86_64; ;;
		esac	  
		logtext "Architecture ${uname_model} (->${architecture})"
		full_osname="${full_osname} (${architecture})"
		USE_PATCHED_SOFTWARE=1
	    fi

	    # And Aurora (SPARC) too...
	    if [ -e "/etc/aurora-release" ]
	      then
		full_osname=`cat /etc/aurora-release`
		valid_os="1"
		logtext "Info: Found /etc/aurora-release"
		uname_model=`uname -m`
		logtext "Architecture ${uname_model}"
	    fi

	    # And Trustix too...	    
	    # /etc/release is a generic name, so its content must mention Trustix.
	    if [ -e "/etc/release" ]
	      then
	        TRUSTIX=`cat /etc/release | grep Trustix`
		if [ ! "${TRUSTIX}" = "" ]
		  then
		    full_osname=`cat /etc/release`
		    valid_os="1"
		    logtext "Info: Found /etc/release"
		fi
	    fi

	    # And Tao Linux too...	    
	    if [ -e "/etc/tao-release" ]
	      then
	        TAOREL=`cat /etc/tao-release | grep 'Tao Linux'`
		if [ ! "${TAOREL}" = "" ]
		  then
		    full_osname=`cat /etc/tao-release`
		    valid_os="1"
		    logtext "Info: Found /etc/tao-release"
		fi
	    fi
	    
	    # Still found no valid OS
	    if [ "${valid_os}" -eq 0 ]
	      then
		# Yes, it's Red Hat Linux (or a clone without an extra release file).
		# The name and version is in there..
		full_osname=`cat /etc/redhat-release`
		valid_os="1"
		logtext "Info: Found /etc/redhat-release"
		USE_PATCHED_SOFTWARE=1
	    fi
	fi


	# Debian?
	# Debian: the version is the whole content of /etc/debian_version and the
	# architecture is derived from uname -m.  Both must be known for the OS
	# to count as identified (the hash database is keyed on the full name).
	if [ -e "/etc/debian_version" ]; then
	    version="$(cat /etc/debian_version)"

	    uname_model="$(uname -m)"
	    case "${uname_model}" in
		i[0-9]86)       architecture=i386 ;;
		sun4u|sparc64)  architecture=sparc64 ;;
		arm*)           architecture=arm ;;
		ppc)            architecture=powerpc ;;
		x86_64)         architecture=x86_64 ;;
	    esac

	    if [ -n "${version}" ] && [ -n "${architecture}" ]; then
		full_osname="Debian ${version} (${architecture})"
		valid_os="1"
	      else
		valid_os="0"
	    fi

	    logtext "Info: Found /etc/debian_version"
	    USE_PATCHED_SOFTWARE=1
	fi

	# PLD Linux?
	# PLD Linux: /etc/pld-release already carries the distribution name, so
	# only the architecture is appended; both must be non-empty.
	if [ -e "/etc/pld-release" ]; then
	    version="$(cat /etc/pld-release)"

	    uname_model="$(uname -m)"
	    case "${uname_model}" in
		i[0-9]86)       architecture=i386 ;;
		sun4u|sparc64)  architecture=sparc64 ;;
		arm*)           architecture=arm ;;
		ppc)            architecture=powerpc ;;
	    esac

	    if [ -n "${version}" ] && [ -n "${architecture}" ]; then
		full_osname="${version} (${architecture})"
		valid_os="1"
	      else
		valid_os="0"
	    fi

	    logtext "Info: Found /etc/pld-release"
	fi

	# Cobalt
	# Cobalt, CPUBuilders and e-smith each ship a release file whose content
	# is used verbatim as the OS name.
	if [ -e "/etc/cobalt-release" ]; then
	    # /etc/vendor-release is deliberately ignored
	    version="$(cat /etc/cobalt-release)"
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/cobalt-release"
	fi

	if [ -e "/etc/cpub-release" ]; then
	    version="$(cat /etc/cpub-release)"
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/cpub-release"
	fi

	if [ -e "/etc/e-smith-release" ]; then
	    version="$(cat /etc/e-smith-release)"
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/e-smith-release"
	fi

	# SuSE?
	# SuSE and SuSE Linux Openexchange Server.  Both release files span
	# several lines, so only the line naming the product is kept.  The SuSE
	# match is case-insensitive because SLES spells it differently; the
	# SLOX one is not.
	if [ -e "/etc/SuSE-release" ]; then
	    version="$(grep -i "SuSE Linux" /etc/SuSE-release)"
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/SuSE-release"
	fi

	if [ -e "/etc/SLOX-release" ]; then
	    version="$(grep "SuSE Linux" /etc/SLOX-release)"
	    full_osname="${version}"
	    valid_os="1"
	    logtext "Info: Found /etc/SLOX-release"
	fi

	# Turbo Linux?
	# Turbo Linux, Slackware and YellowDog: single-line release files used
	# verbatim as the OS name.  (debugdate/DEBUGFILE come from earlier in
	# this file.)
	if [ -e "/etc/turbolinux-release" ]; then
	    full_osname="$(cat /etc/turbolinux-release)"
	    valid_os="1"
	    debugdate >> ${DEBUGFILE}
	    logtext "Info: Found /etc/turbolinux-release"
	fi

	if [ -e "/etc/slackware-version" ]; then
	    full_osname="$(cat /etc/slackware-version)"
	    valid_os="1"
	    debugdate >> ${DEBUGFILE}
	    logtext "Info: Found /etc/slackware-version"
	fi

	if [ -e "/etc/yellowdog-release" ]; then
	    full_osname="$(cat /etc/yellowdog-release)"
	    valid_os="1"
	    debugdate >> ${DEBUGFILE}
	    logtext "Info: Found /etc/yellowdog-release"
	fi

	# Gentoo?
	# Gentoo: the fifth word of /etc/gentoo-release is the base-system
	# release, of which only major.minor is kept; GENTOO=1 flags the
	# distribution for later checks.
	if [ -e "/etc/gentoo-release" ]; then
	    GENTOO=1
	    version="$(awk '{ print $5 }' /etc/gentoo-release | cut -d '.' -f1,2)"
	    uname_model="$(uname -m)"
	    case "${uname_model}" in
		i[0-9]86) architecture=i386 ;;
		ppc)      architecture=powerpc ;;
		sparc)    architecture=sparc ;;
		sparc64)  architecture=sparc64 ;;
		x86_64)   architecture=x86_64 ;;
	    esac
	    logtext "Architecture ${uname_model} (->${architecture})"

	    full_osname="Gentoo Linux ${version} (${architecture})"
	    valid_os="1"

	    debugdate >> ${DEBUGFILE}
	    logtext "Info: Found /etc/gentoo-release"
	fi
    fi

    
    # FreeBSD: kern.osrelease reads like "6.0-RELEASE"; the part before the
    # dash is the version, the part after it says RELEASE/STABLE/CURRENT.
    # Hash databases exist only for stock RELEASE kernels ("#0" build), so
    # anything else disables the MD5 checks.
    case "${OPERATING_SYSTEM}" in
      FreeBSD)
        valid_os="1"
	version="$(sysctl -n kern.osrelease | cut -d "-" -f 1)"
	architecture="$(sysctl -n hw.machine_arch)"
	SUBVERSION="$(sysctl -n kern.osrelease | cut -d "-" -f 2 | tr -d ' ')"
	SUBVERSION2="$(uname -a | grep "RELEASE #0")"
	full_osname="FreeBSD ${version} (${architecture})"

	logtext "Info: Found FreeBSD ${version}"

	debugdate >> ${DEBUGFILE}
	if [ "${SUBVERSION}" = "RELEASE" ] && [ -n "${SUBVERSION2}" ]; then
	    logtext "Debug: You have a 'RELEASE' version of FreeBSD" >> ${DEBUGFILE}
	  else
	    logtext "Debug: You have NOT a 'RELEASE' version of FreeBSD" >> ${DEBUGFILE}
	    MD5CHECK_SKIP=1
	fi
        ;;
    esac

    # OpenBSD: release and machine type straight from uname.
    # NetBSD: accepted, but no name is built (full_osname stays empty), so
    # the OS-database lookup below will not find it.
    case "${OPERATING_SYSTEM}" in
      OpenBSD)
        valid_os="1"
	version="$(uname -r)"
	architecture="$(uname -m)"
	full_osname="OpenBSD ${version} (${architecture})"
        ;;
      NetBSD)
        valid_os="1"
        ;;
    esac
    # Extract information from Operating System database
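    # Look up the detected OS in os.dat.  The cut calls show the record as
    # id:name:md5tool:binroot.  full_osname is built from release files on
    # the scanned host (untrusted on a compromised box), so it is matched as
    # a fixed string (-F) rather than a regex.  An empty name is treated as
    # "no record": previously it became the pattern ":" and matched the
    # first record in the file, giving an unrecognised OS another OS's hash
    # database.  Only the first matching record is used.
    if [ -n "${full_osname}" ]; then
      os_string="$(grep -F -- "${full_osname}:" "${DB_PATH}/os.dat" | head -n 1)"
    else
      os_string=""
    fi
    os_id="$(printf '%s\n' "${os_string}" | cut -d ":" -f1)"
    md5="$(printf '%s\n' "${os_string}" | cut -d ":" -f3)"
    if [ -z "${md5}" ]; then
      md5="md5_not_known"
    fi
    binroot="$(printf '%s\n' "${os_string}" | cut -d ":" -f4)"

    if [ -z "${os_id}" ]; then
        valid_os="0"
    fi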

    # Without an OS id no hash database can be selected: say so and disable
    # the MD5 checks (everything else still runs).
    if [ "${valid_os}" = "0" ]; then
        displaytext "Unknown"
	displaytext "Warning: This operating system is not fully supported!"
	logtext "Warning: This operating system is not fully supported!"
	os_id="NA"
	MD5CHECK_SKIP=1
      else
        displaytext "`_ Ready`"
    fi

    # Record what was decided; md5 is the hash tool (possibly with options)
    # taken from os.dat, or "md5_not_known".
    logtext "Info: Full OS name = ${full_osname}"
    logtext "Info: OS ID = ${os_id}"


    logtext "Info: Using ${md5} to verify MD5 hashes"

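	# The hash tool from os.dat may carry options ("md5 -q"), so only its
	# first word is tested.  The expansion is quoted on purpose: with an
	# empty value the old unquoted form became "[ -e ]", which is true (a
	# one-argument test), and the MD5 checks stayed enabled with no tool to
	# run them.  Now an empty or missing tool disables them.
	if [ -n "${md5}" ] && [ -e "${md5%% *}" ]
	  then
	    logtext "Info: ${md5} found"
          else
            displaytext "`_ "Warning: Cannot find %1" "${md5}"`"
	    displaytext "`_ "All MD5 checks will be skipped!"`"
	    MD5CHECK_SKIP=1
        fi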

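	# Scratch directory for files the checks write.  The expansion is quoted
	# and an empty value rejected: unquoted, an empty TMPDIR turned the test
	# into "[ -d ]" (always true) and later scratch files landed in "/".
	# The failure is shown to the user, not only written to the debug log.
	# NOTE(review): only existence is verified here.  Scratch files below are
	# written as root under fixed names, so TMPDIR should be a root-owned,
	# non-world-writable directory; where it is set is outside this section.
	if [ -n "${TMPDIR}" ] && [ -d "${TMPDIR}" ]
	  then
	    logtext "Info: using ${TMPDIR} as temporary directory"
	  else
	    logtext "Fatal: temporary directory ${TMPDIR} doesn't exist." >> ${DEBUGFILE}
	    displaytext "Fatal error: temporary directory '${TMPDIR}' doesn't exist."
	    exit 1
	fi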

	# A full scan reads /etc/shadow, /proc and system binaries: refuse to
	# continue unless the effective user is root.
	if [ "$(${BINPREFIX}id -u)" != "0" ]
	  then
	    displaytext "`_ "Fatal error: root rights needed to perform a full scan"`"
	    exit 1
	fi
	logtext "Info: UID is zero (root)" >> ${DEBUGFILE}

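	# Perl is optional.  When available, check_modules.pl reports which
	# Digest modules are installed; Digest::MD5 then replaces the external
	# hash tool.  (Digest::SHA1 is detected but, as before, not used yet.)
	# "0${PERLFOUND}" keeps the test well-formed when PERLFOUND is unset,
	# the same idiom this file uses for STRINGSFOUND and LSOFFOUND.
	if [ "0${PERLFOUND}" -eq 1 ]
	  then
	    logtext "Info: Perl version ${PERLVERSION} found"

	    # Run the probe script once and grep its output for each module,
	    # instead of executing it once per module.
	    perlmodules="$("${MYDIR}/lib/rkhunter/scripts/check_modules.pl")"
	    perlmd5installed="$(printf '%s\n' "${perlmodules}" | grep 'Digest::MD5 installed')"
	    perlsha1installed="$(printf '%s\n' "${perlmodules}" | grep 'Digest::SHA1 installed')"

	    if [ -n "${perlmd5installed}" ]
	      then
	        md5="${MYDIR}/lib/rkhunter/scripts/filehashmd5.pl"
		logtext "Info: ${perlmd5installed}" >> ${DEBUGFILE}
		logtext "Info: Using Perl Digest::MD5 module instead of ${MD5BINARY}"
	    fi

	    if [ -n "${perlsha1installed}" ]
	      then
	        #sha1="${MYDIR}/lib/rkhunter/scripts/filehashsha1.pl"
		logtext "Info: ${perlsha1installed}" >> ${DEBUGFILE}
		#logtext "Using Perl Digest::SHA1 module instead of ${SHA1BINARY}"
	    fi

	  else
	    logtext "Info: Perl not found"
	fi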

    # The *_KSYMS tables need /proc/ksyms; note its absence once, up front.
    [ -f "${ROOTDIR}proc/ksyms" ] || logtext "Info: ksyms file check will be skipped (${ROOTDIR}proc/ksyms not available on this system)"



    logtext "---------------------------- File checks -----------------------------"


NEEDEDFILES="
${DB_PATH}/md5blacklist.dat
${DB_PATH}/mirrors.dat
${DB_PATH}/programs_bad.dat
${DB_PATH}/programs_good.dat
"

    # The checks cannot run without their data files: stop at the first one
    # that is missing.
    for I in ${NEEDEDFILES}; do
      logtext -n "Checking ${I}... "
      if [ ! -f "${I}" ]; then
	  logtext --nodate "Error. Doesn't exists!"
	  displaytext "`_ "Fatal error: file %1 doesn't exists. Please check your paths and/or parameters." "${I}"`"
	  exit 1
      fi
      logtext --nodate "OK"
    done

	# Calculate works amount.

	# Work estimate for the progress indicator: a fixed cost per test group
	# plus 4 per distinct, existing file that has hashes for this OS.
	TOTAL_PROGRESS_VAL=1
	[ "0${STRINGSFOUND}" -eq 1 ] && inc_to_total 35

	for i in $(grep "${os_id}:/" "${DB_PATH}/defaulthashes.dat"); do
		file="$(printf '%s\n' "${i}" | cut -d : -f 2)"
		if [ "${file}" != "${lastfile}" ] && [ -e "${file}" ]; then
			inc_to_total 4
		fi
		lastfile="${file}"
	done

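	inc_to_total 218
	[ "0${STRINGSFOUND}" -eq 1 ] && inc_to_total 38 # Scanning for known rootkit strings
	inc_to_total 13 # Scanning for known rootkit files
	[ "0${LSOFFOUND}" -eq 1 ] && inc_to_total 25 # Testing running processes
	inc_to_total 2 # Miscellaneous Login backdoors
	inc_to_total 2 # Miscellaneous directories
	[ -f "${TRIPWIREFILE}" ] && inc_to_total 2 # Software related files
	inc_to_total 2 # Sniffer logs
	[ -f /etc/rc.d/rc.sysinit ] && inc_to_total 6 # Checking /etc/rc.d/rc.sysinit
	[ -f /etc/inetd.conf ] && inc_to_total 5 # Checking /etc/inetd.conf
	# xinetd: half the number of files under its includedir.  Only descend
	# when the directive is present and names an existing directory -- the
	# old one-liner expanded a missing includedir to "/" and then walked the
	# whole filesystem just to size the progress bar.
	if [ "${OPERATING_SYSTEM}" = "Linux" ] && [ -f /etc/xinetd.conf ]; then
		XINETD_INCDIR="$(grep includedir /etc/xinetd.conf | cut -d' ' -f2-)"
		if [ -n "${XINETD_INCDIR}" ] && [ -d "${XINETD_INCDIR}" ]; then
			inc_to_total $(( $(find "${XINETD_INCDIR}/" -type f 2>/dev/null | wc -l) / 2 )) # Checking /etc/xinetd.conf
		fi
	fi

	inc_to_total 14 # chmod properties
	inc_to_total 14 # Script replacements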

	# Platform-specific test groups.
	case "${OPERATING_SYSTEM}" in
	  FreeBSD)
		inc_to_total 2 # Checking presence of KLD signatures
		inc_to_total 2 # Comparing output sockstat and netstat
		[ -f /usr/local/sbin/pkgdb ] && inc_to_total 2 # Checking packages database
		;;
	  Linux)
		[ -f /proc/modules ] && inc_to_total 2 # Checking loaded kernel modules...
		[ "0${LSATTRFOUND}" -eq 1 ] && inc_to_total $(( $(find ${BINPATHS} -maxdepth 1 -mindepth 1 2>/dev/null | wc -l) / 9 )) # Checking files attributes
		[ -d "/lib/modules/$(uname -r)" ] && inc_to_total $(( $(${FINDBINARY} "/lib/modules/$(uname -r)" -name "*.o" -print 2>/dev/null | wc -l) / 2 )) # Checking LKM module path
		;;
	esac

	if [ "${OPERATING_SYSTEM}" = "Linux" ] || [ "${OPERATING_SYSTEM}" = "FreeBSD" ]; then
		# grsecurity locks down /proc/*, so the backdoor-port test is skipped there
		[ "0${GRSECINSTALLED}" -ne 1 ] && inc_to_total $(( 2 * $(cat ${DB_PATH}/backdoorports.dat | wc -l) )) # Check: frequently used backdoors
		inc_to_total 2 # Scanning for promiscuous interfaces
	fi

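	# Account, service and configuration test groups.
	[ -e "/etc/shadow" ] && inc_to_total $(( $(cat /etc/shadow | wc -l) / 5 )) # Checking passwordless user accounts
	if [ "${PASSWDCHECK_SKIP}" -eq 0 ]; then
		[ -e "/etc/passwd" ] && [ -e "${TMPDIR}/passwd" ] && inc_to_total 2 # Checking for differences in user accounts
		[ -e "/etc/group" ] && [ -e "${TMPDIR}/group" ] && inc_to_total 2 # Checking for differences in user groups
	fi
	inc_to_total 14 # Checking boot.local/rc.local file
	[ -d /etc/rc.d ] && inc_to_total $(( 3 * $(find /etc/rc.d/* 2>/dev/null | wc -l) / 2 )) # Checking rc.d files

	[ -f /root/.bash_history ] && inc_to_total 2 # Checking history files
	[ -d "${ROOTDIR}dev" ] && inc_to_total $(( $(file "${ROOTDIR}dev/"* 2>/dev/null | wc -l) / 70 )) # Checking /dev for suspicious files
	inc_to_total 4 # Scanning for hidden files

	# "ls -d" counts the entries themselves; without -d an entry that is a
	# directory would be listed by content and inflate the count.
	[ -d /etc/apache2/mods-enabled ] && inc_to_total $(( $(ls -d /etc/apache2/mods-enabled/* 2>/dev/null | wc -l) / 2 )) # Checking Apache2 modules in /etc/apache2/mods-enabled

	# One group of 4 per application binary found on BINPATHS.  The name
	# list must be unquoted: quoted, the loop ran once with the whole string
	# as the name, so "${I}/gpg httpd ... sshd" never existed and no
	# application was ever counted.
	for APPLICATION in gpg httpd named openssl php procmail proftpd sshd; do
		for I in ${BINPATHS}; do
			[ -f "${I}/${APPLICATION}" ] && inc_to_total 4
		done
	done

	[ -e "${ROOTDIR}etc/passwd" ] && inc_to_total 2 # Checking users with UID '0' (root)
	SSHDCONFIG_PLACES="${ROOTDIR}etc ${ROOTDIR}etc/ssh ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/ssh"
	for I in ${SSHDCONFIG_PLACES}; do
		[ -e "${I}/sshd_config" ] && inc_to_total 8
	done
	[ -e "/etc/syslog.conf" ] || [ -e "/etc/syslog-ng/syslog-ng.conf" ] && inc_to_total 5 # Search for syslog configuration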

	# Timestamp for the report and switch the saved state to "check".
	# (LC_ALL=en presumably aims at English day/month names; "en" is rarely
	# an installed locale, in which case date falls back to the C locale,
	# which is English too, so the output is the same either way.)
	START_TIME="$(LC_ALL=en date "+%a, %e %b %Y %T %z")"
	STATE=check
	save_state
 
 
    # Section header on screen and in the log (colour variables such as
    # YELLOW/NORMAL and ${test} are set elsewhere in this file).
    displaytext ""; displaytext ""
    displaytext "${YELLOW}`_ "Checking binaries"`${NORMAL}"
    displaytext "${test}* `_ Selftests`${NORMAL}"    

    logtext "------------------------------ Selftests ------------------------------"

    # Self check

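	# Self-test of strings(1): every signature in STRINGS_INTEGRITY is written
	# to a scratch file and must come back through the same strings|grep
	# pipeline the real scans use.  Skipped when no strings binary was
	# found (STRINGSFOUND is set elsewhere; "0${...}" keeps the test valid
	# when it is unset, as the progress code above does).
	SIZE=23
	displaytext -n "     `_ "Strings (command)"`"
	jump=`expr ${defaultcolumn} - ${SIZE}`
	STRINGSFAILED=0
	STRINGSTESTFILE="${TMPDIR}/stringstest.dat"

	if [ "0${STRINGSFOUND}" -eq 1 ]
	  then
    	    for I in ${STRINGS_INTEGRITY}; do
	      logtext -n "Strings selftest: scanning for string ${I}... "
	      # The scratch file has a fixed name and is written as root, so it
	      # is created with noclobber (O_EXCL semantics): a pre-existing file
	      # or symlink at that path -- e.g. planted in a shared TMPDIR --
	      # makes the write fail instead of being followed and overwritten.
	      rm -f -- "${STRINGSTESTFILE}"
	      if ( set -C; printf '%s\n' "${I}" > "${STRINGSTESTFILE}" ) 2>/dev/null
	        then
	          # Fixed-string match: signatures contain '.' and '*', which a
	          # regex grep would interpret.
	          STRINGFOUND=`strings "${STRINGSTESTFILE}" | grep -F -- "${I}" | tr -d ' '`
	        else
	          logtext --nodate "cannot create ${STRINGSTESTFILE}... "
	          STRINGFOUND=""
	      fi
	      if [ "${STRINGFOUND}" = "" ]
		then
	          STRINGSFAILED=1
	          FAILEDSTRINGS="${FAILEDSTRINGS} ${I}"
		  logtext --nodate "WARNING!"
		else
		  logtext --nodate "OK"
	      fi
	    done
	
	    # NOTE(review): ${file} in the two display lines below holds whatever
	    # the progress loop above last assigned to it (a path from
	    # defaulthashes.dat).  That looks unintended, but the output format
	    # is kept as it was.
	    if [ "${STRINGSFAILED}" -eq 1 ]
	      then
		  insertlayout
		  displaytext $E "   ${file}${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
		  displaytext ""
		  displaytext "-----------------------------------------------------------------------------------"
		  displaytext "`_ "Expected (but not found) strings:"`"
		  displaytext "${FAILEDSTRINGS}"
		  displaytext "-----------------------------------------------------------------------------------"
	    else
		  jump=`expr ${defaultcolumn} - ${SIZE}`
		  insertlayout
		  displaytext $E "   ${file}${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi
	    displaytext "${NORMAL}"

		inc_progress 35
	  else
	    insertlayout
	    displaytext $E "   ${file}${LAYOUT}[ ${WHITE}`_ Skipped!`${NORMAL} ]"
	fi

	# Clean up the scratch file (rm -f is quiet when it does not exist)
	rm -f -- "${STRINGSTESTFILE}"
	
    displaytext ""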



    # Section header for the hash checks of system binaries.
    logtext "---------------------------- MD5 hash tests ---------------------------"

    # Binary check
    
    displaytext "${test}* `_ "System tools"`${NORMAL}"    

    if [ $MD5CHECK_SKIP -eq 0 ]
      then    
	logtext "Starting MD5 checksum test (${md5})"
	
	# Prelinked binaries differ on disk from their packaged form; remember
	# that a prelink cache exists so the hash checks can allow for it
	# (PRELINKBINARY is set elsewhere in this file).
	PRELINKING=0
	if [ -e "${ROOTDIR}etc/prelink.cache" ]; then
	    PRELINKING=1
	    logtext "Found cache file of prelinked files"
	    logtext "Using prelink binary: ${PRELINKBINARY}"
	    displaytext "`_ "Info: prelinked files found"`"
	fi

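	# Check if we have any 'known good' checksums for this operating system.
	# If not (or when PERFORMKNOWNBAD, set elsewhere, asks for it) the
	# binaries are compared against the 'known bad' blacklist instead.
	DBMD5COUNT="$(grep "${os_id}:/" "${DB_PATH}/defaulthashes.dat")"
	if [ "${DBMD5COUNT}" = "" ] || [ "0${PERFORMKNOWNBAD}" -eq 1 ]
	  then
	  
	    displaytext "  ${WHITE}`_ "Performing 'known bad' check..."`${NORMAL}"

	    # Files to check	  
	    CHECKFILES="${ROOTDIR}bin/cat ${ROOTDIR}bin/chmod ${ROOTDIR}bin/chown ${ROOTDIR}bin/csh ${ROOTDIR}bin/date ${ROOTDIR}bin/df ${ROOTDIR}bin/dmesg ${ROOTDIR}bin/echo ${ROOTDIR}bin/ed ${ROOTDIR}bin/egrep ${ROOTDIR}bin/env ${ROOTDIR}bin/fgrep ${ROOTDIR}bin/grep ${ROOTDIR}bin/id ${ROOTDIR}bin/kill ${ROOTDIR}bin/login ${ROOTDIR}bin/ls ${ROOTDIR}bin/md5 ${ROOTDIR}bin/more ${ROOTDIR}bin/mount ${ROOTDIR}bin/netstat ${ROOTDIR}bin/ps ${ROOTDIR}bin/sh ${ROOTDIR}bin/sha1 ${ROOTDIR}bin/sort ${ROOTDIR}bin/su ${ROOTDIR}sbin/checkproc ${ROOTDIR}sbin/chkconfig ${ROOTDIR}sbin/depmod ${ROOTDIR}sbin/dmesg ${ROOTDIR}sbin/ifconfig ${ROOTDIR}sbin/ifdown ${ROOTDIR}sbin/ifstatus ${ROOTDIR}sbin/ifup ${ROOTDIR}sbin/init ${ROOTDIR}sbin/insmod ${ROOTDIR}sbin/ip ${ROOTDIR}sbin/kldload ${ROOTDIR}sbin/kldstat ${ROOTDIR}sbin/kldunload ${ROOTDIR}sbin/ksyms ${ROOTDIR}sbin/lsmod ${ROOTDIR}sbin/md5 ${ROOTDIR}sbin/modinfo ${ROOTDIR}sbin/modload ${ROOTDIR}sbin/modprobe ${ROOTDIR}sbin/modunload ${ROOTDIR}sbin/nologin ${ROOTDIR}sbin/rmmod ${ROOTDIR}sbin/runlevel ${ROOTDIR}sbin/sulogin ${ROOTDIR}sbin/sysctl ${ROOTDIR}sbin/syslogd ${ROOTDIR}usr/bin/basename ${ROOTDIR}usr/bin/chattr ${ROOTDIR}usr/bin/du ${ROOTDIR}usr/bin/egrep ${ROOTDIR}usr/bin/fgrep ${ROOTDIR}usr/bin/file ${ROOTDIR}usr/bin/find ${ROOTDIR}usr/bin/groups ${ROOTDIR}usr/bin/head ${ROOTDIR}usr/bin/kill ${ROOTDIR}usr/bin/killall ${ROOTDIR}usr/bin/last ${ROOTDIR}usr/bin/lastlog ${ROOTDIR}usr/bin/less ${ROOTDIR}usr/bin/locate ${ROOTDIR}usr/bin/logger ${ROOTDIR}usr/bin/login ${ROOTDIR}usr/bin/lsattr ${ROOTDIR}usr/bin/md5sum ${ROOTDIR}usr/bin/modstat ${ROOTDIR}usr/bin/more ${ROOTDIR}usr/bin/netstat ${ROOTDIR}usr/bin/newsyslog ${ROOTDIR}usr/bin/passwd ${ROOTDIR}usr/bin/pstree ${ROOTDIR}usr/bin/sha1sum ${ROOTDIR}usr/bin/size ${ROOTDIR}usr/bin/slocate ${ROOTDIR}usr/bin/sockstat ${ROOTDIR}usr/bin/sort ${ROOTDIR}usr/bin/stat ${ROOTDIR}usr/bin/strace ${ROOTDIR}usr/bin/strings ${ROOTDIR}usr/bin/su ${ROOTDIR}usr/bin/systat ${ROOTDIR}usr/bin/test 
${ROOTDIR}usr/bin/top ${ROOTDIR}usr/bin/touch ${ROOTDIR}usr/bin/uname ${ROOTDIR}usr/bin/users ${ROOTDIR}usr/bin/vmstat ${ROOTDIR}usr/bin/w ${ROOTDIR}usr/bin/watch ${ROOTDIR}usr/bin/wc ${ROOTDIR}usr/bin/wget ${ROOTDIR}usr/bin/whatis ${ROOTDIR}usr/bin/whereis ${ROOTDIR}usr/bin/which ${ROOTDIR}usr/bin/who ${ROOTDIR}usr/bin/whoami ${ROOTDIR}usr/sbin/adduser ${ROOTDIR}usr/sbin/amd ${ROOTDIR}usr/sbin/chroot ${ROOTDIR}usr/sbin/cron ${ROOTDIR}usr/sbin/inetd ${ROOTDIR}usr/sbin/kudzu ${ROOTDIR}usr/sbin/syslogd ${ROOTDIR}usr/sbin/tcpd ${ROOTDIR}usr/sbin/useradd ${ROOTDIR}usr/sbin/usermod ${ROOTDIR}usr/sbin/vipw ${ROOTDIR}usr/sbin/xinetd"

	    for I in ${CHECKFILES}; do
	      if [ -f "${I}" ]
	        then
				inc_to_total 2
				inc_progress 2

	          displaytext -n "   ${I}"
		  SIZE=`printf '%s\n' "${I}" | wc -c | tr -d ' '`	  
	          ISBAD=""
	          # ${md5} stays unquoted on purpose: it may carry options.  Only
	          # the first word of its output is kept, since tools like md5sum
	          # print "hash  file" (the old unquoted grep relied on
	          # word-splitting for the same effect).
	          MD5SUM=`${md5} "${I}" 2>/dev/null | awk '{ print $1; exit }'`
		  jump=`expr ${defaultcolumn} - ${SIZE}`
		  insertlayout

	          if [ -z "${MD5SUM}" ]
	            then
	              # No hash, no verdict: a file that could not be hashed must
	              # not be reported OK (and an empty grep pattern would have
	              # matched every blacklist line).  Flag it and move on.
		      displaytext -e "${LAYOUT}[ ${WHITE}`_ Skipped!`${NORMAL} ]"
		      logtext "Warning: could not compute hash of ${I} with ${md5}" >> ${DEBUGFILE}
		      WARNING=1
	            else
	              # Fixed-string match against the blacklist; ISBAD keeps the
	              # matching record(s) as before.
	              ISBAD=`grep -F -- "${MD5SUM}" "${DB_PATH}/md5blacklist.dat"`
	              if [ "${ISBAD}" = "" ]
	                then
		          displaytext -e "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		        else
		          displaytext -e "${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
		          logtext "Possible backdoored or harmfull file found ${I}" >> ${DEBUGFILE}
		          WARNING=1
	              fi
	          fi
	      fi
	    done
	fi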


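	displaytext "  ${WHITE}`_ "Performing 'known good' check..."`${NORMAL}"

	# Compare every file listed for this OS in defaulthashes.dat with its known
	# good MD5 hash(es). Database lines are colon separated: field 2 is the path,
	# field 3 a hash and field 6 the package name (the fields read below). A path
	# may appear on several consecutive lines (one per known hash); ${lastfile}
	# makes sure each file is hashed and reported only once.
	DEFAULTHASHESFILE="${DB_PATH}/defaulthashes.dat"
	lastfile=
	for i in `grep "${os_id}:/" "${DEFAULTHASHESFILE}"`
	do
	  file=`echo ${i} | cut -d : -f 2`
	  SIZE=`echo "${file}" | wc -c | tr -d ' '`
	  MD5_COUNT=`expr ${MD5_COUNT} + 1`
	  FOUND=0
	  if [ ! "${file}" = "${lastfile}" ]
	    then
	      if [ -e "${file}"  ]
	        then
		  FILEHASHES=`grep "${os_id}:/" "${DEFAULTHASHESFILE}" | grep ":${file}:" | cut -d : -f 3`
		  MYPACKAGES=`grep "${os_id}:/" "${DEFAULTHASHESFILE}" | grep ":${file}:" | cut -d : -f 6`

		  # Hash the file once, outside the per-hash loop (the original re-ran
		  # the hash tool, and prelink, for every stored hash of the file).
		  if [ ${PRELINKING} -eq 1 ]
		    then
		      # prelink rewrites binaries on disk, so hash the un-prelinked image.
		      # NOTE(review): ${TMPDIR}/prelink.tst is a fixed name; if TMPDIR is
		      # shared with other users this is open to a symlink race - confirm TMPDIR.
		      ${PRELINKBINARY} --verify "${file}" > ${TMPDIR}/prelink.tst
		      HASHOUTPUT=`${md5} ${TMPDIR}/prelink.tst`
		    else
		      HASHOUTPUT=`${md5} "${file}"`
		  fi
		  # OpenBSD's /bin/md5 has no -q and prints "MD5 (file) = hash", so the
		  # hash is the 4th word there; every other tool prints it first. The
		  # original applied the 4th-word fix after already keeping only the
		  # first word, which left myhash empty on OpenBSD.
		  if [ "${OPERATING_SYSTEM}" = "OpenBSD" -a "${md5}" = "/bin/md5" ]; then
		      myhash=`echo ${HASHOUTPUT} | cut -d ' ' -f4 | tr -d ' '`
		    else
		      myhash=`echo ${HASHOUTPUT} | cut -d " " -f 1`
		  fi

		  for J in ${FILEHASHES}; do
	            hash="${J}"
	    	    if [ "${hash}" = "${myhash}" ]
		      then
		        FOUND=1
		        logtext "${file} hash valid, found in database"
		      else
		        logtext "${file} Hash NOT valid (My MD5: ${myhash}, expected: ${hash})"
		    fi
		  done

		if [ ${FOUND} -eq 0 ]
		  then
		    # Compare against whitelist: MD5WHITELIST=path:hash lines in the config.
		    logtext "Using whitelists to compare MD5 hash (searching for ${myhash})"
		    for WHITELISTSTRING in `egrep '^MD5WHITELIST=' "${CONFIGFILE}" | sed 's/MD5WHITELIST=//g'`; do
		      WHITELISTFILE=`echo ${WHITELISTSTRING} | cut -d ':' -f1`
		      WHITELISTHASH=`echo ${WHITELISTSTRING} | cut -d ':' -f2`
		      logtext "Checking ${WHITELISTHASH} (${WHITELISTFILE})"
		      if [ "${WHITELISTFILE}" = "${file}" -a "${WHITELISTHASH}" = "${myhash}" ]; then
		        FOUND=1
		        logtext "Whitelisted hash found"
		      fi
		    done
		    if [ ${FOUND} -eq 0 ]; then
		      logtext "No whitelisted MD5 hash found for ${file}"
		      logtext "MD5 hash for my file (${file}) is ${myhash}, but is not in database"
		    fi

		    logtext "End of whitelist compare"
		fi

	        displaytext -n "   ${file}"
	        if [ ${FOUND} -eq 1 ]
	  	  then
		    jump=`expr ${defaultcolumn} - ${SIZE}`
		    insertlayout
		    displaytext -e "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		  else
		    MD5_DIFFERENT=`expr ${MD5_DIFFERENT} + 1`
		    jump=`expr ${defaultcolumn} - ${SIZE}`
		    insertlayout
		    displaytext -e "${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
		    logtext "Checking ${file} against hashes in database (${FILEHASHES}) failed" >> ${DEBUGFILE}
		    # Reset first so a package name left over from an earlier file is
		    # never logged against this one.
		    RPMPACKAGE=""
		    if [ -f /bin/rpm ]
		      then
		        RPMPACKAGE=`rpm -qf "${file}"`
			logtext "RPM info: your package '${RPMPACKAGE}'"
			logtext "RPM info: packages in database: ${MYPACKAGES}"
		    fi
		    WARNING=1

		    # Database-formatted line for the hash actually seen.
		    logtext "---"
		    logtext "${os_id}:${file}:${myhash}:-:-:${RPMPACKAGE}"
		    logtext "---"

	        fi

			inc_progress 4
	      else

	        jump=`expr ${defaultcolumn} - ${SIZE}`
	        displaytext -n "   ${file}"
		insertlayout
	        displaytext $E "${LAYOUT}[ ${YELLOW}`_ NA`${NORMAL} ]"
	    fi
	  fi
	  lastfile="${file}"

	done

	# Cleanup temporary file
	if [ -f ${TMPDIR}/prelink.tst ]; then rm -f ${TMPDIR}/prelink.tst; fi

	if [ ${WARNING} -eq 1 ]; then
	  displaytext "--------------------------------------------------------------------------------"
	  displaytext "`_ "Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes)."`"
	  displaytext "--------------------------------------------------------------------------------"
	fi

        keypresspause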

      else
        # else-branch of the MD5 test switch (its "if" starts above this chunk;
        # presumably driven by MD5CHECK_SKIP - confirm): no file is hashed at all.
        displaytext "     ${WHITE}`_ Skipped!`${NORMAL}"
        logtext "MD5 test skipped!"

    fi	




#    displaytext "${test}* `_ "Searching for system files"`${NORMAL}"    
    
#    SCANFILELIST="${MYDIR}/lib/rkhunter/tmp/files.lst"
#    if [ ${QUICKSCAN} -eq 0 ]
#      then
#	find / -name *.o -or -name *.ko > ${SCANFILELIST}
#      else
#        locate *.o *.ko | head > ${SCANFILELIST}
#    fi
#    FILESCOUNT=`cat ${SCANFILELIST} | wc -l | tr -s ' ' | tr -d ' '`
#    displaytext "Datbase contains ${FILESCOUNT} files to investigate."
    



##################################################################################################
#
# Rootkits
#
##################################################################################################


    displaytext ""; displaytext ""
    displaytext "${YELLOW}`_ "Check rootkits"`${NORMAL}"
    displaytext "${test}* `_ "Default files and directories"`${NORMAL}"

    logtext "------------------------------ Rootkits ------------------------------"

    # 55808 Trojan - Variant A

	SCAN_ROOTKIT="55808 Trojan - Variant A"
	SCAN_FILES=${W55808A_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # ADM worm

	SIZE="13"
	jump=`expr ${defaultcolumn} - ${SIZE}`

	displaytext -n "   ADM Worm`_ "..."` "
	if [ -e /etc/passwd ]; then
	  logtext "Checking /etc/passwd for presence of ADM worm"
	  WORM=`cat /etc/passwd | grep w0rm`
	  if [ "${WORM}" = "" ]
	    then
	      insertlayout
	      displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	      logtext --nodate "OK"
	    else
	      insertlayout
	      displaytext $E "${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
	      logtext --nodate "Warning! Possible ADM w0rm found"
	      displaytext "${FOUNDTRACES}"
	  fi
	 else
	  insertlayout
          displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
	fi
	inc_progress 2

    # AjaKit

	SCAN_ROOTKIT="AjaKit"
	SCAN_FILES=${AJAKIT_FILES}
	SCAN_DIRS=${AJAKIT_DIRS}
	SCAN_KSYMS=${AJAKIT_KSYMS}
	scanrootkit
	inc_progress 3

    # aPa Kit

	SCAN_ROOTKIT="aPa Kit"
	SCAN_FILES=${APAKIT_FILES}
	SCAN_DIRS=${APAKIT_DIRS}
	SCAN_KSYMS=${APAKIT_KSYMS}
	scanrootkit
	inc_progress 1

    # Apache worm

	SCAN_ROOTKIT="Apache Worm"
	SCAN_FILES=${APACHEWORM_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # Ambient (ark) Rootkit

	SCAN_ROOTKIT="Ambient (ark) Rootkit"
	SCAN_FILES=${ARK_FILES}
	SCAN_DIRS=${ARK_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Balaur Rootkit

	SCAN_ROOTKIT="Balaur Rootkit"
	SCAN_FILES=${BALAUR_FILES}
	SCAN_DIRS=${BALAUR_DIRS}
	SCAN_KSYMS=${BALAUR_KSYMS}
	scanrootkit
	inc_progress 1

    # BeastKit

	SCAN_ROOTKIT="BeastKit"
	SCAN_FILES=${BEASTKIT_FILES}
	SCAN_DIRS=${BEASTKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4

    # beX2
	SCAN_ROOTKIT="beX2"
	SCAN_FILES=${BEX_FILES}
	SCAN_DIRS=${BEX_DIRS}
	SCAN_KSYMS=${BEX_KSYMS}
	scanrootkit
	inc_progress 1

    # BOBKit

	SCAN_ROOTKIT="BOBKit"
	SCAN_FILES=${BOBKIT_FILES}
	SCAN_DIRS=${BOBKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 5

    # CiNIK Worm (Slapper.B variant)
	SCAN_ROOTKIT="CiNIK Worm (Slapper.B variant)"
	SCAN_FILES=${CINIK_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # Danny-Boy's Abuse Kit

	SCAN_ROOTKIT="Danny-Boy's Abuse Kit"
	SCAN_FILES=${DANNYBOYS_FILES}
	SCAN_DIRS=${DANNYBOYS_DIRS}
	SCAN_KSYMS=${DANNYBOYS_KSYMS}
	scanrootkit
	inc_progress 2

    # Devil RootKit

	SCAN_ROOTKIT="Devil RootKit"
	SCAN_FILES=${DEVIL_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # Dica

	SCAN_ROOTKIT="Dica"
	SCAN_FILES=${DICA_FILES}
	SCAN_DIRS=${DICA_DIRS}
	SCAN_KSYMS=${DICA_KSYMS}
	scanrootkit
	inc_progress 5

    # Dreams RootKit

	SCAN_ROOTKIT="Dreams Rootkit"
	SCAN_FILES=${DREAMS_FILES}
	SCAN_DIRS=${DREAMS_DIRS}
	SCAN_KSYMS=${DREAMS_KSYMS}
	scanrootkit
	inc_progress 3

    # Duarawkz

	SCAN_ROOTKIT="Duarawkz"
	SCAN_FILES=${DUARAWKZ_FILES}
	SCAN_DIRS=${DUARAWKZ_DIRS}
	SCAN_KSYMS=${DUARAWKZ_KSYMS}
	scanrootkit
	inc_progress 2

    # Flea Linux rootkit

	SCAN_ROOTKIT="Flea Linux Rootkit"
	SCAN_FILES=${FLEA_FILES}
	SCAN_DIRS=${FLEA_DIRS}
	SCAN_KSYMS=${FLEA_KSYMS}
	scanrootkit
	inc_progress 4

    # FreeBSD Rootkit

	SCAN_ROOTKIT="FreeBSD Rootkit"
	SCAN_FILES=${FREEBSD_RK_FILES}
	SCAN_DIRS=${FREEBSD_RK_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Fuck`it Rootkit

	SCAN_ROOTKIT="Fuck\`it Rootkit"
	SCAN_FILES=${FUCKIT_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # GasKit

	SCAN_ROOTKIT="GasKit"
	SCAN_FILES=${GASKIT_FILES}
	SCAN_DIRS=${GASKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4

    # Heroin
	SCAN_ROOTKIT="Heroin LKM"
	SCAN_FILES=${HEROIN_FILES}
	SCAN_DIRS=${HEROIN_DIRS}
	SCAN_KSYMS=${HEROIN_KSYMS}
	scanrootkit
	inc_progress 3

    # HjC Kit
	SCAN_ROOTKIT="HjC Kit"
	SCAN_FILES=${HJCKIT_FILES}
	SCAN_DIRS=${HJCKIT_DIRS}
	SCAN_KSYMS=${HJCKIT_KSYMS}
	scanrootkit
	inc_progress 1

    # ignoKit

	SCAN_ROOTKIT="ignoKit"
	SCAN_FILES=${IGNOKIT_FILES}
	SCAN_DIRS=${IGNOKIT_DIRS}
	SCAN_KSYMS=${IGNOKIT_KSYMS}
	scanrootkit
	inc_progress 6

    # ImperalsS-FBRK

	SCAN_ROOTKIT="ImperalsS-FBRK"
	SCAN_FILES=""
	SCAN_DIRS=${IMPFRB_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # Irix Rootkit
    
	SCAN_ROOTKIT="Irix Rootkit"
	SCAN_FILES=${IRIXRK_FILES}
	SCAN_DIRS=${IRIXRK_DIRS}
	SCAN_KSYMS=${IRIXRK_KSYMS}
	scanrootkit
	inc_progress 3
    
    # Kitko

	SCAN_ROOTKIT="Kitko"
	SCAN_FILES=${KITKO_FILES}
	SCAN_DIRS=${KITKO_DIRS}
	SCAN_KSYMS=${KITKO_KSYMS}
	scanrootkit
	inc_progress 2

    # Knark

	SCAN_ROOTKIT="Knark"
	SCAN_FILES=${KNARK_FILES}
	SCAN_DIRS=${KNARK_DIRS}
	SCAN_KSYMS=${KNARK_KSYMS}
	scanrootkit
	inc_progress 3

    # Li0n Worm

	SCAN_ROOTKIT="Li0n Worm"
	SCAN_FILES=${LION_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 10

    # Lockit / LJK2

	SCAN_ROOTKIT="Lockit / LJK2"
	SCAN_FILES=${LOCKIT_FILES}
	SCAN_DIRS=${LOCKIT_DIRS}
	SCAN_KSYMS=${LOCKIT_KSYMS}
	scanrootkit
	inc_progress 12
    
    # MRK (MiCrobul RootKit?)

	SCAN_ROOTKIT="MRK"
	SCAN_FILES=${MRK_FILES}
	SCAN_DIRS=${MRK_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Ni0 Rootkit

	SCAN_ROOTKIT="Ni0 Rootkit"
	SCAN_FILES=${NIO_FILES}
	SCAN_DIRS=${NIO_DIRS}
	SCAN_KSYMS=${NIO_KSYMS}
	scanrootkit
	inc_progress 3

    # RootKit for SunOS / NSDAP

	SCAN_ROOTKIT="RootKit for SunOS / NSDAP"
	SCAN_FILES=${NSDAP_FILES}
	SCAN_DIRS=${NSDAP_DIRS}
	SCAN_KSYMS=${NSDAP_KSYMS}
	scanrootkit
	inc_progress 5

    # Optic Kit Worm

	SCAN_ROOTKIT="Optic Kit (Tux)"
	SCAN_FILES=""
	SCAN_DIRS=${OPTICKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Oz Rootkit

	SCAN_ROOTKIT="Oz Rootkit"
	SCAN_FILES=${OZ_FILES}
	SCAN_DIRS=${OZ_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Portacelo

	SCAN_ROOTKIT="Portacelo"
	SCAN_FILES=${PORTACELO_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4

    # R3dstorm Toolkit

	SCAN_ROOTKIT="R3dstorm Toolkit"
	SCAN_FILES=${REDSTORM_FILES}
	SCAN_DIRS=${REDSTORM_DIRS}
	SCAN_KSYMS=${REDSTORM_KSYMS}
	scanrootkit
	inc_progress 4

    # RH-Sharpe's rootkit

	SCAN_ROOTKIT="RH-Sharpe's rootkit"
	SCAN_FILES=${RHSHARPES_FILES}
	SCAN_DIRS=${RHSHARPES_DIRS}
	SCAN_KSYMS=${RHSHARPES_KSYMS}
	scanrootkit
	inc_progress 5

    # RSHA's rootkit

	SCAN_ROOTKIT="RSHA's rootkit"
	SCAN_FILES=${RSHA_FILES}
	SCAN_DIRS=${RSHA_DIRS}
	SCAN_KSYMS=${RSHA_KSYMS}
	scanrootkit
	inc_progress 5

    # Sebek LKM (Honeypot)

	STATUS=0
	SIZE=10

	if [ ${DEBUG} -eq 1 ]; then
	   logtext "Debug: Sebek LKM"
	fi
	displaytext -n "   Sebek LKM"

	# Search for signs of Sebek in ksyms file
	if [ -f /proc/ksyms ]; then
	  if `${EGREP} -i 'adore|sebek' < /proc/ksyms >/dev/null 2>&1`; then
	    STATUS=1
	  fi
        fi

	if [ ${STATUS} -eq 0 ]
	  then
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	  else
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	    displaytext "${FOUNDTRACES}"
	fi
	inc_progress 1

    # Scalper Worm

	SCAN_ROOTKIT="Scalper Worm"
	SCAN_FILES=${SCALPER_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Shutdown

	SCAN_ROOTKIT="Shutdown"
	SCAN_FILES=${SHUTDOWN_FILES}
	SCAN_DIRS=${SHUTDOWN_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4

    # SHV4 Rootkit

	SCAN_ROOTKIT="SHV4"
	SCAN_FILES=${SHV4_FILES}
	SCAN_DIRS=${SHV4_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # SHV5 Rootkit

	SCAN_ROOTKIT="SHV5"
	SCAN_FILES=${SHV5_FILES}
	SCAN_DIRS=${SHV5_DIRS}
	SCAN_KSYMS=${SHV5_KSYMS}
	scanrootkit
	inc_progress 3

    # Sin Rootkit

	SCAN_ROOTKIT="Sin Rootkit"
	SCAN_FILES=${SINROOTKIT_FILES}
	SCAN_DIRS=${SINROOTKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 5

    # Slapper

	SCAN_ROOTKIT="Slapper"
	SCAN_FILES=${SLAPPER_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Sneakin Rootkit

	SCAN_ROOTKIT="Sneakin Rootkit"
	SCAN_FILES=""
	SCAN_DIRS=${SNEAKIN_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # Suckit Rootkit

	SCAN_ROOTKIT="Suckit Rootkit"
	SCAN_FILES=${SUCKIT_FILES}
	SCAN_DIRS=${SUCKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	scanrootkit_suckit_extra_checks
	inc_progress 6

    # SunOS Rootkit

	SCAN_ROOTKIT="SunOS Rootkit"
	SCAN_FILES=${SUNOSROOTKIT_FILES}
	SCAN_DIRS=${SUNOSROOTKIT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 5

    # Superkit

	SCAN_ROOTKIT="Superkit"
	SCAN_FILES=${SUPERKIT_FILES}
	SCAN_DIRS=${SUPERKIT_DIRS}
	SCAN_KSYMS=${SUPERKIT_KSYMS}
	scanrootkit
	inc_progress 2

    # TBD (Telnet BackDoor)

	SCAN_ROOTKIT="TBD (Telnet BackDoor)"
	SCAN_FILES=${TBD_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 2

    # TeLeKiT

	SCAN_ROOTKIT="TeLeKiT"
	SCAN_FILES=${TELEKIT_FILES}
	SCAN_DIRS=${TELEKIT_DIRS}
	SCAN_KSYMS=${TELEKIT_KSYMS}
	scanrootkit
	inc_progress 3


    # T0rn Rootkit

	SCAN_ROOTKIT="T0rn Rootkit"
	SCAN_FILES=${TORN_FILES}
	SCAN_DIRS=${TORN_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 12

    # Trojanit Kit

	SCAN_ROOTKIT="Trojanit Kit"
	SCAN_FILES=${TROJANIT_FILES}
	SCAN_DIRS=""
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4

    # Tuxtendo

	SCAN_ROOTKIT="Tuxtendo"
	SCAN_FILES=${TUXTENDO_FILES}
	SCAN_DIRS=${TUXTENDO_DIRS}
	SCAN_KSYMS=${TUXTENDO_KSYMS}
	scanrootkit
	inc_progress 12

    # URK (Universal Root Kit)

	SCAN_ROOTKIT="URK"
	SCAN_FILES=${URK_FILES}
	SCAN_DIRS=${URK_DIRS}
	SCAN_KSYMS=${URK_KSYMS}
	scanrootkit
	inc_progress 3

    # VcKit

	SCAN_ROOTKIT="VcKit"
	SCAN_FILES=${VCKIT_FILES}
	SCAN_DIRS=${VCKIT_DIRS}
	SCAN_KSYMS=${VCKIT_KSYMS}
	scanrootkit
	inc_progress 3

    # Volc Rootkit
    
	SCAN_ROOTKIT="Volc Rootkit"
	SCAN_FILES=${VOLC_FILES}
	SCAN_DIRS=${VOLC_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 3

    # X-Org SunOS Rootkit

	SCAN_ROOTKIT="X-Org SunOS Rootkit"
	SCAN_FILES=${XORGSUNOS_FILES}
	SCAN_DIRS=${XORGSUNOS_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4

    # zaRwT.KiT
    
	SCAN_ROOTKIT="zaRwT.KiT Rootkit"
	SCAN_FILES=${ZARWT_FILES}
	SCAN_DIRS=${ZARWT_DIRS}
	SCAN_KSYMS=""
	scanrootkit
	inc_progress 4



##################################################################################################
#
# Malware
#
##################################################################################################

    displaytext ""
    displaytext "${test}* `_ "Suspicious files and malware"`${NORMAL}"

    logtext "------------------------------ Malware ------------------------------"

    logtext "Start scan for common used known (and unknown) rootkit files..."

    SIZE=35
    displaytext -n "   `_ "Scanning for known rootkit strings"`"
    logtext "[Start string tests]"

    if [ ${STRINGSFOUND} -eq 1 ]; then
      FOUND=0    
        FILEBINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin"
	for I in ${STRINGSCAN}; do
	  TYPE=`echo $I | cut -d ':' -f1`
	  FILE=`echo $I | cut -d ':' -f2`
	  FILESTRING=`echo $I | cut -d ':' -f3`
	  INFO=`echo $I | cut -d ':' -f4`
	  FOUNDFILE=0
	  FILE=`echo ${FILE} | sed 's/%%/ /g'`
	  FILESTRING=`echo ${FILESTRING} | sed 's/%%/ /g'`
	  INFO=`echo ${INFO} | sed 's/%%/ /g'`
	  case ${TYPE} in
	    bin)
	      for I in ${FILEBINPATHS}; do 
	        FILENAME="${I}/${FILE}"
	        if [ -f $FILENAME ]; then
		  FOUNDSTRING=`${STRINGSBINARY} $FILENAME | grep "${FILESTRING}"`
		  if [ "${FOUNDSTRING}" = "" ]; then
		    logtext "${FILENAME} clean (string: $FILESTRING)"
		    else
		    logtext "Warning: ${FILENAME} NOT clean (string: $FILESTRING)"
		    FOUND=1
		  fi
		fi  
	      done
	      ;;
	  esac

		inc_progress 1
	done
	if [ ${FOUND} -eq 1 ]; then
	  jump=`expr ${defaultcolumn} - ${SIZE}`
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"	  
	  displaytext "`_ "Warning: Found unexpected strings in some files! See logfile for more details"`"
	  logtext "Warning: Found unexpected strings in some files!"
	  else
	  jump=`expr ${defaultcolumn} - ${SIZE}`
	  insertlayout
	  displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"	  
	  logtext "All files are OK"
	fi
      else
	jump=`expr ${defaultcolumn} - ${SIZE}`
        insertlayout
        displaytext $E "${LAYOUT}[ ${YELLOW}`_ Skipped`${NORMAL} ]"
	logtext "Skipped stringtest (rootkit strings), due to missing \`strings\`"
    fi

    logtext "[End string tests]"

    SIZE=33
    displaytext -n "   `_ "Scanning for known rootkit files"`"

	for I in ${FILESCAN}; do
	  TYPE=`echo $I | cut -d ':' -f1`
	  FILE=`echo $I | cut -d ':' -f2`
	  INFO=`echo $I | cut -d ':' -f3`
	  FOUNDFILE=0
	  FILE=`echo ${FILE} | sed 's/%%/ /g'`
	  INFO=`echo ${INFO} | sed 's/%%/ /g'`
	  
	  logtext -n "Scanning for presence of ${FILE} (${TYPE})... "
	  case ${TYPE} in
	    dir)
	      if [ -d "${FILE}" ]; then
		  FOUNDFILE=1
		  logtext --nodate "WARNING! Found possible bad directory"
		else
		  logtext --nodate "OK (not found)"
	      fi
	      ;;
	    file)
	      if [ -f "{$FILE}" ]; then
		  FOUNDFILE=1
		  logtext --nodate "WARNING! Found possible bad file"
		else
		  logtext --nodate "OK (not found)"
	      fi
	      ;;
	  esac
	    
		inc_progress 1
	done

	if [ ${FOUNDFILE} -eq 0 ]
	  then
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	  else
	    INFECTED_COUNT=`expr ${INFECTED_COUNT} + 1`
	    INFECTED_NAMES="${INFECTED_NAMES} / ${INFO} "
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
            displaytext "
            -------------------------------------------------------------------------
            `_ "Warning found file %1" "${FILE}"`
            `_ "Information: %1" "${INFO}"`
            -------------------------------------------------------------------------
	    "

	fi

    logtext "-------------------------- Open files tests ---------------------------"

# Known-bad module/tool names to look for among the files that running
# processes hold open. Format: "filename:description", "%%" standing for a space.
SUSP_FILES_INFO="
adore.so:Adore%%LKM%%rootkit
mod_rootme.so:Apache%%mod_rootme%%backdoor
phide_mod.o:PID%%hider%%LKM
lbk.ko:LBK%%FreeBSD%%kernel%%module
vlogger.o:THC-Vlogger%%kernel%%module
cleaner.o:Cleaner%%kernel%%module
mod_klgr.o:klgr,%%keyboard%%logger%%(kernel%%module)
hydra:THC-Hydra%%(password%%capture)
hydra.restore:THC-Hydra%%(password%%capture)
"

    displaytext -n "   `_ "Testing running processes..."` "
    logtext -n "Scanning running processes... "
    SIZE="30"
    jump=`expr ${defaultcolumn} - ${SIZE}`

    # Needs lsof (LSOFFOUND is decided elsewhere); otherwise the test is skipped.
    if [ ${LSOFFOUND} -eq 0 ]
      then
	insertlayout
	displaytext -e "${LAYOUT}[ ${YELLOW}`_ Skipped`${NORMAL} ]"
	logtext --nodate "Skipped"

      else
	# Build one egrep alternation: "backdoor" plus every name from the table.
	SUSP_FILES="backdoor"
	for INFOENTRY in ${SUSP_FILES_INFO}; do
	  SUSP_FILES="${SUSP_FILES}|`echo ${INFOENTRY} | cut -d':' -f1`"
	done
	logtext "Check for strings (filenames): ${SUSP_FILES}"
	# lsof -F n emits one "n<path>" record per open file; keep the unique
	# absolute paths and match them against the pattern list. Note the names
	# are used as regular expressions, so "." matches any character.
	SEARCHFILES=`${LSOFBINARY} -F n | sort | uniq | grep '^n/' | sed 's/^n//' | egrep "${SUSP_FILES}"`
	insertlayout
	if [ -n "${SEARCHFILES}" ]
	  then
	    displaytext -e "${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
	    logtext --nodate "Bad"
	    logtext "Warning! Found possible harmfull files. Please inspect"
	    logtext "Warning! Output of test: ${SEARCHFILES}"
	  else
	    displaytext -e "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]" 
	    logtext --nodate "OK"
	fi
	logtext "Scanned for '${SUSP_FILES}'"
		inc_progress 25
    fi


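    logtext "----------------------- Login backdoors check -------------------------"


    # Miscellaneous Login backdoors

	STATUS=0
	SIZE=30

	displaytext -n "   `_ "Miscellaneous Login backdoors"`"

	# LOGIN_BACKDOORS_FILES is set elsewhere in this file; any entry present on
	# disk raises the warning. -e is used because the original tested with -d
	# only, which can never match a regular file, and it logged "clean" for
	# every entry, including the ones it had just flagged.
	for I in ${LOGIN_BACKDOORS_FILES}
	  do
            if [ -e "${I}" ]; then
              STATUS=1
              logtext "${I} found! Possible part of a rootkit/trojan."
	    else
	      if [ ${DEBUG} -eq 1 ]; then
                logtext "${I} clean"
	      fi
            fi
          done

	jump=`expr ${defaultcolumn} - ${SIZE}`
	insertlayout
	if [ ${STATUS} -eq 0 ]
	  then
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	fi
	inc_progress 2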

#	STATUS=0
#	SIZE=17
#	echo -n "   Suspicious files"	
#
#	for I in ${SUSPICIOUS1_FILES}
#	  do
#	    J=`echo ${I} | cut -d ':' -f1`
#	    FINDFILE=`locate -i /${J}`
#            if [ ! "${FINDFILE}" = "" ]; then
#	        echo ${FINDFILE}
#                STATUS=1
#                logtext "${J} found! Possible part of a rootkit/trojan." >> ${DEBUGFILE}
#		FOUNDFILES="${FOUNDFILES}, "
#	      else
#	        logtext "${J} clean"
#            fi
#          done
#
#	if [ ${STATUS} -eq 0 ]
#	  then
#	    jump=`expr ${defaultcolumn} - ${SIZE}`
#	    insertlayout
#	    echo $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"
#	  else
#	    jump=`expr ${defaultcolumn} - ${SIZE}`
#	    insertlayout
#	    echo $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
#	    echo "Found files:"
#	    echo "${FOUNDFILES}"
#	fi

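	STATUS=0
	SIZE=26

	displaytext -n "   `_ "Miscellaneous directories"`"

	# SUSPICIOUS1_DIRS is set elsewhere in this file. Any entry present on disk
	# raises the warning; -e is used because the original tested with -f only,
	# which cannot match a directory, despite the list being one of directories.
	for I in ${SUSPICIOUS1_DIRS}; do
	    logtext -n "Checking ${I}... "
            if [ -e "${I}" ]; then
              STATUS=1
              logtext --nodate "[ WARNING! ] Possible part of a rootkit/trojan." >> ${DEBUGFILE}
	     else
	      logtext --nodate "[ OK ] Not found" >> ${DEBUGFILE}
            fi

        done

	jump=`expr ${defaultcolumn} - ${SIZE}`
	insertlayout
	if [ ${STATUS} -eq 0 ]
	  then
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	fi
	inc_progress 2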

    # Software related files

	STATUS=0
	SIZE=23
	FOUND=0

	displaytext -n "   `_ "Software related files"`"
	logtext "Scanning for software related files and intrusions..."

	# Tripwire database for this host; a specific marker string inside it is
	# treated as a sign of the SHV5 rootkit (see the log message below).
	TRIPWIREFILE="${ROOTDIR}var/lib/tripwire/`uname`.twd"

	jump=`expr ${defaultcolumn} - ${SIZE}`
	if [ -f "${TRIPWIREFILE}" ]
	  then
	    FOUND=1
	    TWMARKER=`grep "Tripwire segment-faulted !" "${TRIPWIREFILE}"`
	    insertlayout
	    if [ -n "${TWMARKER}" ]
	      then
	        displaytext $E "${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
		logtext "The file ${TRIPWIREFILE} contains a very suspicious text string, which"
		logtext "can indicate the presence of the SHV5 rootkit."
	      else
	        displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi
		inc_progress 2
	fi

	# Nothing to inspect: report OK.
	if [ ${FOUND} -eq 0 ]
	  then
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	fi
	

    # Sniffer logs

	STATUS=0
	SIZE=13

	displaytext -n "   `_ "Sniffer logs"`"

	# SNIFFER_FILES (set elsewhere) lists log paths written by known packet
	# sniffers; any one present raises the warning.
	for SNIFFLOG in ${SNIFFER_FILES}; do
	    logtext -n "Checking ${SNIFFLOG}... "
            if [ ! -f ${SNIFFLOG} ]; then
	      logtext "[ OK ] Not found" >> ${DEBUGFILE}
	     else
              STATUS=1
	      if [ ${DEBUG} -eq 1 ]; then
                logtext "[ WARNING! ] Possible sniffer log found." >> ${DEBUGFILE}
	      fi
            fi
        done

	jump=`expr ${defaultcolumn} - ${SIZE}`
	insertlayout
	if [ ${STATUS} -eq 1 ]
	  then
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	  else
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	fi
	inc_progress 2

keypresspause

    displaytext ""
    displaytext "${test}* `_ "Trojan specific characteristics"`${NORMAL}"

    displaytext "   shv4"

    # rc.sysinit is grepped for start-up lines that known kits append to it.
    SIZE="32"
    jump=`expr ${defaultcolumn} - ${SIZE}`
    displaytext -n "     `_ "Checking %1" /etc/rc.d/rc.sysinit`"
    if [ ! -f /etc/rc.d/rc.sysinit ]
      then
        insertlayout
	displaytext $E "${LAYOUT}[ ${OK}`_ "Not found"`${NORMAL} ]"
      else
        # Insert end-of-line
        displaytext ""
        SIZE="11"
        jump=`expr ${defaultcolumn} - ${SIZE}`

        # Test 1: an "in.inetd" reference.
        displaytext -n "       `_ "Test %1" 1`"
        insertlayout
        if grep 'in.inetd' /etc/rc.d/rc.sysinit >/dev/null 2>&1
          then
	   displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	  else
	   displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
	fi
		inc_progress 2

        # Test 2: "bin/xchk" (Optic Kit / Tuxkit).
        displaytext -n "       `_ "Test %1" 2`"
        insertlayout
        if grep 'bin/xchk' /etc/rc.d/rc.sysinit >/dev/null 2>&1
          then
	   displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (possible Optic Kit / Tuxkit) ]"
	  else
	   displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
	fi
		inc_progress 2

        # Test 3: "bin/xsf" (Optic Kit / Tuxkit).
        displaytext -n "       `_ "Test %1" 3`"
        insertlayout
        if grep 'bin/xsf' /etc/rc.d/rc.sysinit >/dev/null 2>&1
          then
	   displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (possible Optic Kit / Tuxkit) ]"
	  else
	   displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
	fi
		inc_progress 2
    fi

    SIZE="27"
    jump=`expr ${defaultcolumn} - ${SIZE}`
    displaytext -n "     `_ "Checking %1" /etc/inetd.conf`"

    if [ -f /etc/inetd.conf ]
      then

        FOUND=0
	if [ -e /etc/inetd.conf ]; then
	   grep /bin/csh /etc/inetd.conf > /dev/null && FOUND=1
           grep /bin/bash /etc/inetd.conf > /dev/null && FOUND=1
	   grep /bin/tcsh /etc/inetd.conf > /dev/null && FOUND=1
	   grep /bin/ksh /etc/inetd.conf > /dev/null && FOUND=1
	   grep /bin/bash /etc/inetd.conf > /dev/null && FOUND=1
	   grep /bin/sh /etc/inetd.conf > /dev/null && FOUND=1
	   grep /bin/ash /etc/inetd.conf > /dev/null && FOUND=1
	   grep /bin/zsh /etc/inetd.conf > /dev/null && FOUND=1
	   grep in.cfinger /etc/inetd.conf > /dev/null && FOUND=1
	fi

        if [ ${FOUND} -eq 1 ]; then
	   insertlayout
	   displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	   logtext "Possible bad string found in /etc/inetd.conf. Please check this file manually."
	  else
	   insertlayout
	   displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"

		inc_progress 5
	fi
       else
        insertlayout
	displaytext $E "${LAYOUT}[ ${OK}`_ "Not found"`${NORMAL} ]"
    fi

    SIZE="28"
    jump=`expr ${defaultcolumn} - ${SIZE}`
    displaytext -n "     `_ "Checking %1" /etc/xinetd.conf`"

    # Only check when operating system is Linux and we have a xinetd configuration
    if [ "${OPERATING_SYSTEM}" = "Linux" -a -f /etc/xinetd.conf ]
      then
        FOUND=0
	logtext "Operating system is Linux and /etc/xinetd.conf found. Starting xinetd configuration scan..."
	
        incl=`grep includedir /etc/xinetd.conf | cut -d" " -f2-`
        if [ "$incl" ]
        then
          I=`find $incl/ -type f`
          WARNINGMSG=""
          for J in ${I}; do
            svc=`grep ".*service." ${J} | grep -v "^#" | cut -d" " -f2-`
            FOUNDSERVICES=`grep ".*disable.*=.*yes" ${J} | grep -ve "#"`
	    if [ "${FOUNDSERVICES}" = "" ]; then
	      logtext "Info: Service ${J} enabled"	            
	    fi
          done
        fi
	if [ ${FOUND} -eq 0 ]
	  then
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
	    logtext "xinetd.conf seems to be clean"
	  else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	    displaytext "${WARNINGMSG}"
	    logtext "There were warnings found while testing xinetd.conf"
	fi

	logtext "End of xinetd configuration scan"

		inc_progress $((`find $incl/ -type f | wc -l` / 2))
      else
        insertlayout
	displaytext $E "${LAYOUT}[ ${OK}`_ Skipped`${NORMAL} ]"
	logtext "Skipped xinetd tests (not Linux or file doesn't exists)"  
    fi

    displaytext ""
    displaytext "${test}* `_ "Suspicious file properties"`${NORMAL}"

    displaytext "   ${WHITE}`_ "chmod properties"`${NORMAL}"
    
    FILES="
    ${ROOTDIR}bin/ps
    ${ROOTDIR}bin/ls
    ${ROOTDIR}usr/bin/w
    ${ROOTDIR}usr/bin/who
    ${ROOTDIR}bin/netstat
    ${ROOTDIR}usr/bin/netstat
    ${ROOTDIR}bin/login"
    
    for I in ${FILES}; do

       # Calculate string length
	SIZE=`echo "${I}" | wc -c | tr -d ' '`
	SIZE=`expr ${SIZE} + 11`	  
	jump=`expr ${defaultcolumn} - ${SIZE}`
	if [ -f ${I} ]; then
	    displaytext -n "     `_ "Checking %1" "${I}"`"

    	    RIGHTS=`ls -l ${I} | cut -c 1-10`
	    if [ "${RIGHTS}" = "-rwxrwxrwx" ]; then
	        insertlayout
		displaytext -e "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "chmod 777 found, possible trojaned"`) ]"
	      else
	        insertlayout
		displaytext -e "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
	    fi
          else
	    logtext "Checking ${I}... Not found"
	fi
		inc_progress 2
    done

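    displaytext "   ${WHITE}`_ "Script replacements"`${NORMAL}"

    # A core binary (from ${FILES} above) that is really a shell script has
    # almost certainly been replaced by a rootkit wrapper.
    for I in ${FILES}; do

       # Calculate string length
	SIZE=`echo "${I}" | wc -c | tr -d ' '`
	SIZE=`expr ${SIZE} + 11`
	jump=`expr ${defaultcolumn} - ${SIZE}`
	if [ -f "${I}" ]
          then

	    displaytext -n "     `_ "Checking %1" "${I}"`"

            FILEOK=true
            case "${OPERATING_SYSTEM}" in
	     AIX)
               file "${I}" | grep -q "shell script" && FILEOK=false
	       ;;
	    SunOS)
	       # This branch avoids grep -q on purpose (the other branches use it),
	       # so test the captured output instead. The original only printed the
	       # grep output and never cleared FILEOK, so SunOS always reported Clean.
	       if [ ! "`file ${I} | grep 'shell script' 2>/dev/null`" = "" ]; then
	         FILEOK=false
	       fi
	       ;;
            *)
               file -b "${I}" | grep -q "shell script" && FILEOK=false
	       ;;
            esac

	    insertlayout
	    if ! $FILEOK
	      then
		displaytext -e "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
		displaytext "(`_ "script replacement found, possible trojaned"`)"
		logtext "Checking ${I}... [ WARNING ]"
		logtext "Possible script replacement found. Please inspect this file (check the file type, contents and size)"
	      else
		displaytext $E "${LAYOUT}[ ${OK}`_ Clean`${NORMAL} ]"
		logtext "Checking ${I}... [ OK ]"
	    fi
          else
	    logtext "Checking ${I}... Not found"
	fi
		inc_progress 2
    done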


    displaytext ""
    displaytext "${test}* `_ "OS dependant tests"`${NORMAL}"

	# FreeBSD-only tests: KLD signature names, sockstat/netstat agreement and
	# the ports package database.
	if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]
          then
    	    displaytext "   ${WHITE}FreeBSD${NORMAL}"
	    SIZE=38
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    displaytext -n "     `_ "Checking presence of KLD signatures"`"
	    STATUS=0
	
	    # Each keyword in KLDSTATKEYWORDS (defined elsewhere) is searched in the
	    # verbose kldstat listing; any hit is reported with the matching term.
	    # NOTE(review): FOUNDKEYS is appended to but not initialised here, so a
	    # value left over from earlier code would be reported too — confirm it
	    # starts empty.
	    for I in ${KLDSTATKEYWORDS}; do
	      PRESENCE=`kldstat -v | grep ${I}`
	      if [ ! "${PRESENCE}" = "" ]; then
		STATUS=1
		FOUNDKEYS="${FOUNDKEYS}${I} "
	      fi
	    done

	    if [ "${STATUS}" -eq 1 ]
	      then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "found terms: %1" "${FOUNDKEYS}"`) ]"
	      else
	        insertlayout
		displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi

		inc_progress 2

    logtext "--------------------- Netstat / Sockstat checks -----------------------"

	    SIZE=40
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    
	    displaytext -n "     `_ "Comparing output sockstat and netstat"`"
	    logtext -n "Comparing output of sockstat and netstat... "
	    # Both listings are reduced to the sorted, unique set of local port numbers
	    # of listening sockets and compared; a socket that one tool shows and the
	    # other hides points at a tampered binary.  The cut offsets are tied to the
	    # column layout of the FreeBSD sockstat/netstat output of this era.
	    SOCKSTAT=`sockstat | grep '*:*' | cut -c 1-55 | grep '*:' | cut -c 39-47 | tr -d ' ' | sort| grep -v '*' | uniq`
	    NETSTAT=`netstat -an | grep -v 'TIME_WAIT' | grep -v 'ESTABLISHED' | grep -v 'SYN_SENT' | grep -v 'CLOSE_WAIT' | grep -v 'LAST_ACK' | grep -v 'SYN_RECV' | grep -v 'CLOSING' | cut -c 1-44 | grep '*.' | cut -c 24-32 | tr -d ' ' | tr -d '\t' | grep -v '*' | sort | uniq`

	    if [ "${SOCKSTAT}" = "${NETSTAT}" ]; then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		logtext "OK"
	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
		logtext "WARNING!"
		# Both reduced lists go to the log so the differing port can be found.
		logtext "Sockstat tested output: ${SOCKSTAT}"
		logtext "Netstat tested output: ${NETSTAT}"
	    fi

		inc_progress 2

    logtext "---------------------- Packages database check ------------------------"


	    # pkgdb (ports) consistency: any "Skipped." line in the verbose -Fa run
	    # is taken as a sign of an inconsistent package database.
	    if [ -f /usr/local/sbin/pkgdb ]
	      then
	        SIZE=29
	        jump=`expr ${defaultcolumn} - ${SIZE}`
	        displaytext -n "     `_ "Checking packages database"`"

	        RESULT=`/usr/local/sbin/pkgdb -Fa -v | grep "Skipped."`

    	        if [ "${RESULT}" = "" ]; then
		  insertlayout
	          displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		  logtext "OK"
	         else
		  insertlayout
	          displaytext $E "${LAYOUT}[ ${YELLOW}`_ "Please check"`${NORMAL} ]"
		  logtext "Your package databases seems to have inconsistenties. Please run pkgdb -F to"
		  logtext "do manually checking. Although this isn't a security issue, you need to be sure"
		  logtext "your applications are using the correct dependancies"
	        fi

			inc_progress 2
	    fi
	    

#	    KLDLOADS=`grep -r 'kldload' /etc/*`
#	    for I in "${KLDLOADS}"; do
#	      echo "${I}"
#	    done


	fi

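	if [ ${OPERATING_SYSTEM} = "Linux" ]
	  then
	    temp1=""; temp2=""
	    displaytext ""
    	    displaytext "   ${WHITE}Linux${NORMAL}"

	    SIZE=37
	    jump=`expr ${defaultcolumn} - ${SIZE}`

	    displaytext -n "     `_ "Checking loaded kernel modules..."` "

	    # Compare the kernel's own module list (/proc/modules) with what the
	    # lsmod binary prints; an lsmod that hides a module shows up as a
	    # difference.  temp1 = normalised /proc/modules, temp2 = normalised
	    # lsmod output.  LSMODBINARY and KERNELVERSION are set elsewhere.
	    # Is /proc/modules file available?
	    if [ -f /proc/modules ]
	      then
    	        if [ "${KERNELVERSION}" = "2.2" -o "${KERNELVERSION}" = "2.4" ]
	          then
		    # 2.2/2.4: lsmod mirrors /proc/modules line for line, so whole
		    # lines are compared with the spaces removed (column widths differ).
			temp1=`sort /proc/modules | tr -d ' '`
		    temp2=`${LSMODBINARY} | grep -v "Size  Used by" | sort | tr -d ' '`
	          else
	    	    if [ "${KERNELVERSION}" = "2.6" ]
		      then
			# 2.6: the remaining columns legitimately differ between the
			# two sources, so only the module-name column is compared.
			temp1=`sort /proc/modules | tr -s ' ' | cut -d " " -f1`
			temp2=`${LSMODBINARY} | grep -v "Size  Used by" | sort | tr -s ' ' | cut -d " " -f1`
		    fi
		fi
		inc_progress 2
	    fi
	    
	    if [ ! "${temp1}" = "" ]
	      then
		if [ "${temp1}" = "${temp2}"  ]
		  then
		    insertlayout
		    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	          else
	            insertlayout
	    	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "found difference in output"`) ]"
		    # Log both lists so the hidden/extra module can be identified.
		    logtext "Warning! Output of /proc/modules and lsmod differ"
		    logtext "/proc/modules: ${temp1}"
		    logtext "lsmod: ${temp2}"
	        fi
	      else
	        displaytext "${WHITE}`_ Skipped!`${NORMAL}"
		# temp1 is also empty when /proc/modules exists but KERNELVERSION is
		# not one of 2.2/2.4/2.6; the log used to claim the file was missing
		# in that case as well.
		if [ -f /proc/modules ]; then
		  logtext "Info: kernel version ${KERNELVERSION} not handled. Lsmod test skipped"
		else
		  logtext "Info: no /proc/modules found. Lsmod test skipped"
		fi
	    fi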

#	    displaytext -n "   Checking all kernelmodules..."
	    
#	    SCANFILES=`cat ${SCANFILELIST} | grep '.o'`
#	    for J in ${SCANFILES}; do

#	      FOUNDSIGN=0
	      
	      # Search strings in file
	      # If we find something, we tell it after the last string
	      # (multiple strings will overwrite each other)
#	      for I in ${LKMSTRINGS}; do
#	        SEARCHSTRING=`echo ${I} | cut -d ':' -f1`
#	        TYPE=`echo ${I} | cut -d ':' -f2`
#	        INFO=`echo ${I} | cut -d ':' -f3`
#		if [ -f ${J} ]; then
#	          FOUND=`strings ${J} | egrep '${SEARCHSTRING}'`
#		 else
#		  # File not found, no strings returned
#		  FOUND=""
#		fi 
#	        if [ ! "${FOUND}" = "" ]; then
#	          FOUNDSIGN=1
#		  FOUNDSTRING=${FOUND}
#		  FOUNDTYPE=${TYPE}
#		  FOUNDINFO=${INFO}
#		  echo "Found: ${FOUND}"
#	        fi
#	      done
      
#	      if [ ${FOUNDSIGN} -eq 1 ]
#	        then
#		  displaytext "     Scanning ${J}"
#		  displaytext "Warning, found a possible ${FOUNDTYPE}"
#		  displaytext "Searchstring '${FOUNDSTRING}' founded in '${SEARCHSTRING}'"
#		  displaytext "Extra info: ${FOUNDINFO}"
#		  waitkeypress
#		else
#		  logtext "Scanning ${J}... [ Clean ]"
#	      fi
	      
#	    done

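	logtext "--------------------------- File attributes ---------------------------"

	SIZE=28
	displaytext -n "     `_ "Checking files attributes"`"
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# FOUND=1 once any entry below a BINPATHS directory carries the
	# ext2/ext3 immutable attribute.  LSATTRFOUND/LSATTRBINARY are set elsewhere.
	FOUND=0

        if [ ${LSATTRFOUND} -eq 1 ]
          then
			FILE_NUM=0
            for I in ${BINPATHS}; do
	      logtext "Checking $I file attributes"
	      if [ -d ${I} ]
	        then
	          # Glob instead of parsing `ls`; an empty directory leaves the
	          # literal pattern behind, which the -e test filters out.
	          for J in ${I}/*; do
	            [ -e "${J}" ] || continue
	            # The first field of lsattr output is the attribute string
	            # (e.g. "----i--------").  The position of 'i' differs between
	            # e2fsprogs releases, so look for the letter anywhere in the
	            # field instead of at a fixed column; lowercase 'i' is the
	            # immutable flag ('I' is the directory index flag).  -d keeps
	            # lsattr from listing the contents of a directory entry.
	            LSAT=`${LSATTRBINARY} -d ${J} 2>/dev/null | cut -d ' ' -f1`
	            case "${LSAT}" in
	              *i*)
	                FOUND=1
	                logtext "Found 'immutable' binary (${J})"
	                ;;
	            esac
				FILE_NUM=$(($FILE_NUM + 1))
				inc_progress $(($FILE_NUM / 9))
				FILE_NUM=$(($FILE_NUM % 9))
  	          done
	      fi
	    done
	    if [ ${FOUND} -eq 0 ]; then
	      insertlayout
	      displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	     else
              insertlayout
              displaytext $E "${LAYOUT}[ ${YELLOW}`_ "Special attributes found!"`${NORMAL} ]"
	      logtext "Found special attributes on some binaries! This can be performed by security software OR"
	      logtext "by a rootkit. Please inspect these files and try to find the reason of this immutable flag."
	      logtext "See 'man chattr' for more information about this attributes."
	    fi
	  else
	    insertlayout
	    displaytext $E "   ${file}${LAYOUT}[ ${WHITE}`_ Skipped!`${NORMAL} ]"
        fi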


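	logtext "----------------------------- LKM modules -----------------------------"

# Filenames of known-bad kernel modules.  Each is matched as a plain substring
# of every module path found below LKMPATH (no regex interpretation).
LKM_BADNAMES="
adore.so
cleaner.o
flkm.o
phide_mod.o
vlogger.o
"

LKMPATH="/lib/modules/`uname -r`"
# FOUND=1 once any module path contains one of the bad names.
FOUND=0


	SIZE=27
	displaytext -n "     `_ "Checking LKM module path"`"
	jump=`expr ${defaultcolumn} - ${SIZE}`

	if [ -d ${LKMPATH} ]
	  then
		FILE_NUM=0
	    # 2.4 kernels use .o modules, 2.6 kernels .ko, and adore ships as .so;
	    # the former "*.o" pattern could never match the .so and .ko entries.
	    for J in `${FINDBINARY} ${LKMPATH} \( -name "*.o" -o -name "*.so" -o -name "*.ko" \) -print`; do
	    
	      for I in ${LKM_BADNAMES}; do
	        # Substring test done by the shell: the quoted pattern is literal,
	        # so the dot in e.g. "adore.so" no longer matches any character.
	        case "${J}" in
	          *"${I}"*)
	            logtext "Warning, possible unwanted LKM (filename: ${J} string: ${I}) installed!"
	            FOUND=1
	            ;;
	        esac
	      done
			FILE_NUM=$(($FILE_NUM + 1))
			inc_progress $(($FILE_NUM / 2))
			FILE_NUM=$(($FILE_NUM % 2))
 	    done
	      
	    if [ ${FOUND} -eq 0 ]
	      then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	    fi
	    
	  else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${WHITE}`_ Skipped!`${NORMAL} ]"
	    logtext "LKM module filename check skipped, because path (${LKMPATH}) doesn't exist"
	fi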

	# End Linux tests    
	fi

	logtext "------------------------------- Backdoors -----------------------------"



	displaytext ""; displaytext ""
	displaytext "${YELLOW}`_ Networking`${NORMAL}"

	displaytext "${test}* `_ "Check: frequently used backdoors"`${NORMAL}"

	# The listening-port check only knows the netstat output format of Linux
	# and FreeBSD; donetstat gates it.
	if [ "${OPERATING_SYSTEM}" = "Linux" ]; then
	    donetstat="1"
	fi
	if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]; then
	    donetstat="1"
	fi

	# Skip tests when GRSEC is available (because of the locking of /proc/*)
	if [ ${GRSECINSTALLED} -eq 1 ]; then
	    donetstat="0"
	fi   

	if [ "${donetstat}" = "1" ]
	  then
	    # backdoorports.dat: one "port:description" entry per line, with "%%"
	    # standing for a space in the description.
	    for i in `cat ${DB_PATH}/backdoorports.dat`
	      do
	        port=`echo ${i} | cut -d ':' -f 1`
		DESCRIPTION=`echo ${i} | cut -d ':' -f 2`
		DESCRIPTION=`echo ${DESCRIPTION} | sed 's/%%/ /g'`

		# Only LISTENing sockets are considered; the separator between address
		# and port differs (':' on Linux, '.' on FreeBSD), and the trailing space
		# keeps port 31337 from matching 313370.
		if [ "${OPERATING_SYSTEM}" = "Linux" ]; then
	    	    checkport=`netstat -an | grep "LISTEN" | grep ":${port} "`
		fi
	  
	        if [ "${OPERATING_SYSTEM}" = "FreeBSD" ]; then
	            checkport=`netstat -an | grep "LISTEN" | grep ".${port} "`
	        fi

		SIZE=`echo "   ${port}: ${DESCRIPTION} " | wc -c | tr -d ' '`	  
		jump=`expr ${defaultcolumn} - ${SIZE}`			
		displaytext -n "  `_ "Port %1: %2" "${port}" "${DESCRIPTION}"`"
		
		if [ "${checkport}" = "" ]
		  then
		    insertlayout
		    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		  else
		    insertlayout
		    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "possible trojan port"`) ]"
		fi
			inc_progress 2
 	      done
	  else
	    displaytext "${YELLOW}`_ "Not tested"`"
	    if [ ${GRSECINSTALLED} -eq 1 ]; then
    	      logtext "Backdoor ports test skipped, due customized kernel (GRSEC)"
    	    fi   

	fi  

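	displaytext ""
	displaytext "${test}* `_ Interfaces`${NORMAL}"

	SIZE=38
	jump=`expr ${defaultcolumn} - ${SIZE}`

	    displaytext -n "     `_ "Scanning for promiscuous interfaces"`"
	    LOGTEXT="Checking network interfaces (promiscuous mode)... "

	    # PROMISCSCAN1: ifconfig lines carrying PROMISC (test 1).
	    # PROMISCSCAN2: `ip -s link` lines carrying PROMISC (test 2, only when
	    # an ip binary was found).  PROMISCSKIPPED marks platforms without a
	    # usable ifconfig test so that exactly one result line is printed.
	    PROMISCSCAN1=""; PROMISCSCAN2=""
	    PROMISCSKIPPED=0

            case "${OPERATING_SYSTEM}" in
	    AIX|OpenBSD)
	      # pflog interfaces are always promiscuous and are not a finding.
	      PROMISCSCAN1=`${IFCONFIGBINARY} -a | grep -v pflog | grep 'PROMISC'`
	      ;;
	    SunOS)
	        insertlayout
	        displaytext -e "${LAYOUT}[ ${YELLOW}`_ Skipped`${NORMAL} ]"
	        # Without this flag an "[ OK ]" used to be printed right after "Skipped".
	        PROMISCSKIPPED=1
	      ;;
	    *)
	      PROMISCSCAN1=`${IFCONFIGBINARY} | grep 'PROMISC'`
	      ;;
            esac

	    if [ ${IPFOUND} -eq 1 ]; then
	      PROMISCSCAN2=`${IPBINARY} -s link | grep 'PROMISC'`
	    fi

	    if [ ${PROMISCSKIPPED} -eq 1 ]; then
		logtext "${LOGTEXT}[ Skipped ]"
	    elif [ "${PROMISCSCAN1}" = "" -a "${PROMISCSCAN2}" = "" ]; then
	        insertlayout
	        displaytext -e "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		logtext "${LOGTEXT}[ OK ]"
		if [ ${IPFOUND} -eq 1 ]; then
		  logtext "Performed succesfull test with \`ip\`"
		fi
	      else
	        insertlayout
	        displaytext -e "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
		displaytext "`_ "Found promiscuous interface. Please use option '--createlogfile' and check the logfile"`"
		logtext "${LOGTEXT}[ WARNING ]"
	    	logtext "Possible promisc interfaces:"
		# This logged ${PROMISCSCAN}, a variable that is never set, so the
		# test 1 evidence was always missing from the logfile.
		logtext "Output test 1: ${PROMISCSCAN1}"
	        if [ ! "${PROMISCSCAN2}" = "" ]; then
		  # Reduce the ip(8) lines already captured to the interface names
		  # (second field, trailing ':' removed) instead of re-running ip.
		  PROMISCSCAN2IFACES=`echo "${PROMISCSCAN2}" | tr -s ' ' | cut -d ' ' -f2 | tr -d ':'`
		  logtext "Output test 2: ${PROMISCSCAN2IFACES}"
	        fi

	    fi

		inc_progress 2
	
keypresspause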


##################################################################################################
#
# System checks
#
##################################################################################################
	    

	displaytext ""; displaytext ""
	displaytext "${YELLOW}`_ "System checks"`${NORMAL}"

	displaytext "${test}* `_ "Allround tests"`${NORMAL}"

	# Report an empty hostname (${hostname} is filled in elsewhere); several
	# programs misbehave without one.
	displaytext -n "   `_ "Checking hostname..."` "
	if [ -n "${hostname}" ]
	  then
	    displaytext "${OK}`_ Found.` ${NORMAL}`_ "Hostname is %1" "${hostname}"`"
	  else
	    displaytext "${BAD}`_ "Warning."` ${NORMAL}`_ "Found empty hostname. Some programs don'\''t like this"`."
	fi

	##################################################################################################

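	FOUND=0
	SIZE=49
	jump=`expr ${defaultcolumn} - ${SIZE}`
        displaytext -n "   `_ "Checking for passwordless user accounts..."` "
	logtext "Checking passwordless user accounts... "
        if [ -e "/etc/shadow" ]
	  then
	  	FILE_NUM=0
	    # Read /etc/shadow line by line (rather than word-splitting `cat` output)
	    # so an entry is never broken up on whitespace; the trailing -n test
	    # keeps a last line without newline.  Field 1 is the account name,
	    # field 2 the password hash; an empty hash means no password at all.
	    while read -r SHADOWLINE || [ -n "${SHADOWLINE}" ]; do
	      SHADOWUSER=`echo "${SHADOWLINE}" | cut -d ':' -f1`
	      PASSWORD=`echo "${SHADOWLINE}" | cut -d ':' -f2`
	      # Exclude NIS-user (+::::::)
	      if [ ! "${SHADOWUSER}" = "+" -a "x${PASSWORD}x" = "xx" ]; then
	        FOUND=1
		logtext "Warning! Found passwordless account (${SHADOWUSER})"
		logtext "Check this account and give it a password."
	      fi
			FILE_NUM=$(($FILE_NUM + 1))
			inc_progress $(($FILE_NUM / 5))
			FILE_NUM=$(($FILE_NUM % 5))
	    done < /etc/shadow
	    if [ ${FOUND} -eq 0 ]; then
	       displaytext "${OK}`_ OK`${NORMAL}"
	       logtext --nodate "OK"
	      else
	       displaytext "${BAD}`_ Warning!`${NORMAL}"
	       displaytext "`_ "Found passwordless user account. See logfile for more information"`"
	       # Used to log "OK" here, contradicting the per-account warnings above.
	       logtext --nodate "WARNING!"
	    fi
	  else
	    insertlayout
	    displaytext "${WHITE}`_ Skipped`${NORMAL}"
	    logtext --nodate "Skipped"
	    logtext "Skipped test because /etc/shadow doesn't exist"
	fi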

	##################################################################################################


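	if [ ${PASSWDCHECK_SKIP} -eq 0 ]
	  then
	    # Baseline copies of /etc/passwd and /etc/group are kept in ${TMPDIR}
	    # and diffed against the live files on the next run.  The check is only
	    # as trustworthy as that directory: if other users can write there, the
	    # baseline can be replaced to hide an added account — TODO confirm
	    # TMPDIR is created root-only.
	    displaytext -n "   `_ "Checking for differences in user accounts..."` "
	    if [ -e "/etc/passwd" ]
	      then
	        if [ -e "${TMPDIR}/passwd" ]
		  then
		    # Only lines containing ':' are entries; this drops diff's hunk headers.
		    differences=`diff /etc/passwd ${TMPDIR}/passwd | grep ":"`
		    if [ "${differences}" = "" ]
		      then
		        displaytext "${OK}`_ "OK."` ${NORMAL}`_ "No changes."`"
		      else
			# '<' lines exist only in the live file (added since the
			# baseline), '>' lines only in the baseline (removed).
			diffadded=`echo "${differences}" | grep "<"`
			diffremoved=`echo "${differences}" | grep ">"`
			# NOTE(review): ${red} is lowercase unlike BAD/OK/YELLOW — confirm it is defined.
		        displaytext "${red}`_ "Found differences"`${NORMAL}"
		        displaytext "   `_ "Info:"` "
			displaytext "----------------------"
			displaytext "${differences}"
			displaytext "----------------------"
			# Keep the evidence in the logfile as well, not only on screen.
			logtext "Warning! Differences found between /etc/passwd and the previous copy:"
			logtext "${differences}"
			if [ ! "${diffadded}" = "" ]; then
			  displaytext "   `_ "Info: Some items have been added (items marked with '<')"`"
			fi
			if [ ! "${diffremoved}" = "" ]; then
			  displaytext "   `_ "Info: Some items have been removed (items marked with '>')"`"
			fi
		    fi
		    rm -f ${TMPDIR}/passwd
			inc_progress 2
		  else
		    # First run: same message as the group check below.  The old
		    # branch printed a stale ${LAYOUT} without calling insertlayout.
		    displaytext "${warning}`_ "Creating file."` ${NORMAL}`_ "It seems this is your first time."`"
		fi
		cp /etc/passwd ${TMPDIR}/passwd || logtext "Warning! Could not save a copy of /etc/passwd in ${TMPDIR}"
	      else
	        displaytext "${BAD}`_ "Error."` ${NORMAL}`_ "Cannot find %1" /etc/passwd`"
		logtext "Can't find /etc/passwd file?!?"
	    fi

	    displaytext -n "   `_ "Checking for differences in user groups..."` "
	    if [ -e "/etc/group" ]
	      then
	        if [ -e "${TMPDIR}/group" ]
		  then
		    differences=`diff /etc/group ${TMPDIR}/group | grep ":"`
		    if [ "${differences}" = "" ]
		      then
		        displaytext "${OK}`_ "OK."` ${NORMAL}`_ "No changes."`"
		      else
			diffadded=`echo "${differences}" | grep "<"`
			diffremoved=`echo "${differences}" | grep ">"`
		        displaytext "${red}`_ "Found differences"`${NORMAL}"
		        displaytext "   `_ "Info:"` "
			displaytext "----------------------"
			displaytext "${differences}"
			displaytext "----------------------"
			logtext "Warning! Differences found between /etc/group and the previous copy:"
			logtext "${differences}"
			if [ ! "${diffadded}" = "" ]; then
			  displaytext "   `_ "Info: Some items have been added (items marked with '<')"`"
			fi
			if [ ! "${diffremoved}" = "" ]; then
			  displaytext "   `_ "Info: Some items have been removed (items marked with '>')"`"
			fi
		    fi
		    rm -f ${TMPDIR}/group
			inc_progress 2
		  else
		    displaytext "${warning}`_ "Creating file."` ${NORMAL}`_ "It seems this is your first time."`"
		fi
		cp /etc/group ${TMPDIR}/group || logtext "Warning! Could not save a copy of /etc/group in ${TMPDIR}"
	      else
	        displaytext "${BAD}`_ "Error."` ${NORMAL}`_ "Cannot find %1" /etc/group`"
		# Was a copy-paste of the passwd message and named the wrong file.
		logtext "Can't find /etc/group file?!?"
	    fi
        fi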

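	SIZE=42
	jump=`expr ${defaultcolumn} - ${SIZE}`
	displaytext "   `_ "Checking boot.local/rc.local file..."` "

	# Gentoo: /etc/conf.d/local.start	
	RCLOCATIONS="/etc/rc.local /etc/rc.d/rc.local /usr/local/etc/rc.local /usr/local/etc/rc.d/rc.local /etc/conf.d/local.start /etc/init.d/boot.local"
	# FOUNDRCSIGN: set once any rc file matched a pattern from RCLOCAL_STRINGS
	# (the "pattern:..." list defined elsewhere).  FOUNDINFILE is the per-file
	# result, so a hit in one file no longer marks every later file as well.
	FOUNDRCSIGN=0

	for FILE in ${RCLOCATIONS}; do
	    FILELENGTH=`echo ${FILE} | wc -c | tr -d ' '`
	    SIZE=4
	    jump=`expr ${defaultcolumn} - ${SIZE} - ${FILELENGTH}`

	    displaytext -n "     - ${FILE}"
	    if [ -f "${FILE}" ]; then
		FOUNDINFILE=0
		for J in ${RCLOCAL_STRINGS}; do
		  STRING=`echo ${J} | cut -d':' -f1`
		  FOUND=`grep "${STRING}" ${FILE}`
		  if [ ! "${FOUND}" = "" ]
		    then
		      FOUNDINFILE=1
		      FOUNDRCSIGN=1
		      logtext "Warning! Found unusual string in ${FILE}"
		  fi
	        done
		
		if [ "${FOUNDINFILE}" -eq 1 ]; then
		    insertlayout
		    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "found unusual signs"`) ]"
		    logtext "Warning! Found unusual string in rc.local/boot.local file"
		  else
		    insertlayout
	            displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
		fi

	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}`_ "Not found"`${NORMAL} ]"
	   fi
	   inc_progress 2
	done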

	# Reset for the rc.d scan; FOUNDRCSIGN stays set after this check ends.
	FOUNDRCSIGN=0
	# COUNTER drives the progress dots (one line break per 40 files).
	COUNTER=0
	
	SIZE=24
	jump=`expr ${defaultcolumn} - ${SIZE}`
	displaytext -n "   `_ "Checking rc.d files..."` "

	if [ -d /etc/rc.d ]
	  then
	    # Insert end-of-line
	    displaytext ""
	    displaytext -n "     `_ Processing`"
		VAL=0
	    # find recurses into every entry of /etc/rc.d; only regular files are
	    # searched for the RCLOCAL_STRINGS patterns (defined elsewhere).
	    for I in `find /etc/rc.d/*`; do
	    # Only check files, not directories
	      if [ -f ${I} ]
		then
    	          COUNTER=`expr ${COUNTER} + 1`
	          if [ ${COUNTER} -eq 40 ]; then
	    	    displaytext "."
	    	    displaytext -n "               "
	    	    COUNTER=0
	          else
	    	    displaytext -n "."
		fi
		for J in ${RCLOCAL_STRINGS}; do
	          STRING=`echo ${J} | cut -d':' -f1`
	          FOUND=`cat ${I} | grep "${STRING}"`
	          if [ ! "${FOUND}" = "" ]
	            then
	              # NOTE(review): unlike the rc.local check, the matching file is
	              # not logged here, so the logfile cannot tell which file hit.
	              FOUNDRCSIGN=1
	          fi
		done
	      fi
			VAL=$(($VAL + 3))
			inc_progress $(($VAL / 2))
			VAL=$(($VAL % 2))
	    done
	    # Insert end-of-line
	    displaytext ""
	    displaytext -n "   `_ "Result rc.d files check"`"
	    if [ "${FOUNDRCSIGN}" -eq 1 ]; then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "found unusual things"`) ]"
	    else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi
	  else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ "Not found"`${NORMAL} ]"

	fi

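	if [ -f ${ROOTDIR}etc/conf.d/local.start ]
	  then
	    SIZE=37
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    displaytext -n "   `_ "Checking Gentoo local.start file..."` "
	    logtext "Found ${ROOTDIR}etc/conf.d/local.start file (Gentoo)"

	    # Start from a clean flag: FOUNDRCSIGN still carries the rc.d result,
	    # which was otherwise reported against local.start as well.
	    FOUNDRCSIGN=0
	    # Active lines only: comments and blank lines are dropped.
	    INSPECTLINES=`grep -v '^#' ${ROOTDIR}etc/conf.d/local.start | grep -v '^$'`
	    
		for J in ${RCLOCAL_STRINGS}; do
	          STRING=`echo ${J} | cut -d':' -f1`
	          # Quoted so the lines stay separate and only the matching line is logged.
	          FOUND=`echo "${INSPECTLINES}" | grep "${STRING}"`
	          if [ ! "${FOUND}" = "" ]
	            then
	              FOUNDRCSIGN=1
		      logtext "Found ${FOUND} while checking ${ROOTDIR}etc/conf.d/local.start"
	          fi
		done
	    
	    if [ "${FOUNDRCSIGN}" -eq 1 ]; then
	        insertlayout
	        displaytext -e "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} ]"
	    else
	        insertlayout
	        displaytext -e "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi

	fi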

#	logtext "---------------------------- Binary checks ----------------------------"

#	SIZE=18
#	displaytext -n "   Checking binaries..."
#	jump=`expr ${defaultcolumn} - ${SIZE}`			

#        if [ ${STRINGSFOUND} -eq 1 ]; then

#	  FOUND=0
#	  for I in ${BINPATHS}; do

#            # Calculate string length
#	    SIZE=`echo "${I}" | wc -c | tr -d ' '`
# 	    SIZE=`expr ${SIZE} + 7`	  
#	    jump=`expr ${defaultcolumn} - ${SIZE}`

#	    for J in ${I}; do
#	      for K in `ls ${J}/*`; do
#	        UPXED=`${STRINGSBINARY} ${K} | grep " UPX "`
#	        logtext -n "Checking ${K}... "
#	        if [ ! "${UPXED}" = "" ]; then
#	          FOUND=1
#		  logtext "BAD"
#		  logtext "Warning: ${J} seems to be a UPXed file. This is not usual for a binary file"
#		 else
#		  logtext "OK"
#	        fi
#	      done  	      
#	    done
#	  done
#	  
#	  # Check results
#	  if [ ${FOUND} -eq 1 ]
#	    then
#	      insertlayout
#	      displaytext $E "${LAYOUT}[ ${BAD}Warning!${NORMAL} ]"
#	      displaytext "See logfile for more information"
#	    else
#	      insertlayout
#	      displaytext $E "${LAYOUT}[ ${OK}OK${NORMAL} ]"    
#	  fi
#
#        else
#	      insertlayout
#	      displaytext $E "${LAYOUT}[ ${YELLOW}Skipped${NORMAL} ]"
#	fi

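	logtext "---------------------------- History files ----------------------------"

	SIZE=15
	displaytext "   `_ "Checking history files"`"
	jump=`expr ${defaultcolumn} - ${SIZE}`			

	displaytext -n "     Bourne Shell"
	
	# A root history file that is a symlink (typically to /dev/null) hides
	# the shell history.  -f follows the link and is false for a device,
	# so the old test reported exactly that case as "Not Found"; -L is
	# checked first so the redirection itself is detected.
	if [ -L /root/.bash_history -o -f /root/.bash_history ]
	  then
	    if [ -L /root/.bash_history ]
	      then
	        insertlayout
		displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "redirection found"`) ]"
		logtext "Warning! /root/.bash_history is a symbolic link (history redirected)"
	      else
	        insertlayout
		displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi
		inc_progress 2
	  else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ "Not Found"`${NORMAL} ]"
	fi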

	displaytext ""
	displaytext "${test}* `_ "Filesystem checks"`${NORMAL}"
	displaytext -n "   `_ "Checking /dev for suspicious files..."` "
	    
	if [ -d ${ROOTDIR}dev ]; then
	
	  # FreeBSD (5): character special, symbolic link to,directory
	  # Linux (Debian): block special, socket, fifo (named pipe)
	  # Everything file(1) reports under /dev that is not one of the expected
	  # device-node types is listed; regular files in /dev are a common rootkit
	  # hiding place.  EGREP is set elsewhere.
	  SPECIALFILES=`file "${ROOTDIR}dev/"* | $EGREP -v 'character special|block special|socket|fifo \(named pipe\)|symbolic link to|empty|directory|MAKEDEV'`
	  
	  SIZE=39
	  jump=`expr ${defaultcolumn} - ${SIZE}`			
	  
	  if [ "${SPECIALFILES}" = "" ]; then
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	   else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${BAD}`_ Warning!`${NORMAL} (`_ "unusual files found"`) ]"
	    displaytext "---------------------------------------------"
	    displaytext "`_ "Unusual files:"`"
	    displaytext "${SPECIALFILES}"
	    displaytext "---------------------------------------------"
	  fi
		# Progress is scaled by the number of /dev entries (file is run a second time).
		inc_progress  $((`file "${ROOTDIR}dev/"* 2>/dev/null | wc -l` / 70))
         else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${YELLOW}`_ NA`${NORMAL} ]"	  
	fi

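	SIZE=29
	
	displaytext -n "   `_ "Scanning for hidden files..."`"

	SEARCHINDIRS="/dev /bin /usr /usr/man /usr/man/man1 /usr/man/man8 /usr/bin /usr/sbin /sbin /etc"
	# Only reset status once
	STATUS=0
	# Accumulators: every hidden entry reported by showfiles.pl, and the
	# subset that is neither harmless by file type nor whitelisted.
	ALLHIDDENDIRS=""
	HIDDENFILES=""

	for I in ${SEARCHINDIRS}; do
	  # Initialize directory
	  HIDDENDIRS=""
	  
	  logtext "Start scanning for hidden files in ${I}..."

	  if [ -d "${I}" ]; then
	    # showfiles.pl (shipped with rkhunter) lists the hidden entries of one directory.
	    HIDDENDIRS=`${MYDIR}/lib/rkhunter/scripts/showfiles.pl ${I}`
	    logtext "Value of hiddendirs: ${HIDDENDIRS}"
	  fi
	
	  if [ ! "${HIDDENDIRS}" = "" ]; then
	    ALLHIDDENDIRS="${ALLHIDDENDIRS} $HIDDENDIRS"
            STATUS=1
   	  fi

	  logtext "End of scanning ${I}"
  
	done
	inc_progress 4

	if [ ${STATUS} -eq 0 ]
	  then
	    jump=`expr ${defaultcolumn} - ${SIZE}`
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	  else
	    # Reset state
	    STATUS=0
	    for I in ${ALLHIDDENDIRS}; do
              if [ ${OPERATING_SYSTEM} = "AIX" -o ${OPERATING_SYSTEM} = "SunOS" ] ; then
	        # No file -b there: take the second word of "path: type".
	        FILETYPE=`file ${I}|awk '{print $2}'`
              else
	        FILETYPE=`file -b ${I}`
              fi
	      
	      # Ignore some filetypes, because they are harmless
	      case ${FILETYPE} in
	        "character special (8/0)" | "character special (254/0)" | "empty")	      
	          logtext "Hidden file/dir ${I} [${FILETYPE}] seems to be OK"
		  ;;
		"TDB database"*)
		  logtext "Hidden file/dir ${I} [${FILETYPE}] seems to be OK"
		  ;;  
		*)
		  # Gentoo keeps zero-sized ".keep" placeholder files in otherwise
		  # empty directories; only those are ignored.  The former test
		  # negated the GENTOO flag itself, which skipped *every* hidden
		  # entry on Gentoo, and compared the full path with ".keep", which
		  # never matched.
		  IGNOREENTRY=0
		  if [ "${GENTOO:-0}" -eq 1 ]; then
		    case "${I}" in
		      .keep|*/.keep)
		        [ -s "${I}" ] || IGNOREENTRY=1
		        ;;
		    esac
		  fi
		  if [ ${IGNOREENTRY} -eq 0 -a -n "${I}" ]
		    then
	              SEARCHDIR=0		    
		      # ALLOWHIDDENDIR= / ALLOWHIDDENFILE= lines in CONFIGFILE whitelist
		      # a path; SEARCHDIR=1 means the entry is on the list.
		      if [ "${FILETYPE}" = "directory" ]
		        then
			  for ALLOWHIDDENDIRS in `egrep '^ALLOWHIDDENDIR=' ${CONFIGFILE} | sed 's/ALLOWHIDDENDIR=//g'`; do
			    if [ "${ALLOWHIDDENDIRS}" = "${I}" ]; then
			      SEARCHDIR=1
			      logtext "Found hidden directory ${I} on whitelist"
			    fi 
			  done
			else
			  for ALLOWHIDDENFILES in `egrep '^ALLOWHIDDENFILE=' ${CONFIGFILE} | sed 's/ALLOWHIDDENFILE=//g'`; do
			    if [ "${ALLOWHIDDENFILES}" = "${I}" ]; then
			      SEARCHDIR=1
			      logtext "Found hidden file ${I} on whitelist"
			    fi 
			  done
		      fi
		            
		      # Is it a directory and is it on the whitelist?
		      # searchdir: 0 = NOT on list, 1 = on list
		      if [ ${SEARCHDIR} -eq 0 ]
		        then
		  	  STATUS=1
		          HIDDENFILES="${HIDDENFILES} ${I} (${FILETYPE}) "
		          logtext "Added ${I} (${FILETYPE}) to list of unknown hidden files/dirs"
		      fi		 
		  else
		    logtext "Hidden file ${I} [${FILETYPE}] ignored (Gentoo .keep placeholder)"
		  fi
		  ;;
	      esac
	    done

	    if [ ${STATUS} -eq 1 ]; then
	      jump=`expr ${defaultcolumn} - ${SIZE}`
	      insertlayout
	      displaytext $E "${LAYOUT}[ ${YELLOW}`_ Warning!`${NORMAL} ]"
	      logtext "WARNING, found: ${HIDDENFILES}"

    	      displaytext "---------------"
	      displaytext "${ALLHIDDENDIRS}"
	      displaytext "---------------"

	      displaytext "`_ "Please inspect: %1" "${HIDDENFILES}"`"
	      else
	        jump=`expr ${defaultcolumn} - ${SIZE}`
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi

	fi

keypresspause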

##################################################################################################
#
# Application advisories and warnings
#
##################################################################################################


	logtext "------------------------ Application advisories -----------------------"

	displaytext ""; displaytext ""
	displaytext "${YELLOW}`_ "Application advisories"`${NORMAL}"
	displaytext "* `_ "Application scan"`"

	# FOUNDSTRING=1 once any enabled Apache2 module file references the
	# mod_rootme backdoor module.
	FOUNDSTRING=0
	SIZE=33
	displaytext -n "   `_ "Checking Apache2 modules ..."` "
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# Debian layout: /etc/apache2/mods-enabled holds one file (usually a
	# symlink) per enabled module.
	if [ -d /etc/apache2/mods-enabled ]
	  then
	  		FILE_NUM=0
    	    for I in `ls /etc/apache2/mods-enabled/*`; do
	      SEARCHSTRING=`cat ${I} | egrep 'mod_rootme.so|mod_rootme2.so'`
	      logtext -n "Checking Apache2 modules in /etc/apache2/mods-enabled ${I}... "
	      if [ ! "${SEARCHSTRING}" = "" ];
	        then
	          logtext "Warning! Possible bad module found."
	          FOUNDSTRING=1
	        else
	          logtext "OK"
	      fi
			FILE_NUM=$(($FILE_NUM + 1))
			inc_progress $(($FILE_NUM / 2))
			FILE_NUM=$(($FILE_NUM % 2))
	    done

	    # Result lines carry three extra leading spaces, unlike the other checks.
            if [ ${FOUNDSTRING} -eq 1 ]
	      then	
	        insertlayout
	        displaytext $E "   ${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
	      else
	        insertlayout
	        displaytext $E "   ${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	    fi

	  else
	    insertlayout
	    displaytext $E "   ${LAYOUT}[ ${OK}`_ "Not found"`${NORMAL} ]"  
	fi


	FOUNDSTRING=0

	SIZE=38
	displaytext -n "   `_ "Checking Apache configuration ..."` "
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# Any Apache configuration in HTTPDCONFS (set elsewhere) that loads the
	# mod_rootme backdoor module sets FOUNDSTRING; missing files are skipped.
	for CONF in ${HTTPDCONFS}; do
	    [ -f ${CONF} ] || continue
	    if [ ! "`egrep 'mod_rootme.so|mod_rootme2.so' ${CONF}`" = "" ]; then
	        FOUNDSTRING=1
	    fi
	done

	insertlayout
	if [ ${FOUNDSTRING} -eq 1 ]; then
	    displaytext $E "   ${LAYOUT}[ ${BAD}`_ BAD`${NORMAL} ]"
	else
	    displaytext $E "   ${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	fi


	logtext "---------------------- Application version check ----------------------"


	# APPLICATION_CHECK is set at the top of the file.
	if [ ${APPLICATION_CHECK} -eq 1 ]
	  then

    	    displaytext ""
	    displaytext "* `_ "Application version scan"`"


#BINPATHS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin /usr/local/libexec /usr/libexec"

# Applications to probe: "binary:Display%%Name:" per line, where "%%" is
# turned into a space before display.  Each binary needs a matching case
# arm in the loop below to extract its version.
SCANFILES="
exim:Exim%%MTA:
gpg:GnuPG:
httpd:Apache:
named:Bind%%DNS:
openssl:OpenSSL:
php:PHP:
procmail:Procmail%%MTA:
proftpd:ProFTPd:
sshd:OpenSSH:
"

# Only consumed by the commented-out Linux kernel check further down.
LINUX_KERNELS="
vulnerable:%2.4.22%2.4.23%
nonvulnerable:%2.4.24%
"

# FOUND: a vulnerable version was seen; FOUNDUNKNOWN: a version absent from
# both databases was seen; VULNERABLE_ITEM_COUNT: number of vulnerable hits.
FOUND=0
FOUNDUNKNOWN=0
VULNERABLE_ITEM_COUNT=0

# For every entry of SCANFILES, look for the binary in each BINPATHS
# directory, ask it for its version and classify that version against the
# vulnerable/non-vulnerable databases.
for J in ${SCANFILES}; do
    APPLICATION=`echo ${J} | cut -d ':' -f1`
    APPLICATIONNAME=`echo ${J} | cut -d ':' -f2`
    # Second colon-field of every line of the databases, for all applications
    # at once; the lists are not narrowed to the current application.
    # NOTE(review): if the first field of programs_bad.dat is the application
    # name, a version string matching any other application's entry is
    # classified as well — confirm the file format.  Both reads could be
    # hoisted out of this loop.
    VULNERABLE=`cat ${DB_PATH}/programs_bad.dat | cut -d ':' -f2`
    NONVULNERABLE=`cat ${DB_PATH}/programs_good.dat | cut -d ':' -f2`
    logtext "----------------------------------------------------------"
    logtext "Scanning ${APPLICATIONNAME}..."

  FILEFOUND=0
  for I in ${BINPATHS}; do

    if [ -f "${I}/${APPLICATION}" ]
      then
        FILEFOUND=1
        VERSION=""
        # The version is obtained by executing the candidate binary with the
        # scanner's privileges.  A replaced binary would therefore run here;
        # this block trusts the binaries it is about to assess.
        case ${APPLICATION} in
          exim)
                VERSION=`${I}/exim -bV | grep 'Exim version' | awk '{ print $3 }'`
                ;;
          gpg)
                VERSION=`${I}/gpg --version | grep 'GnuPG' | awk '{ print $3 }'`
                ;;
          httpd)
                VERSION=`${I}/httpd -v | grep 'Apache' | cut -d ' ' -f3 | cut -d '/' -f2`
                ;;
          named)
                # Strip a "-suffix" (e.g. release tag) from the version.
                VERSION=`${I}/named -v | grep 'named' | grep -v '/' | awk '{ print $2 }'`
                if [ ! "`echo ${VERSION} | grep "-"`" = "" ]; then
                  VERSION=`echo ${VERSION} | cut -d '-' -f1`
                fi
		TEST=`${I}/named -v | grep 'named'`
		logtext "Debug: ${TEST}"
		# Fallback for named builds whose -v line contains a '/'.
		if [ "${VERSION}" = "" ]; then
		  VERSION=`${I}/named -v | awk '{ print $2 }'`
		fi
                ;;
	  openssl)
		VERSION=`${I}/openssl version | head -n 1 | cut -d' ' -f2`
		;;
          php)
                # Strip off any additions (like Debian using version 4.3.10-8)
		VERSION=`${I}/php -v | head -n 1 | awk '{ print $2 }' | cut -d'-' -f1`
                ;;
          procmail)
                VERSION=`${I}/procmail -v 2>&1  | grep 'procmail v' | awk '{ print $2 }' | tr -d 'v'`
                ;;
          proftpd)
                VERSION=`${I}/proftpd -v 2>&1 | awk '{ print $4 }'`
                ;;
          squid)
                # Unreachable at present: squid is not listed in SCANFILES.
                VERSION=`${I}/squid -v | grep 'Squid Cache' | awk '{ print $4 }'`
                ;;
          sshd)
                # -t -d only tests the configuration; the version is the part
                # after "OpenSSH_", with any "+portable" style suffix removed.
                VERSION=`${I}/sshd -t -d 2>&1 | head -n 1 | awk '{ print $4 }' | cut -d '_' -f2`
		if [ ! "`echo "${VERSION}" | grep "+"`" = "" ]; then
		  VERSION=`echo "${VERSION}" | cut -d'+' -f1`
		fi
                ;;
          *)
                displaytext "`_ Unknown`"
                VERSION="NA"
                ;;
        esac

        logtext "${I}/${APPLICATION} found"

        # Drop carriage returns some tools print on the version line.
        VERSION=`echo ${VERSION} | tr -d '\r'`

        if [ "${VERSION}" = "" ]
          then
            logtext "No version found of application ${APPLICATION}"
            APPLICATIONNAME=`echo ${APPLICATIONNAME} | tr -s '%' ' '`
                displaytext -n "   - ${APPLICATIONNAME} [`_ unknown`] "

		JUMPCOL=`expr ${defaultcolumn} - 12`
		SIZE=`echo \'${APPLICATIONNAME} [`_ unknown`]\' | wc -c | tr -s ' ' | tr -d ' '`
		jump=`expr ${JUMPCOL} - ${SIZE} + 11`
		insertlayout
		displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"	    

          else
            APPLICATIONNAME=`echo ${APPLICATIONNAME} | tr -s '%' ' '`
                displaytext -n "   - ${APPLICATIONNAME} ${VERSION} "

		JUMPCOL=`expr ${defaultcolumn} - 12`
		SIZE=`echo \'${APPLICATIONNAME} ${VERSION}\' | wc -c | tr -s ' ' | tr -d ' '`
		jump=`expr ${JUMPCOL} - ${SIZE} + 11`
		insertlayout
		
                # Versions are stored as "%1.2.3%" tokens; VERSION is used as a
                # basic regex here, so its dots match any character.
                ISVULNERABLE=`echo ${VULNERABLE} | grep "%${VERSION}%"`
                if [ "${ISVULNERABLE}" = "" ]
                  then
                    ISNONVULNERABLE=`echo ${NONVULNERABLE} | grep "%${VERSION}%"`
                    if [ "${ISNONVULNERABLE}" = "" ]
                      then
                        logtext "No information available. Unknown version number"
			displaytext $E "${LAYOUT}[ ${YELLOW}`_ Unknown`${NORMAL} ]"	    			
			FOUNDUNKNOWN=1
                      else
                        logtext "Version ${VERSION} is available in non-vulnerable group and seems to be OK!"
			displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"	    
                    fi
                  else
                    logtext "Version ${VERSION} seems to be vulnerable (if unpatched)!"
		    # USE_PATCHED_SOFTWARE (top of file) softens the verdict for
		    # distributions that backport fixes without bumping the version.
		    if [ ${USE_PATCHED_SOFTWARE} -eq 1 ]
		      then
		       displaytext $E "${LAYOUT}[ ${YELLOW}`_ "Old or patched version"`${NORMAL} ]"
		      else		      
                       displaytext $E "${LAYOUT}[ ${BAD}`_ Vulnerable`${NORMAL} ]"	    
		    fi
		    FOUND=1
		    VULNERABLE_ITEM_COUNT=`expr ${VULNERABLE_ITEM_COUNT} + 1`
                fi
        fi
		inc_progress 4
    fi
  done

if [ ${FILEFOUND} -eq 0 ]
  then
    logtext "Application not found"
fi

done

#if [ `uname` = "Linux" ]
#  then
#    KERNELVERSION=`uname -r`
#      # Strip hypens (-)
#      if [ ! `echo ${KERNELVERSION} | grep '-'` = "" ]
#        then
#          KERNELVERSION=`echo ${KERNELVERSION} | cut -d '-' -f1`
#      fi
#
#    displaytext -n "Search information for Linux kernel ${KERNELVERSION}..."
#
#    FOUND=0
#    VULNERABLE=0
#    for I in ${LINUX_KERNELS}; do
#      TYPE=`echo ${I} | cut -d ':' -f1`
#      INFO=`echo ${I} | cut -d ':' -f2`
#
#      if [ "${TYPE}" = "nonvulnerable" ]
#        then
#          GOODVERSIONS=`echo ${INFO} | sed -e "s/%/, /g" | sed -e "s/^, //"  | sed -e "s/, $//"`
#      fi
#
#      if [ ! "`echo ${INFO} | grep "${KERNELVERSION}"`" = "" -o ! "`echo ${INFO} | grep "${KERNELVERSION}-"`" = "" ]
#        then
#          if [ "${TYPE}" = "vulnerable" ]
#            then
#              FOUND=1
#              VULNERABLE=1
#              displaytext "Possible vulnerable kernel version!"
#          fi
#
#          if [ "${TYPE}" = "nonvulnerable" ]
#            then
#              FOUND=1
#              displaytext "Found a non-vulnerable kernel version"
#          fi
#      fi
#    done
#    if [ "${FOUND}" -eq 0 ]
#      then
#        displaytext "Unknown version"
#      else
#        if [ "${VULNERABLE}" -eq 1 ]
#          then
#            displaytext "Please upgrade to a higher version like ${GOODVERSIONS}"
#        fi
#    fi
#  else
#    displaytext "Linux kernel check skipped"
#fi

# Trailer of the application check: if some application reported a version
# that is in neither the vulnerable nor the non-vulnerable list, point the
# user at --update (fresh database) or the contact form.
displaytext ""
test "${FOUNDUNKNOWN}" -eq 1 && displaytext "`_ "Your system contains some unknown version numbers. Please run Rootkit Hunter
with the --update parameter or fill in the contact form (www.rootkit.nl)."`"

fi
# end of application test CHECK (application_check=1)




##################################################################################################
#
# Security advisories
#
##################################################################################################


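	displaytext ""; displaytext ""
	displaytext "${YELLOW}`_ "Security advisories"`${NORMAL}"
	logtext "------------------------- Security advisories -------------------------"

	SIZE=30
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# Check: accounts with UID 0.  Any account other than "root" whose numeric
	# UID is 0 is a full superuser whatever it is called, so it is reported.
	# The file is read below ROOTDIR, like the other file checks here.
	displaytext "${test}* `_ "Check: Groups and Accounts"`${NORMAL}"
	displaytext -n "   `_ "Searching for /etc/passwd..."` "
	if [ -e "${ROOTDIR}etc/passwd" ]
	  then
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK}`_ Found`${NORMAL} ]"
	    displaytext -n "   `_ "Checking users with UID '0' (root)..."` "

	    SIZE=39
	    jump=`expr ${defaultcolumn} - ${SIZE}`

	    # Compare the UID field (field 3) as a number instead of grepping for
	    # ":0:" and then for a "0" anywhere in "name:uid": that matched lines
	    # such as "user10:x:10:0:..." (GID 0, UID 10) and any account name
	    # containing a zero, and it could miss nothing but also prove nothing.
	    # Result: offending account names, one per line, empty when clean.
	    users_with_uid0=`awk -F: '$3 == 0 && $1 != "root" && $1 != "" { print $1 }' "${ROOTDIR}etc/passwd"`
	    if [ "${users_with_uid0}" = "" ]
	      then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK}`_ OK`${NORMAL} ]"
	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${YELLOW}`_ Warning!`${NORMAL} (`_ "some users in root group"`) ]"
	        displaytext "    `_ "info: %1" "${users_with_uid0}"`"
	        # Also log it, so it shows up in --report-warnings-only output.
	        logtext "Warning: accounts other than root with UID 0: ${users_with_uid0}"
	    fi

	    inc_progress 2
	  else
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${BAD}`_ "Not Found"`${NORMAL} ]"
	fi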


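	displaytext "";
	displaytext "${test}* `_ "Check: SSH"`${NORMAL}"

	SIZE=39
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# rkh_sshd_option FILE KEYWORD
	# Prints the value of the effective KEYWORD line of an sshd_config, or
	# nothing when the option is not set.  Comment and blank lines are skipped,
	# leading whitespace is allowed, the keyword is matched case-insensitively
	# and only the first occurrence counts (sshd_config(5): keywords are
	# case-insensitive and the first obtained value is used).  Lines after a
	# "Match" block start are ignored, as they are conditional overrides.
	# The previous "grep | grep -v #" approach compared whole lines and so
	# reported a merely indented, differently cased or multiply-present option
	# as "unknown".
	rkh_sshd_option()
	{
		RKH_KEY_=`echo "$2" | tr 'A-Z' 'a-z'`
		awk -v key="${RKH_KEY_}" '
			NF == 0 || substr($1, 1, 1) == "#" { next }
			tolower($1) == "match" { inmatch = 1 }
			inmatch { next }
			tolower($1) == key { print $2; exit }
		' "$1"
	}

	displaytext "   `_ "Searching for sshd_config..."` "
	SSHDCONFIG_PLACES="${ROOTDIR}etc ${ROOTDIR}etc/ssh ${ROOTDIR}usr/local/etc ${ROOTDIR}usr/local/etc/ssh"
	for I in ${SSHDCONFIG_PLACES}; do

	  if [ -e "${I}/sshd_config" ]
	    then
		# FOUND: 1 when root may log in over SSH (password or not).
		FOUND=0
		displaytext "   `_ "Found %1" "${I}/sshd_config"`"
		displaytext -n "   `_ "Checking for allowed root login..."` "

		permitrootlogin=`rkh_sshd_option "${I}/sshd_config" PermitRootLogin`
		permitrootlogin_lc=`echo "${permitrootlogin}" | tr 'A-Z' 'a-z'`
		case "${permitrootlogin_lc}" in
		  yes)
		    FOUND=1
		    logtext "Info: Found 'PermitRootLogin yes'. Unsafe for production servers..."
		    logtext "Tip: Change the option in your configuration file (${I}/sshd_config)."
		    logtext "     Use normal user accounts and 'su' to obtain root permissions."
		    ;;
		  no|without-password|prohibit-password|forced-commands-only)
		    # All of these refuse password logins for root.  The old code only
		    # recognised "no" (its second grep looked for "PermitRootLogin no"),
		    # so "without-password" fell through to the commented default and
		    # was reported as root login possible.
		    FOUND=0
		    logtext "Info: Found 'PermitRootLogin ${permitrootlogin}'"
		    ;;
		  "")
		    # Option not set: the stock sshd_config lists the compiled-in default
		    # as a comment ("#PermitRootLogin yes"), which is used as the hint.
		    if grep "#PermitRootLogin yes" "${I}/sshd_config" >/dev/null 2>&1
		      then
		        FOUND=1
		        permitrootlogin="yes (default, option not set)"
		        logtext "Info: Found no explicit values, but a default value of 'yes'"
		      else
		        FOUND=0
		        logtext "Unknown PermitRootLogin state"
		    fi
		    ;;
		  *)
		    FOUND=0
		    logtext "Unknown PermitRootLogin value '${permitrootlogin}'"
		    ;;
		esac

		if [ ${FOUND} -eq 1 ]
		  then
		    if [ "${ALLOW_SSH_ROOT_USER}" = "0" ]
		      then
		        # BAD is the failure colour used by the other checks in this section.
		        displaytext "${BAD} `_ "Watch out."` ${NORMAL} `_ "Root login possible. Possible risk!"`"
		        displaytext "     `_ "info: %1" "PermitRootLogin ${permitrootlogin}"`"
		        displaytext "     `_ "Hint: See logfile for more information about this issue"`"
		        logtext "Warning: root login possible. Change for your safety the 'PermitRootLogin'"
		        logtext "(into 'no') and use 'su -' to become root. "
		      else
		        logtext "Remote root login permitted, but allowed by using explicit option"
		        SIZE=36
		        jump=`expr ${defaultcolumn} - ${SIZE}`
		        insertlayout
		        # $E, not a literal -e: E is empty where echo is aliased to ksh print.
		        displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ( `_ "Remote root login permitted by explicit option"`) ]"
		    fi
		  else
		    SIZE=36
		    jump=`expr ${defaultcolumn} - ${SIZE}`
		    insertlayout
		    displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ( `_ "Remote root login disabled"`) ]"
		fi

		displaytext -n "    `_ "Checking for allowed protocols..."` "

		SIZE=35
		jump=`expr ${defaultcolumn} - ${SIZE}`
		insertlayout

		# Effective "Protocol" value: "2", "2,1", "1,2" or "1".  The old grep for
		# the literal 'Protocol 2' could not see 'Protocol 1,2' or 'Protocol 1'
		# and reported those as SSH2-only.
		protocols=`rkh_sshd_option "${I}/sshd_config" Protocol`
		case "${protocols}" in
		  2)
		    displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ( `_ "Only SSH2 allowed"`) ]"
		    ;;
		  "")
		    # Not set: fall back to the commented default shipped in the file.
		    # A dedicated flag is used; FOUND still holds the root-login verdict
		    # and previously leaked into this one.
		    SSH1DEFAULT=0
		    defaultprotocol=`grep "#Protocol" "${I}/sshd_config"`
		    if [ "${defaultprotocol}" = "#Protocol 2,1" -o "${defaultprotocol}" = "#Protocol 1,2" ]
		      then
		        SSH1DEFAULT=1
		        logtext "Found default option Protocol 2,1"
		    fi
		    if [ "${defaultprotocol}" = "#Protocol 1" ]
		      then
		        SSH1DEFAULT=1
		        logtext "Found default option Protocol 1"
		    fi
		    if [ ${SSH1DEFAULT} -eq 0 ]
		      then
		        displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} (`_ "Only SSH2 allowed"`) ]"
		        displaytext "     `_ "info: found no option, most times default value is used."`"
		      else
		        displaytext $E "${LAYOUT}[ ${YELLOW} `_ Warning`${NORMAL} ( `_ "SSH v1 allowed"`) ]"
		        logtext "Warning: SSH version 1 possible allowed!"
		        logtext "Hint: Change the 'Protocol xxx' line into 'Protocol 2'"
		    fi
		    ;;
		  *1*)
		    # "2,1", "1,2" or "1": protocol 1 is negotiable.
		    displaytext $E "${LAYOUT}[ ${YELLOW} `_ Warning`${NORMAL} ]"
		    displaytext "     `_ "info: Users can use SSH1-protocol (see logfile for more information)."`"
		    logtext "Warning: SSH version 1 allowed by 'Protocol ${protocols}'"
		    logtext "Hint: Change the 'Protocol xxx' line into 'Protocol 2'"
		    ;;
		  *)
		    displaytext $E "${LAYOUT}[ ${YELLOW} `_ Unknown`${NORMAL} ]"
		    logtext "Unknown Protocol value '${protocols}'"
		    ;;
		esac
		inc_progress 8
	  fi

	done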

 
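	displaytext "";
	displaytext "${test}*  `_ "Check: Events and Logging"`${NORMAL}"
	displaytext -n "    `_ "Search for syslog configuration..."` "

	SIZE=36
	jump=`expr ${defaultcolumn} - ${SIZE}`

	# Configuration files are read below ROOTDIR, like the passwd and
	# sshd_config checks above (the old code hard-wired /etc).  The running
	# daemon check further down necessarily looks at the live host.
	SYSLOGCONF="${ROOTDIR}etc/syslog.conf"
	SYSLOGNGCONF="${ROOTDIR}etc/syslog-ng/syslog-ng.conf"
	syslogisrunning=""
	syslogngisrunning=""
	logtoremote=""

	if [ -e "${SYSLOGCONF}" -o -e "${SYSLOGNGCONF}" ]
	  then
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ]"
	    SIZE=38
	    jump=`expr ${defaultcolumn} - ${SIZE}`

	    displaytext -n "    `_ "Checking for running syslog slave..."` "

	    # NOTE: 'ps | grep name' also matches any process whose command line
	    # merely contains the name (an editor opened on syslogd.conf, say), so a
	    # false "OK" is possible here.
	    case "${OPERATING_SYSTEM}" in
	      SunOS)
	        syslogisrunning=`ps -ef | grep syslogd | grep -v "grep"`
	        syslogngisrunning=`ps -ef | grep syslog-ng | grep -v "grep"`
	        ;;
	      *)
	        syslogisrunning=`ps ax | egrep "syslogd|syslog-ng|metalog" | grep -v "grep"`
	        ;;
	    esac

	    if [ ! "${syslogisrunning}" = "" -o ! "${syslogngisrunning}" = "" ]
	      then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ]"
	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${BAD} `_ Warning!`${NORMAL} ]"
	        displaytext "     `_ "Info: Cannot find syslog/syslog-ng daemon"`"
	    fi

	    SIZE=42
	    jump=`expr ${defaultcolumn} - ${SIZE}`

	    displaytext -n "    `_ "Checking for logging to remote system..."` "

	    # Remote destinations.  syslog.conf sends to "@host" ("@@host" for TCP
	    # in some syslogds).  syslog-ng does not use '@' for that at all but
	    # udp()/tcp() destination drivers, so grepping '@' there never found a
	    # remote destination.  Lines containing '#' are dropped in both cases,
	    # as before.  This is a text heuristic, not a parser for either format.
	    if [ -e "${SYSLOGCONF}" ]
	      then
	        logtoremote=`grep "@" "${SYSLOGCONF}" | grep -v "#"`
	      else
	        logtoremote=`egrep "udp\(|tcp\(" "${SYSLOGNGCONF}" | grep -v "#"`
	    fi

	    if [ "${logtoremote}" = "" ]
	      then
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ( `_ "no remote logging"`) ]"
	      else
	        insertlayout
	        displaytext $E "${LAYOUT}[ ${OK} `_ OK`${NORMAL} ( `_ "remote logging"`) ]"
	        displaytext "     `_ "info: %1" "${logtoremote}"`"
	        logtext "Info: line found with logging to remote host (${logtoremote})"
	    fi

	    inc_progress 5
	  else
	    # Neither file exists: close the pending "-n" line instead of leaving it
	    # dangling, as the old code did.
	    insertlayout
	    displaytext $E "${LAYOUT}[ ${BAD} `_ "Not Found"`${NORMAL} ]"
	    logtext "Info: Cannot find syslog or syslog-ng configuration file"
	fi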
	# All tests done: flush whatever progress is left in one step so the bar
	# ends at 100% before the results are printed.
	STATE=report
	inc_progress $(($TOTAL_PROGRESS_VAL - $CURRENT_PROGRESS_VAL))

keypresspause

	# End timestamp.  On AIX the shell's SECONDS counter is used instead of
	# 'date +%s'; BEGINTIME is set earlier in the file, outside this view.
	case "${OPERATING_SYSTEM}" in
	  AIX) ENDTIME=$SECONDS ;;
	  *)   ENDTIME=`date +%s` ;;
	esac
	TOTALTIME=`expr ${ENDTIME} - ${BEGINTIME}`
	
	# Scan summary.  The counters were accumulated by the earlier tests; a zero
	# count is printed in the OK colour, anything else in the BAD colour.
	displaytext ""; displaytext ""
	displaytext "----------------------------  `_ "Scan results"` ----------------------------"
	displaytext ""

	# rkh_count_colour N: emit the colour prefix for counter value N (no newline).
	rkh_count_colour()
	{
		if [ "$1" -eq 0 ]
		  then
		    displaytext -n "${OK}"
		  else
		    displaytext -n "${BAD}"
		fi
	}

	displaytext "${YELLOW}MD5${NORMAL}"
	displaytext " `_ "MD5 compared: %1" "${MD5_COUNT}"`"
	displaytext -n " `_ "Incorrect MD5 checksums: "`"
	rkh_count_colour "${MD5_DIFFERENT}"
	displaytext "${MD5_DIFFERENT}${NORMAL}"
	displaytext ""

	displaytext "${YELLOW} `_ "File scan"`${NORMAL}"
	displaytext " `_ "Scanned files: %1" "${SCANNED_COUNT}"`"
	displaytext -n " `_ "Possible infected files:"` "
	rkh_count_colour "${INFECTED_COUNT}"
	displaytext "${INFECTED_COUNT}${NORMAL}"
	logtext "Scanned for: ${ROOTKIT_TESTS}"
	test -n "${INFECTED_NAMES}" && displaytext " `_ "Possible rootkits: %1" "${INFECTED_NAMES}"`"

	displaytext ""
	displaytext "${YELLOW} `_ "Application scan"`${NORMAL}"
	if [ ${APPLICATION_CHECK} -eq 1 ]
	  then
	    logtext "${VULNERABLE_ITEM_COUNT} vulnerable applications found"
	    displaytext -n " `_ "Vulnerable applications:"` "
	    rkh_count_colour "${VULNERABLE_ITEM_COUNT}"
	    displaytext ${VULNERABLE_ITEM_COUNT}${NORMAL}
	    displaytext ""
	fi

	displaytext " `_ "Scanning took %1 seconds" "${TOTALTIME}"`"

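	# rkh_contact_footer: the feedback trailer printed after the summary.  It is
	# shown in both normal and report mode and used to be duplicated verbatim.
	rkh_contact_footer()
	{
	    displaytext ""
	    displaytext "-----------------------------------------------------------------------"
	    displaytext ""
	    displaytext " `_ "Do you have some problems, undetected rootkits, false positives, ideas
or suggestions?
Please e-mail me by filling in the contact form (@http://www.rootkit.nl)"`"
	    displaytext ""
	    displaytext "-----------------------------------------------------------------------"
	}

	if [ "${REPORTMODE}" -eq 0 ]
	  then
	    if [ "${DEBUGLOG}" -eq 1 ]; then
	      displaytext " `_ "Scan results written to logfile (%1)" "${DEBUGFILE}"`"
	    fi
	    rkh_contact_footer
	  else
	    # Force output (because we are in quiet mode): plain echo is used on
	    # purpose here so the summary is printed even though displaytext output
	    # is reduced in report mode.
	    echo "*  `_ "MD5 scan"`"
	    echo " `_ "MD5 compared            : %1" "${MD5_COUNT}"`"
	    echo " `_ "Incorrect MD5 checksums : %1" "${MD5_DIFFERENT}"`"
	    echo ""
	    echo "*  `_ "File scan"`"
	    echo " `_ "Scanned files: %1" "${SCANNED_COUNT}"`"
	    echo " `_ "Possible infected files: %1" "${INFECTED_COUNT}"`"
	    echo ""
	    echo "*  `_ "Rootkits"`"
	    echo " `_ "Possible rootkits: %1" "${INFECTED_NAMES}"`"
	    echo ""
	    echo " `_ "Scanning took %1 seconds" "${TOTALTIME}"`"
	    echo ""
	    echo "* `_ "important*"`"
	    echo " `_ "Scan your system sometimes manually with full output enabled!"`"
	    rkh_contact_footer
	fi

	# --display-logfile: dump the log after the summary.  The path is quoted
	# so a user-configured log path containing spaces is one argument.
	if [ "${CATLOGFILE}" -eq 1 ]; then
	  cat "${DEBUGFILE}"
	fi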
       
       # Final verdict.  WARNING is set by earlier tests (outside this view);
       # when it is set the warnings are optionally echoed and mailed, and the
       # script exits 1 so cron jobs and wrappers can tell a clean run from one
       # with findings.
       if [ ${WARNING} -eq 1 ]
         then
	 
	   # --report-warnings-only: pull the warnings back out of the log file by
	   # text match.  This is a substring filter: a logged path or name that
	   # happens to contain "Bad" or "Warning" is listed too, and a finding
	   # logged under other wording is not.
	   if [ ${SHOWWARNINGSONLY} -eq 1 ]; then
	     echo "-----------------------------------------------------------------"
	     echo ""
	     echo " `_ "Found warnings:"`"
	     cat $DEBUGFILE | egrep "Warning|WARNING|BAD|Bad|Vulnerable"
	     echo ""
	     echo "-----------------------------------------------------------------"
	     echo ""
	     echo " `_ "If you're unsure about the results above, please contact the author of
Rootkit Hunter. Fill in contact form: http://www.rootkit.nl/contact/"`"
	   fi
	   # MAILONWARNING (from the configuration) is handed to the local 'mail'
	   # command as a single argument; whether several space-separated
	   # addresses in one value work depends on that mail implementation.
	   # The mail body is the same substring filter as above.
	   if [ ! "${MAILONWARNING}" = "" ]; then
			# Doubled %% keeps the percent signs out of the %1-style placeholder
			# handling of _ (see lmsg_ at the top of the file).
			DATEFORMAT=`_ "%%b %%e, %%Y %%I:%%M %%p"`
			(
				_ "This letter was generated by security scanner started on host %1 at %2." "${hostname}" "`date "+${DATEFORMAT}"`"
				echo
				echo
				_ "Note: It is recommended that you re-run security scanning on the machine
via Plesk control panel before you make any changes to the machine
configuration."
				echo
				echo
				if [ 0 -lt `cat $DEBUGFILE | egrep "Warning|WARNING|BAD|Bad|Vulnerable" | wc -l` ]; then
					_ "Security scanning generated the following warnings (the full scanning log
is available at %1):" "$DEBUGFILE"
					echo
					echo
					# Each matching log line is preceded by the most recent section
					# header (a log line ending in "-----"), printed once per section.
					cat $DEBUGFILE | awk "/-----\$/ { buf = \$0; }; /Warning|WARNING|BAD|Bad|Vulnerable/ { if (0 < length(buf)) { print buf; buf=\"\" }; print; }"
				else
					_ "Security scanning discovered potential threats to your system. For more
information, please re-run security scanning on the machine via Plesk
control panel."
				fi
			) | mail -s "`_ "Security alert from host %1." "${hostname}"`" "${MAILONWARNING}"
	   fi
	
	   # If we use the --quiet option, tell the user he has to inspect the machine
	   if [ ${QUIET} -eq 1 ]; then
	     echo " `_ "Some errors have been found while checking. Please perform a manual check on this machine %1" "${hostname}"`"
	   fi

	   # Something was wrong. So end with a nonzero exit state for scripters/coders ;-)
	   # (save_state is defined elsewhere; presumably it persists STATE for the
	   # next run.)
	   	STATE=finish
		save_state
           exit 1
   
	 else
	   	STATE=finish
		save_state
	   exit 0
       fi
       
  else

    if [ ! ${NOARGS} -eq 1 -a ${VERSIONCHECK} -eq 0 -a ${UPDATE} -eq 0 ]; then
      displaytext " `_ "Don't you want to check your system?"`"
      displaytext " `_ "Please submit a parameter like --checkall or --cronjob"`"
    fi
fi

# --update: hand the database refresh to the separate updater script.  The
# five positional arguments are passed unquoted, so an empty value (e.g. an
# unset md5 tool) or one containing whitespace shifts the slots the updater
# sees -- NOTE(review): confirm against check_update.sh before quoting them.
# The updater's exit status is not checked; "Ready." is printed regardless.
if [ "${UPDATE}" -eq 1 ]
  then
    displaytext "`_ "Running updater..."`"
    displaytext ""
    ${MYDIR}/lib/rkhunter/scripts/check_update.sh ${CONFIGFILE} ${MIRRORFILE} ${DB_PATH} ${md5} ${DEBUGFILE}
    displaytext ""
    displaytext "`_ "Ready."`"
fi

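# rkh_clean_version (stdin -> stdout)
# Normalises a version string fetched from a mirror before it is compared or
# printed: only the first line is kept, everything but [0-9A-Za-z._-] is
# dropped, the result is cut to 32 characters and must start with a digit
# (otherwise nothing is printed and the caller treats it as "unknown").
# The fetch below is a plain, unauthenticated HTTP download, so the reply can
# be an error page, a captive-portal redirect or anything else, and must not
# reach the terminal or the comparison unfiltered.
rkh_clean_version()
{
  RKH_CLEANVER=`head -n 1 | tr -cd '0-9A-Za-z._-' | cut -c 1-32`
  case "${RKH_CLEANVER}" in
    [0-9]*) echo "${RKH_CLEANVER}" ;;
    *)      echo "" ;;
  esac
}

if [ "${VERSIONCHECK}" -eq 1 ]
  then
    LATESTVERSION="unknown"
    UPDFILE="${TMPDIR}/rkhunter.upd"

    # The download target is a fixed name below TMPDIR and 'wget -O' follows
    # symlinks.  A leftover file is removed first; in a sticky directory such
    # as /tmp 'rm -f' cannot remove another user's file or symlink, so the
    # fetch is skipped when the path still exists afterwards.  The window
    # between that check and the write is not closed -- a per-run mktemp
    # directory would close it, but mktemp is not assumed on every supported
    # OS.
    rm -f "${UPDFILE}"

    URLPREFIX=`grep -v 'version=' "${DB_PATH}/mirrors.dat" | head -n 1 | cut -d '=' -f2`

    VERSIONUPDATEURL=`grep 'LATESTVERSION=' "${CONFIGFILE}" | sed 's/LATESTVERSION=//g'`

    if [ "${WGETFOUND}" -eq 1 ]
      then
        if [ -e "${UPDFILE}" -o -L "${UPDFILE}" ]
          then
            logtext "Warning: ${UPDFILE} could not be removed, version check skipped"
          else
            ${WGETBINARY} -q -O "${UPDFILE}" "${URLPREFIX}${VERSIONUPDATEURL}"
            displaytext "${URLPREFIX}${VERSIONUPDATEURL}"
            if [ -f "${UPDFILE}" ]; then
              LATESTVERSION=`rkh_clean_version < "${UPDFILE}"`
            fi
        fi
    fi

    if [ "$QUIET" -eq 0 ]
      then
        displaytext ""
        displaytext "${PROGRAM_NAME} ${PROGRAM_version}, copyright ${PROGRAM_author}"
        displaytext ""
        displaytext "`_ "This version:   %1" "${PROGRAM_version}"`"
        displaytext "`_ "Latest version: %1" "${LATESTVERSION}"`"
    fi

    # Empty after cleaning (no download, empty or non-version reply).
    if [ "${LATESTVERSION}" = "" ]; then
      LATESTVERSION="unknown"
    fi

    if [ ! "${PROGRAM_version}" = "${LATESTVERSION}" ]
      then
        if [ "${LATESTVERSION}" = "unknown" ]
          then
            echo "`_ "Can't fetch latest version number."`"
            echo "${WHITE}`_ "Please check manually for updates"`${NORMAL}"
          else
            echo "${WHITE}`_ "Update available"`${NORMAL}"
        fi
    fi

    if [ "$QUIET" -eq 0 ]; then
      displaytext "" ; displaytext "" ; displaytext ""
    fi
fi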
  

# rkh_usage_line TEXT: print one translated line of the usage text.  ECHOOPT
# is "--" where echo is aliased to ksh print (top of the file), so that a
# line starting with "--option" is not taken for an option of print itself.
rkh_usage_line()
{
  echo $ECHOOPT "`_ "$1"`"
}

# Usage text, printed when no action parameter was given.
if [ "${NOARGS}" -eq 1 ]
  then
    echo $ECHOOPT "${PROGRAM_license}"
    echo $ECHOOPT ""
    rkh_usage_line "Valid parameters:"
    rkh_usage_line "--checkall (-c)           : Check system"
    rkh_usage_line "--createlogfile*          : Create logfile"
    rkh_usage_line "--cronjob                 : Run as cronjob (removes colored layout)"
    rkh_usage_line "--display-logfile         : Show logfile at end of the output"
    rkh_usage_line "--help (-h)               : Show this help"
    rkh_usage_line "--nocolors*               : Don't use colors for output"
    rkh_usage_line "--report-mode*            : Don't show uninteresting information for reports"
    rkh_usage_line "--report-warnings-only*   : Show only warnings (lesser output than --report-mode,
                            more than --quiet)"
    rkh_usage_line "--skip-application-check* : Don't run application version checks"
    rkh_usage_line "--skip-keypress*          : Don't wait after every test (non-interactive)"
    rkh_usage_line "--quick*                  : Perform quick scan (instead of full scan)"
    rkh_usage_line "--quiet*                  : Be quiet (only show warnings)"
    rkh_usage_line "--update                  : Run update tool and check for database updates"
    rkh_usage_line "--version                 : Show version and quit"
    rkh_usage_line "--versioncheck            : Check for latest version"
    echo $ECHOOPT ""
    rkh_usage_line "--bindir <bindir>*        : Use <bindir> instead of using default binaries"
    rkh_usage_line "--configfile <file>*      : Use different configuration file"
    rkh_usage_line "--dbdir <dir>*            : Use <dbdir> as database directory"
    rkh_usage_line "--rootdir <rootdir>*      : Use <rootdir> instead of / (slash at end)"
    rkh_usage_line "--tmpdir <tempdir>*       : Use <tempdir> as temporary directory"
    echo $ECHOOPT ""
    rkh_usage_line "Explicit scan options:"
    rkh_usage_line "--allow-ssh-root-user*    : Allow usage of SSH root user login"
    rkh_usage_line "--disable-md5-check*      : Disable MD5 checks"
    rkh_usage_line "--disable-passwd-check*   : Disable passwd/group checks"
    rkh_usage_line "--scan-knownbad-files*    : Perform besides 'known good' check a 'known bad' check"
    echo $ECHOOPT ""
    rkh_usage_line "Multiple parameters are allowed"
    rkh_usage_line "*) Parameter can only be used with other parameters"
    echo $ECHOOPT ""
    echo $ECHOOPT "${PROGRAM_extrainfo}"
    echo $ECHOOPT ""
fi

# end of parameter check

# 
# To Do:
#
# - FreeBSD MD5 test:
# ( md5 -x | grep -v 'verified correct' | grep -v 'MD5 test suite:' )
# Portacelo:
# String: 'big mess of a failure', 'Here today, gone tommorow' (sshd)
# find `lsof -F n | sort | uniq | grep '^n/' | cut -b 2,256 | egrep 'ASCII|ELF'` | cut -d ':' -f1
#
#
#################################################################################
#
# Big thanks to:
# - Iain Roberts: AIX and OpenBSD support
# - unSpawn @ rootshell.be
# - Doncho N. Gunchev
# - Steph: testing
#
#################################################################################


# The End
