From 82dd537b2fd88850eb4327a80b2c9acb7dbcf2ab Mon Sep 17 00:00:00 2001
From: Jon Ciesla
Date: Jun 20 2016 14:39:51 +0000
Subject: Fix windigo false positive
---
diff --git a/chkrootkit-0.50-openssh-windigo.patch b/chkrootkit-0.50-openssh-windigo.patch
new file mode 100644
index 0000000..150dc43
--- /dev/null
+++ b/chkrootkit-0.50-openssh-windigo.patch
@@ -0,0 +1,11 @@
+--- chkrootkit~ 2016-06-20 09:34:06.000000000 -0500
++++ chkrootkit 2016-06-20 09:37:11.130105353 -0500
+@@ -1141,7 +1141,7 @@
+ ## SSJD Operation Windigo (Linux/Ebury)
+ if [ "${QUIET}" != "t" ]; then printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi
+- if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then
++ if $ssh -H 2>&1 | grep -e illegal -e unknow > /dev/null; then
+ if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
+ else
+ echo "Possible Linux/Ebury - Operation Windigo installetd"
diff --git a/chkrootkit.spec b/chkrootkit.spec
index 238ec05..4601bd8 100644
--- a/chkrootkit.spec
+++ b/chkrootkit.spec
@@ -1,7 +1,7 @@
 %define _hardened_build 1
 Name: chkrootkit
 Version: 0.50
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: Tool to locally check for signs of a rootkit
 Group: Applications/System
 License: BSD and GPLv2+ and Python
@@ -24,6 +24,7 @@ Patch9: chkrootkit-0.49-chkproc-psver.patch
 Patch10: chkrootkit-0.49-chkutmp-outofbounds.patch
 Patch11: chkrootkit-0.49-CVE-2014-0476.patch
 Patch12: chkrootkit-suckit.patch
+Patch13: chkrootkit-0.50-openssh-windigo.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: desktop-file-utils
@@ -63,6 +64,7 @@ It contains:
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p0
 sed -i -e 's!\s\+@strip.*!!g' Makefile
@@ -130,6 +132,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
+* Mon Jun 20 2016 Jon Ciesla - 0.50-7
+- Patch for windigo false positive, BZ 1234436.
+
 * Wed Feb 03 2016 Fedora Release Engineering - 0.50-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
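Review bot: The new probe `$ssh -H` on the `++ if` line no longer exercises the indicator the original check was built on, namely a backdoored ssh that silently accepts `-G`; unless Ebury-patched binaries are also known to accept `-H`, this trades the false positive for a false negative, because an infected client that still rejects `-H` prints the usage error matched by `-e illegal -e unknow` and the check reports "nothing found". The false positive presumably comes from stock OpenSSH now accepting `-G` as a legitimate option, so a narrower fix would keep `-G` and only treat its acceptance as suspicious when `$ssh -V` reports a version that does not implement it, or require a second indicator before printing the Ebury warning. Whichever probe is kept, the patch should record why it was chosen, e.g. above the `if`: `# stock OpenSSH accepts -G on newer releases (prints config); -H is still rejected, but Ebury acceptance of -H is unverified`. Note also that if `$ssh` can be empty at this point, `$ssh -H 2>&1` runs `-H` as a command, produces neither matched string, and falls into the "Possible Linux/Ebury" branch; the enclosing function starts and ends outside this hunk, so that guard may already exist above.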