#! /bin/sh
# -*- Shell-script -*-

# $Id: chkrootkit, v 0.30 2001/03/22
CHKROOTKIT_VERSION='0.30'

# Author: nelson@pangeia.com.br
# (C)1997-2001 Nelson Murilo, Pangeia Informatica, AMS Foundation and others.
#              Many fixes by Klaus Steding-Jessen <jessen@nic.br>
# All rights reserved

### workaround for some Bourne shell implementations
unalias login > /dev/null 2>&1

# Native commands
TROJAN="basename biff chfn chsh cron date du dirname Echo env find fingerd \
grep su ifconfig inetd identd killall login ls mail netstat passwd pidof \
pop2 pop3 ps pstree rpcinfo rshd sendmail sshd syslogd tar tcpd \
top telnetd timed traceroute write"
# Tools
TOOLS="asp bindshell z2 wted rexedcs sniffer aliens lkm"

# Return Codes
INFECTED=0
NOT_INFECTED=1
NOT_TESTED=2
ERROR=3
INFECTED_BUT_DISABLED=4


# Many trojaned commands have this label
GENERIC_ROOTKIT_LABEL="^/bin/.*sh|bash|elite|vejeta|\.ark"

######################################################################
# tools functions

asp(){

    ASP_LABEL="poop"
    STATUS=${NOT_INFECTED}
    CMD=`loc asp asp $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf"
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then
        echo "Warning: Possible Ramen Worm installed in inetd.conf"
        STATUS=${INFECTED}
    fi
    if [ "$CMD" = "asp" ]; then
        echo "Not vulnerable"
        return ${NOT_INFECTED}
    else
        echo "Warning: Possible Ramen Worm installed ($CMD)"
        STATUS=${INFECTED}
    fi

    if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1
       then
          echo "INFECTED"
          STATUS=${INFECTED}
    fi
    return ${STATUS}
}

sniffer () {
    if [ "${ROOTDIR}" != "/" ]; then
      echo "Not Tested"
      return ${NOT_TESTED}
    fi

    if [ "$SYSTEM" = "SunOS" ]; then
       return ${NOT_TESTED}
    fi

    if [ ! -x ./ifpromisc ]; then
      echo "Not Tested: can't exec ./ifpromisc"
      return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./ifpromisc"
        return 5
    fi
    echo
    ./ifpromisc
}

z2 () {
    if [ ! -x ./chklastlog ]; then
      echo "Not Tested: can't exec ./chklastlog"
      return ${NOT_TESTED}
    fi

    WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`
    LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./chklastlog -f ${WTMP} -l ${LASTLOG}"
        return 5
    fi

    if ./chklastlog -f ${WTMP} -l ${LASTLOG}
    then
      echo "Nothing deleted"
    fi
}

wted () {
    if [ ! -x ./chkwtmp ]; then
      echo "Not Tested: can't exec ./chkwtmp"
      return ${NOT_TESTED}
    fi

    WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "./chkwtmp -f ${WTMP}"
        return 5
    fi

    if ./chkwtmp -f ${WTMP}
    then
      echo "Nothing deleted"
    fi
}

bindshell () {
    PORT="114|465|1008|31336|31337|511|47017|27374|47889"
    OPT="-an"
    PI=""
    if [ "${ROOTDIR}" != "/" ]; then
      echo "Not Tested"
      return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${netstat} ${OPT}"
        return 5
    fi
    for P in `echo $PORT | ${sed} 's/|/ /g'`; do
       if ${netstat} "${OPT}" | ${egrep} "^tcp|^udp" | ${egrep} \
"[^0-9.]${P}[^0-9.]" >/dev/null 2>&1
       then
          PI="${PI} ${P}"
       fi
    done
    if [ "${PI}" != "" ]
    then
       echo "INFECTED (PORTS: $PI)"
    else
       echo "Not vulnerable"
    fi
}

lkm () {
    if [ "${SYSTEM}" = "Linux" -a "${ROOTDIR}" = "/" ]; then

      if [ ! -x ./chkproc ]; then
        echo "Not Tested: can't exec ./chkproc"
        return ${NOT_TESTED}
      fi

      if [ "${EXPERT}" = "t" ]; then
          expertmode_output "./chkproc -v"
          return 5
      fi

      if ./chkproc
      then
        echo "Nothing detected"
      else
        echo "Warning: Possible LKM Trojan installed"
      fi
    else
        echo "Not Tested"
    fi
}

aliens () {

   if [ "${EXPERT}" = "t" ]; then
        ### suspicious files
        expertmode_output "${find} ${ROOTDIR}dev -type f"
        expertmode_output "${find} ${ROOTDIR}var/run/.tmp"
        expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib"
        expertmode_output "${find} ${ROOTDIR}usr/man/man1/.. *"

        ### sniffer's logs
        expertmode_output "${find} ${ROOTDIR} -name tcp.log -o -name \
.linux-sniff -o -name sniff-l0g" 

        ### t0rn
        expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \
${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \
ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn"
        ## Lion Worm
        expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh 
2> /dev/null" 

        ### ark
        expertmode_output "${find} ${ROOTDIR}dev -name ptyxx"
        expertmode_output "${find} ${ROOTDIR}usr/doc -name '... *'"
        expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'"

        ### RK17
        expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit"
        expertmode_output "${find} ${ROOTDIR}sbin -name pback"
        expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid \
2>/dev/null"
        expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null"
        expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \
autod.o 2> /dev/null"
        expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \
-name ct -o -name snick -o -name kfl"

        CGIDIR=""
        for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
home/httpd/cgi-bin;
        do
           [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
        done
        expertmode_output "${find} ${CGIDIR} -name number.cgi -o -name \
void.cgi -o -name psid -ls"

        ### rsha
        expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \
-o -name n3tstat -o -name chsh2"
        expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha"
        expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \
${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/"

        ### rh-sharpe
        expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \
-o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \
-o -name ldu -o -name lnetstat"
        expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du"

        ### suspicious files and dirs
        DIR=${ROOTDIR}usr/lib
        [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man"
        [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib"
        [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib"
        expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'"
        expertmode_output "${find} ${DIR} -type d -name '.*'"
        expertmode_output "${find} ${DIR} -name '...*'"

        ### Ramen Worm
        expertmode_output "${find} ${ROOTDIR}usr/src/.poop \
${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp"

        ### shell history file check
        if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
        expertmode_output "${find} ${ROOTDIR}${HOME} -name .*history \
 -size 0"
        expertmode_output "${find} ${ROOTDIR}${HOME} -name .*history \
 -links 2 -o -type l"
        fi

        return 5
   fi

   dir="${ROOTDIR}var/run/.tmp"
   files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;`
   if [ "${files}" = "" ]
   then
      if [ -d ${dir} ]
      then
         echo "Suspect directory ${dir} FOUND! Looking for sniffer logs"
         files=`${find} ${dir}`
         echo
         echo ${files}
      else
         echo "No suspect files"
      fi
   else
      echo
      echo ${files}
   fi
   printn "Searching for sniffer's logs, it may take a while... "
   files=`${find} ${ROOTDIR} -name "tcp.log -o -name ".linux-sniff" -o \
-name "sniff-l0g 2>/dev/null`
   if [ "${files}" = "" ]
   then
      echo "Nothing found"
   else
      echo
      echo ${files}
   fi
   printn "Searching for t0rn's default files and dirs... "
   if [ -f ${ROOTDIR}etc/ttyhash -o -f ${ROOTDIR}sbin/xlogin -o \
        -d ${ROOTDIR}usr/src/.puta  -o -e ${ROOTDIR}lib/ldlib.tk -o \
        -d ${ROOTDIR}usr/info/.t0rn ]
   then
      echo "Possible t0rn rootkit installed"
   else
      echo "Nothing found"
   fi
   
   printn "Searching for Lion Worm default files and dirs... "
   if [ -d ${ROOTDIR}usr/info/.torn -o -d ${ROOTDIR}dev/.lib -o \
        -f ${ROOTDIR}bin/in.telnetd -o -f ${ROOTDIR}bin/mjy ]
   then
         echo "Possible Lion rootkit installed"
   else
      echo "Nothing found"
   fi

   printn "Searching for RSHA's default files and dir... "
   if [ -e "${ROOTDIR}bin/kr4p" -o -e "${ROOTDIR}usr/bin/n3tstat" \
-o -e "${ROOTDIR}usr/bin/chsh2" -o -e "${ROOTDIR}usr/bin/slice2" \
-o -e "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \
-o -e "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \
-o -d "${ROOTDIR}etc/rc.d/rsha" \
-o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ]
   then
      echo "Possible RSHA's rootkit installed"
   else
      echo "Nothing found"
   fi

   printn "Searching for RH-Sharpe's default files... "
   if [ -e "${ROOTDIR}bin/lps" -o -e "${ROOTDIR}usr/bin/lpstree" \
-o -e "${ROOTDIR}usr/bin/ltop" -o -e "${ROOTDIR}usr/bin/lkillall" \
-o -e "${ROOTDIR}usr/bin/ldu" -o -e "${ROOTDIR}usr/bin/lnetstat" \
-o -e "${ROOTDIR}usr/bin/wp" -o -e "${ROOTDIR}usr/bin/shad" \
-o -e "${ROOTDIR}usr/bin/vadim" -o -e "${ROOTDIR}usr/bin/slice" \
-o -e "${ROOTDIR}usr/bin/cleaner" -o -e "${ROOTDIR}usr/include/rpcsvc/du" ]
   then
      echo "Possible RH-Sharpe's rootkit installed"
   else
      echo "Nothing found"
   fi

   printn "Searching for Ambient's rootkit (ark) default files and dirs... "
   if [ -d ${ROOTDIR}dev/ptyxx -o -e "${ROOTDIR}usr/lib/.ark?" -o \
        -d ${ROOTDIR}usr/doc/"... " ]; then
      echo "Possible Ambient's rootkit (ark) installed"
   else
      echo "Nothing found"
   fi
   DIR="${ROOTDIR}usr/lib"
   [ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man"
   [ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib"
   printn "Searching for suspicious files and dirs, it may take a while... "
   files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"`
   dirs=`${find} ${DIR} -type d -name ".*"`
   if [ "${files}" = "" -a "${dirs}" = "" ]
      then
      echo "Nothing found"
   else
      echo
      echo ${files}
      echo ${dirs}
   fi
   printn "Searching for Ramen Worm files and dirs... "
   if [ -d ${ROOTDIR}usr/src/.poop -o -f \
        ${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ]
   then
      echo "Possible Ramen worm installed"
   else
      echo "Nothing found"

   fi
   printn "Searching for RK17 files and dirs... "
   CGIDIR=""
   for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \
var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \
home/httpd/cgi-bin;
   do
        [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}"
   done
   files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \
${find} ${ROOTDIR}sbin -name pback && \
${find} ${ROOTDIR}usr/man/man3 -name psid && 2>/dev/null\
${find} ${ROOTDIR}proc -name kset 2> /dev/null && \
${find} ${ROOTDIR}usr/src/linux/modules/ -name autod.o 2> /dev/null && \
${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl && \
${find} ${CGIDIR} -name number.cgi -o -name void.cgi -o -name psid -ls`
   if [ "${files}" = ""  ]; then
      echo "Nothing found"
   else
     echo "${files}"
   fi

   printn "Searching for anomalies in shell history files... "
   files=""
   if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then
      files=`${find} ${ROOTDIR}${HOME} -name '.*history' -size 0`
      [ ! -z "${files}" ] && \
        echo "Warning: \`${files}' file size is zero"
      files=`${find} ${ROOTDIR}${HOME} -name '.*history' -links 2 -o -type l`
      [ ! -z "${files}" ] && \
        echo "Warning: \`${files}' is linked to another file"
   fi
   if [ -z "${files}" ]; then
      echo "Nothing found"
   fi
}

######################################################################
# util functions

# our which(1)
loc () {
    ### usage: loc filename filename_to_return_if_nothing_was_found path
    thing=$1
    shift
    dflt=$1
    shift
    for dir in $*; do
            case "$thing" in
            .)
            if test -d $dir/$thing; then
                    echo $dir
                    exit 0
            fi
            ;;
            *)
            for thisthing in $dir/$thing; do
                    :
            done
            if test -f $thisthing; then
                    echo $thisthing
                    exit 0
            fi
            ;;
            esac
    done
    if [ "${ROOTDIR}" = "/" ]; then
      echo ${dflt}
    else
      echo "${ROOTDIR}${dflt}"
    fi
    exit 1
}

getCMD() {

   RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
            ${egrep} -v egrep | ${egrep} -v chkrootkit | ${head} -1 | \
            ${awk} '{ print $5 }'`

   for i in ${ROOTDIR}${RUNNING} ${ROOTDIR}usr/sbin/${1} `loc ${1} ${1} $pth`
   do
      CMD="${i}"
      if [ -r "${i}" ]
        then
        return 0
      fi
   done
   return 1
}

expertmode_output() {
    echo "###"
    echo "### Output of: $1"
    echo "###"
    cat <<EOF
`$1 2>&1`
EOF
    return 0
}

######################################################################
# trojan functions

chfn () {
    STATUS=${NOT_INFECTED}
    CMD=`loc chfn chfn $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    case "${SYSTEM}" in
       Linux)
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
             >/dev/null 2>&1
          then
             STATUS=${INFECTED}
          fi;;
       FreeBSD)
          if [ `${strings} -a ${CMD} | \
                ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ]
          then
             STATUS=${INFECTED}
          fi;;
    esac
    return ${STATUS}
}

chsh () {
    STATUS=${NOT_INFECTED}
    CMD=`loc chsh chsh $pth`
    REDHAT_PAM_LABEL="*NOT*"

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    case "${SYSTEM}" in
       Linux)
          if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
          >/dev/null 2>&1
             then
             if ${strings} -a ${CMD} | ${egrep} "${REDHAT_PAM_LABEL}" \
             >/dev/null 2>&1
                then
                :
             else
                STATUS=${INFECTED}
             fi
          fi;;
       FreeBSD)
          if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne 2 ]
             then
             STATUS=${INFECTED}
          fi;;
    esac
    return ${STATUS}
}

login () {
    if [ "$SYSTEM" = "SunOS" ]; then
       return ${NOT_TESTED}
    fi
    STATUS=${NOT_INFECTED}
    CMD=`loc login login $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    TROJED_LOGIN_LABEL="^root$|vejeta|xlogin|^@\(#\)klogin\.c"
    V=`echo $VERSION | ${sed} 's/\.//'`
    ret=`${strings} -a ${CMD} | ${egrep} -c "${TROJED_LOGIN_LABEL}"`
    if [ ${ret} -gt 0 ]; then
        case ${ret} in
        1) [ "${SYSTEM}" = "OpenBSD" -a ${V} -le 27 ] && \
             STATUS=${NOT_INFECTED};;
        2) [ "${SYSTEM}" = "FreeBSD" ] && STATUS=${NOT_INFECTED};
           [ ${SYSTEM} = "OpenBSD" -a ${V} -ge 28 ] && \
             STATUS=${NOT_INFECTED};;
        *) STATUS=${INFECTED};;
        esac
    fi
    return ${STATUS}
}

passwd () {
    STATUS=${NOT_INFECTED}
    CMD=`loc passwd passwd $pth`

    if [ ! -x ${CMD} -a -x ${ROOTDIR}usr/bin/passwd ]; then
       CMD="${ROOTDIR}usr/bin/passwd"
    fi

    if [ "${EXPERT}" = "t" ]; then
       expertmode_output "${strings} -a ${CMD}"
    fi

    if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" ]
    then
       return ${NOT_TESTED}
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
    >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

inetd () {
    STATUS=${NOT_INFECTED}
    getCMD 'inetd'

    if [ ! -r ${CMD} ]
    then
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
    >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

syslogd () {
    STATUS=${NOT_INFECTED}
    SYSLOG_INFECTED_LABEL="/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hds[0-7]"
    CMD=`loc syslogd syslogd $pth`

    if [ ! -r ${CMD} ]
    then
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${SYSLOG_INFECTED_LABEL}" \
       >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

sendmail () {
    STATUS=${NOT_INFECTED}
    SENDMAIL_INFECTED_LABEL="fuck"
    CMD=`loc sendmail sendmail $pth`
    if [ ! -r ${CMD} ]
    then
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
       >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

ls () {
    STATUS=${NOT_INFECTED}
    LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0"
    CMD=`loc ls ls $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

du () {
    STATUS=${NOT_INFECTED}
    DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]"
    CMD=`loc du du $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

netstat () {
    STATUS=${NOT_INFECTED}
NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrs]|/dev/cui|/dev/hdn0"
    CMD=`loc netstat netstat $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${NETSTAT_I_L}" \
    >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

ps () {
   STATUS=${NOT_INFECTED}
PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrs]|/dev/cui|/dev/hda[0-7]|\
/dev/hdp"
   CMD=`loc ps ps $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${PS_I_L}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

pstree () {
    STATUS=${NOT_INFECTED}
    PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01"
    CMD=`loc pstree pstree $pth`
    if [ ! -r "${CMD}" ]
    then
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

top () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrs]|/dev/hdp"
    CMD=`loc top top $pth`

    if [ ! -r ${CMD} ]
       then
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

pidof () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/pty[pqrs]"
    CMD=`loc pidof pidof $pth`

    if [ "${?}" -ne 0 ]
    then
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

killall () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp"
    CMD=`loc killall killall $pth`

    if [ "${?}" -ne 0 ]
       then
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

basename () {
    STATUS=${NOT_INFECTED}
    CMD=`loc basename basename $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

dirname () {
    STATUS=${NOT_INFECTED}
    CMD=`loc dirname dirname $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

traceroute () {
    STATUS=${NOT_INFECTED}
    CMD=`loc traceroute traceroute $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

rpcinfo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc rpcinfo rpcinfo $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

date () {
    STATUS=${NOT_INFECTED}
    CMD=`loc date date $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

Echo () {
    STATUS=${NOT_INFECTED}
    CMD=`loc echo echo $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

env () {
    STATUS=${NOT_INFECTED}
    CMD=`loc env env $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi

    return ${STATUS}
}

timed () {
    STATUS=${NOT_INFECTED}
    CMD=`loc timed timed $pth`
    if [ ${?} -ne 0 ]; then
       CMD=`loc in.timed in.timed $pth`
       if [ ${?} -ne 0 ]; then
          return ${NOT_TESTED}
       fi
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

identd () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.identd in.identd $pth`
    if [ ${?} -ne 0 ]; then
       return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

pop2 () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop2d in.pop2d $pth`
    if [ ${?} -ne 0 ]; then
       return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

pop3 () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.pop3d in.pop3d $pth`
    if [ ${?} -ne 0 ]; then
        return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

write () {
    STATUS=${NOT_INFECTED}
    CMD=`loc write write $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

tar () {
    STATUS=${NOT_INFECTED}
    CMD=`loc tar tar $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

rexedcs () {
    STATUS=${NOT_INFECTED}
    CMD=`loc in.rexedcs in.rexedcs $pth`
    if [ "${?}" -ne 0 ]
       then
        echo Not vulnerable
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    STATUS=${INFECTED}
    echo "INFECTED"
    return ${STATUS}
}

mail () {
    STATUS=${NOT_INFECTED}
    CMD=`loc mail mail $pth`
    if [ "${?}" -ne 0 ]
       then
        return ${NOT_TESTED}
    fi
    MAIL_INFECTED_LABEL="sh -i"

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

biff () {
    STATUS=${NOT_INFECTED}
    CMD=`loc biff biff $pth`
    if [ "${?}" -ne 0 ]
       then
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

grep () {
    STATUS=${NOT_INFECTED}
    GREP_INFECTED_LABEL="givemer"
    CMD=`loc grep grep $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        expertmode_output "${ls} -l ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

find () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]"
    CMD=`loc find find $pth`

    if [ "${?}" -ne 0 ]
       then
        return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

cron () {
    STATUS=${NOT_INFECTED}
    TOP_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0"
    CMD=`loc cron cron $pth`
    if [ "${?}" -ne 0 ]; then
          CMD=`loc crond crond $pth`
    fi
    if [ "${?}" -ne 0 ]
       then
        return ${NOT_TESTED}
    fi
    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi
    if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1
    then
       STATUS=${INFECTED}
    fi
    return ${STATUS}
}

ifconfig () {
    STATUS=${INFECTED}
    CMD="${ROOTDIR}sbin/ifconfig"

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    IFCONFIG_NOT_INFECTED_LABEL="PROMISC"
    if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \
    >/dev/null 2>&1
    then
       STATUS=${NOT_INFECTED}
    fi
    return ${STATUS}
}

rshd () {
    STATUS=${NOT_INFECTED}
    case "${SYSTEM}" in
       Linux) CMD="${ROOTDIR}usr/sbin/in.rshd";;
       FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";;
       *) CMD=`loc rshd rshd $pth`;;
    esac

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    RSHD_INFECTED_LABEL="HISTFILE"
    if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \
            ${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1 ; then
           STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}

tcpd () {
    STATUS=${NOT_INFECTED}
    TCPD_INFECTED_LABEL="hack|/dev/xmx|/dev/hdn0"

    [ -e ${ROOTDIR}etc/inetd.conf ] &&
    CMD=`${egrep} 'tcpd' ${ROOTDIR}etc/inetd.conf | ${head} -1 | \
         ${awk} '{ print $6 }'`
    if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1;  then
       CMD=`loc tcpd tcpd $pth`
    fi

    [ "" = "${CMD}" ] && return ${NOT_TESTED};
    CMD=${ROOTDIR}${CMD}

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

sshd () {
    STATUS=${NOT_INFECTED}
    SSHD2_INFECTED_LABEL="panasonic|^1234$|satori|vejeta|\.ark"
    getCMD 'sshd'

    if [ ${?} -ne 0 ]; then
       return ${NOT_TESTED}
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \
       > /dev/null 2>&1
    then
        STATUS=${INFECTED}
        if ${ps} ${ps_cmd} | ${egrep} sshd >/dev/null 2>&1; then
           STATUS=${INFECTED_BUT_DISABLED}
        fi
    fi
    return ${STATUS}
}

su () {
    STATUS=${NOT_INFECTED}
    SU_INFECTED_LABEL="satori|vejeta"
    CMD=`loc su su $pth`

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

fingerd () {
    STATUS=${NOT_INFECTED}
    FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}"
    CMD=`loc fingerd fingerd $pth`

    if [ ${?} -ne 0 ]; then
        CMD=`loc in.fingerd in.fingerd $pth`
        if [ ${?} -ne 0 ]; then
           return ${NOT_TESTED}
        fi
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \
> /dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

telnetd () {
    STATUS=${NOT_INFECTED}
    TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]'
    CMD=`loc telnetd telnetd $pth`

    if [ ${?} -ne 0 ]; then
        CMD=`loc in.telnetd in.telnetd $pth`
        if [ ${?} -ne 0 ]; then
           return ${NOT_TESTED}
        fi
    fi

    if [ "${EXPERT}" = "t" ]; then
        expertmode_output "${strings} -a ${CMD}"
        return 5
    fi

    if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \
       >/dev/null 2>&1
    then
        STATUS=${INFECTED}
    fi
    return ${STATUS}
}

printn() {
   if [ `echo "a\c" | ${egrep} c >/dev/null 2>&1` ]; then
      echo "${1}\c"
   else
      echo -n "$1"
   fi
}

# main
#


### using regexps, as the `-w' option to grep/egrep is not portable.
L_REGEXP='(^|[^A-Za-z0-9_])'
R_REGEXP='([^A-Za-z0-9_]|$)'

### default ROOTDIR is "/"
ROOTDIR='/'

while :
do
        case $1 in
        -r)     shift
                ROOTDIR=$1;;

        -p)     shift
                CHKRKPATH=$1;;

        -d)     DEBUG=t;;

        -x)     EXPERT=t;;

        -V)     echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}"
                exit 1;;

        -l)     echo >&2 "$0: tests: ${TOOLS} ${TROJAN}"
                exit 1;;

        -h | -*) echo >&2 "Usage: $0 [options] [test ...]
Options:
        -h                show this help and exit
        -V                show version information and exit
        -l                show available tests and exit
        -d                debug
        -x                expert mode
        -r dir            use dir as the root directory
        -p dir1:dir2:dirN path for the external commands used by chkrootkit"
                exit 1;;
        *)      break
        esac

        shift
done

### check the external commands needed

cmdlist="
awk
cut
egrep
find
head
id
ls
netstat
ps
sed
strings
uname
"

### PATH used by loc
pth=`echo $PATH | sed -e "s/:/ /g"`
pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec"

### external command's PATH
if [ "${CHKRKPATH}" = "" ]; then
  chkrkpth=${pth}
else
  ### use the path provided with the -p option
  chkrkpth=`echo ${CHKRKPATH} | sed -e "s/:/ /g"`
fi

for file in $cmdlist; do
        xxx=`loc $file $file $chkrkpth`
        eval $file=$xxx
        case "$xxx" in
        /* | ./* | ../*)

                if [ ! -x "${xxx}" ]
                then
                    echo >&2 "chkrootkit: can't exec \`$xxx'."
                    exit 1
                fi
                ;;
        *)
                echo >&2 "chkrootkit: can't find \`$file'."
                exit 1
                ;;
        esac
done

# ps command

ps_cmd="ax"
if [ "$SYSTEM" = "SunOS" ]; then
  if [ "${CHKRKPATH}" = "" ]; then
    if [ -x /usr/ucb/ps ]; then
       ps="/usr/ucb/ps"
    else
       ps_cmd="-fe"
    fi
  else
    ### -p is in place: use `-fe' as ps options
    ps_cmd="-fe"
  fi
fi

SYSTEM=`${uname} -s`
VERSION=`${uname} -r`

if [ `${id} | ${cut} -d= -f2 | ${cut} -d\( -f1` -ne 0 ]; then
   echo "$0 need root privileges"
   exit 1
fi

if [ $# -gt 0 ]
then
    ### perform only tests supplied as arguments
    for arg in $*
    do
        ### check if is a valid test name
        if echo "${TROJAN} ${TOOLS}"| \
           ${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1
        then
            echo >&2 "$0: \`$arg': not a known test"
            exit 1
        fi
    done
    LIST=$*
else
    ### this is the default: perform all tests
    LIST="${TROJAN} ${TOOLS}"
fi

if [ "${DEBUG}" = "t" ]; then
    set -x
fi

if [ "${ROOTDIR}" != "/" ]; then

    ### remove trailing `/'
    ROOTDIR=`echo ${ROOTDIR} | ${sed} -e 's/\/*$//g'`

    for dir in ${pth}
    do
      if echo ${dir} | ${egrep} '^/' > /dev/null 2>&1
      then
        newpth="${newpth} ${ROOTDIR}${dir}"
      else
        newpth="${newpth} ${ROOTDIR}/${dir}"
      fi
    done
    pth=${newpth}
   ROOTDIR="${ROOTDIR}/"
fi


echo "ROOTDIR is \`${ROOTDIR}'"
for cmd in ${LIST}
do

    if echo "${TROJAN}" | \
    ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1
    then
        if [ "${EXPERT}" != "t" ]; then
            printn "Checking \`${cmd}'... "
        fi
        ${cmd}

        case $? in
        0) echo "INFECTED";;
        1) echo "Not vulnerable";;
        2) echo "NOT TESTED";;
        3) echo "ERROR: ${ERR}";;
        4) echo "Vulnerable but disabled";;
        5) ;;   ### expert mode
        esac
    else
        ### external tool
        if [ "${EXPERT}" != "t" ]; then
            printn "Checking \`$cmd'... "
        fi
        ${cmd}

    fi

done

### chkrootkit ends here.
