# chkrootkit suspect PHP files

## cmp

Hi, today I ran chkrootkit for the first time, just a second ago, and I had to kill it after it ran amok.

What is signal 13?

```
gentoo ~ # chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/dbus-1.0/services/.keep_sys-apps_dbus-0 /usr/lib/perl5/5.8.8/i686-linux/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Xfce4/Xfconf/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Image/Magick/.packlist /usr/lib/perl5/site_perl/5.8.8/i686-linux/auto/Bundle/NetSNMP/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/TextUI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/UI/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Irssi/Irc/.packlist /usr/lib/perl5/vendor_perl/5.8.8/i686-linux/auto/Git/.packlist /usr/lib/samba/rpc/.keep_net-fs_samba-0 /usr/lib/samba/auth/.keep_net-fs_samba-0 /usr/lib/samba/idmap/.keep_net-fs_samba-0 /usr/lib/.keep /usr/lib/mozilla-firefox/.autoreg /usr/lib/locale/.keep_sys-libs_glibc-2.2 /usr/lib/mozilla-thunderbird/extensions.d/.keep_mail-client_mozilla-thunderbird-0 /usr/lib/mozilla-thunderbird/chrome.d/.keep_mail-client_mozilla-thunderbird-0 /usr/lib/nfs/sm/.keep_net-fs_nfs-utils-0 /usr/lib/nfs/sm.bak/.keep_net-fs_nfs-utils-0 /lib/udev/state/.keep_sys-fs_udev-0 /lib/udev/devices/.keep_sys-fs_udev-0 /lib/rcscripts/awk/.keep /lib/rcscripts/sh/.keep /lib/rcscripts/.keep /lib/rcscripts/net/.keep
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... /usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
....
...
...
..
CTRL+C
```

Debug mode:

```
+ printn 'Searching for suspect PHP files... '
++ /bin/echo 'a\c'
++ /bin/egrep c
+ /bin/echo -n 'Searching for suspect PHP files... '
Searching for suspect PHP files... ++ /usr/bin/find /tmp /var/tmp -name '*.php'
+ files='/var/tmp/portage/net-libs/xulrunner-1.9.0.14/work/mozilla/toolkit/mozapps/extensions/service/VersionCheck.php
/var/tmp/portage/net-libs/xulrunner-1.9.0.14/work/mozilla/toolkit/mozapps/plugins/service/PluginFinderService.php'
++ /usr/bin/find /tmp /var/tmp -type f -exec head -n1 '{}' ';'
++ grep php
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
/usr/bin/find: `head' terminated by signal 13
```

----------

## Jaglover

> What is signal 13?

man 7 signal

----------

## LinuxTom

And what is the solution so that I can use chkrootkit?

----------

## eccerr0r

This is just a guess:

Looks like on line 1121 of chkrootkit

```
      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n1 {} \; | grep php 2> /dev/null`"
```

the 'grep' is failing. I'm not sure why they decided to use grep to do this; perhaps this was an oversight. Maybe chkrootkit meant to write it as

```
      fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n1 {} \; | ${egrep} php 2> /dev/null`"
```

as it appears egrep is used everywhere else in the file, and supposedly ${egrep} also contains the path to a "good" egrep...

Granted egrep is not the same as grep, but I suppose it should be OK in this usage.

Bug in chkrootkit, methinks.

----------
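The following is an added example, not chkrootkit's code and not code posted by anyone in the thread. It addresses both the original question ("What is signal 13?") and the pipeline eccerr0r quotes: it shows that signal 13 on Linux is SIGPIPE, reproduces `find` reporting `head' terminated by signal 13` when the reader of the pipe that `head` writes into has already gone away, and gives a rewrite of the suspect-PHP check that keeps each `head | grep` pair inside one per-file shell so `find`'s own output is never at the mercy of a reader that quits early. The sample directory, file names and contents are constructed; the script assumes POSIX `find`, `head`, `grep`, `sort`, `mktemp` and `sleep`, and a writable `TMPDIR`. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code.  Assumes POSIX find/head/grep/sort,
# mktemp and sleep, and a writable TMPDIR.  Function names are ours.
set -u

# Signal 13 on Linux is SIGPIPE; kill -l maps the number to its name ("PIPE").
signal13_name() {
  kill -l 13
}

# Constructed sample tree standing in for /tmp and /var/tmp.
make_sample() {
  d=$(mktemp -d)
  printf '<?php system($_GET["c"]); ?>\n' > "$d/shell.txt"  # php in first line, no .php suffix
  printf '<?php echo "x"; ?>\n' > "$d/x.php"                 # matches by name and by content
  printf 'plain text\n' > "$d/notes.txt"                     # must not be reported
  mkdir "$d/sub"
  printf '#!/bin/sh\necho hi\n' > "$d/sub/run.sh"            # must not be reported
  echo "$d"
}

# Reproduce the failure mode.  Every `head -n1` that find spawns writes into a
# pipe whose reader has already exited (`true` quits immediately; the sleep
# makes sure it is gone before the first head runs), so each write raises
# SIGPIPE and find logs one "terminated by signal 13" line per file on its
# stderr.  Prints the number of head invocations that died.
reproduce_sigpipe() {
  err=$(mktemp)
  { sleep 1; find "$1" -type f -exec head -n1 {} \; ; } 2>"$err" | true
  # "Broken pipe" covers environments where SIGPIPE is ignored and head
  # reports EPIPE on stderr instead of being killed.
  grep -c -e 'signal 13' -e 'Broken pipe' "$err" || true
  rm -f "$err"
}

# Rewrite of the check.  Each head | grep pair runs inside its own sh -c, so
# the only reader of head's output is a grep that is gone before the next file
# is opened, and whatever that grep does never reaches find.  find's stdout
# is then just a list of paths, safe for any downstream consumer.  A file is
# reported if its name ends in .php or its first line mentions php.
suspect_php_files() {
  {
    find "$1" -type f -name '*.php'
    find "$1" -type f \
      -exec sh -c 'head -n1 "$1" 2>/dev/null | grep -q php' sh {} \; -print
  } | sort -u
}

# Stand-alone demo: sh suspect_php.sh --demo
if [ "${1:-}" = "--demo" ]; then
  dir=$(make_sample)
  echo "signal 13 = SIG$(signal13_name)"
  echo "head invocations killed by the broken pipe: $(reproduce_sigpipe "$dir")"
  echo "suspect PHP files:"
  suspect_php_files "$dir"
  rm -r "$dir"
fi
```

The reproduction is the general shape of eccerr0r's diagnosis: `find -exec head ... | reader` breaks whenever the reader closes its end of the pipe before the last `head` has written, whatever that reader is, and `find` reports every such `head` as terminated by signal 13. The rewrite sidesteps the question entirely by never letting `find`'s `-exec` children share a pipe with a long-running consumer.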

