William R. Somsky

Squirrely FS Checking Tool

One of the recent difficulties in checking for cracked systems is kernel patches that make the kernel lie to you. Specifically, the recent "suckit" root kit installs a kernel patch that causes files with a certain file suffix to be omitted from the directory reads returned by the kernel. It then replaces /sbin/init with a trojaned version that sets all manner of nasty things running and then hands off to the original init, which has been moved and hidden by the "magic" file suffix. Furthermore, it adds a special little hack so that any attempt to look at the trojaned /sbin/init gets redirected in the kernel to the stored, original /sbin/init, so checksums and the like notice nothing wrong.

So what do you do when even the kernel lies to you? Well, you could remove the disk, mount it on a known good system and check for oddly named files there. Or you can reboot the system from an emergency repair-kit CD and check. But both these methods are rather painful, and cannot be automated or even performed on a running system. The solution I found useful on Linux systems is to use the /sbin/debugfs tool to list the /sbin directory independent of the kernel's read-directory routines (debugfs parses the ext2/ext3 directory blocks itself, straight off the block device, so the patched readdir path never gets a say) and compare it with what a simple ls gives you. If they differ, something is up. Two caveats: debugfs only understands ext2/ext3 file systems, and it still reads the raw device through the kernel, so a root kit that also hooked block-device reads could lie there too; what this catches is directory-level hiding of the kind suckit does. I've packaged this up in a little perl script named "squirrely", which looks for just this sort of file system squirreliness that is a sign of trouble. Since I've found this to be useful, I've decided to share it with those of you who might find it useful. Here's a link to the perl code for squirrely:

  • squirrely: tool to check for "suckit" style squirreliness in /sbin
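For readers who want to see the check spelled out, here is the same idea in POSIX sh. This is an added example written for this page, not the squirrely perl script itself; the function names, the output wording, the ".hide" suffix in the constructed sample data, and the device path /dev/sda1 in the usage line are all mine. It assumes debugfs's "ls -p" parsable format (one entry per line as /inode/mode/uid/gid/name/size/) and that the directory being checked lives on the file system mounted at /, since the path handed to debugfs is relative to the root of that file system rather than to the running system's mount tree.

```shell
#!/bin/sh
# Added example (not the original "squirrely" perl script): the same check in
# POSIX sh. debugfs reads the ext2/ext3/ext4 directory blocks itself, so its
# view of /sbin bypasses the kernel's readdir() path that suckit patches;
# anything debugfs lists that ls does not is being hidden from you.

# stdin: output of `debugfs -R "ls -p DIR" DEV`; stdout: one name per line.
# Assumed debugfs "-p" (parsable) format: /inode/mode/uid/gid/name/size/ per
# entry, so the name is the sixth "/"-separated field. "." and ".." are dropped.
debugfs_names() {
    awk -F/ 'NF >= 6 && $6 != "" && $6 != "." && $6 != ".." { print $6 }'
}

# $1: directory; stdout: the names the kernel's readdir() hands to ls,
# including dotfiles (suckit hides by suffix, not by a leading dot).
kernel_names() {
    ls -1A -- "$1"
}

# $1: file of debugfs names, $2: file of kernel names.
# Prints every name that is on disk but that the kernel did not report.
# Returns 0 when the two views agree, 1 when something is being hidden.
hidden_names() {
    awk 'FILENAME == ARGV[1] { kernel[$0] = 1; next }
         $0 != "" && !($0 in kernel) { print; found = 1 }
         END { exit found ? 1 : 0 }' "$2" "$1"
}

# Full check. DEV is the block device holding DIR (e.g. /dev/sda1 for /sbin on
# the root file system). Must run as root; debugfs only speaks ext2/3/4, and
# DIR is assumed to live on the file system mounted at / (see the note above).
squirrely_check() {
    _dev=$1
    _dir=$2
    _tmp=$(mktemp -d) || return 2
    debugfs -R "ls -p $_dir" "$_dev" 2>/dev/null | debugfs_names > "$_tmp/disk"
    kernel_names "$_dir" > "$_tmp/kern"
    if [ ! -s "$_tmp/disk" ]; then
        echo "squirrely: debugfs listed nothing for $_dir on $_dev (not ext, or not root?)" >&2
        rm -rf "$_tmp"
        return 2
    fi
    if hidden_names "$_tmp/disk" "$_tmp/kern"; then
        echo "OK: debugfs and the kernel agree on $_dir"
        _rc=0
    else
        echo "SQUIRRELY: the names above are on disk in $_dir but the kernel hides them"
        _rc=1
    fi
    rm -rf "$_tmp"
    return $_rc
}

# Usage (as root):  sh squirrely.sh /dev/sda1 /sbin
if [ "$#" -eq 2 ]; then
    squirrely_check "$1" "$2"
fi
```

The exit status makes it easy to run from cron and page on non-zero. A return of 2 means the comparison could not be made at all (wrong device, non-ext file system, or not root), which is worth distinguishing from 1 so that a broken cron job is not mistaken for a clean system.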
Good luck to all out there trying to keep their systems intact. I hope this helps a little.
WRS 2005/08/29