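#!/bin/bash
#X.C. worm finder V0.1.3.
#Copyright 2001 William Stearns
#Released under the GPL.
#
#Purpose: report whether this host carries the X.C. worm's footprint and, via
#the detectlib helpers, list the files, added config lines and running
#processes a cleanup should deal with.
#
#Exit status: $True (attack found) / $False (not found), both supplied by
#detectlib; 2 if detectlib cannot be sourced; 1 if detectlib is too old.
#
#NOTE(review): this runs as root and trusts the system's grep/killall/etc.
#If the box is really compromised those binaries may be trojaned; prefer
#running from a known-good toolchain (rescue media, static binaries).

#NOTE(review): a bare '. detectlib' is looked up through $PATH before the
#current directory in bash's non-POSIX mode, so a writable directory early
#in $PATH could supply a rogue detectlib. Run with a trustworthy $PATH.
if ! . detectlib ; then
  echo "Cannot find detectlib in the current directory, exiting" >&2
  exit 2
fi

InitDetectLib
#<=023 don't handle the space in '/usr/sbin/cron '.  Default an unset
#version to 0 so a broken detectlib is treated as "too old" instead of
#making the test itself error out and fall through.
if [ "${DetectLibVer:-0}" -lt 024 ]; then
  echo "detectlib is too old, please update. Exiting." >&2
  exit 1
fi

AttackName XdotC

#NB. Redhat uses /usr/sbin/crond, Debian uses /usr/sbin/cron
#The file in question is '/usr/sbin/cron ' (cron followed by a space) -
#chosen so it blends in with the real cron in a process listing.

#Marker 1: the dropped files themselves.  Marker 2: the startup hook in
#/etc/rc.local (absolute path, the same file the AddedLine check below
#uses; a relative 'rc.local' would only be found if run from /etc).
#-F: the needle is a literal path, not a regex; -q: presence only.
if AttackMarker /x.c /x '/usr/sbin/cron ' \
   || grep -q -F -- '/usr/sbin/cron ' /etc/rc.local 2>/dev/null ; then
  #You need to check for running apps with this before removing the files; killall
  #depends on having the original files still on the drive to kill them.
  PathToRunningApps \
    '/usr/sbin/cron '
  AttackFiles \
    /x.c \
    /x \
    '/usr/sbin/cron '
  #Persistence and backdoor the worm adds:
  # - rc.local starts the trojan at boot
  # - inetd serves a root shell on the 'uaac' service (tcp/145, see warning below)
  # - hosts.allow opens that service to everyone ('sh: ALL')
  AddedLine /etc/rc.local '/usr/sbin/cron '
  AddedLine /etc/inetd.conf '^uaac stream tcp nowait root /bin/sh sh -i$'
  AddedLine /etc/hosts.allow '^sh: ALL$'
  ServicesStopped \
    inetd

  echo "Please note that your system may have had a root shell opened"
  echo "on tcp port 145. You should check the system for any additional"
  echo "damage caused via incoming connections on that port."

  exit $True  #Attack found
else
  exit $False  #Attack not found
fi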