chkrootkit (part #4)
In chkrootkit:

    #define MAX_ID 99999
    int main(int argc, char *argv[]) {
        int fh_wtmp;
        int fh_lastlog;
        struct lastlog lastlog_ent;
        struct utmp utmp_ent;
        long userid[MAX_ID];        /* one flag per uid, indexed directly by uid */
        ...
        for (i = 0; i < MAX_ID; i++)
            userid[i] = FALSE;
        ...
        if (*uid > MAX_ID)
        {
            fprintf(stderr, "MAX_ID is %ld and current uid is %ld, please check\n\r", (long int)MAX_ID, (long int)*uid);
            exit(1);
        }
uid comes from getpwnam(). On modern systems a uid is a 32-bit value, far larger than MAX_ID (99999). If an account has a uid above that limit, the check above bails out with the error message and the lastlog/wtmp comparison never runs, so a backdoored account with a high uid won't be detected by that part of chkrootkit.
This isn't unusually bad on chkrootkit's part; it's just old code that hasn't been maintained.
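To make the limit concrete, here is an added example (not chkrootkit's code): `legacy_uid_fits` reproduces the fixed-table bound, and `uid_set` is a small open-addressing hash set that tracks any uid_t value, so the uids a check like chkrootkit's collects from wtmp no longer need an arbitrary cap. The sample uids in `uid_set_selftest` are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <sys/types.h>
#define MAX_ID 99999  /* chkrootkit's fixed table size */
/* Legacy check: uids index directly into long userid[MAX_ID]. Returns 1 if the uid
 * fits, 0 where chkrootkit prints "MAX_ID is ... please check" and exits. (The
 * original tests '*uid > MAX_ID', which also admits uid == MAX_ID, one past the end.) */
int legacy_uid_fits(uid_t uid) { return uid < MAX_ID; }

/* Replacement: open-addressing hash set keyed by the full uid_t value. Slots hold
 * uid + 1 so that 0 marks an empty slot; the table doubles before it is half full. */
typedef struct { uint64_t *slot; size_t cap, n; } uid_set;
static size_t uid_slot(const uint64_t *slot, size_t cap, uint64_t key) {
    uint64_t h = key;                              /* murmur3 64-bit finaliser mix */
    h ^= h >> 33; h *= 0xff51afd7ed558ccdULL; h ^= h >> 33;
    size_t i = (size_t)(h & (cap - 1));            /* cap is always a power of two */
    while (slot[i] && slot[i] != key) i = (i + 1) & (cap - 1);   /* linear probe */
    return i;
}
int uid_set_add(uid_set *s, uid_t uid) {   /* 1 = added, 0 = present, -1 = no memory */
    if ((s->n + 1) * 2 > s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 64;
        uint64_t *nslot = calloc(ncap, sizeof *nslot);
        if (!nslot) return -1;
        for (size_t i = 0; i < s->cap; i++)        /* rehash live entries */
            if (s->slot[i]) nslot[uid_slot(nslot, ncap, s->slot[i])] = s->slot[i];
        free(s->slot); s->slot = nslot; s->cap = ncap;
    }
    uint64_t key = (uint64_t)uid + 1; size_t i = uid_slot(s->slot, s->cap, key);
    if (s->slot[i] == key) return 0;
    s->slot[i] = key; s->n++; return 1;
}
int uid_set_contains(const uid_set *s, uid_t uid) {
    uint64_t key = (uint64_t)uid + 1;
    return s->cap && s->slot[uid_slot(s->slot, s->cap, key)] == key;
}
void uid_set_free(uid_set *s) { free(s->slot); s->slot = NULL; s->cap = s->n = 0; }

/* Constructed sample of uids as they might appear in wtmp, including values the
 * fixed table cannot hold. Returns 1 if every uid is stored and found again. */
int uid_set_selftest(void) {
    uid_t seen[] = { 0, 1000, 65534, 99999, 100000, 4294967294u };
    size_t n = sizeof seen / sizeof *seen, i; uid_set s = { 0 }; int ok = 1;
    for (i = 0; i < n; i++) ok &= uid_set_add(&s, seen[i]) == 1;
    ok &= uid_set_add(&s, 1000) == 0;                /* duplicate is reported */
    for (i = 0; i < n; i++) ok &= uid_set_contains(&s, seen[i]);
    ok &= !uid_set_contains(&s, 1001) && !legacy_uid_fits(100000);
    uid_set_free(&s); return ok;
}
```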