I installed OSSEC, and the following file failed a rootkit check. I'm not sure if it's malicious or what it's doing. Any help would be greatly appreciated!
The file is a bash file: /usr/bin/svnadd Below are its contents:
#!/bin/sh
svn status | perl -ne 's/^\?\s+(\S.+)$/\1/g;chomp;system("svn add \"$_\"");'
The version of Ubuntu we're running is a fully patched 10.04.4 LTS.
The script is legitimate but poorly written. Its purpose is to put files under version control, using subversion, also called svn, if they are not already control.
Suppose, for example, that subversion reports the following about your current directory:
$ svn status
? something.c
M other.h
This means that something.c is not currently under version control. other.h is under version control but the local copy have been modified (hence the M).
Your svnadd command will cause the following commands to be executed:
svn add something.c
svn add M other.h
The first places something.c under version control. The second command attempts to place the files M and other.h under version control. Since other.h is already under version control, this will generate an error. What happens with M depends on whether there is a file called M in your directory.
In sum, this command is not malicious. It will not infect anything. But, don't run it.
