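├── GatherInfo.sh ├── README.md ├── busybox ├── chkrootkit └── 应急响应Checklist.xlsx /GatherInfo.sh: --------------------------------------------------------------------------------
#!/bin/bash
# update 2021.02.23
#
# GatherInfo.sh - first-line triage collector for Linux incident response.
# Writes one log file per command into /tmp/GatherInfo and packs that
# directory into /tmp/GatherInfo.tar.gz for hand-off to the responder
# (see README). Every collector is best-effort: a missing tool or path
# leaves an error line in its own log and the script carries on.
# Run as root from the directory that holds ./chkrootkit and ./busybox.
#
# The shebang must be the first line of the file to take effect; the old
# layout had it on line 3, where it was only a comment.

set -u

readonly OUT_DIR=/tmp/GatherInfo
readonly ARCHIVE=/tmp/GatherInfo.tar.gz

#######################################
# Run a command and capture its stdout and stderr in one log under OUT_DIR.
# Arguments: $1 - log file name; $2.. - command and its arguments
# Returns:   the command's exit status
#######################################
run() {
  local log=$1
  shift
  "$@" > "${OUT_DIR}/${log}" 2>&1
}

#######################################
# Record a directory listing followed by the content of every regular file
# in it, each preceded by a "===== path =====" header so the responder can
# tell which file a line came from.
# Arguments: $1 - log file name; $2 - directory to dump
#######################################
dump_dir() {
  local log=$1 dir=$2 f
  {
    ls -alt -- "$dir"
    for f in "$dir"/*; do
      # skips sub-directories and the literal pattern left by an unmatched glob
      [ -f "$f" ] || continue
      printf '===== %s =====\n' "$f"
      cat -- "$f"
    done
  } > "${OUT_DIR}/${log}" 2>&1
}

#######################################
# Create the output directory and make the bundled tools executable.
# Refuses to reuse a path that already exists in world-writable /tmp: a
# directory or symlink placed there beforehand by another local user would
# let them read or redirect the evidence being written.
# Globals:   OUT_DIR (read)
#######################################
initial() {
  echo "Doing initial"
  if [ -e "$OUT_DIR" ] || [ -L "$OUT_DIR" ]; then
    printf 'error: %s already exists; move it aside and re-run\n' "$OUT_DIR" >&2
    exit 1
  fi
  # 0700: only root reads the collected data while it sits on the host
  mkdir -m 0700 -- "$OUT_DIR" || exit 1
  [ -f ./chkrootkit ] && chmod +x ./chkrootkit
  [ -f ./busybox ] && chmod +x ./busybox
}

#######################################
# Run the bundled chkrootkit; its full output goes to chkrootkit.log.
#######################################
chkrootkit_info() {
  echo "Doing chkrootkit"
  run chkrootkit.log ./chkrootkit
}

#######################################
# Host identity and collection time, so the archive can be tied to a host.
#######################################
system_info() {
  echo "Gathering system info"
  {
    date
    hostname
    uname -a
    id
    uptime
  } > "${OUT_DIR}/system.log" 2>&1
}

#######################################
# Listening and established sockets with owning processes.
#######################################
network_info() {
  echo "Gathering network info"
  run netstat_tulnp.log netstat -tulnp
  run netstat_anp.log netstat -anp
  # Same view from the statically linked busybox shipped with the toolbox.
  # A socket present here but missing from the native netstat output points
  # at a tampered native binary or library.
  [ -x ./busybox ] && run busybox_netstat_tulnp.log ./busybox netstat -tulnp
}

#######################################
# Process list, process tree with environment, and a one-shot top snapshot.
#######################################
process_info() {
  echo "Gathering process info"
  run ps_aux.log ps aux
  run ps_auxef.log ps auxef
  # -b (batch mode) is required when stdout is a file; without it top aborts
  # because it has no tty and the log held only that error.
  run top_n1.log top -b -n 1
  # busybox ps as an independent view for comparison with ps_aux.log
  [ -x ./busybox ] && run busybox_ps.log ./busybox ps
}

#######################################
# Boot-time persistence: SysV services and systemd unit files.
#######################################
init_info() {
  echo "Gathering init info"
  run chkconfig_list.log chkconfig --list
  # unquoted glob on purpose: every /etc/init* entry (init.d, init, ...)
  run ls_alt_etc_init.log ls -alt /etc/init*
  if command -v systemctl > /dev/null 2>&1; then
    run systemctl_unit_files.log systemctl list-unit-files --type=service --no-pager
  fi
}

#######################################
# Scheduled-task persistence: system crontabs, cron.* directories and the
# per-user spool directories (both the RHEL and the Debian layout).
# The old "cd dir; ls; cat *" form silently dumped whatever the previous
# working directory held when a cron directory was missing.
#######################################
cron_info() {
  echo "Gathering cron info"
  run crontab.log cat /etc/crontab
  run anacrontab.log cat /etc/anacrontab
  run crontab_l.log crontab -l
  dump_dir etc_cron.d.log /etc/cron.d
  dump_dir etc_cron.daily.log /etc/cron.daily
  dump_dir etc_cron.hourly.log /etc/cron.hourly
  dump_dir etc_cron.monthly.log /etc/cron.monthly
  dump_dir etc_cron.weekly.log /etc/cron.weekly
  dump_dir var_spool_cron.log /var/spool/cron
  dump_dir var_spool_cron_crontabs.log /var/spool/cron/crontabs
  dump_dir var_spool_anacron.log /var/spool/anacron
}

#######################################
# Accounts, world-writable scratch dirs, preload hooks, SSH and shell rc
# files for root and every /home user.
#######################################
other_info() {
  echo "Gathering other info"
  local home name

  # check system users: accounts whose shell is not nologin
  run passwd.log grep -v nologin /etc/passwd

  # check dirs with 777 permission
  run tmp.log ls -alt /tmp
  run var_tmp.log ls -alt /var/tmp
  run dev_shm.log ls -alt /dev/shm

  # check ld env: LD_PRELOAD reflects only this shell's environment; the
  # system-wide hook is /etc/ld.so.preload
  printf '%s\n' "${LD_PRELOAD-}" > "${OUT_DIR}/LD_PRELOAD.log" 2>&1
  run etc_ld.so.preload.log cat /etc/ld.so.preload

  # check root ssh config; the glob also copies private keys, so the
  # resulting archive has to be handled as secret material
  run ls_alt_root_.ssh.log ls -alt /root/.ssh
  run cat_root_.ssh.log cat /root/.ssh/*

  # check bash config
  run cat_root_bash_profile.log cat /root/.bash_profile
  run cat_root_bashrc.log cat /root/.bashrc

  # per-user ssh and home listings. The old loop reused the full path as the
  # user name, producing /home//home/<user>/.ssh/* and log names containing
  # slashes, so these files were never written.
  for home in /home/*; do
    [ -d "$home" ] || continue
    name=${home##*/}
    run "cat_${name}.ssh.log" cat "$home"/.ssh/*
    run "cat_${name}.home.log" ls -alt -- "$home"
  done
}

#######################################
# Run every collector, then pack OUT_DIR into ARCHIVE.
# Globals:   OUT_DIR, ARCHIVE (read)
#######################################
main() {
  initial
  system_info
  chkrootkit_info
  network_info
  process_info
  init_info
  cron_info
  other_info

  # -C keeps the archive's internal path as GatherInfo/... without changing
  # the script's working directory
  tar -C /tmp -zcvf "$ARCHIVE" "${OUT_DIR##*/}" \
    && printf 'Done: %s\n' "$ARCHIVE"
}

main "$@"

-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | update:2021.01.11 2 | 3 | # 工具箱说明 4 | 5 | ## 步骤1 上传到服务器 6 | 一线人员把busybox,chkrootkit和,GatherInfo脚本一起上传到目标服务器上 7 | 8 | ## 步骤2 执行信息收集脚本 9 | 接下来执行以下命令进行 10 | ``` 11 | # bash 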
GatherInfo.sh 12 | ``` 13 | 14 | ## 步骤3 回传信息收集包 15 | 脚本执行完成后,会在/tmp目录下生成一个GatherInfo.tar.gz文件,回传该文件给应急人员。 16 | 17 | ## 步骤4 应急响应诊断 18 | 应急人员根据各个命令执行内容进行分析,并完善“应急响应Checklist”内容。 19 | 20 | ## 步骤5 其他情况 21 | 如果自动化脚本收集到的信息不足以判断病毒情况,则需要应急人员人工连接到服务器执行排查。 22 | -------------------------------------------------------------------------------- /busybox: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kafroc/emergency-response-toolbox/8aea36524fbd700c8710041876cd18666af71b0c/busybox -------------------------------------------------------------------------------- /chkrootkit: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # -*- Shell-script -*- 3 | 4 | # $Id: chkrootkit, v 0.53-github2 2019/04/29 5 | CHKROOTKIT_VERSION='0.53-github2' 6 | 7 | # Authors: Nelson Murilo (main author) and 8 | # Klaus Steding-Jessen 9 | # 10 | # (c)1997-2019 Nelson Murilo, Pangeia Informatica, AMS Foundation and others. 
11 | # All rights reserved 12 | 13 | ### workaround for some Bourne shell implementations 14 | unalias login > /dev/null 2>&1 15 | unalias ls > /dev/null 2>&1 16 | unalias netstat > /dev/null 2>&1 17 | unalias ss > /dev/null 2>&1 18 | unalias ps > /dev/null 2>&1 19 | unalias dirname > /dev/null 2>&1 20 | 21 | # Workaround for recent GNU coreutils 22 | _POSIX2_VERSION=199209 23 | export _POSIX2_VERSION 24 | 25 | KALLSYMS="/proc/kallsyms" 26 | [ -f /proc/ksysm ] && KALLSYMS="/proc/$KALLSYMS" 27 | 28 | # Native commands 29 | TROJAN="amd basename biff chfn chsh cron crontab date du dirname echo egrep \ 30 | env find fingerd gpm grep hdparm su ifconfig inetd inetdconf identd init \ 31 | killall ldsopreload login ls lsof mail mingetty netstat named passwd pidof \ 32 | pop2 pop3 ps pstree rpcinfo rlogind rshd slogin sendmail sshd syslogd tar tcpd \ 33 | tcpdump top telnetd timed traceroute vdir w write" 34 | 35 | # Tools 36 | TOOLS="aliens asp bindshell lkm rexedcs sniffer w55808 wted scalper slapper z2 chkutmp OSX_RSPLUG" 37 | 38 | # Return Codes 39 | INFECTED=0 40 | NOT_INFECTED=1 41 | NOT_TESTED=2 42 | NOT_FOUND=3 43 | INFECTED_BUT_DISABLED=4 44 | 45 | # Many trojaned commands have this label 46 | GENERIC_ROOTKIT_LABEL="^/bin/.*sh$|bash|elite$|vejeta|\.ark|iroffer" 47 | 48 | ###################################################################### 49 | # tools functions 50 | 51 | # 52 | # 55808.A Worm 53 | # 54 | w55808 (){ 55 | W55808_FILES="${ROOTDIR}tmp/.../a ${ROOTDIR}tmp/.../r" 56 | STATUS=0 57 | 58 | for i in ${W55808_FILES}; do 59 | if [ -f ${i} ]; then 60 | STATUS=1 61 | fi 62 | done 63 | if [ ${STATUS} -eq 1 ] ;then 64 | echo "Warning: Possible 55808 Worm installed" 65 | else 66 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 67 | return ${NOT_INFECTED} 68 | fi 69 | } 70 | 71 | OSX_RSPLUG (){ 72 | if [ ${SYSTEM} != "Darwin" ]; then 73 | if [ "${QUIET}" != "t" ]; then echo "not tested"; fi 74 | return 75 | fi 76 | SAVEIFS=$IFS 77 | IFS=';' 78 | STATUS=0 
79 | OSX_RSPLUG_FILES='/Library/Internet Plug-Ins/QuickTime.xpt;/Library/Internet Plug-Ins/plugins.settings' 80 | # echo checking ${OSX_RSPLUG_FILES} 81 | for i in ${OSX_RSPLUG_FILES} ; do 82 | echo searching for "${i}" 83 | if [ -e "${i}" ] ; then 84 | STATUS=1 85 | fi 86 | done 87 | IFS=$SAVEIFS 88 | 89 | if [ ${STATUS} -eq 1 ] ;then 90 | echo "Warning: OSX.RSPlug.A Trojan Horse found" 91 | return ${INFECTED} 92 | else 93 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 94 | return ${NOT_INFECTED} 95 | fi 96 | } 97 | 98 | # 99 | # SLAPPER.{A,B,C,D} and the multi-platform variant 100 | # 101 | slapper (){ 102 | SLAPPER_FILES="${ROOTDIR}tmp/.bugtraq ${ROOTDIR}tmp/.bugtraq.c" 103 | SLAPPER_FILES="$SLAPPER_FILES ${ROOTDIR}tmp/.unlock ${ROOTDIR}tmp/httpd \ 104 | ${ROOTDIR}tmp/update ${ROOTDIR}tmp/.cinik ${ROOTDIR}tmp/.b" 105 | SLAPPER_PORT="0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 " 106 | _chk_netstat_or_ss; 107 | OPT="-an" 108 | [ "${netstat}" = "ss" ] && OPT="-a" 109 | STATUS=0 110 | file_port= 111 | 112 | if ${netstat} "${OPT}"|${egrep} "^tcp"|${egrep} "${SLAPPER_PORT}"> /dev/null 2>&1 113 | then 114 | STATUS=1 115 | [ "$SYSTEM" = "Linux" ] && file_port=`netstat -p ${OPT} | \ 116 | $egrep ^tcp|$egrep "${SLAPPER_PORT}" | ${awk} '{ print $7 }' | tr -d :` 117 | fi 118 | for i in ${SLAPPER_FILES}; do 119 | if [ -f ${i} ]; then 120 | file_port="$file_port $i" 121 | STATUS=1 122 | fi 123 | done 124 | if [ ${STATUS} -eq 1 ] ;then 125 | echo "Warning: Possible Slapper Worm installed ($file_port)" 126 | else 127 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 128 | return ${NOT_INFECTED} 129 | fi 130 | } 131 | 132 | scalper (){ 133 | SCALPER_FILES="${ROOTDIR}tmp/.uua ${ROOTDIR}tmp/.a" 134 | SCALPER_PORT=2001 135 | OPT="-an" 136 | _chk_netstat_or_ss; 137 | [ "$netstat" = "ss" ] && OPT="-a" 138 | STATUS=0 139 | 140 | if ${netstat} "${OPT}" | ${egrep} "0.0:${SCALPER_PORT} "> /dev/null 2>&1; then 141 | STATUS=1 142 | fi 143 | for i in ${SCALPER_FILES}; 
do 144 | if [ -f ${i} ]; then 145 | STATUS=1 146 | fi 147 | done 148 | if [ ${STATUS} -eq 1 ] ;then 149 | echo "Warning: Possible Scalper Worm installed" 150 | else 151 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 152 | return ${NOT_INFECTED} 153 | fi 154 | } 155 | 156 | asp (){ 157 | ASP_LABEL="poop" 158 | STATUS=${NOT_INFECTED} 159 | CMD=`loc asp asp $pth` 160 | 161 | if [ "${EXPERT}" = "t" ]; then 162 | expertmode_output "${egrep} ^asp ${ROOTDIR}etc/inetd.conf" 163 | expertmode_output "${strings} -a ${CMD}" 164 | return 5 165 | fi 166 | 167 | if ${egrep} "^asp" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1; then 168 | echo "Warning: Possible Ramen Worm installed in inetd.conf" 169 | STATUS=${INFECTED} 170 | fi 171 | if [ ${CMD} = "asp" -o ${CMD} = "${ROOTDIR}asp" ]; then 172 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 173 | return ${NOT_INFECTED} 174 | fi 175 | if ${strings} -a ${CMD} | ${egrep} "${ASP_LABEL}" >/dev/null 2>&1; then 176 | # echo "INFECTED" 177 | STATUS=${INFECTED} 178 | else 179 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 180 | return ${NOT_INFECTED} 181 | fi 182 | return ${STATUS} 183 | } 184 | 185 | sniffer () { 186 | if [ "${ROOTDIR}" != "/" ]; then 187 | echo "not tested" 188 | return ${NOT_TESTED} 189 | fi 190 | 191 | if [ "$SYSTEM" = "SunOS" ]; then 192 | return ${NOT_TESTED} 193 | fi 194 | 195 | if [ "${EXPERT}" = "t" ]; then 196 | expertmode_output "./ifpromisc" -v 197 | return 5 198 | fi 199 | if [ ! -x ./ifpromisc ]; then 200 | echo "not tested: can't exec ./ifpromisc" 201 | return ${NOT_TESTED} 202 | else 203 | [ "${QUIET}" != "t" ] && ./ifpromisc -v || ./ifpromisc -q 204 | fi 205 | } 206 | 207 | chkutmp() { 208 | if [ ! -x ./chkutmp -o ${mode} = "pm" ]; then 209 | echo "not tested: can't exec ./chkutmp" 210 | return ${NOT_TESTED} 211 | fi 212 | if ./chkutmp 213 | then 214 | if [ "${QUIET}" != "t" ]; then echo "chkutmp: nothing deleted"; fi 215 | fi 216 | } 217 | 218 | z2 () { 219 | if [ ! 
-x ./chklastlog ]; then 220 | echo "not tested: can't exec ./chklastlog" 221 | return ${NOT_TESTED} 222 | fi 223 | 224 | WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"` 225 | LASTLOG=`loc lastlog lastlog "${ROOTDIR}var/log ${ROOTDIR}var/adm"` 226 | 227 | if [ ! -f $WTMP -a ! -f $LASTLOG ]; then 228 | echo "not tested: not found wtmp and/or lastlog file" 229 | return ${NOT_TESTED} 230 | fi 231 | 232 | if [ "${EXPERT}" = "t" ]; then 233 | expertmode_output "./chklastlog -f ${ROOTDIR}${WTMP} -l ${ROOTDIR}${LASTLOG}" 234 | return 5 235 | fi 236 | 237 | if ./chklastlog -f ${ROOTDIR}${WTMP} -l ${ROOTDIR}${LASTLOG} 238 | then 239 | if [ "${QUIET}" != "t" ]; then echo "chklastlog: nothing deleted"; fi 240 | fi 241 | } 242 | 243 | wted () { 244 | if [ ! -x ./chkwtmp ]; then 245 | echo "not tested: can't exec ./chkwtmp" 246 | return ${NOT_TESTED} 247 | fi 248 | 249 | if [ "$SYSTEM" = "SunOS" ]; then 250 | if [ ! -x ./check_wtmpx ]; then 251 | echo "not tested: can't exec ./check_wtmpx" 252 | else 253 | if [ "${EXPERT}" = "t" ]; then 254 | expertmode_output "./check_wtmpx" 255 | return 5 256 | fi 257 | if [ -f ${ROOTDIR}var/adm/wtmp ]; then 258 | if ./check_wtmpx 259 | then 260 | if [ "${QUIET}" != "t" ]; then \ 261 | echo "check_wtmpx: nothing deleted in /var/adm/wtmpx"; fi 262 | fi 263 | fi 264 | fi 265 | else 266 | WTMP=`loc wtmp wtmp "${ROOTDIR}var/log ${ROOTDIR}var/adm"` 267 | 268 | if [ "${EXPERT}" = "t" ]; then 269 | expertmode_output "./chkwtmp -f ${WTMP}" 270 | return 5 271 | fi 272 | fi 273 | 274 | if ./chkwtmp -f ${WTMP} 275 | then 276 | if [ "${QUIET}" != "t" ]; then echo "chkwtmp: nothing deleted"; fi 277 | fi 278 | } 279 | bindshell () { 280 | PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222" 281 | OPT="-an" 282 | _chk_netstat_or_ss; 283 | [ "$netstat" = "ss" ] && OPT="-a" 284 | PI="" 285 | if [ "${ROOTDIR}" != "/" ]; then 286 | 
echo "not tested" 287 | return ${NOT_TESTED} 288 | fi 289 | 290 | if [ "${EXPERT}" = "t" ]; then 291 | expertmode_output "${netstat} ${OPT}" 292 | return 5 293 | fi 294 | for P in `echo $PORT | ${sed} 's/|/ /g'`; do 295 | if ${netstat} "${OPT}" | ${egrep} "^tcp.*LIST|^udp" | ${egrep} \ 296 | "[.:]${P}[^0-9.:]" >/dev/null 2>&1 297 | then 298 | PI="${PI} ${P}" 299 | fi 300 | done 301 | if [ "${PI}" != "" ] 302 | then 303 | echo "INFECTED PORTS: ($PI)" 304 | else 305 | if [ "${QUIET}" != "t" ]; then echo "not infected"; fi 306 | fi 307 | } 308 | 309 | lkm () 310 | { 311 | prog="" 312 | if [ \( "${SYSTEM}" = "Linux" -o \( "${SYSTEM}" = "FreeBSD" -a \ 313 | `echo ${V} | ${awk} '{ if ($1 > 4.3 || $1 < 6.0) print 1; else print 0 }'` -eq 1 \) \) -a "${ROOTDIR}" = "/" ]; then 314 | [ -x ./chkproc -a "`find /proc 2>/dev/null| wc -l`" -gt 1 ] && prog="./chkproc" 315 | [ -x ./chkdirs ] && prog="$prog ./chkdirs" 316 | if [ "$prog" = "" -o ${mode} = "pm" ]; then 317 | echo "not tested: can't exec $prog" 318 | return ${NOT_TESTED} 319 | fi 320 | 321 | if [ "${EXPERT}" = "t" ]; then 322 | [ -r /proc/$KALLSYMS ] && ${egrep} -i "adore|sebek" < /proc/$KALLSYMS 2>/dev/null 323 | [ -d /proc/knark ] && ${ls} -la /proc/knark 2> /dev/null 324 | PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." 
$2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'` 325 | [ "$PV" = "" ] && PV=2 326 | [ "${SYSTEM}" = "SunOS" ] && PV=0 327 | expertmode_output "./chkproc -v -v -p $PV" 328 | return 5 329 | fi 330 | 331 | ### adore LKM 332 | [ -r /proc/$KALLSYMS ] && \ 333 | if `${egrep} -i adore < /proc/$KALLSYMS >/dev/null 2>&1`; then 334 | echo "Warning: Adore LKM installed" 335 | fi 336 | 337 | ### sebek LKM (Adore based) 338 | [ -r /proc/$KALLSYMS ] && \ 339 | if `${egrep} -i sebek < /proc/$KALLSYMS >/dev/null 2>&1`; then 340 | echo "Warning: Sebek LKM installed" 341 | fi 342 | 343 | ### knark LKM 344 | if [ -d /proc/knark ]; then 345 | echo "Warning: Knark LKM installed" 346 | fi 347 | 348 | PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.11) print 1; else print 2 }'` 349 | [ "$PV" = "" ] && PV=2 350 | [ "${SYSTEM}" = "SunOS" ] && PV=0 351 | if [ "${DEBUG}" = "t" ]; then 352 | ${echo} "*** PV=$PV ***" 353 | fi 354 | if ./chkproc -p ${PV}; then 355 | if [ "${QUIET}" != "t" ]; then echo "chkproc: nothing detected"; fi 356 | else 357 | echo "chkproc: Warning: Possible LKM Trojan installed" 358 | fi 359 | dirs="/tmp" 360 | for i in /usr/share /usr/bin /usr/sbin /lib; do 361 | [ -d $i ] && dirs="$dirs $i" 362 | done 363 | if ./chkdirs $dirs; then 364 | if [ "${QUIET}" != "t" ]; then echo "chkdirs: nothing detected"; fi 365 | else 366 | echo "chkdirs: Warning: Possible LKM Trojan installed" 367 | fi 368 | else 369 | if [ "${QUIET}" != "t" ]; then echo "chkproc: not tested"; fi 370 | fi 371 | } 372 | 373 | aliens () { 374 | if [ "${EXPERT}" = "t" ]; then 375 | ### suspicious files 376 | FILES="usr/bin/sourcemask usr/bin/ras2xm usr/sbin/in.telnet \ 377 | sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc usr/bin/xstat \ 378 | etc/ld.so.hash" 379 | 380 | expertmode_output "${find} ${ROOTDIR}dev -type f" 381 | expertmode_output "${find} ${ROOTDIR}var/run/.tmp" 
382 | expertmode_output "${find} ${ROOTDIR}usr/man/man1/lib/.lib" 383 | expertmode_output "${find} ${ROOTDIR}usr/man/man2/.man8" 384 | expertmode_output "${find} ${ROOTDIR}usr/man/man1 -name '.. *'" 385 | expertmode_output "${find} ${ROOTDIR}usr/share/locale/sk" 386 | expertmode_output "${find} ${ROOTDIR}usr/lib/dy0" 387 | expertmode_output "${find} ${ROOTDIR}tmp -name 982235016-gtkrc-429249277" 388 | expertmode_output "${find} ${ROOTDIR}var/spool/lp/admins/.lp/" 389 | 390 | for i in ${FILES}; do 391 | expertmode_output "${ls} ${ROOTDIR}${i} 2> /dev/null" 392 | done 393 | [ -d ${ROOTDIR}lib/.so ] && expertmode_output "${find} ${ROOTDIR}lib/.so" 394 | [ -d "${ROOTDIR}usr/include/.. " ] && expertmode_output ${find} "${ROOTDIR}usr/include/.. " 395 | [ -d ${ROOTDIR}usr/lib/.fx ] && expertmode_output ${find} ${ROOTDIR}usr/lib/.fx 396 | [ -d ${ROOTDIR}var/local/.lpd ] && expertmode_output ${find} ${ROOTDIR}var/local/.lpd 397 | [ -d ${ROOTDIR}dev/rd/cdb ] && expertmode_output ${find} ${ROOTDIR}dev/rd/cdb 398 | [ -d ${ROOTDIR}/usr/lib/lib.so1.so ] && expertmode_output ${find} ${ROOTDIR}/usr/lib/lib.so1.so 399 | ### sniffer's logs 400 | expertmode_output "${find} ${ROOTDIR}dev ${ROOTDIR}usr ${ROOTDIR}tmp \ 401 | ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var ${findargs} -name tcp.log -o -name \ 402 | .linux-sniff -o -name sniff-l0g -o -name core_ -o" 403 | expertmode_output "${find} ${ROOTDIR}usr/lib -name in.httpd -o \ 404 | -name in.pop3d" 405 | 406 | ### t0rn 407 | expertmode_output "${find} ${ROOTDIR}etc ${ROOTDIR}sbin \ 408 | ${ROOTDIR}usr/src/.puta ${ROOTDIR}lib ${ROOTDIR}usr/info -name \ 409 | ttyhash -o -name xlogin -o -name ldlib.tk -o -name .t?rn" 410 | 411 | LIBS= 412 | [ -d ${ROOTDIR}lib ] && LIBS="${ROOTDIR}lib" 413 | [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib" 414 | [ -d ${ROOTDIR}usr/local/lib ] && \ 415 | LIBS="${LIBS} ${ROOTDIR}usr/local/lib" 416 | 417 | expertmode_output "${find} ${LIBS} -name libproc.a" 418 | 419 | ## Lion Worm 420 | 
expertmode_output "${find} ${ROOTDIR}dev/.lib/lib -name 1i0n.sh 421 | 2> /dev/null" 422 | 423 | ### ark 424 | expertmode_output "${find} ${ROOTDIR}dev -name ptyxx" 425 | expertmode_output "${find} ${ROOTDIR}usr/doc -name '... '" 426 | expertmode_output "${find} ${ROOTDIR}usr/lib -name '.ark*'" 427 | 428 | ### RK17 429 | expertmode_output "${find} ${ROOTDIR}bin -name rtty -o -name squit" 430 | expertmode_output "${find} ${ROOTDIR}sbin -name pback" 431 | expertmode_output "${find} ${ROOTDIR}usr/man/man3 -name psid 2> /dev/null" 432 | expertmode_output "${find} ${ROOTDIR}proc -name kset 2> /dev/null" 433 | expertmode_output "${find} ${ROOTDIR}usr/src/linux/modules -name \ 434 | autod.o -o -name soundx.o 2> /dev/null" 435 | expertmode_output "${find} ${ROOTDIR}usr/bin -name gib -o \ 436 | -name ct -o -name snick -o -name kfl" 437 | 438 | CGIDIR="" 439 | for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \ 440 | var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \ 441 | home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib; 442 | do 443 | [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="${CGIDIR} ${ROOTDIR}${cgidir}" 444 | done 445 | BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \ 446 | shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \ 447 | zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php" 448 | for j in ${CGIDIR}; do 449 | for i in ${BACKDOORS}; do 450 | [ -f ${j}/${i} ] && echo ${j}/${i} 451 | done 452 | done 453 | 454 | ### rsha 455 | expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name kr4p \ 456 | -o -name n3tstat -o -name chsh2" 457 | expertmode_output "${find} ${ROOTDIR}etc/rc.d/rsha" 458 | expertmode_output "${find} ${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib \ 459 | ${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/" 460 | 461 | ### ShitC Worm 462 | expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}sbin -name home \ 463 | -o -name frgy -o -name sy" 464 | expertmode_output 
"${find} ${ROOTDIR}usr/bin -type d -name dir" 465 | expertmode_output "${find} ${ROOTDIR}usr/sbin -type d -name in.slogind" 466 | 467 | ### Omega Worm 468 | expertmode_output "${find} ${ROOTDIR}dev -name chr" 469 | 470 | ### rh-sharpe 471 | expertmode_output "${find} ${ROOTDIR}bin ${ROOTDIR}usr/bin -name lps \ 472 | -o -name .ps -o -name lpstree -o -name .lpstree -o -name lkillall \ 473 | -o -name ldu -o -name lnetstat" 474 | expertmode_output "${find} ${ROOTDIR}usr/include/rpcsvc -name du" 475 | 476 | ### Adore Worm 477 | expertmode_output "${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin \ 478 | -name red.tar -o -name start.sh -o -name klogd.o -o -name 0anacron-bak \ 479 | -o -name adore" 480 | expertmode_output "${find} ${ROOTDIR}usr/lib/lib" 481 | expertmode_output "${find} ${ROOTDIR}usr/lib/libt" 482 | 483 | ### suspicious files and dirs 484 | suspects="/usr/lib/pt07 /usr/bin/atm /tmp/.cheese /dev/ptyzx /dev/ptyzg /usr/bin/sourcemask /dev/ida /dev/xdf* /usr/lib/libx?otps /sbin/init.zk" 485 | DIR=${ROOTDIR}usr/lib 486 | [ -d ${ROOTDIR}usr/man ] && DIR="${DIR} ${ROOTDIR}usr/man" 487 | [ -d ${ROOTDIR}lib ] && DIR="${DIR} ${ROOTDIR}lib" 488 | [ -d ${ROOTDIR}usr/lib ] && DIR="${DIR} ${ROOTDIR}usr/lib" 489 | expertmode_output "${find} ${DIR} -name '.[A-Za-z]*'" 490 | expertmode_output "${find} ${DIR} -type d -name '.*'" 491 | expertmode_output "${find} ${DIR} -name '...*'" 492 | expertmode_output "${ls} ${suspects}" 493 | 494 | ### Maniac RK 495 | expertmode_output "${find} ${ROOTDIR}usr/bin -name mailrc" 496 | 497 | ### Ramen Worm 498 | expertmode_output "${find} ${ROOTDIR}usr/src/.poop \ 499 | ${ROOTDIR}tmp/ramen.tgz ${ROOTDIR}etc/xinetd.d/asp" 500 | 501 | ### Sadmind/IIS Worm 502 | expertmode_output "${find} ${ROOTDIR}dev/cuc" 503 | 504 | ### Monkit 505 | expertmode_output "${find} ${ROOTDIR}lib/defs" 506 | 507 | ### Showtee 508 | expertmode_output "${ls} ${ROOTDIR}usr/lib/.egcs \ 509 | ${ROOTDIR}usr/lib/.wormie \ 510 | ${ROOTDIR}usr/lib/.kinetic 
${ROOTDIR}/usr/lib/liblog.o \ 511 | ${ROOTDIR}/usr/include/addr.h ${ROOTDIR}usr/include/cron.h \ 512 | ${ROOTDIR}/usr/include/file.h ${ROOTDIR}usr/include/proc.h \ 513 | ${ROOTDIR}/usr/include/syslogs.h ${ROOTDIR}/usr/include/chk.h" 514 | 515 | ### Optickit 516 | expertmode_output "${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf" 517 | 518 | ### T.R.K 519 | expertmode_output "${find} ${ROOTDIR}usr/bin -name soucemask -o -name ct" 520 | ### MithRa's Rootkit 521 | expertmode_output "${find} ${ROOTDIR}usr/lib/locale -name uboot" 522 | 523 | 524 | ### OpenBSD rootkit v1 525 | if [ \( "$SYSTEM" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f /usr/lib/security/libgcj.security ] 526 | then 527 | expertmode_output "${find} ${ROOTDIR}usr/lib/security" 528 | fi 529 | 530 | ### LOC rootkit 531 | expertmode_output "${find} ${ROOTDIR}tmp -name xp -o -name kidd0.c" 532 | 533 | ### Romanian rootkit 534 | expertmode_output "${ls} ${ROOTDIR}usr/include/file.h \ 535 | ${ROOTDIR}usr/include/proc.h ${ROOTDIR}usr/include/addr.h \ 536 | ${ROOTDIR}usr/include/syslogs.h" 537 | 538 | ## HKRK rootkit 539 | ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null 540 | 541 | ## Suckit rootkit 542 | expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer'" 543 | expertmode_output "${strings} ${ROOTDIR}sbin/init | ${egrep} FUCK" 544 | #expertmode_output "cat ${ROOTDIR}proc/1/maps | ${egrep} init." 
545 | expertmode_output "cat ${ROOTDIR}dev/.golf" 546 | 547 | ## Volc rootkit 548 | expertmode_output "${ls} ${ROOTDIR}usr/bin/volc" 549 | expertmode_output "${find} ${ROOTDIR}usr/lib/volc" 550 | 551 | ## Gold2 rootkit 552 | expertmode_output "${ls} ${ROOTDIR}usr/bin/ishit" 553 | 554 | ## TC2 Worm 555 | expertmode_output "${ls} ${ROOTDIR}usr/bin/util ${ROOTDIR}usr/info \ 556 | ${ROOTDIR}usr/sbin/initcheck ${ROOTDIR}usr/sbin/ldb" 557 | 558 | ## Anonoiyng rootkit 559 | expertmode_output "${ls} ${ROOTDIR}usr/sbin/mech* ${ROOTDIR}usr/sbin/kswapd" 560 | 561 | ## ZK rootkit 562 | expertmode_output "${ls} ${ROOTDIR}etc/sysconfig/console/load*" 563 | 564 | ## ShKit 565 | expertmode_output "${ls} ${ROOTDIR}lib/security/.config ${ROOTDIR}etc/ld.so.hash" 566 | 567 | ## AjaKit 568 | expertmode_output "${find} ${ROOTDIR}lib -name .ligh.gh" 569 | expertmode_output "${find} ${ROOTDIR}dev -name tux" 570 | 571 | ## zaRwT 572 | expertmode_output "${find} ${ROOTDIR}bin -name imin -o -name imout" 573 | 574 | ## Madalin rootkit 575 | expertmode_output "${find} ${ROOTDIR}usr/include -name icekey.h -o \ 576 | -name iceconf.h -o -name iceseed.h" 577 | 578 | ## Fu rootkit 579 | expertmode_output "${find} ${ROOTDIR}sbin ${ROOTDIR}bin \ 580 | ${ROOTDIR}usr/include -name xc -o -name .lib -o name ivtype.h" 581 | 582 | ## Kenga3 Rookit 583 | expertmode_output "${find} ${ROOTDIR}usr/include/. ." 
584 | 585 | ## ESRK Rookit 586 | expertmode_output "${ls} -l ${ROOTDIR}usr/lib/tcl5.3" 587 | 588 | ## rootedoor 589 | for i in `$echo ${PATH}|tr -s ':' ' '`; do 590 | expertmode_output "${ls} -l ${ROOTDIR}${i}/rootedoor" 591 | done 592 | ## ENYE-LKM 593 | expertmode_output "${ls} -l ${ROOTDIR}etc/.enyeOCULTAR.ko" 594 | 595 | ## SSJD Operation Windigo (Linux/Ebury) 596 | if $ssh -G 2>&1 | grep -v usage > /dev/null; then 597 | expertmode_output "${ssh} -G 2>&1 | grep -e illegal -e unknow" 598 | fi 599 | 600 | ## Mumblehard backdoor/botnet 601 | expertmode_output "cat ${ROOTDIR}/var/spool/cron/crontabs | egrep var/tmp" 602 | 603 | ## Backdoors.Linux.Mokes.a 604 | expertmode_output "${ls} -l ${ROOTDIR}tmp/ss0-[0-]9*" 605 | expertmode_output "${ls} -l ${ROOTDIR}tmp/kk0-[0-]9*" 606 | 607 | ## Malicious TinyDNS 608 | expertmode_output "${ls} -l "${ROOTDIR}home/ ./root/"" 609 | 610 | ## Linux/Xor.DDoS 611 | expertmode_output "${find} ${ROOTDIR}tmp -executable -type f" 612 | expertmode_output "${find} ${ROOTDIR}etc/cron.hourly" 613 | 614 | ## CrossRAT 615 | expertmode_output "${find} ${ROOTDIR}usr/var ${findargs} -name mediamgrs.jar" 616 | 617 | ## Hidden Cobra (IBM AIX) 618 | expertmode_output "${find} ${ROOTDIR}tmp/.ICE-unix ${findargs} -name *.so" 619 | 620 | ## Rocke Monero Miner 621 | expertmode_output "${find} ${ROOTDIR}etc ${findargs} -name ld.so.pre -o -name xig" 622 | 623 | ## Common SSH-SCANNERS 624 | expertmode_output "${find} ${ROOTDIR}/tmp ${ROOTDIR}/var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2" 625 | 626 | ### shell history file check 627 | if [ ! -z "${SHELL}" -a ! 
-z "${HOME}" ]; then 628 | expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ 629 | -size 0" 630 | expertmode_output "${find} ${ROOTDIR}${HOME} ${findargs} -name .*history \ 631 | \( -links 2 -o -type l \)" 632 | fi 633 | 634 | return 5 635 | ### expert mode ends here 636 | fi 637 | 638 | ### 639 | ### suspicious files and sniffer's logs 640 | ### 641 | suspects="usr/lib/pt07 usr/bin/atm tmp/.cheese dev/ptyzx dev/ptyzy \ 642 | usr/bin/sourcemask dev/ida dev/xdf1 dev/xdf2 usr/bin/xstat \ 643 | tmp/982235016-gtkrc-429249277 usr/bin/sourcemask /usr/bin/ras2xm \ 644 | usr/sbin/in.telnet sbin/vobiscum usr/sbin/jcd usr/sbin/atd2 usr/bin/.etc .lp \ 645 | etc/ld.so.hash sbin/init.zk usr/lib/in.httpd usr/lib/in.pop3d nlsadmin" 646 | dir="var/run/.tmp lib/.so usr/lib/.fx var/local/.lpd dev/rd/cdb \ 647 | var/spool/lp/admins/.lp var/adm/sa/.adm usr/lib/lib.so1.so" 648 | files=`${find} ${ROOTDIR}dev -type f -exec ${egrep} -l "^[0-5] " {} \;` 649 | if [ "${files}" != "" ]; then 650 | echo 651 | echo ${files} 652 | fi 653 | for i in ${dir}; do 654 | if [ -d ${ROOTDIR}${i} ]; then 655 | echo 656 | echo "Suspect directory ${i} FOUND! Looking for sniffer logs" 657 | files=`${find} ${ROOTDIR}${i}` 658 | echo 659 | echo ${files} 660 | fi 661 | done 662 | for i in ${suspects}; do 663 | if [ -f ${ROOTDIR}${i} ]; then 664 | echo "${ROOTDIR}${i} " 665 | files="INFECTED" 666 | fi 667 | done 668 | if [ "${files}" = "" ]; then 669 | if [ "${QUIET}" != "t" ]; then echo "no suspect files"; fi 670 | fi 671 | if [ "${QUIET}" != "t" ]; then \ 672 | printn "Searching for sniffer's logs, it may take a while... 
"; fi 673 | files=`${find} ${ROOTDIR}dev ${ROOTDIR}tmp ${ROOTDIR}lib ${ROOTDIR}etc ${ROOTDIR}var \ 674 | ${findargs} \( -name "tcp.log" -o -name ".linux-sniff" -o -name "sniff-l0g" -o -name "core_" \) \ 675 | 2>/dev/null` 676 | if [ "${files}" = "" ] 677 | then 678 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 679 | else 680 | echo 681 | echo ${files} 682 | fi 683 | 684 | ### HiDrootkit 685 | if [ "${QUIET}" != "t" ]; then printn \ 686 | "Searching for HiDrootkit's default dir... "; fi 687 | if [ -d ${ROOTDIR}var/lib/games/.k ] 688 | then 689 | echo "Possible HiDrootkit installed" 690 | else 691 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 692 | fi 693 | 694 | ### t0rn 695 | if [ "${QUIET}" != "t" ]; then printn\ 696 | "Searching for t0rn's default files and dirs... "; fi 697 | if [ -f ${ROOTDIR}etc/ttyhash -o -f ${ROOTDIR}sbin/xlogin -o \ 698 | -d ${ROOTDIR}usr/src/.puta -o -r ${ROOTDIR}lib/ldlib.tk -o \ 699 | -d ${ROOTDIR}usr/info/.t0rn ] 700 | then 701 | echo "Possible t0rn rootkit installed" 702 | else 703 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 704 | fi 705 | 706 | ### t0rn v8 707 | if [ "${QUIET}" != "t" ]; then \ 708 | printn "Searching for t0rn's v8 defaults... "; fi 709 | [ -d ${ROOTDIR}lib ] && LIBS=${ROOTDIR}lib 710 | [ -d ${ROOTDIR}usr/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/lib" 711 | [ -d ${ROOTDIR}usr/local/lib ] && LIBS="${LIBS} ${ROOTDIR}usr/local/lib" 712 | if [ "`find ${LIBS} -name libproc.a 2> /dev/null`" != "" -a \ 713 | "$SYSTEM" != "FreeBSD" ] 714 | then 715 | echo "Possible t0rn v8 \(or variation\) rootkit installed" 716 | else 717 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 718 | fi 719 | 720 | ### Lion Worm 721 | if [ "${QUIET}" != "t" ]; then \ 722 | printn "Searching for Lion Worm default files and dirs... 
"; fi 723 | if [ -d ${ROOTDIR}usr/info/.torn -o -d ${ROOTDIR}dev/.lib -o \ 724 | -f ${ROOTDIR}bin/in.telnetd -o -f ${ROOTDIR}bin/mjy ] 725 | then 726 | echo "Possible Lion worm installed" 727 | else 728 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 729 | fi 730 | 731 | ### RSHA rootkit 732 | if [ "${QUIET}" != "t" ]; then \ 733 | printn "Searching for RSHA's default files and dir... "; fi 734 | 735 | if [ -r "${ROOTDIR}bin/kr4p" -o -r "${ROOTDIR}usr/bin/n3tstat" \ 736 | -o -r "${ROOTDIR}usr/bin/chsh2" -o -r "${ROOTDIR}usr/bin/slice2" \ 737 | -o -r "${ROOTDIR}usr/src/linux/arch/alpha/lib/.lib/.1proc" \ 738 | -o -r "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib/.1addr" \ 739 | -o -d "${ROOTDIR}etc/rc.d/rsha" \ 740 | -o -d "${ROOTDIR}etc/rc.d/arch/alpha/lib/.lib" ] 741 | then 742 | echo "Possible RSHA's rootkit installed" 743 | else 744 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 745 | fi 746 | 747 | ### RH-Sharpe rootkit 748 | if [ "${QUIET}" != "t" ]; then \ 749 | printn "Searching for RH-Sharpe's default files... "; fi 750 | 751 | if [ -r "${ROOTDIR}bin/lps" -o -r "${ROOTDIR}usr/bin/lpstree" \ 752 | -o -r "${ROOTDIR}usr/bin/ltop" -o -r "${ROOTDIR}usr/bin/lkillall" \ 753 | -o -r "${ROOTDIR}usr/bin/ldu" -o -r "${ROOTDIR}usr/bin/lnetstat" \ 754 | -o -r "${ROOTDIR}usr/bin/wp" -o -r "${ROOTDIR}usr/bin/shad" \ 755 | -o -r "${ROOTDIR}usr/bin/vadim" -o -r "${ROOTDIR}usr/bin/slice" \ 756 | -o -r "${ROOTDIR}usr/bin/cleaner" -o -r "${ROOTDIR}usr/include/rpcsvc/du" ] 757 | then 758 | echo "Possible RH-Sharpe's rootkit installed" 759 | else 760 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 761 | fi 762 | 763 | ### ark rootkit 764 | if [ "${QUIET}" != "t" ]; then printn \ 765 | "Searching for Ambient's rootkit (ark) default files and dirs... "; fi 766 | 767 | if [ -d ${ROOTDIR}dev/ptyxx -o -r "${ROOTDIR}usr/lib/.ark?" -o \ 768 | -d ${ROOTDIR}usr/doc/"... 
" ]; then 769 | echo "Possible Ambient's rootkit \(ark\) installed" 770 | else 771 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 772 | fi 773 | 774 | ### suspicious files and dirs 775 | DIR="${ROOTDIR}usr/lib" 776 | [ -d ${ROOTDIR}usr/man ] && DIR="$DIR ${ROOTDIR}usr/man" 777 | [ -d ${ROOTDIR}lib ] && DIR="$DIR ${ROOTDIR}lib" 778 | 779 | if [ "${QUIET}" != "t" ]; then printn \ 780 | "Searching for suspicious files and dirs, it may take a while... "; fi 781 | 782 | files=`${find} ${DIR} -name ".[A-Za-z]*" -o -name "...*" -o -name ".. *"` 783 | dirs=`${find} ${DIR} -type d -name ".*"` 784 | if [ "${files}" = "" -a "${dirs}" = "" ] 785 | then 786 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 787 | else 788 | echo 789 | echo ${files} 790 | echo ${dirs} 791 | fi 792 | 793 | ### LPD Worm 794 | if [ "${QUIET}" != "t" ]; then \ 795 | printn "Searching for LPD Worm files and dirs... "; fi 796 | 797 | if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \ 798 | ${egrep} "^ *666 " ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ; 799 | then 800 | echo "Possible LPD worm installed" 801 | elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \ 802 | -f ${ROOTDIR}bin/.login ]; then 803 | echo "Possible LPD worm installed" 804 | else 805 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 806 | fi 807 | 808 | ### Ramem Worm 809 | if [ "${QUIET}" != "t" ]; then \ 810 | printn "Searching for Ramen Worm files and dirs... "; fi 811 | 812 | if [ -d ${ROOTDIR}usr/src/.poop -o -f \ 813 | ${ROOTDIR}tmp/ramen.tgz -o -f ${ROOTDIR}etc/xinetd.d/asp ] 814 | then 815 | echo "Possible Ramen worm installed" 816 | else 817 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 818 | 819 | fi 820 | 821 | ### Maniac rootkit 822 | if [ "${QUIET}" != "t" ]; then \ 823 | printn "Searching for Maniac files and dirs... 
"; fi 824 | 825 | files=`${find} ${ROOTDIR}usr/bin -name mailrc` 826 | if [ "${files}" = "" ]; then 827 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 828 | else 829 | echo "${files}" 830 | fi 831 | 832 | ### RK17 rookit 833 | if [ "${QUIET}" != "t" ]; then \ 834 | printn "Searching for RK17 files and dirs... "; fi 835 | 836 | CGIDIR="" 837 | for cgidir in www/httpd/cgi-bin www/cgi-bin var/www/cgi-bin \ 838 | var/lib/httpd/cgi-bin usr/local/httpd/cgi-bin usr/local/apache/cgi-bin \ 839 | home/httpd/cgi-bin usr/local/apache2 usr/local/www usr/lib; 840 | do 841 | [ -d ${ROOTDIR}${cgidir} ] && CGIDIR="$CGIDIR ${ROOTDIR}${cgidir}" 842 | done 843 | files=`${find} ${ROOTDIR}bin -name rtty -o -name squit && \ 844 | ${find} ${ROOTDIR}sbin -name pback && \ 845 | ${find} ${ROOTDIR}usr/man/man3 -name psid 2>/dev/null && \ 846 | ${find} ${ROOTDIR}proc -name kset 2> /dev/null && \ 847 | ${find} ${ROOTDIR}usr/src/linux/modules -name autod.o -o -name soundx.o \ 848 | 2> /dev/null && \ 849 | ${find} ${ROOTDIR}usr/bin -name gib -o -name ct -o -name snick -o -name kfl 2> /dev/null` 850 | BACKDOORS="number.cgi void.cgi psid becys.cgi nobody.cgi bash.zk.cgi alya.cgi \ 851 | shell.cgi alin.cgi httpd.cgi linux.cgi sh.cgi take.cgi bogus.cgi alia.cgi all4one.cgi \ 852 | zxcvbnm.cgi secure.cgi ubb.cgi r57shell.php" 853 | files="" 854 | for j in ${CGIDIR}; do 855 | for i in ${BACKDOORS}; do 856 | [ -f ${j}/${i} ] && files="${files} ${j}/${i}" 857 | done 858 | done 859 | if [ "${files}" = "" ]; then 860 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 861 | else 862 | echo "${files}" 863 | fi 864 | 865 | ### Ducoci rootkit 866 | if [ "${QUIET}" != "t" ]; then \ 867 | printn "Searching for Ducoci rootkit... 
"; fi 868 | 869 | files=`${find} ${CGIDIR} -name last.cgi` 870 | if [ "${files}" = "" ]; then 871 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 872 | else 873 | echo "${files}" 874 | fi 875 | 876 | ### Adore Worm 877 | if [ "${QUIET}" != "t" ]; then printn "Searching for Adore Worm... "; fi 878 | 879 | files=`${find} ${ROOTDIR}usr/lib ${ROOTDIR}usr/bin -name red.tar -o \ 880 | -name start.sh -o -name klogd.o -o -name 0anacron-bak -o -name adore` 881 | if [ "${files}" = "" ]; then 882 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 883 | else 884 | echo "${files}" 885 | files=`${find} ${ROOTDIR}usr/lib/lib ${ROOTDIR}usr/lib/libt 2>/dev/null` 886 | [ "${files}" != "" ] && echo ${files} 887 | fi 888 | 889 | ### ShitC Worm 890 | if [ "${QUIET}" != "t" ]; then printn "Searching for ShitC Worm... "; fi 891 | 892 | files=`${find} ${ROOTDIR}bin -name homo -o -name frgy -o -name dy || \ 893 | ${find} ${ROOTDIR}usr/bin -type d -name dir || \ 894 | ${find} ${ROOTDIR}usr/sbin -name in.slogind` 895 | if [ "${files}" = "" ]; then 896 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 897 | else 898 | echo "${files}" 899 | fi 900 | 901 | ### Omega Worm 902 | if [ "${QUIET}" != "t" ]; then printn "Searching for Omega Worm... "; fi 903 | 904 | files=`${find} ${ROOTDIR}dev -name chr` 905 | if [ "${files}" = "" ]; then 906 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 907 | else 908 | echo "${files}" 909 | fi 910 | 911 | ### China Worm (Sadmind/IIS Worm) 912 | if [ "${QUIET}" != "t" ];then printn "Searching for Sadmind/IIS Worm... "; fi 913 | files=`${find} ${ROOTDIR}dev/cuc 2> /dev/null` 914 | if [ "${files}" = "" ]; then 915 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 916 | else 917 | echo "${files}" 918 | fi 919 | 920 | ### MonKit 921 | if [ "${QUIET}" != "t" ];then printn "Searching for MonKit... 
"; fi 922 | files=`${find} ${ROOTDIR}lib/defs ${ROOTDIR}usr/lib/libpikapp.a \ 923 | 2> /dev/null` 924 | if [ "${files}" = "" ]; then 925 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 926 | else 927 | echo "${files}" 928 | fi 929 | 930 | ### Showtee 931 | if [ "${QUIET}" != "t" ];then printn "Searching for Showtee... "; fi 932 | if [ -d ${ROOTDIR}usr/lib/.egcs ] || \ 933 | [ -d ${ROOTDIR}usr/lib/.kinetic ] || [ -d ${ROOTDIR}usr/lib/.wormie ] || \ 934 | [ -f ${ROOTDIR}usr/lib/liblog.o ] || [ -f ${ROOTDIR}usr/include/addr.h ] || \ 935 | [ -f ${ROOTDIR}usr/include/cron.h ] || [ -f ${ROOTDIR}usr/include/file.h ] || \ 936 | [ -f ${ROOTDIR}usr/include/proc.h ] || [ -f ${ROOTDIR}usr/include/syslogs.h ] || \ 937 | [ -f ${ROOTDIR}usr/include/chk.h ]; then 938 | echo "Warning: Possible Showtee Rootkit installed" 939 | else 940 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 941 | fi 942 | 943 | ### 944 | ### OpticKit 945 | ### 946 | if [ "${QUIET}" != "t" ];then printn "Searching for OpticKit... "; fi 947 | files=`${find} ${ROOTDIR}usr/bin/xchk ${ROOTDIR}usr/bin/xsf \ 948 | 2> /dev/null` 949 | if [ "${files}" = "" ]; then 950 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 951 | else 952 | echo "${files}" 953 | fi 954 | 955 | ### T.R.K 956 | files="" 957 | if [ "${QUIET}" != "t" ];then printn "Searching for T.R.K... "; fi 958 | files=`${find} ${ROOTDIR}usr/bin -name xchk -o -name xsf >/dev/null 2>&1` 959 | if [ "${files}" = "" ]; then 960 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 961 | else 962 | echo "${files}" 963 | fi 964 | 965 | ### Mithra's Rootkit 966 | files="" 967 | if [ "${QUIET}" != "t" ];then printn "Searching for Mithra... 
"; fi 968 | files=`${find} ${ROOTDIR}usr/lib/locale -name uboot 2> /dev/null` 969 | if [ "${files}" = "" ]; then 970 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 971 | else 972 | echo "${files}" 973 | fi 974 | 975 | ### OpenBSD rootkit v1 976 | if [ \( "${SYSTEM}" != "SunOS" -a ${SYSTEM} != "Linux" \) -a ! -f ${ROOTDIR}usr/lib/security/libgcj.security ]; then 977 | files="" 978 | if [ "${QUIET}" != "t" ];then printn "Searching for OBSD rk v1... "; fi 979 | files=`${find} ${ROOTDIR}usr/lib/security 2>/dev/null` 980 | if [ "${files}" = "" -o "${SYSTEM}" = "HP-UX" ]; then 981 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 982 | else 983 | echo "${files}" 984 | fi 985 | fi 986 | 987 | ### LOC rootkit 988 | files="" 989 | if [ "${QUIET}" != "t" ];then printn "Searching for LOC rootkit... "; fi 990 | files=`find ${ROOTDIR}tmp -name xp -o -name kidd0.c 2>/dev/null` 991 | if [ "${files}" = "" ]; then 992 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 993 | else 994 | echo "${files}" 995 | loc epic epic $pth 996 | fi 997 | 998 | ### Romanian rootkit 999 | files="" 1000 | if [ "${QUIET}" != "t" ];then printn "Searching for Romanian rootkit... "; fi 1001 | for i in file.h proc.h addr.h syslogs.h; do 1002 | if [ -f ${ROOTDIR}usr/include/${i} ]; then 1003 | files="$files ${ROOTDIR}usr/include/$i" 1004 | fi 1005 | done 1006 | if [ "${files}" = "" ]; then 1007 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1008 | else 1009 | echo "${files}" 1010 | fi 1011 | 1012 | ### HKRK 1013 | if [ -f ${ROOTDIR}etc/rc.d/init.d/network ]; then 1014 | if [ "${QUIET}" != "t" ];then printn "Searching for HKRK rootkit... 
"; fi 1015 | if ${egrep} "\.hk" ${ROOTDIR}etc/rc.d/init.d/network 2>/dev/null ; then 1016 | echo "Warning: /etc/rc.d/init.d/network INFECTED" 1017 | else 1018 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1019 | fi 1020 | fi 1021 | 1022 | ### Suckit 1023 | if [ -f ${ROOTDIR}sbin/init ]; then 1024 | if [ "${QUIET}" != "t" ];then printn "Searching for Suckit rootkit... "; fi 1025 | if [ ${SYSTEM} != "HP-UX" ] && ( ${strings} ${ROOTDIR}sbin/init | ${egrep} '\.sniffer' || \ 1026 | ${strings} ${ROOTDIR}sbin/init | ${egrep} FUCK \ 1027 | #cat ${ROOTDIR}/proc/1/maps | ${egrep} "init." \ 1028 | ) >/dev/null 2>&1 1029 | then 1030 | echo "Warning: ${ROOTDIR}sbin/init INFECTED" 1031 | else 1032 | if [ -d ${ROOTDIR}/dev/.golf ]; then 1033 | echo "Warning: Suspect directory ${ROOTDIR}dev/.golf" 1034 | else 1035 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1036 | fi 1037 | fi 1038 | fi 1039 | 1040 | ### Volc 1041 | if [ "${QUIET}" != "t" ];then printn "Searching for Volc rootkit... "; fi 1042 | if [ -f ${ROOTDIR}usr/bin/volc -o -f ${ROOTDIR}usr/lib/volc ] ; then 1043 | echo "Warning: Possible Volc rootkit installed" 1044 | else 1045 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1046 | fi 1047 | 1048 | ### Gold2 1049 | if [ "${QUIET}" != "t" ];then printn "Searching for Gold2 rootkit... "; fi 1050 | if [ -f ${ROOTDIR}usr/bin/ishit ] ; then 1051 | echo "Warning: Possible Gold2 rootkit installed" 1052 | else 1053 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1054 | fi 1055 | 1056 | ### TC2 Worm 1057 | if [ "${QUIET}" != "t" ]; then \ 1058 | printn "Searching for TC2 Worm default files and dirs... 
"; fi 1059 | if [ -d ${ROOTDIR}usr/info/.tc2k -o -d ${ROOTDIR}usr/bin/util -o \ 1060 | -f ${ROOTDIR}usr/sbin/initcheck -o -f ${ROOTDIR}usr/sbin/ldb ] 1061 | then 1062 | echo "Possible TC2 Worm installed" 1063 | else 1064 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1065 | fi 1066 | 1067 | ### ANONOYING Rootkit 1068 | if [ "${QUIET}" != "t" ]; then \ 1069 | printn "Searching for Anonoying rootkit default files and dirs... "; fi 1070 | if [ -f ${ROOTDIR}usr/sbin/mech -o -f ${ROOTDIR}usr/sbin/kswapd ]; then 1071 | echo "Possible anonoying rootkit installed" 1072 | else 1073 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1074 | fi 1075 | 1076 | ### ZK Rootkit 1077 | if [ "${QUIET}" != "t" ]; then \ 1078 | printn "Searching for ZK rootkit default files and dirs... "; fi 1079 | if [ -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then 1080 | echo "Possible ZK rootkit installed" 1081 | else 1082 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1083 | fi 1084 | ### ShKit 1085 | if [ "${QUIET}" != "t" ]; then 1086 | printn "Searching for ShKit rootkit default files and dirs... "; fi 1087 | if [ -f ${ROOTDIR}lib/security/.config -o -f ${ROOTDIR}etc/ld.so.hash ]; then 1088 | echo "Possible ShKit rootkit installed" 1089 | else 1090 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1091 | fi 1092 | 1093 | ### AjaKit 1094 | if [ "${QUIET}" != "t" ]; then 1095 | printn "Searching for AjaKit rootkit default files and dirs... "; fi 1096 | if [ -d ${ROOTDIR}lib/.ligh.gh -o -d ${ROOTDIR}dev/tux ]; then 1097 | echo "Possible AjaKit rootkit installed" 1098 | else 1099 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1100 | fi 1101 | 1102 | ### zaRwT 1103 | if [ "${QUIET}" != "t" ]; then 1104 | printn "Searching for zaRwT rootkit default files and dirs... 
"; fi 1105 | if [ -f ${ROOTDIR}bin/imin -o -f ${ROOTDIR}bin/imout ]; then 1106 | echo "Possible zaRwT rootkit installed" 1107 | else 1108 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1109 | fi 1110 | 1111 | ### Madalin rootkit 1112 | if [ "${QUIET}" != "t" ]; then 1113 | printn "Searching for Madalin rootkit default files... "; fi 1114 | D=${ROOTDIR}usr/include 1115 | if [ -f $D/icekey.h -o -f $D/iceconf.h -o -f $D/iceseed.h ]; then 1116 | echo "Possible Madalin rootkit installed" 1117 | else 1118 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1119 | fi 1120 | 1121 | ### Fu rootkit 1122 | if [ "${QUIET}" != "t" ]; then 1123 | printn "Searching for Fu rootkit default files... "; fi 1124 | if [ -f ${ROOTDIR}sbin/xc -o -f ${ROOTDIR}bin/.lib -o \ 1125 | -f ${ROOTDIR}usr/include/ivtype.h ]; then 1126 | echo "Possible Fu rootkit installed" 1127 | else 1128 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1129 | fi 1130 | 1131 | ### ESRK 1132 | if [ "${QUIET}" != "t" ]; then 1133 | printn "Searching for ESRK rootkit default files... "; fi 1134 | if [ -d "${ROOTDIR}usr/lib/tcl5.3" ]; then 1135 | echo "Possible ESRK rootkit installed" 1136 | else 1137 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1138 | fi 1139 | 1140 | ## rootedoor 1141 | if [ "${QUIET}" != "t" ]; then 1142 | printn "Searching for rootedoor... "; fi 1143 | found=0 1144 | for i in `$echo $PATH|tr -s ':' ' '`; do 1145 | if [ -f "${ROOTDIR}${i}/rootedoor" ]; then 1146 | echo "Possible rootedoor installed in ${ROOTDIR}${i}" 1147 | found=1 1148 | fi 1149 | done 1150 | [ "${found}" = "0" ] &&\ 1151 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1152 | 1153 | ### ENYELKM 1154 | if [ "${QUIET}" != "t" ]; then 1155 | printn "Searching for ENYELKM rootkit default files... 
"; fi 1156 | if [ -d "${ROOTDIR}etc/.enyelkmOCULTAR.ko" ]; then 1157 | echo "Possible ENYELKM rootkit installed" 1158 | else 1159 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1160 | fi 1161 | 1162 | ## Common SSH-SCANNERS 1163 | if [ "${QUIET}" != "t" ]; then 1164 | printn "Searching for common ssh-scanners default files... "; fi 1165 | files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name vuln.txt -o -name ssh-scan -o -name pscan2 2> /dev/null`" 1166 | if [ "${files}" = "" ]; then 1167 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1168 | else 1169 | echo "${files}" 1170 | fi 1171 | 1172 | ## SSJD Operation Windigo (Linux/Ebury) 1173 | LIBKEY="lib/x86_64-linux-gnu/libkeyutils.so.1" 1174 | if [ "${QUIET}" != "t" ]; then 1175 | printn "Searching for Linux/Ebury - Operation Windigo ssh... "; fi 1176 | if $ssh -G 2>&1 | grep -v usage > /dev/null; then 1177 | if $ssh -G 2>&1 | grep -e illegal -e unknow > /dev/null; then 1178 | if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi 1179 | else 1180 | echo "Possible Linux/Ebury 1.4 - Operation Windigo installed" 1181 | fi 1182 | fi 1183 | if [ ! -f "${ROOTDIR}${LIBKEY}" ]; then 1184 | if [ "${QUIET}" != "t" ]; then 1185 | echo "not tested"; fi 1186 | else 1187 | if ${strings} -a ${ROOTDIR}${LIBKEY} | egrep "libns2|libns5|libpw3|libpw5|libsbr|libslr" >/dev/null; then 1188 | echo "Possible Linux/Ebury 1.6 - Operation Windigo installed" 1189 | else 1190 | if [ "${QUIET}" != "t" ]; then echo "nothing found "; fi 1191 | fi 1192 | fi 1193 | ## 1194 | ## Linux Rootkit 64 bits 1195 | if [ "${QUIET}" != "t" ]; then 1196 | printn "Searching for 64-bit Linux Rootkit ... 
"; fi 1197 | if ${egrep} module_init ${ROOTDIR}etc/rc.local >/dev/null 2>&1 || \ 1198 | ${ls} ${ROOTDIR}/usr/local/hide >/dev/null 2>&1; then 1199 | echo "Possible 64-bit Linux Rootkit" 1200 | else 1201 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1202 | fi 1203 | 1204 | if [ "${QUIET}" != "t" ]; then 1205 | printn "Searching for 64-bit Linux Rootkit modules... "; fi 1206 | files="`${find} ${ROOTDIR}/lib/modules ${findargs} -name module_init.ko 2 2> /dev/null`" 1207 | if [ "${files}" = "" ]; then 1208 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1209 | else 1210 | echo "${files}" 1211 | fi 1212 | 1213 | ## Mumblehard backdoor/botnet 1214 | if [ "${QUIET}" != "t" ]; then 1215 | printn "Searching for Mumblehard Linux ... "; fi 1216 | if [ -e ${ROOTDIR}var/spool/cron/crontabs ]; then 1217 | cat ${ROOTDIR}var/spool/cron/crontabs/* 2>/dev/null | egrep "var/tmp" 1218 | if [ $? -ne 0 ] ; then 1219 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1220 | else 1221 | echo "Possible Mumblehard backdoor installed" 1222 | fi 1223 | else 1224 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1225 | fi 1226 | 1227 | ## Backdoor.Linux.Mokes.a 1228 | if [ "${QUIET}" != "t" ]; then 1229 | printn "Searching for Backdoor.Linux.Mokes.a ... "; fi 1230 | files="`${find} ${ROOTDIR}tmp/ ${findargs} -name "ss0-[0-9]*" -o -name "kk-[0-9]*" 2> /dev/null`" 1231 | if [ "${files}" = "" ]; then 1232 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1233 | else 1234 | echo "${files}" 1235 | fi 1236 | 1237 | ## Malicious TinyDNS 1238 | if [ "${QUIET}" != "t" ]; then 1239 | printn "Searching for Malicious TinyDNS ... 
"; fi 1240 | files="`${find} "${ROOTDIR}home/ ./" 2> /dev/null`" 1241 | if [ "${files}" = "" ]; then 1242 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1243 | else 1244 | echo "INFECTED: Possible Malicious TinyDNS installed" 1245 | fi 1246 | 1247 | ## Linux/Xor.DDoS 1248 | if [ "${QUIET}" != "t" ]; then 1249 | printn "Searching for Linux.Xor.DDoS ... "; fi 1250 | files="`${find} ${ROOTDIR}tmp/ ${findargs} -executable -type f 2> /dev/null`" 1251 | if [ "${files}" = "" ]; then 1252 | files="`${ls} ${ROOTDIR}etc/cron.hourly/udev.sh 2> /dev/null`" 1253 | files="$files $($ls ${ROOTDIR}etc/cron.hourly/gcc.sh 2> /dev/null)" 1254 | if [ "${files}" = " " ]; then 1255 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1256 | else 1257 | echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed" 1258 | fi 1259 | else 1260 | echo "INFECTED: Possible Malicious Linux.Xor.DDoS installed" 1261 | echo "${files}" 1262 | fi 1263 | 1264 | ## Linux.Proxy 1.0 1265 | if [ "${QUIET}" != "t" ]; then 1266 | printn "Searching for Linux.Proxy.1.0 ... "; fi 1267 | 1268 | if ${egrep} -i mother ${ROOTDIR}etc/passwd >/dev/null 2>&1 ; then 1269 | echo "INFECTED: Possible Malicious Linux.Proxy.10 installed" 1270 | else 1271 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1272 | fi 1273 | 1274 | # Linux/CrossRAT 1275 | if [ "${QUIET}" != "t" ]; then 1276 | printn "Searching for CrossRAT ... "; fi 1277 | if ${ls} ${ROOTDIR}usr/var/mediamgrs.jar 2>/dev/null; then 1278 | echo "INFECTED: Possible Malicious CrossRAT installed" 1279 | else 1280 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1281 | fi 1282 | ## Hidden Cobra (IBM AIX) 1283 | if [ "${QUIET}" != "t" ]; then 1284 | printn "Searching for Hidden Cobra ... 
"; fi 1285 | if ${ls} "${ROOTDIR}tmp/.ICE-unix/m*.so" ${ROOTDIR}tmp/.ICE-unix/engine.so 2>/dev/null; then 1286 | echo "INFECTED: Possible Malicious Hidden Cobra installed" 1287 | else 1288 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1289 | fi 1290 | 1291 | ### Rocke Monero Miner 1292 | if [ "${QUIET}" != "t" ]; then 1293 | printn "Searching for Rocke Miner ... "; fi 1294 | if [ -f "${ROOTDIR}etc/ld.so.pre" -o -f "${ROOTDIR}etc/xig" ] ; then 1295 | echo "INFECTED: Possible Malicious Rocke Miner installed" 1296 | else 1297 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1298 | fi 1299 | 1300 | ### 1301 | ### Suspects PHP files 1302 | ### 1303 | if [ "${QUIET}" != "t" ]; then 1304 | printn "Searching for suspect PHP files... "; fi 1305 | files="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -name '*.php' 2> /dev/null`" 1306 | if [ `echo abc | _head -1` = "abc" ]; then 1307 | fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -n 1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`" 1308 | else 1309 | fileshead="`${find} ${ROOTDIR}tmp ${ROOTDIR}var/tmp ${findargs} -type f -exec head -1 {} \; | ${egrep} '^#!.*php' 2> /dev/null`" 1310 | fi 1311 | if [ "${files}" = "" -a "${fileshead}" = "" ]; then 1312 | if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi 1313 | else 1314 | echo 1315 | echo "${files}" 1316 | echo "${fileshead}" 1317 | fi 1318 | 1319 | ### 1320 | ### shell history anomalies 1321 | ### 1322 | if [ "${QUIET}" != "t" ]; then \ 1323 | printn "Searching for anomalies in shell history files... "; fi 1324 | files="" 1325 | if [ ! -z "${SHELL}" -a ! -z "${HOME}" ]; then 1326 | files=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' -size 0` 1327 | [ ! -z "${files}" ] && \ 1328 | echo "Warning: \`${files}' file size is zero" 1329 | files1=`${find} ${ROOTDIR}${HOME} ${findargs} -name '.*history' \( -links 2 -o -type l \)` 1330 | [ ! 
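-z "${files1}" ] && \
    echo "Warning: \`${files1}' is linked to another file"
  fi
  if [ -z "${files}" -a -z "${files1}" ]; then
    if [ "${QUIET}" != "t" ]; then echo "nothing found"; fi
  fi
}

######################################################################
# util functions

# our which(1)
#
# usage: loc filename filename_to_return_if_nothing_was_found path...
#
# Walks the directories given after the first two arguments and prints the
# first regular file named "filename" (for "." it prints the first directory
# that contains a "." entry, i.e. the directory itself).  When nothing is
# found the fallback name is printed, prefixed with ROOTDIR unless ROOTDIR
# is "/", and the status is 1.
#
# Reads the global ROOTDIR.  Callers in this file invoke it through a
# command substitution (CMD=`loc ...`), so the status they see is the
# subshell's status; "return" is used instead of "exit" so that a direct
# call (the search code above contains one: `loc epic epic $pth`) cannot
# terminate the whole script.
loc () {
  thing=$1
  shift
  dflt=$1
  shift
  # $* is deliberately unquoted: the path list is a whitespace-separated
  # string ($pth) that has to be split into directories.
  for dir in $*; do
    case "$thing" in
    .)
      if test -d "$dir/$thing"; then
        echo "$dir"
        return 0
      fi
      ;;
    *)
      # "$dir/$thing" is expanded as a glob on purpose; the loop leaves the
      # last match in $thisthing (or the literal pattern when nothing matched).
      for thisthing in $dir/$thing; do
        :
      done
      if test -f "$thisthing"; then
        echo "$thisthing"
        return 0
      fi
      ;;
    esac
  done
  if [ "${ROOTDIR}" = "/" ]; then
    echo "${dflt}"
  else
    echo "${ROOTDIR}${dflt}"
  fi
  return 1
}

# getCMD name
#
# Locates the binary for the daemon "name" and leaves its path in the
# global CMD.  Candidates are tried in order: the fifth column of the
# matching line of `${ps} ${ps_cmd}` (presumably the command path; ps_cmd
# is set elsewhere), ${ROOTDIR}usr/sbin/name, and whatever loc finds on
# $pth.  The first readable candidate wins (status 0); when none is
# readable CMD holds the last candidate and the status is 1.
#
# Reads the globals ps, ps_cmd, egrep, awk, L_REGEXP, R_REGEXP, ROOTDIR, pth.
getCMD() {
  RUNNING=`${ps} ${ps_cmd} | ${egrep} "${L_REGEXP}${1}${R_REGEXP}" | \
    ${egrep} -v grep | ${egrep} -v chkrootkit | _head -1 | \
    ${awk} '{ print $5 }'`

  # RUNNING comes from the process table, which an intruder controls: quote
  # it so glob characters in a process name cannot expand here.  The loc
  # substitution stays unquoted because $pth must be word-split.
  for i in "${ROOTDIR}${RUNNING}" "${ROOTDIR}usr/sbin/${1}" `loc ${1} ${1} $pth`
  do
    CMD="${i}"
    if [ -r "${i}" ]
    then
      return 0
    fi
  done
  return 1
}

# expertmode_output command-line
#
# Prints a banner followed by the combined stdout/stderr of the command
# line given as one string.  Always returns 0.
#
# NOTE(review): the string is run through eval.  Callers build it from CMD,
# which may come from getCMD (the process table) or loc, so shell
# metacharacters in such a path are interpreted here.  Every caller visible
# in this file passes a plain "program args" string; eval is kept only
# because callers elsewhere may rely on shell syntax in the string.
expertmode_output() {
  echo "###"
  echo "### Output of: $1"
  echo "###"
  eval "$1" 2>&1
  return 0
}

# tnfs
#
# Sets the global findargs to "! -fstype nfs " when the local find(1)
# accepts that test (probed against /etc with -maxdepth 0, then -prune);
# otherwise findargs stays empty.
tnfs ()
{
  ## Check if -fstype nfs works
  findargs=""
  if find /etc -maxdepth 0 >/dev/null 2>&1; then
    find /etc ! -fstype nfs -maxdepth 0 >/dev/null 2>&1 && \
      findargs="! -fstype nfs "
  elif find /etc -prune > /dev/null 2>&1; then
    find /etc ! -fstype nfs -prune > /dev/null 2>&1 && \
      findargs="! 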
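-fstype nfs "
  fi
}

######################################################################
# trojan functions

# chk_chfn
#
# Looks for GENERIC_ROOTKIT_LABEL in the chfn binary found on $pth and
# leaves its path in the global CMD.
# Returns: NOT_FOUND when loc cannot find chfn; 5 after printing the
#          binary's strings in expert mode; INFECTED when the label is
#          present (on FreeBSD: when its count differs from the number
#          expected for release $V); otherwise NOT_INFECTED.
# Reads the globals pth, EXPERT, SYSTEM, V, strings, egrep, awk,
# GENERIC_ROOTKIT_LABEL and the status constants.
chk_chfn () {
  STATUS=${NOT_INFECTED}
  CMD=`loc chfn chfn $pth`
  [ ${?} -ne 0 ] && return ${NOT_FOUND}

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  case "${SYSTEM}" in
  Linux)
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
        >/dev/null 2>&1
    then
      STATUS=${INFECTED}
    fi;;
  FreeBSD)
    # The label count a clean binary is expected to carry: 1 from 5.0 on,
    # 2 before that (presumably; the values are not explained here).
    [ `echo $V | ${awk} '{ if ( $1 >= 5.0) print 1; else print 0 }'` -eq 1 ] && n=1 || n=2
    if [ `${strings} -a "${CMD}" | \
        ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
    then
      STATUS=${INFECTED}
    fi;;
  esac
  return ${STATUS}
}

# chk_chsh
#
# Same check as chk_chfn, for the chsh binary.  On Linux a binary that also
# carries REDHAT_PAM_LABEL is not flagged (presumably a legitimate PAM
# build).  Leaves the path in the global CMD.
# Returns: NOT_FOUND, 5 (expert mode), INFECTED or NOT_INFECTED as in
#          chk_chfn.
chk_chsh () {
  STATUS=${NOT_INFECTED}
  CMD=`loc chsh chsh $pth`
  [ ${?} -ne 0 ] && return ${NOT_FOUND}

  REDHAT_PAM_LABEL="*NOT*"

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  case "${SYSTEM}" in
  Linux)
    if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
        >/dev/null 2>&1
    then
      # Label present: only a hit without the Red Hat PAM marker counts.
      if ${strings} -a "${CMD}" | ${egrep} "${REDHAT_PAM_LABEL}" \
          >/dev/null 2>&1
      then
        :
      else
        STATUS=${INFECTED}
      fi
    fi;;
  FreeBSD)
    [ `echo $V | ${awk} '{ if ($1 >= 5.0) print 1; else print 0}'` -eq 1 ] && n=1 || n=2
    if [ `${strings} -a "${CMD}" | ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ]
    then
      STATUS=${INFECTED}
    fi;;
  esac
  return ${STATUS}
}

# chk_login
#
# Checks the login binary for known trojan strings and leaves its path in
# the global CMD.
# Returns: 5 after expert-mode output; on SunOS INFECTED or NOT_TESTED;
#          elsewhere INFECTED or NOT_INFECTED depending on how many "^root$"
#          strings the binary carries relative to what the platform and
#          release ($V) are expected to have, and on the trojan label list.
chk_login () {
  STATUS=${NOT_INFECTED}
  CMD=`loc login login $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5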
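  fi

  if [ "$SYSTEM" = "SunOS" ]; then
    TROJED_L_L="porcao|/bin/xstat"
    # The original line ended in a stray "]", which egrep received as a file
    # name: it then read a (normally non-existent) file called "]" instead
    # of the pipe and could never report INFECTED.
    if ${strings} -a "${CMD}" | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1; then
      return ${INFECTED}
    else
      return ${NOT_TESTED}
    fi
  fi
  GENERAL="^root$"
  TROJED_L_L="vejeta|^xlogin|^@\(#\)klogin\.c|lets_log|sukasuka|/usr/lib/.ark?|SucKIT|cocola"
  ret=`${strings} -a "${CMD}" | ${egrep} -c "${GENERAL}"`
  if [ ${ret} -gt 0 ]; then
    # Some platforms carry a few "^root$" strings legitimately; the count a
    # clean login is allowed to have is keyed by SYSTEM and release $V.
    case ${ret} in
    1) [ "${SYSTEM}" = "OpenBSD" -a `echo $V | ${awk} '{ if ($1 < 2.7 || $1 >= 3.0) print 1; else print 0}'` -eq 1 ] && \
       STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
    2) # FreeBSD, NetBSD, or OpenBSD 2.8 and later.  Written as separate
       # tests so that the -a/-o precedence of test(1) is not relied upon.
       if [ "${SYSTEM}" = "FreeBSD" ] || [ "${SYSTEM}" = "NetBSD" ] || \
          { [ "${SYSTEM}" = "OpenBSD" ] && \
            [ `echo ${V} | ${awk} '{ if ($1 >= 2.8) print 1; else print 0 }'` -eq 1 ]; }
       then
         STATUS=${NOT_INFECTED}
       else
         STATUS=${INFECTED}
       fi;;
    6|7) [ "${SYSTEM}" = "HP-UX" ] && STATUS=${NOT_INFECTED} || STATUS=${INFECTED};;
    *) STATUS=${INFECTED};;
    esac
  fi
  # Redirect stdout first and stderr onto it; the reverse order leaked
  # egrep/strings errors to the terminal.
  if ${strings} -a "${CMD}" | ${egrep} "${TROJED_L_L}" >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_passwd
#
# Checks the passwd binary for GENERIC_ROOTKIT_LABEL or a reference to
# /lib/security.  When loc's result is not executable but
# ${ROOTDIR}usr/bin/passwd is, that path is used instead.  Leaves the path
# in the global CMD.
# Returns: NOT_TESTED on OpenBSD, SunOS and HP-UX; otherwise INFECTED or
#          NOT_INFECTED.
# NOTE(review): unlike the other chk_* functions this one carries on after
# the expert-mode output instead of returning 5 — confirm whether intended.
chk_passwd () {
  STATUS=${NOT_INFECTED}
  CMD=`loc passwd passwd $pth`

  if [ ! -x "${CMD}" -a -x "${ROOTDIR}usr/bin/passwd" ]; then
    CMD="${ROOTDIR}usr/bin/passwd"
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
  fi

  if [ "${SYSTEM}" = "OpenBSD" -o "${SYSTEM}" = "SunOS" -o "${SYSTEM}" \
      = "HP-UX" ]
  then
    return ${NOT_TESTED}
  fi
  if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}|/lib/security" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_inetd
#
# Checks the inetd binary for GENERIC_ROOTKIT_LABEL.  The binary is located
# with getCMD, which also consults the process table, and its path is left
# in the global CMD.
# Returns: NOT_TESTED when CMD is not readable or getCMD fell back to "/";
#          5 after expert-mode output; otherwise INFECTED or NOT_INFECTED.
chk_inetd () {
  STATUS=${NOT_INFECTED}
  getCMD 'inetd'

  if [ !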
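-r ${CMD} -o ${CMD} = '/' ]
  then
    return ${NOT_TESTED}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${GENERIC_ROOTKIT_LABEL}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_syslogd
#
# Checks the syslogd binary found on $pth for the device names and header
# file listed in SYSLOG_I_L.  Leaves the path in the global CMD.
# Returns: NOT_TESTED when the binary is not readable; 5 after expert-mode
#          output; INFECTED when a label matches; otherwise NOT_INFECTED.
chk_syslogd () {
  STATUS=${NOT_INFECTED}
  SYSLOG_I_L="/usr/lib/pt07|/dev/pty[pqrs]|/dev/hd[als][0-7]|/dev/ddtz1|/dev/ptyxx|/dev/tux|syslogs\.h"
  CMD=`loc syslogd syslogd $pth`

  if [ ! -r "${CMD}" ]
  then
    return ${NOT_TESTED}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${SYSLOG_I_L}" >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_hdparm
#
# Checks the hdparm binary found on $pth for HDPARM_INFECTED_LABEL.
# Leaves the path in the global CMD.
# Returns: NOT_FOUND when the binary is not readable; 5 after expert-mode
#          output; INFECTED when the label matches; otherwise NOT_INFECTED.
chk_hdparm () {
  STATUS=${NOT_INFECTED}
  HDPARM_INFECTED_LABEL="/dev/ida"
  CMD=`loc hdparm hdparm $pth`
  if [ ! -r "${CMD}" ]
  then
    return ${NOT_FOUND}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${HDPARM_INFECTED_LABEL}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_gpm
#
# Checks the gpm binary found on $pth for GPM_INFECTED_LABEL.  Leaves the
# path in the global CMD.
# Returns: NOT_FOUND when the binary is not readable; 5 after expert-mode
#          output; INFECTED when the label matches; otherwise NOT_INFECTED.
chk_gpm () {
  STATUS=${NOT_INFECTED}
  GPM_INFECTED_LABEL="mingetty"
  CMD=`loc gpm gpm $pth`
  if [ !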
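-r ${CMD} ]
  then
    return ${NOT_FOUND}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${GPM_INFECTED_LABEL}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_mingetty
#
# Checks the mingetty binary found on $pth for MINGETTY_INFECTED_LABEL.
# Leaves the path in the global CMD.
# Returns: NOT_FOUND when the binary is not readable; 5 after expert-mode
#          output; INFECTED when the label matches; otherwise NOT_INFECTED.
chk_mingetty () {
  STATUS=${NOT_INFECTED}
  MINGETTY_INFECTED_LABEL="Dimensioni|pacchetto"
  CMD=`loc mingetty mingetty $pth`
  if [ ! -r "${CMD}" ]
  then
    return ${NOT_FOUND}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${MINGETTY_INFECTED_LABEL}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_sendmail
#
# Checks the sendmail binary found on $pth for SENDMAIL_INFECTED_LABEL.
# Leaves the path in the global CMD.
# Returns: NOT_FOUND when the binary is not readable; 5 after expert-mode
#          output; INFECTED when the label matches; otherwise NOT_INFECTED.
chk_sendmail () {
  STATUS=${NOT_INFECTED}
  SENDMAIL_INFECTED_LABEL="fuck"
  CMD=`loc sendmail sendmail $pth`
  if [ !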
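-r ${CMD} ]
  then
    return ${NOT_FOUND}
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${SENDMAIL_INFECTED_LABEL}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_ls
#
# Checks the ls binary found on $pth for the device names and other
# markers in LS_INFECTED_LABEL.  No readability test is made; a missing
# binary simply produces no strings.  Leaves the path in the global CMD.
# Returns: 5 after expert-mode output; INFECTED when a label matches;
#          otherwise NOT_INFECTED.
chk_ls () {
  STATUS=${NOT_INFECTED}
  LS_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|/dev/hdl0|\.tmp/lsfile|/dev/hdcc|/dev/ptyxx|duarawkz|^/prof|/dev/tux|/security|file\.h"
  CMD=`loc ls ls $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${LS_INFECTED_LABEL}" >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_du
#
# Checks the du binary found on $pth for the markers in DU_INFECTED_LABEL.
# No readability test is made.  Leaves the path in the global CMD.
# Returns: 5 after expert-mode output; INFECTED when a label matches;
#          otherwise NOT_INFECTED.
chk_du () {
  STATUS=${NOT_INFECTED}
  DU_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrsx]|w0rm|^/prof|/dev/tux|file\.h"
  CMD=`loc du du $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${DU_INFECTED_LABEL}" >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_named
#
# Checks the named binary (falling back to in.named) found on $pth for
# NAMED_I_L.  Leaves the path in the global CMD.
# Returns: NOT_FOUND when neither binary is readable; 5 after expert-mode
#          output; INFECTED when a label matches; otherwise NOT_INFECTED.
chk_named () {
  STATUS=${NOT_INFECTED}
  NAMED_I_L="blah|bye"
  CMD=`loc named named $pth`

  if [ ! -r "${CMD}" ]; then
    CMD=`loc in.named in.named $pth`
    if [ !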
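-r "${CMD}" ]; then
      return ${NOT_FOUND}
    fi
  fi

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${NAMED_I_L}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_netstat
#
# Checks the netstat binary found on $pth for the device names and other
# markers in NETSTAT_I_L.  No readability test is made.  Leaves the path in
# the global CMD.
# Returns: 5 after expert-mode output; INFECTED when a label matches;
#          otherwise NOT_INFECTED.
chk_netstat () {
  STATUS=${NOT_INFECTED}
  NETSTAT_I_L="/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h|__bzero"
  CMD=`loc netstat netstat $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${NETSTAT_I_L}" \
      >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_ps
#
# Checks the ps binary found on $pth for the markers in PS_I_L.  No
# readability test is made.  Leaves the path in the global CMD.
# Returns: 5 after expert-mode output; INFECTED when a label matches;
#          otherwise NOT_INFECTED.
chk_ps () {
  STATUS=${NOT_INFECTED}
  # Kept on one line: the original split it with a backslash-newline inside
  # the double quotes, which the shell removes, so the value is identical.
  PS_I_L="/dev/xmx|\.1proc|/dev/ttyop|/dev/pty[pqrsx]|/dev/cui|/dev/hda[0-7]|/dev/hdp|/dev/cui220|/dev/dsx|w0rm|/dev/hdaa|duarawkz|/dev/tux|/security|^proc\.h|ARRRGH\.so"
  CMD=`loc ps ps $pth`

  if [ "${EXPERT}" = "t" ]; then
    expertmode_output "${strings} -a ${CMD}"
    return 5
  fi

  if ${strings} -a "${CMD}" | ${egrep} "${PS_I_L}" >/dev/null 2>&1
  then
    STATUS=${INFECTED}
  fi
  return ${STATUS}
}

# chk_pstree
#
# Checks the pstree binary found on $pth for PSTREE_INFECTED_LABEL.
# Leaves the path in the global CMD.
# Returns: NOT_FOUND when the binary is not readable; 5 after expert-mode
#          output; INFECTED when a label matches; otherwise NOT_INFECTED.
chk_pstree () {
  STATUS=${NOT_INFECTED}
  PSTREE_INFECTED_LABEL="/dev/ttyof|/dev/hda01|/dev/cui220|/dev/ptyxx|^/prof|/dev/tux|proc\.h"

  CMD=`loc pstree pstree $pth`
  if [ !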
-r "${CMD}" ] 1777 | then 1778 | return ${NOT_FOUND} 1779 | fi 1780 | 1781 | if [ "${EXPERT}" = "t" ]; then 1782 | expertmode_output "${strings} -a ${CMD}" 1783 | return 5 1784 | fi 1785 | 1786 | if ${strings} -a ${CMD} | ${egrep} "${PSTREE_INFECTED_LABEL}" >/dev/null 2>&1 1787 | then 1788 | STATUS=${INFECTED} 1789 | fi 1790 | return ${STATUS} 1791 | } 1792 | 1793 | chk_crontab () { 1794 | STATUS=${NOT_INFECTED} 1795 | CRONTAB_I_L="crontab.*666" 1796 | 1797 | CMD=`loc crontab crontab $pth` 1798 | 1799 | if [ ! -r ${CMD} ] 1800 | then 1801 | return ${NOT_FOUND} 1802 | fi 1803 | 1804 | if [ "${EXPERT}" = "t" ]; then 1805 | expertmode_output "${CMD} -l -u nobody" 1806 | return 5 1807 | fi 1808 | # slackware's crontab have a bug 1809 | if ( ${CMD} -l -u nobody | $egrep [0-9] ) >/dev/null 2>&1 ; then 1810 | ${echo} "Warning: crontab for nobody found, possible Lupper.Worm... " 1811 | if ${CMD} -l -u nobody 2>/dev/null | ${egrep} $CRONTAB_I_L >/dev/null 2>&1 1812 | then 1813 | STATUS=${INFECTED} 1814 | fi 1815 | fi 1816 | return ${STATUS} 1817 | } 1818 | 1819 | chk_top () { 1820 | STATUS=${NOT_INFECTED} 1821 | TOP_INFECTED_LABEL="/dev/xmx|/dev/ttyop|/dev/pty[pqrsx]|/dev/hdp|/dev/dsx|^/prof/|/dev/tux|^/proc\.h|proc_hackinit" 1822 | 1823 | CMD=`loc top top $pth` 1824 | 1825 | if [ ! 
-r ${CMD} ] 1826 | then 1827 | return ${NOT_FOUND} 1828 | fi 1829 | 1830 | if [ "${EXPERT}" = "t" ]; then 1831 | expertmode_output "${strings} -a ${CMD}" 1832 | return 5 1833 | fi 1834 | 1835 | if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 1836 | then 1837 | STATUS=${INFECTED} 1838 | fi 1839 | return ${STATUS} 1840 | } 1841 | 1842 | chk_pidof () { 1843 | STATUS=${NOT_INFECTED} 1844 | TOP_INFECTED_LABEL="/dev/pty[pqrs]" 1845 | CMD=`loc pidof pidof $pth` 1846 | 1847 | if [ "${?}" -ne 0 ] 1848 | then 1849 | return ${NOT_FOUND} 1850 | fi 1851 | 1852 | if [ "${EXPERT}" = "t" ]; then 1853 | expertmode_output "${strings} -a ${CMD}" 1854 | return 5 1855 | fi 1856 | 1857 | if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 1858 | then 1859 | STATUS=${INFECTED} 1860 | fi 1861 | return ${STATUS} 1862 | } 1863 | 1864 | chk_killall () { 1865 | STATUS=${NOT_INFECTED} 1866 | TOP_INFECTED_LABEL="/dev/ttyop|/dev/pty[pqrs]|/dev/hda[0-7]|/dev/hdp|/dev/ptyxx|/dev/tux|proc\.h" 1867 | CMD=`loc killall killall $pth` 1868 | 1869 | if [ "${?}" -ne 0 ] 1870 | then 1871 | return ${NOT_FOUND} 1872 | fi 1873 | 1874 | if [ "${EXPERT}" = "t" ]; then 1875 | expertmode_output "${strings} -a ${CMD}" 1876 | return 5 1877 | fi 1878 | 1879 | if ${strings} -a ${CMD} | ${egrep} "${TOP_INFECTED_LABEL}" >/dev/null 2>&1 1880 | then 1881 | STATUS=${INFECTED} 1882 | fi 1883 | return ${STATUS} 1884 | } 1885 | 1886 | chk_ldsopreload() { 1887 | STATUS=${NOT_INFECTED} 1888 | CMD="${ROOTDIR}lib/libshow.so ${ROOTDIR}lib/libproc.a" 1889 | 1890 | if [ "${SYSTEM}" = "Linux" ] 1891 | then 1892 | if [ ! -x ./strings-static ]; then 1893 | printn "can't exec ./strings-static, " 1894 | return ${NOT_TESTED} 1895 | fi 1896 | 1897 | if [ "${EXPERT}" = "t" ]; then 1898 | expertmode_output "./strings-static -a ${CMD}" 1899 | return 5 1900 | fi 1901 | 1902 | ### strings must be a statically linked binary. 
1903 | if ./strings-static -a ${CMD} > /dev/null 2>&1 1904 | then 1905 | STATUS=${INFECTED} 1906 | fi 1907 | else 1908 | STATUS=${NOT_TESTED} 1909 | fi 1910 | return ${STATUS} 1911 | } 1912 | 1913 | chk_basename () { 1914 | STATUS=${NOT_INFECTED} 1915 | CMD=`loc basename basename $pth` 1916 | 1917 | if [ "${EXPERT}" = "t" ]; then 1918 | expertmode_output "${strings} -a ${CMD}" 1919 | expertmode_output "${ls} -l ${CMD}" 1920 | return 5 1921 | fi 1922 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 1923 | then 1924 | STATUS=${INFECTED} 1925 | fi 1926 | 1927 | [ "$SYSTEM" != "OSF1" ] && 1928 | { 1929 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 1930 | then 1931 | STATUS=${INFECTED} 1932 | fi 1933 | } 1934 | return ${STATUS} 1935 | } 1936 | 1937 | chk_dirname () { 1938 | STATUS=${NOT_INFECTED} 1939 | CMD=`loc dirname dirname $pth` 1940 | 1941 | if [ "${EXPERT}" = "t" ]; then 1942 | expertmode_output "${strings} -a ${CMD}" 1943 | expertmode_output "${ls} -l ${CMD}" 1944 | return 5 1945 | fi 1946 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 1947 | then 1948 | STATUS=${INFECTED} 1949 | fi 1950 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 1951 | then 1952 | STATUS=${INFECTED} 1953 | fi 1954 | return ${STATUS} 1955 | } 1956 | 1957 | chk_traceroute () { 1958 | STATUS=${NOT_INFECTED} 1959 | CMD=`loc traceroute traceroute $pth` 1960 | 1961 | if [ ! -r "${CMD}" ] 1962 | then 1963 | return ${NOT_FOUND} 1964 | fi 1965 | 1966 | if [ "${EXPERT}" = "t" ]; then 1967 | expertmode_output "${strings} -a ${CMD}" 1968 | return 5 1969 | fi 1970 | 1971 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 1972 | then 1973 | STATUS=${INFECTED} 1974 | fi 1975 | return ${STATUS} 1976 | } 1977 | 1978 | chk_rpcinfo () { 1979 | STATUS=${NOT_INFECTED} 1980 | CMD=`loc rpcinfo rpcinfo $pth` 1981 | 1982 | if [ ! 
-r "${CMD}" ] 1983 | then 1984 | return ${NOT_FOUND} 1985 | fi 1986 | 1987 | if [ "${EXPERT}" = "t" ]; then 1988 | expertmode_output "${strings} -a ${CMD}" 1989 | expertmode_output "${ls} -l ${CMD}" 1990 | return 5 1991 | fi 1992 | 1993 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 1994 | then 1995 | STATUS=${INFECTED} 1996 | fi 1997 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 1998 | then 1999 | STATUS=${INFECTED} 2000 | fi 2001 | return ${STATUS} 2002 | } 2003 | 2004 | chk_date () { 2005 | STATUS=${NOT_INFECTED} 2006 | S_L="/bin/.*sh" 2007 | CMD=`loc date date $pth` 2008 | 2009 | if [ "${EXPERT}" = "t" ]; then 2010 | expertmode_output "${strings} -a ${CMD}" 2011 | expertmode_output "${ls} -l ${CMD}" 2012 | return 5 2013 | fi 2014 | [ "${SYSTEM}" = "FreeBSD" -a `echo $V | ${awk} '{ if ($1 > 4.9) print 1; else print 0 }'` -eq 1 ] && 2015 | { 2016 | N=`${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \ 2017 | ${egrep} -c "$S_L"` 2018 | if [ ${N} -ne 2 -a ${N} -ne 0 ]; then 2019 | STATUS=${INFECTED} 2020 | fi 2021 | } || 2022 | { 2023 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" 2>&1 2024 | then 2025 | STATUS=${INFECTED} 2026 | fi 2027 | } 2028 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2029 | then 2030 | STATUS=${INFECTED} 2031 | fi 2032 | return ${STATUS} 2033 | } 2034 | 2035 | chk_echo () { 2036 | STATUS=${NOT_INFECTED} 2037 | CMD=`loc echo echo $pth` 2038 | 2039 | if [ "${EXPERT}" = "t" ]; then 2040 | expertmode_output "${strings} -a ${CMD}" 2041 | expertmode_output "${ls} -l ${CMD}" 2042 | return 5 2043 | fi 2044 | 2045 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2046 | then 2047 | STATUS=${INFECTED} 2048 | fi 2049 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2050 | then 2051 | STATUS=${INFECTED} 2052 | fi 2053 | return ${STATUS} 2054 | } 2055 | 2056 | chk_env () { 2057 | STATUS=${NOT_INFECTED} 2058 | CMD=`loc env env $pth` 
2059 | 2060 | if [ "${EXPERT}" = "t" ]; then 2061 | expertmode_output "${strings} -a ${CMD}" 2062 | expertmode_output "${ls} -l ${CMD}" 2063 | return 5 2064 | fi 2065 | 2066 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2067 | then 2068 | STATUS=${INFECTED} 2069 | fi 2070 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2071 | then 2072 | STATUS=${INFECTED} 2073 | fi 2074 | 2075 | return ${STATUS} 2076 | } 2077 | 2078 | chk_timed () { 2079 | STATUS=${NOT_INFECTED} 2080 | CMD=`loc timed timed $pth` 2081 | if [ ${?} -ne 0 ]; then 2082 | CMD=`loc in.timed in.timed $pth` 2083 | if [ ${?} -ne 0 ]; then 2084 | return ${NOT_FOUND} 2085 | fi 2086 | fi 2087 | if [ "${EXPERT}" = "t" ]; then 2088 | expertmode_output "${strings} -a ${CMD}" 2089 | return 5 2090 | fi 2091 | 2092 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2093 | then 2094 | STATUS=${INFECTED} 2095 | fi 2096 | return ${STATUS} 2097 | } 2098 | 2099 | chk_identd () { 2100 | STATUS=${NOT_INFECTED} 2101 | CMD=`loc in.identd in.identd $pth` 2102 | if [ ${?} -ne 0 ]; then 2103 | return ${NOT_FOUND} 2104 | fi 2105 | if [ "${EXPERT}" = "t" ]; then 2106 | expertmode_output "${strings} -a ${CMD}" 2107 | return 5 2108 | fi 2109 | 2110 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2111 | then 2112 | STATUS=${INFECTED} 2113 | fi 2114 | return ${STATUS} 2115 | } 2116 | 2117 | chk_init () { 2118 | STATUS=${NOT_INFECTED} 2119 | INIT_INFECTED_LABEL="UPX" 2120 | CMD=`loc init init $pth` 2121 | if [ ${?} -ne 0 ]; then 2122 | return ${NOT_FOUND} 2123 | fi 2124 | if [ "${EXPERT}" = "t" ]; then 2125 | expertmode_output "${strings} -a ${CMD}" 2126 | return 5 2127 | fi 2128 | 2129 | if ${strings} -a ${CMD} | ${egrep} "${INIT_INFECTED_LABEL}" > /dev/null 2>&1 2130 | then 2131 | STATUS=${INFECTED} 2132 | fi 2133 | return ${STATUS} 2134 | } 2135 | 2136 | chk_pop2 () { 2137 | STATUS=${NOT_INFECTED} 2138 | CMD=`loc in.pop2d 
in.pop2d $pth` 2139 | if [ ${?} -ne 0 ]; then 2140 | return ${NOT_FOUND} 2141 | fi 2142 | if [ "${EXPERT}" = "t" ]; then 2143 | expertmode_output "${strings} -a ${CMD}" 2144 | return 5 2145 | fi 2146 | 2147 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2148 | then 2149 | STATUS=${INFECTED} 2150 | fi 2151 | return ${STATUS} 2152 | } 2153 | 2154 | chk_pop3 () { 2155 | STATUS=${NOT_INFECTED} 2156 | CMD=`loc in.pop3d in.pop3d $pth` 2157 | if [ ${?} -ne 0 ]; then 2158 | return ${NOT_FOUND} 2159 | fi 2160 | if [ "${EXPERT}" = "t" ]; then 2161 | expertmode_output "${strings} -a ${CMD}" 2162 | return 5 2163 | fi 2164 | 2165 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2166 | then 2167 | STATUS=${INFECTED} 2168 | fi 2169 | return ${STATUS} 2170 | } 2171 | 2172 | chk_write () { 2173 | STATUS=${NOT_INFECTED} 2174 | CMD=`loc write write $pth` 2175 | WRITE_ROOTKIT_LABEL="bash|elite$|vejeta|\.ark" 2176 | if [ "${EXPERT}" = "t" ]; then 2177 | expertmode_output "${strings} -a ${CMD}" 2178 | expertmode_output "${ls} -l ${CMD}" 2179 | return 5 2180 | fi 2181 | 2182 | if ${strings} -a ${CMD} | ${egrep} "${WRITE_ROOTKIT_LABEL}" | grep -v locale > /dev/null 2>&1 2183 | then 2184 | STATUS=${INFECTED} 2185 | fi 2186 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2187 | then 2188 | STATUS=${INFECTED} 2189 | fi 2190 | return ${STATUS} 2191 | } 2192 | 2193 | chk_w () { 2194 | STATUS=${NOT_INFECTED} 2195 | CMD=`loc w w $pth` 2196 | W_INFECTED_LABEL="uname -a" 2197 | 2198 | if [ "${EXPERT}" = "t" ]; then 2199 | expertmode_output "${strings} -a ${CMD}" 2200 | expertmode_output "${ls} -l ${CMD}" 2201 | return 5 2202 | fi 2203 | if ${strings} -a ${CMD} | ${egrep} "${W_INFECTED_LABEL}" > /dev/null 2>&1 2204 | then 2205 | STATUS=${INFECTED} 2206 | fi 2207 | return ${STATUS} 2208 | } 2209 | 2210 | chk_vdir () { 2211 | STATUS=${NOT_INFECTED} 2212 | CMD=`loc vdir vdir $pth` 2213 | VDIR_INFECTED_LABEL="/lib/volc" 2214 | 
if [ ! -r ${CMD} ]; then 2215 | return ${NOT_FOUND} 2216 | fi 2217 | 2218 | if [ "${EXPERT}" = "t" ]; then 2219 | expertmode_output "${strings} -a ${CMD}" 2220 | expertmode_output "${ls} -l ${CMD}" 2221 | return 5 2222 | fi 2223 | if ${strings} -a ${CMD} | ${egrep} "${VDIR_INFECTED_LABEL}" > /dev/null 2>&1 2224 | then 2225 | STATUS=${INFECTED} 2226 | fi 2227 | return ${STATUS} 2228 | } 2229 | 2230 | chk_tar () { 2231 | STATUS=${NOT_INFECTED} 2232 | CMD=`loc tar tar $pth` 2233 | 2234 | if [ "${EXPERT}" = "t" ]; then 2235 | expertmode_output "${ls} -l ${CMD}" 2236 | return 5 2237 | fi 2238 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2239 | then 2240 | STATUS=${INFECTED} 2241 | fi 2242 | return ${STATUS} 2243 | } 2244 | 2245 | rexedcs () { 2246 | STATUS=${NOT_INFECTED} 2247 | CMD=`loc in.rexedcs in.rexedcs $pth` 2248 | if [ "${?}" -ne 0 ] 2249 | then 2250 | if [ "${QUIET}" != "t" ]; then echo "not found"; fi 2251 | return ${NOT_FOUND} 2252 | fi 2253 | 2254 | if [ "${EXPERT}" = "t" ]; then 2255 | expertmode_output "${strings} -a ${CMD}" 2256 | return 5 2257 | fi 2258 | STATUS=${INFECTED} 2259 | return ${STATUS} 2260 | } 2261 | 2262 | chk_mail () { 2263 | STATUS=${NOT_INFECTED} 2264 | CMD=`loc mail mail $pth` 2265 | if [ "${?}" -ne 0 ] 2266 | then 2267 | return ${NOT_FOUND} 2268 | fi 2269 | 2270 | [ "${SYSTEM}" = "HP-UX" ] && return $NOT_TESTED 2271 | 2272 | MAIL_INFECTED_LABEL="sh -i" 2273 | 2274 | if [ "${EXPERT}" = "t" ]; then 2275 | expertmode_output "${strings} -a ${CMD}" 2276 | expertmode_output "${ls} -l ${CMD}" 2277 | return 5 2278 | fi 2279 | 2280 | if ${strings} -a ${CMD} | ${egrep} "${MAIL_INFECTED_LABEL}" > /dev/null 2>&1 2281 | then 2282 | STATUS=${INFECTED} 2283 | fi 2284 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2285 | then 2286 | STATUS=${INFECTED} 2287 | fi 2288 | return ${STATUS} 2289 | } 2290 | 2291 | chk_biff () { 2292 | STATUS=${NOT_INFECTED} 2293 | CMD=`loc biff biff $pth` 2294 | if [ "${?}" -ne 0 ] 2295 | then 2296 | 
return ${NOT_FOUND} 2297 | fi 2298 | 2299 | if [ "${EXPERT}" = "t" ]; then 2300 | expertmode_output "${strings} -a ${CMD}" 2301 | expertmode_output "${ls} -l ${CMD}" 2302 | return 5 2303 | fi 2304 | 2305 | if ${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" > /dev/null 2>&1 2306 | then 2307 | STATUS=${INFECTED} 2308 | fi 2309 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2310 | then 2311 | STATUS=${INFECTED} 2312 | fi 2313 | return ${STATUS} 2314 | } 2315 | 2316 | chk_egrep () { 2317 | STATUS=${NOT_INFECTED} 2318 | EGREP_INFECTED_LABEL="blah" 2319 | CMD=`loc egrep egrep $pth` 2320 | 2321 | if [ "${EXPERT}" = "t" ]; then 2322 | expertmode_output "${strings} -a ${CMD}" 2323 | expertmode_output "${ls} -l ${CMD}" 2324 | return 5 2325 | fi 2326 | if ${strings} -a ${CMD} | ${egrep} "${EGREP_INFECTED_LABEL}" > /dev/null 2>&1 2327 | then 2328 | STATUS=${INFECTED} 2329 | fi 2330 | return ${STATUS} 2331 | } 2332 | 2333 | chk_grep () { 2334 | STATUS=${NOT_INFECTED} 2335 | GREP_INFECTED_LABEL="givemer" 2336 | CMD=`loc grep grep $pth` 2337 | 2338 | if [ "${EXPERT}" = "t" ]; then 2339 | expertmode_output "${strings} -a ${CMD}" 2340 | expertmode_output "${ls} -l ${CMD}" 2341 | return 5 2342 | fi 2343 | 2344 | if ${strings} -a ${CMD} | ${egrep} "${GREP_INFECTED_LABEL}" > /dev/null 2>&1 2345 | then 2346 | STATUS=${INFECTED} 2347 | fi 2348 | if ${ls} -l ${CMD} | ${egrep} "^...s" > /dev/null 2>&1 2349 | then 2350 | STATUS=${INFECTED} 2351 | fi 2352 | return ${STATUS} 2353 | } 2354 | 2355 | chk_find () { 2356 | STATUS=${NOT_INFECTED} 2357 | FIND_INFECTED_LABEL="/dev/ttyof|/dev/pty[pqrs]|^/prof|/home/virus|/security|file\.h" 2358 | CMD=`loc find find $pth` 2359 | 2360 | if [ "${?}" -ne 0 ] 2361 | then 2362 | return ${NOT_FOUND} 2363 | fi 2364 | 2365 | if [ "${EXPERT}" = "t" ]; then 2366 | expertmode_output "${strings} -a ${CMD}" 2367 | return 5 2368 | fi 2369 | 2370 | if ${strings} -a ${CMD} | ${egrep} "${FIND_INFECTED_LABEL}" >/dev/null 2>&1 2371 | then 2372 | 
STATUS=${INFECTED} 2373 | fi 2374 | return ${STATUS} 2375 | } 2376 | 2377 | chk_rlogind () { 2378 | STATUS=${NOT_INFECTED} 2379 | RLOGIN_INFECTED_LABEL="p1r0c4|r00t" 2380 | CMD=`loc in.rlogind in.rlogind $pth` 2381 | if [ ! -x "${CMD}" ]; then 2382 | CMD=`loc rlogind rlogind $pth` 2383 | if [ ! -x "${CMD}" ]; then 2384 | return ${NOT_FOUND} 2385 | fi 2386 | fi 2387 | if [ "${EXPERT}" = "t" ]; then 2388 | expertmode_output "${strings} -a ${CMD}" 2389 | return 5 2390 | fi 2391 | if ${strings} -a ${CMD} | ${egrep} "${RLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 2392 | then 2393 | STATUS=${INFECTED} 2394 | fi 2395 | return ${STATUS} 2396 | } 2397 | 2398 | chk_lsof () { 2399 | STATUS=${NOT_INFECTED} 2400 | LSOF_INFECTED_LABEL="^/prof" 2401 | CMD=`loc lsof lsof $pth` 2402 | if [ ! -x "${CMD}" ]; then 2403 | return ${NOT_FOUND} 2404 | fi 2405 | if [ "${EXPERT}" = "t" ]; then 2406 | expertmode_output "${strings} -a ${CMD}" 2407 | return 5 2408 | fi 2409 | if ${strings} -a ${CMD} | ${egrep} "${LSOF_INFECTED_LABEL}" >/dev/null 2>&1 2410 | then 2411 | STATUS=${INFECTED} 2412 | fi 2413 | return ${STATUS} 2414 | } 2415 | 2416 | chk_amd () { 2417 | STATUS=${NOT_INFECTED} 2418 | AMD_INFECTED_LABEL="blah" 2419 | CMD=`loc amd amd $pth` 2420 | if [ ! -x "${CMD}" ]; then 2421 | return ${NOT_FOUND} 2422 | fi 2423 | if [ "${EXPERT}" = "t" ]; then 2424 | expertmode_output "${strings} -a ${CMD}" 2425 | return 5 2426 | fi 2427 | if ${strings} -a ${CMD} | ${egrep} "${AMD_INFECTED_LABEL}" >/dev/null 2>&1 2428 | then 2429 | STATUS=${INFECTED} 2430 | fi 2431 | return ${STATUS} 2432 | } 2433 | 2434 | chk_slogin () { 2435 | STATUS=${NOT_INFECTED} 2436 | SLOGIN_INFECTED_LABEL="homo" 2437 | CMD=`loc slogin slogin $pth` 2438 | if [ ! 
-x "${CMD}" ]; then 2439 | return ${NOT_FOUND} 2440 | fi 2441 | if [ "${EXPERT}" = "t" ]; then 2442 | expertmode_output "${strings} -a ${CMD}" 2443 | return 5 2444 | fi 2445 | if ${strings} -a ${CMD} | ${egrep} "${SLOGIN_INFECTED_LABEL}" >/dev/null 2>&1 2446 | then 2447 | STATUS=${INFECTED} 2448 | fi 2449 | return ${STATUS} 2450 | } 2451 | 2452 | chk_cron () { 2453 | STATUS=${NOT_INFECTED} 2454 | CRON_INFECTED_LABEL="/dev/hda|/dev/hda[0-7]|/dev/hdc0" 2455 | CMD=`loc cron cron $pth` 2456 | if [ "${?}" -ne 0 ]; then 2457 | CMD=`loc crond crond $pth` 2458 | fi 2459 | if [ "${?}" -ne 0 ] 2460 | then 2461 | return ${NOT_FOUND} 2462 | fi 2463 | if [ "${EXPERT}" = "t" ]; then 2464 | expertmode_output "${strings} -a ${CMD}" 2465 | return 5 2466 | fi 2467 | if ${strings} -a ${CMD} | ${egrep} "${CRON_INFECTED_LABEL}" >/dev/null 2>&1 2468 | then 2469 | STATUS=${INFECTED} 2470 | fi 2471 | return ${STATUS} 2472 | } 2473 | 2474 | chk_ifconfig () { 2475 | STATUS=${INFECTED} 2476 | CMD=`loc ifconfig ifconfig $pth` 2477 | if [ "${?}" -ne 0 ]; then 2478 | return ${NOT_FOUND} 2479 | fi 2480 | 2481 | if [ "${EXPERT}" = "t" ]; then 2482 | expertmode_output "${strings} -a ${CMD}" 2483 | return 5 2484 | fi 2485 | 2486 | IFCONFIG_NOT_INFECTED_LABEL="PROMISC" 2487 | IFCONFIG_INFECTED_LABEL="/dev/tux|/session.null" 2488 | if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_NOT_INFECTED_LABEL}" \ 2489 | >/dev/null 2>&1 2490 | then 2491 | STATUS=${NOT_INFECTED} 2492 | fi 2493 | if ${strings} -a ${CMD} | ${egrep} "${IFCONFIG_INFECTED_LABEL}" \ 2494 | >/dev/null 2>&1 2495 | then 2496 | STATUS=${INFECTED} 2497 | fi 2498 | return ${STATUS} 2499 | } 2500 | 2501 | chk_rshd () { 2502 | STATUS=${NOT_INFECTED} 2503 | case "${SYSTEM}" in 2504 | Linux) CMD="${ROOTDIR}usr/sbin/in.rshd";; 2505 | FreeBSD) CMD="${ROOTDIR}usr/libexec/rshd";; 2506 | *) CMD=`loc rshd rshd $pth`;; 2507 | esac 2508 | 2509 | if [ ! 
-x ${CMD} ] ;then 2510 | return ${NOT_FOUND} 2511 | fi 2512 | if [ "${EXPERT}" = "t" ]; then 2513 | expertmode_output "${strings} -a ${CMD}" 2514 | return 5 2515 | fi 2516 | 2517 | RSHD_INFECTED_LABEL="HISTFILE" 2518 | if ${strings} -a ${CMD} | ${egrep} "${RSHD_INFECTED_LABEL}" > /dev/null 2>&1 2519 | then 2520 | STATUS=${INFECTED} 2521 | if ${egrep} "^#.*rshd" ${ROOTDIR}etc/inetd.conf >/dev/null 2>&1 -o \ 2522 | ${ls} ${ROOTDIR}etc/xinetd.d/rshd >/dev/null 2>&1 ; then 2523 | STATUS=${INFECTED_BUT_DISABLED} 2524 | fi 2525 | fi 2526 | return ${STATUS} 2527 | } 2528 | 2529 | chk_tcpdump () { 2530 | STATUS=${NOT_INFECTED} 2531 | TCPDUMP_I_L="212.146.0.34:1963"; 2532 | _chk_netstat_or_ss; 2533 | OPT="-an" 2534 | [ "${netstat}" = "ss" ] && OPT="-a" 2535 | if ${netstat} "${OPT}" | ${egrep} "${TCPDUMP_I_L}"> /dev/null 2>&1; then 2536 | STATUS=${INFECTED} 2537 | fi 2538 | return ${STATUS} 2539 | } 2540 | 2541 | chk_tcpd () { 2542 | STATUS=${NOT_INFECTED} 2543 | TCPD_INFECTED_LABEL="p1r0c4|hack|/dev/xmx|/dev/hdn0|/dev/xdta|/dev/tux" 2544 | CMD="" 2545 | [ -r ${ROOTDIR}etc/inetd.conf ] && 2546 | CMD=`${egrep} '^[^#].*tcpd' ${ROOTDIR}etc/inetd.conf | _head -1 | \ 2547 | ${awk} '{ print $6 }'` 2548 | if ${ps} auwx | ${egrep} xinetd | ${egrep} -v grep >/dev/null 2>&1; then 2549 | CMD=`loc tcpd tcpd $pth` 2550 | fi 2551 | [ -z "${CMD}" ] && CMD=`loc tcpd tcpd $pth` 2552 | 2553 | [ "tcpd" = "${CMD}" ] && return ${NOT_FOUND}; 2554 | 2555 | if [ "${EXPERT}" = "t" ]; then 2556 | expertmode_output "${strings} -a ${CMD}" 2557 | return 5 2558 | fi 2559 | 2560 | if ${strings} -a ${CMD} | ${egrep} "${TCPD_INFECTED_LABEL}" > /dev/null 2>&1 2561 | then 2562 | STATUS=${INFECTED} 2563 | fi 2564 | return ${STATUS} 2565 | } 2566 | 2567 | chk_sshd () { 2568 | STATUS=${NOT_INFECTED} 2569 | SSHD2_INFECTED_LABEL="check_global_passwd|panasonic|satori|vejeta|\.ark|/hash\.zk" 2570 | getCMD 'sshd' 2571 | 2572 | if [ ${?} -ne 0 ]; then 2573 | return ${NOT_FOUND} 2574 | fi 2575 | 2576 | if [ "${EXPERT}" 
= "t" ]; then 2577 | expertmode_output "${strings} -a ${CMD}" 2578 | return 5 2579 | fi 2580 | 2581 | if ${strings} -a ${CMD} | ${egrep} "${SSHD2_INFECTED_LABEL}" \ 2582 | > /dev/null 2>&1 2583 | then 2584 | STATUS=${INFECTED} 2585 | if ${ps} ${ps_cmd} | ${egrep} sshd >/dev/null 2>&1; then 2586 | STATUS=${INFECTED_BUT_DISABLED} 2587 | fi 2588 | fi 2589 | return ${STATUS} 2590 | } 2591 | 2592 | chk_su () { 2593 | STATUS=${NOT_INFECTED} 2594 | SU_INFECTED_LABEL="satori|vejeta|conf\.inv" 2595 | CMD=`loc su su $pth` 2596 | 2597 | if [ "${EXPERT}" = "t" ]; then 2598 | expertmode_output "${strings} -a ${CMD}" 2599 | return 5 2600 | fi 2601 | 2602 | if ${strings} -a ${CMD} | ${egrep} "${SU_INFECTED_LABEL}" > /dev/null 2>&1 2603 | then 2604 | STATUS=${INFECTED} 2605 | fi 2606 | return ${STATUS} 2607 | } 2608 | 2609 | chk_fingerd () { 2610 | STATUS=${NOT_INFECTED} 2611 | FINGER_INFECTED_LABEL="cterm100|${GENERIC_ROOTKIT_LABEL}" 2612 | CMD=`loc fingerd fingerd $pth` 2613 | 2614 | if [ ${?} -ne 0 ]; then 2615 | CMD=`loc in.fingerd in.fingerd $pth` 2616 | if [ ${?} -ne 0 ]; then 2617 | return ${NOT_FOUND} 2618 | fi 2619 | fi 2620 | 2621 | if [ "${EXPERT}" = "t" ]; then 2622 | expertmode_output "${strings} -a ${CMD}" 2623 | return 5 2624 | fi 2625 | 2626 | if ${strings} -a ${CMD} | ${egrep} "${FINGER_INFECTED_LABEL}" \ 2627 | > /dev/null 2>&1 2628 | then 2629 | STATUS=${INFECTED} 2630 | fi 2631 | return ${STATUS} 2632 | } 2633 | 2634 | 2635 | chk_inetdconf () { 2636 | STATUS=${NOT_INFECTED} 2637 | SHELLS="${ROOTDIR}bin/sh ${ROOTDIR}bin/bash" 2638 | 2639 | if [ -r ${ROOTDIR}etc/shells ]; then 2640 | SHELLS="`cat ${ROOTDIR}etc/shells | ${egrep} -v '^#'`"; 2641 | fi 2642 | 2643 | if [ -r ${ROOTDIR}etc/inetd.conf ]; then 2644 | for CHK_SHELL in ${SHELLS}; do 2645 | cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" > /dev/null 2646 | if [ ${?} -ne 1 ]; then 2647 | if [ "${EXPERT}" = "t" ]; then 2648 | echo "Backdoor shell record(s) in 
/etc/inetd.conf: " 2649 | cat ${ROOTDIR}etc/inetd.conf | ${egrep} -v "^#" | ${egrep} "^.*stream.*tcp.*nowait.*$CHK_SHELL.*" 2650 | fi 2651 | STATUS=${INFECTED} 2652 | fi 2653 | done 2654 | return ${STATUS} 2655 | else 2656 | return ${NOT_FOUND} 2657 | fi 2658 | 2659 | } 2660 | 2661 | chk_telnetd () { 2662 | STATUS=${NOT_INFECTED} 2663 | TELNETD_INFECTED_LABEL='cterm100|vt350|VT100|ansi-term|/dev/hda[0-7]' 2664 | CMD=`loc telnetd telnetd $pth` 2665 | 2666 | if [ ${?} -ne 0 ]; then 2667 | CMD=`loc in.telnetd in.telnetd $pth` 2668 | if [ ${?} -ne 0 ]; then 2669 | return ${NOT_FOUND} 2670 | fi 2671 | fi 2672 | 2673 | if [ "${EXPERT}" = "t" ]; then 2674 | expertmode_output "${strings} -a ${CMD}" 2675 | return 5 2676 | fi 2677 | 2678 | if ${strings} -a ${CMD} | ${egrep} "${TELNETD_INFECTED_LABEL}" \ 2679 | >/dev/null 2>&1 2680 | then 2681 | STATUS=${INFECTED} 2682 | fi 2683 | return ${STATUS} 2684 | } 2685 | 2686 | printn () { 2687 | if `${echo} "a\c" | ${egrep} c >/dev/null 2>&1` ; then 2688 | ${echo} -n "$1" 2689 | else 2690 | ${echo} "${1}\c" 2691 | fi 2692 | } 2693 | 2694 | # main 2695 | # 2696 | 2697 | 2698 | ### using regexps, as the `-w' option to grep/egrep is not portable. 2699 | L_REGEXP='(^|[^A-Za-z0-9_])' 2700 | R_REGEXP='([^A-Za-z0-9_]|$)' 2701 | 2702 | ### default ROOTDIR is "/" 2703 | ROOTDIR='/' 2704 | mode="rt" 2705 | 2706 | while : 2707 | do 2708 | case $1 in 2709 | -r) [ -z "$2" ] && exit 1; 2710 | shift 2711 | mode="pm" 2712 | ROOTDIR=$1;; 2713 | -p) [ -z "$2" ] && exit 1; 2714 | shift 2715 | CHKRKPATH=$1;; 2716 | 2717 | -d) DEBUG=t;; 2718 | 2719 | -x) EXPERT=t;; 2720 | 2721 | -q) QUIET=t;; 2722 | 2723 | -V) echo >&2 "chkrootkit version ${CHKROOTKIT_VERSION}" 2724 | exit 1;; 2725 | 2726 | -l) echo >&2 "$0: tests: ${TOOLS} ${TROJAN}" 2727 | exit 1;; 2728 | 2729 | -n) tnfs;; 2730 | 2731 | -h | -*) echo >&2 "Usage: $0 [options] [test ...] 
2732 | Options: 2733 | -h show this help and exit 2734 | -V show version information and exit 2735 | -l show available tests and exit 2736 | -d debug 2737 | -q quiet mode 2738 | -x expert mode 2739 | -r dir use dir as the root directory 2740 | -p dir1:dir2:dirN path for the external commands used by chkrootkit 2741 | -n skip NFS mounted dirs" 2742 | exit 1;; 2743 | *) break 2744 | esac 2745 | 2746 | shift 2747 | done 2748 | 2749 | ### check the external commands needed 2750 | 2751 | cmdlist=" 2752 | awk 2753 | cut 2754 | echo 2755 | egrep 2756 | find 2757 | head 2758 | id 2759 | ls 2760 | ps 2761 | sed 2762 | strings 2763 | uname 2764 | " 2765 | 2766 | ### PATH used by loc 2767 | pth=`echo $PATH | sed -e "s/:/ /g"` 2768 | pth="$pth /sbin /usr/sbin /lib /usr/lib /usr/libexec ." 2769 | 2770 | ### external command's PATH 2771 | if [ "${CHKRKPATH}" = "" ]; then 2772 | chkrkpth=${pth} 2773 | else 2774 | ### use the path provided with the -p option 2775 | chkrkpth=`echo ${CHKRKPATH} | sed -e "s/:/ /g"` 2776 | fi 2777 | echo=echo 2778 | for file in $cmdlist; do 2779 | xxx=`loc $file $file $chkrkpth` 2780 | eval $file=$xxx 2781 | case "$xxx" in 2782 | /* | ./* | ../*) 2783 | 2784 | if [ ! -x "${xxx}" ] 2785 | then 2786 | echo >&2 "chkrootkit: can't exec \`$xxx'." 2787 | exit 1 2788 | fi 2789 | ;; 2790 | *) 2791 | echo >&2 "chkrootkit: can't find \`$file'." 2792 | exit 1 2793 | ;; 2794 | esac 2795 | done 2796 | 2797 | 2798 | SYSTEM=`${uname} -s` 2799 | VERSION=`${uname} -r` 2800 | if [ "${SYSTEM}" != "FreeBSD" -a ${SYSTEM} != "OpenBSD" ] ; then 2801 | V=4.4 2802 | else 2803 | V=`echo $VERSION| ${sed} -e 's/[-_@].*//'| ${awk} -F . '{ print $1 "." 
$2 $3 }'` 2804 | fi 2805 | 2806 | # head command 2807 | _head() 2808 | { 2809 | if `$echo a | $head -n 1 >/dev/null 2>&1` ; then 2810 | $head -n `echo $1 | tr -d "-"` 2811 | else 2812 | $head $1 2813 | fi 2814 | } 2815 | # ps command 2816 | ps_cmd="ax" 2817 | if [ "$SYSTEM" = "SunOS" ]; then 2818 | if [ "${CHKRKPATH}" = "" ]; then 2819 | if [ -x /usr/ucb/ps ]; then 2820 | ps="/usr/ucb/ps" 2821 | else 2822 | ps_cmd="-fe" 2823 | fi 2824 | else 2825 | ### -p is in place: use `-fe' as ps options 2826 | ps_cmd="-fe" 2827 | fi 2828 | fi 2829 | # Check if ps command is ok 2830 | if ${ps} ax >/dev/null 2>&1 ; then 2831 | ps_cmd="ax" 2832 | else 2833 | ps_cmd="-fe" 2834 | fi 2835 | 2836 | if [ `${id} | ${cut} -d= -f2 | ${cut} -d\( -f1` -ne 0 ]; then 2837 | echo "$0 needs root privileges" 2838 | exit 1 2839 | fi 2840 | 2841 | if [ $# -gt 0 ] 2842 | then 2843 | ### perform only tests supplied as arguments 2844 | for arg in $* 2845 | do 2846 | ### check if is a valid test name 2847 | if echo "${TROJAN} ${TOOLS}"| \ 2848 | ${egrep} -v "${L_REGEXP}$arg${R_REGEXP}" > /dev/null 2>&1 2849 | then 2850 | echo >&2 "$0: \`$arg': not a known test" 2851 | exit 1 2852 | fi 2853 | done 2854 | LIST=$* 2855 | else 2856 | ### this is the default: perform all tests 2857 | LIST="${TROJAN} ${TOOLS}" 2858 | fi 2859 | 2860 | if [ "${DEBUG}" = "t" ]; then 2861 | set -x 2862 | fi 2863 | 2864 | if [ "${ROOTDIR}" != "/" ]; then 2865 | 2866 | ### remove trailing `/' 2867 | ROOTDIR=`echo ${ROOTDIR} | ${sed} -e 's/\/*$//g'` 2868 | 2869 | for dir in ${pth} 2870 | do 2871 | if echo ${dir} | ${egrep} '^/' > /dev/null 2>&1 2872 | then 2873 | newpth="${newpth} ${ROOTDIR}${dir}" 2874 | else 2875 | newpth="${newpth} ${ROOTDIR}/${dir}" 2876 | fi 2877 | done 2878 | pth=${newpth} 2879 | ROOTDIR="${ROOTDIR}/" 2880 | fi 2881 | 2882 | if [ "${QUIET}" != "t" ]; then 2883 | echo "ROOTDIR is \`${ROOTDIR}'" 2884 | fi 2885 | 2886 | # 2887 | # NETSTAT OR SS 2888 | # 2889 | _chk_netstat_or_ss() 2890 | { 2891 | 
netstat="netstat" 2892 | CMD=`loc ss ss $pth` 2893 | [ ${?} -eq 0 ] && netstat="ss" 2894 | } 2895 | 2896 | for cmd in ${LIST} 2897 | do 2898 | 2899 | if echo "${TROJAN}" | \ 2900 | ${egrep} "${L_REGEXP}$cmd${R_REGEXP}" > /dev/null 2>&1 2901 | then 2902 | if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then 2903 | printn "Checking \`${cmd}'... " 2904 | fi 2905 | chk_${cmd} 2906 | STATUS=$? 2907 | 2908 | ### quiet mode 2909 | if [ "${QUIET}" = "t" ]; then 2910 | ### show only INFECTED status 2911 | if [ ${STATUS} -eq 0 ]; then 2912 | echo "Checking \`${cmd}'... INFECTED" 2913 | fi 2914 | continue 2915 | fi 2916 | 2917 | case $STATUS in 2918 | 0) echo "INFECTED";; 2919 | 1) echo "not infected";; 2920 | 2) echo "not tested";; 2921 | 3) echo "not found";; 2922 | 4) echo "infected but disabled";; 2923 | 5) ;; ### expert mode 2924 | esac 2925 | else 2926 | ### external tool 2927 | if [ "${EXPERT}" != "t" -a "${QUIET}" != "t" ]; then 2928 | printn "Checking \`$cmd'... " 2929 | fi 2930 | ${cmd} 2931 | 2932 | fi 2933 | done 2934 | 2935 | ### chkrootkit ends here. -------------------------------------------------------------------------------- /应急响应Checklist.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kafroc/emergency-response-toolbox/8aea36524fbd700c8710041876cd18666af71b0c/应急响应Checklist.xlsx --------------------------------------------------------------------------------