Malware and Backdoor detection Shell Script
You ask about 3 different things...
- Root kits;
- Backdoors;
- Malware.
Root kits
Most root kits use the kernel to hide themselves and they are only visible from within the kernel.
If you want to know how to find them why not use the power of open source and install rkhunter
and see how they do it? You can find the source here.
Besides that CERT has a thorough explanation on what to look for when dealing with root kits. Highlights from the link:
- Examine log files for connections from unusual locations or other unusual activity.
- Look for setuid and setgid files (especially setuid root files) everywhere on your system:
    find / -user root -perm -4000 -print
    find / -group kmem -perm -2000 -print
- Check your system binaries to make sure that they haven't been altered.
- Examine all the files that are run by 'cron' and 'at'.
- Check for unauthorized services.
- Examine the /etc/passwd file on the system and check for modifications to that file.
- Check your system and network configuration files for unauthorized entries.
- Look everywhere on the system for unusual or hidden files (files that start with a period and are normally not shown by 'ls').
Most of these you can do from command line.
Also worth reading:
Backdoors
The problem with backdoors is that they generally are flaws in software that get abused. The basic set of rules...
- immediately install security updates when you're notified;
- do not install antivirus, as you really don't need it in Linux, unless you share files with Windows;
- enable the firewall (sudo ufw enable) without further tweaks;
- stick to the official repos as much as possible, and only deviate from them when strictly necessary and with much caution;
- keep Java (both openJDK and Oracle Java) disabled by default in your browser, and only enable it when needed;
- use Wine with caution;
- and most important of all: use your common sense. The biggest security threat is generally found between keyboard and chair.
Worth reading:
- What to do regarding BackDoor.Wirenet.1
- https://serverfault.com/questions/171893/how-do-you-search-for-backdoors-from-the-previous-it-person
- https://stackoverflow.com/questions/9417739/how-to-find-out-backdoor-in-php-source-code
- https://security.stackexchange.com/questions/35944/how-can-i-find-the-malicious-backdoor-codes-without-knowing-the-last-modified-da
- https://security.stackexchange.com/questions/32645/how-can-i-detect-backdoors
Malware
Scan /etc/hosts for weird IP addresses and host names. If you look at these:
- Google.com redirect malware on FF
- Ubuntu vulnerable to malware sites?
- Popup Malware "openadserving.com"
- Chrome Popup Malware "openadserving.com"?
either a browser extension or an alteration to /etc/hosts is the cause.
Also a good read is:
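The CERT checks above (setuid/setgid files, hidden files, /etc/hosts entries) plus the fixed-string grep from the question, as an added example that is not the answer's or the asker's own code: the function names and the constructed sample tree are mine, and the obfuscated app.js in that tree shows the limitation raised in the comments below.

```shell
#!/bin/sh
# Added example, not the answer's own code: a few of the CERT checks above as
# shell functions that take a directory or file argument, so they can be tried
# on the constructed sample tree below. All function names are my own.

# setuid / setgid files (CERT: especially setuid root)
find_setuid_setgid() {        # $1 = directory to scan
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# hidden names (start with a dot, so a plain ls does not show them)
find_hidden() {               # $1 = directory to scan
    find "$1" -xdev -name '.*' -print 2>/dev/null
}

# hosts file: report every entry that is not loopback/link-local, since a
# real hostname pointed at an attacker-chosen IP is the redirect symptom
suspicious_hosts_entries() {  # $1 = hosts-format file
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | awk '$1 != "127.0.0.1" && $1 != "127.0.1.1" && $1 != "::1" && $1 !~ /^f[ef]/'
}

# the question's fixed-string check; it misses obfuscated variants (see app.js)
grep_eval_wrappers() {        # $1 = directory to scan
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
      -exec grep -lF -e 'eval(base64_decode' -e 'eval(unescape' {} + 2>/dev/null || true
}

# constructed sample tree (placeholders, not real malware): prints its path
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/www" "$d/etc"
    printf 'placeholder\n' > "$d/fakebin" && chmod 4755 "$d/fakebin"
    printf 'hidden\n' > "$d/www/...rc"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$d/www/index.php"
    printf 'var e=window["ev"+"al"];e("1");\n' > "$d/www/app.js"  # obfuscated: not caught
    printf '127.0.0.1 localhost\n::1 localhost\n198.51.100.7 www.example.com\n' > "$d/etc/hosts"
    echo "$d"
}

main() {
    t=$(make_sample_tree)
    echo "== setuid/setgid files ==";          find_setuid_setgid "$t"
    echo "== hidden names ==";                 find_hidden "$t"
    echo "== non-loopback hosts entries ==";   suspicious_hosts_entries "$t/etc/hosts"
    echo "== eval() wrappers ==";              grep_eval_wrappers "$t"
    rm -rf "$t"
}
main
```

Run against a real system with / and /etc/hosts instead of the sample tree; the hosts check will also list any legitimate static entries, which is why it reports rather than deletes.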
chadwicke619
Updated on September 18, 2022

Comments
- chadwicke619, almost 2 years ago:
I'm trying to build a shell script which can automatically detect malware, backdoors and rootkits and I'm trying to research for it. I found some of the things like
    find . -name "*.js" | xargs grep -l "eval(unescape"
    find . -name "*.php" | xargs grep -l "eval(base64_decode"
But I don't find only these relevant to just find for .php and .js files and try to see if it consists of malware. Can anyone please help me to give a general idea that I can use for the script so that it can do the work of malware, backdoors and rootkits detection. More precisely to say, how can one find this malware, backdoors and rootkits on an Ubuntu system. Thanks.
- chronitis, almost 11 years ago:
Looking for fixed strings in a dynamic language is a bit of a non-starter, since there are always more ways of obfuscating the operation you're trying to detect. In the first example you could replace eval with e=window["ev"+"al"];e , for instance.