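#!/bin/bash
# adorefind - detection/cleanup driver for the Adore worm on Linux.
#
# This script is a thin front end: every check and cleanup step
# (InitDetectLib, AttackName, AttackMarker, ReplacedFile, PathToRunningApps,
# AttackFiles, NukedFiles, AddedLine, PackagesMangled, ServicesStopped, and
# the $True/$False exit values) is provided by the sourced file "detectlib",
# which must sit next to this script.  Only the worm-specific indicators
# (paths, replaced binaries, added accounts, stopped services) live here.
#
# Exit status: $True when the Adore marker files are present, $False when
# they are not, 2 when detectlib cannot be loaded.

echo "Adore worm detect script for Linux."
# NOTE(review): the author's contact address that followed the name appears
# to have been lost in extraction; it is intentionally not re-invented here.
echo "Copyright 2001 William Stearns"
echo "Released under the GPL."
echo "Version 0.2.4"
echo "Documentation about this worm and updated versions of this script"
echo "can be found at http://www.sans.org/y2k/adore.htm and"
echo "http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm"

# Source the library from the current directory explicitly.  A bare
# ". detectlib" is resolved through $PATH first, so on a host that is already
# compromised a planted file of that name could be loaded instead of ours;
# "./detectlib" also matches what the error message below promises.
if ! . ./detectlib ; then
  echo "Cannot find detectlib in the current directory, exiting"
  exit 2
fi

InitDetectLib

AttackName Adore worm for Linux

# AttackMarker decides whether the worm is present; the remaining steps only
# run when one of these marker paths exists.
if AttackMarker /usr/lib/red.tar /dev/.shit/red.tgz /usr/lib/lib/ /dev/.shit/ /dev/.shit/lib/ /usr/lib/lib/start.sh /dev/.shit/lib/start.sh /usr/lib/klogd.o ; then
  # System binaries the worm swaps out, and where it stashes the originals.
  ReplacedFile /bin/ps /usr/bin/adore
  ReplacedFile /sbin/klogd /usr/lib/klogd.o
  #One or the other should have the backup
  ReplacedFile /etc/cron.daily/0anacron /usr/lib/lib/0anacron-bak
  ReplacedFile /etc/cron.daily/0anacron /dev/.shit/lib/0anacron-bak

  # Worm components that may still be running as processes.
  PathToRunningApps \
    /usr/lib/lib/.bind \
    /usr/lib/lib/.statdx \
    /usr/lib/lib/bind \
    /usr/lib/lib/mail.sh \
    /usr/lib/lib/mail2.sh \
    /usr/lib/lib/start.sh \
    /usr/lib/lib/statdx \
    /usr/lib/lib/lpd \
    /usr/lib/lib/lpd7.sh \
    /usr/lib/lib/start-lprng \
    /usr/lib/lib/start-statd \
    /usr/lib/lib/start-wu26 \
    /usr/lib/lib/start-bind \
    /usr/lib/lib/pscan-bind \
    /usr/lib/lib/pscan-ftpd \
    /usr/lib/lib/pscan-lprng \
    /usr/lib/lib/pscan-statdx \
    /usr/lib/lib/wuftpd26 \
    /usr/lib/lib/wuscan \
    /usr/lib/lib/hackwu26 \
    /usr/lib/lib/hacklpd \
    /usr/lib/lib/scan.pl \
    /usr/lib/lib/.bla \
    /dev/.shit/lib/.bind \
    /dev/.shit/lib/.statdx \
    /dev/.shit/lib/bind \
    /dev/.shit/lib/mail.sh \
    /dev/.shit/lib/mail2.sh \
    /dev/.shit/lib/start.sh \
    /dev/.shit/lib/statdx \
    /dev/.shit/lib/lpd \
    /dev/.shit/lib/lpd7.sh \
    /dev/.shit/lib/start-lprng \
    /dev/.shit/lib/start-statd \
    /dev/.shit/lib/start-wu26 \
    /dev/.shit/lib/start-bind \
    /dev/.shit/lib/pscan-bind \
    /dev/.shit/lib/pscan-ftpd \
    /dev/.shit/lib/pscan-lprng \
    /dev/.shit/lib/pscan-statdx \
    /dev/.shit/lib/wuftpd26 \
    /dev/.shit/lib/wuscan \
    /dev/.shit/lib/hackwu26 \
    /dev/.shit/lib/hacklpd \
    /dev/.shit/lib/scan.pl \
    /dev/.shit/lib/.bla \
    /sbin/klogd #Klogd may be legitimate, but we'll restart the syslog service in a minute anyways.
  #cat and xargs may be left running, but with nothing to feed to.

  # Files and directories dropped by the worm.
  AttackFiles \
    /tmp/.problem \
    /tmp/.tmp \
    /usr/lib/red.tar \
    /usr/lib/lib/.backdoor \
    /usr/lib/lib/.bind \
    /usr/lib/lib/.statdx \
    /usr/lib/lib/0anacron \
    /usr/lib/lib/bind \
    /usr/lib/lib/bindname.log \
    /usr/lib/lib/bindscan \
    /usr/lib/lib/getip \
    /usr/lib/lib/go \
    /usr/lib/lib/go2 \
    /usr/lib/lib/hacklpd \
    /usr/lib/lib/hackwu26 \
    /usr/lib/lib/icmp \
    /usr/lib/lib/icmp.c \
    /usr/lib/lib/lpd \
    /usr/lib/lib/lpd7.sh \
    /usr/lib/lib/lpdscan \
    /usr/lib/lib/mail.sh \
    /usr/lib/lib/mail2.sh \
    /usr/lib/lib/mail.txt \
    /usr/lib/lib/myip \
    /usr/lib/lib/ps \
    /usr/lib/lib/ps.c \
    /usr/lib/lib/pscan-bind \
    /usr/lib/lib/pscan-ftpd \
    /usr/lib/lib/pscan-lprng \
    /usr/lib/lib/pscan-statdx \
    /usr/lib/lib/randb \
    /usr/lib/lib/results.log \
    /usr/lib/lib/scan.pl \
    /usr/lib/lib/start \
    /usr/lib/lib/start-bind \
    /usr/lib/lib/start-lprng \
    /usr/lib/lib/start-statd \
    /usr/lib/lib/start-wu26 \
    /usr/lib/lib/start.sh \
    /usr/lib/lib/statdx \
    /usr/lib/lib/statdx.log \
    /usr/lib/lib/statdxscan \
    /usr/lib/lib/wu.log \
    /usr/lib/lib/wu26.log \
    /usr/lib/lib/wuhack.log \
    /usr/lib/lib/wuftpd26 \
    /usr/lib/lib/wuftpd26scan \
    /usr/lib/lib/wuscan \
    /usr/lib/lib/ \
    /dev/.shit/red.tgz \
    /dev/.shit/lib/.backdoor \
    /dev/.shit/lib/.bind \
    /dev/.shit/lib/.statdx \
    /dev/.shit/lib/0anacron \
    /dev/.shit/lib/0anacron-bak \
    /dev/.shit/lib/bind \
    /dev/.shit/lib/bindscan \
    /dev/.shit/lib/getip \
    /dev/.shit/lib/icmp \
    /dev/.shit/lib/icmp.c \
    /dev/.shit/lib/lpd \
    /dev/.shit/lib/lpd7.sh \
    /dev/.shit/lib/lpdscan \
    /dev/.shit/lib/mail.sh \
    /dev/.shit/lib/mail2.sh \
    /dev/.shit/lib/myip \
    /dev/.shit/lib/ps \
    /dev/.shit/lib/ps.c \
    /dev/.shit/lib/pscan-bind \
    /dev/.shit/lib/pscan-ftpd \
    /dev/.shit/lib/pscan-lprng \
    /dev/.shit/lib/pscan-statdx \
    /dev/.shit/lib/randb \
    /dev/.shit/lib/s \
    /dev/.shit/lib/scan.pl \
    /dev/.shit/lib/start \
    /dev/.shit/lib/start-bind \
    /dev/.shit/lib/start-lprng \
    /dev/.shit/lib/start-statd \
    /dev/.shit/lib/start-wu26 \
    /dev/.shit/lib/start.sh \
    /dev/.shit/lib/statdx \
    /dev/.shit/lib/statdxscan \
    /dev/.shit/lib/wuftpd26 \
    /dev/.shit/lib/wuftpd26scan \
    /dev/.shit/lib/wuscan \
    /dev/.shit/ \
    /dev/.shit/lib/
  #FIXME "./s -own 362436 3976"

  # Files the worm deletes or truncates on the victim (logs, Lion leftovers,
  # TCP-wrapper deny list).
  NukedFiles /var/log/maillog /var/log/messages /dev/.lib/ /etc/hosts.deny
  echo "Please note that the /dev/.lib directory, if it existed at all,"
  echo "only contained the Lion worm.  Don't worry too much about"
  echo "restoring it from backup..."

  # Lines the worm appends: ftp accounts locked out of FTP, and two backdoor
  # accounts (one uid 0) with a fixed password hash.  Kept byte-for-byte as
  # indicators; detectlib is expected to remove them.
  AddedLine /etc/ftpusers ftp
  AddedLine /etc/ftpusers anonymous
  AddedLine /etc/passwd "dead:x:1:1:anarchee:/:/bin/sh"
  AddedLine /etc/shadow "dead:iUCNir1cd8pI2:::::::"
  AddedLine /etc/passwd "h:x:0:0:admin:/:/bin/sh"
  AddedLine /etc/shadow "h:iUCNir1cd8pI2:::::::"

  # /bin/login belongs to util-linux; the package owning the trojaned binary
  # is named so it can be verified/reinstalled.
  PackagesMangled /bin/login util-linux

  # Services the worm abuses or disables; syslog restart also replaces the
  # klogd process killed above.
  ServicesStopped nfslock lpd syslog

  exit $True #Adore found.
else
  exit $False #Adore not found.
fi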