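#!/bin/bash
#ZZZZ
#Bobkit detection VZ.Z.Z.
#Copyright 2002 William Stearns
#Released under the GPL.
#Based on 20020122: 1010850460, 1010884915, 1010938413, ds, et
#
# Detection/cleanup module for the "Bobkit" Linux rootkit.  All real work is
# delegated to helper functions supplied by detectlib (AttackName,
# AttackMarker, ReplacedFile, PathToRunningApps, PackagesMangled, AttackFiles,
# NukedFiles, AddedLine, ReplacedLine, ServicesStopped) and to its $True /
# $False status variables; their exact semantics live in detectlib, not here.
#
# Exit status: $True when the rootkit marker directories are present, $False
# when they are not, 2 when detectlib cannot be loaded.

# `. name` without a slash searches PATH first and only falls back to the
# current directory when bash is not in POSIX mode, so keep detectlib either
# next to this script (and run it from that directory) or on PATH.
if ! . detectlib ; then
  # Diagnostics go to stderr so they do not mix with report output.
  echo 'Cannot find detectlib in the current directory, exiting' >&2
  exit 2
fi
InitDetectLib

AttackName Bobkit Linux rootkit

# The marker paths are directories literally named "...", a hiding spot that
# is easy to overlook in a casual listing; their presence is the primary
# indicator that the kit is installed.
if AttackMarker /usr/include/... /tmp/.bkp ; then
  # Lines whose arguments begin with X are unfilled entries carried over from
  # the detect-script skeleton.  Presumably detectlib treats a leading X as
  # "unconfirmed, skip" -- confirm against detectlib before relying on it.
  ReplacedFile X /path/to/hostile/wrapper /path/where/original/good/file/placed X
  ReplacedFile X /path/to/hostile/wrapper /path/where/original/good/file/placed X

  #You need to check for running apps with this before removing the files; killall
  #depends on having the original files still on the drive to kill them.
  # The last path deliberately has no trailing backslash: the original ended
  # this list with a dangling continuation, which splices the following
  # command into PathToRunningApps' argument list unless a blank line
  # happens to follow it.
  PathToRunningApps \
    /usr/include/.../bkit-screen \
    /usr/include/.../bkit-sleep

  PackagesMangled X X \
    /full/path/to/some/binary ProbableOwnerPackageName \
    /another/binary ProbableOwnerPackageForThatBinary

  #Complete
  # Everything the kit drops: its own bkit-* tools, the tarballs it was
  # unpacked from, and copies of du/find/ls/lsof/netstat/psr/pstree/slocate/
  # top under the hidden directories.  The latter look like replacements for
  # the system utilities, and bkit-adore.o looks like a kernel module, so
  # output from the host's own tools may not be trustworthy while the kit is
  # active -- verify with known-good binaries.  Directories are listed after
  # their contents, presumably so files are removed before their parents.
  AttackFiles \
    /tmp/.bkp/.../.bash_history \
    /tmp/.bkp/.../.bkit-1010850460.tgz \
    /tmp/.bkp/.../.bkit-1010884915.tgz \
    /tmp/.bkp/.../bkit-dl \
    /tmp/.bkp/.../bkit-get \
    /tmp/.bkp/.../bkit-mc \
    /tmp/.bkp/.../bkit-patch \
    /tmp/.bkp/.../bkit-screen \
    /tmp/.bkp/.../bkit-sleep \
    /tmp/.bkp/.../core \
    /tmp/.bkp/.../nohup.out \
    /tmp/.bkp/du \
    /tmp/.bkp/file.h \
    /tmp/.bkp/find \
    /tmp/.bkp/libproc.so.2.0.6 \
    /tmp/.bkp/log.h \
    /tmp/.bkp/login \
    /tmp/.bkp/ls \
    /tmp/.bkp/lsof \
    /tmp/.bkp/netstat \
    /tmp/.bkp/nscd \
    /tmp/.bkp/ntpsx \
    /tmp/.bkp/proc.h \
    /tmp/.bkp/psr \
    /tmp/.bkp/pstree \
    /tmp/.bkp/slocate \
    /tmp/.bkp/top \
    /usr/include/.../.bash_history \
    /usr/include/.../.bkit-1010938413.tgz \
    /usr/include/.../bkit-dl \
    /usr/include/.../bkit-get \
    /usr/include/.../bkit-mc \
    /usr/include/.../bkit-patch \
    /usr/include/.../bkit-screen \
    /usr/include/.../bkit-sleep \
    /usr/include/.../core \
    /usr/include/.../nohup.out \
    /usr/lib/.../bkit-adore.o \
    /usr/lib/.../bkit-ssh/bkit-pw \
    /usr/lib/.../bkit-ssh/bkit-shd.pid \
    /usr/lib/.../bkit-ssh/bkit-shdcfg \
    /usr/lib/.../bkit-ssh/bkit-shhk \
    /usr/lib/.../bkit-ssh/bkit-shrs \
    /usr/lib/.../du \
    /usr/lib/.../find \
    /usr/lib/.../ls \
    /usr/lib/.../lsof \
    /usr/lib/.../netstat \
    /usr/lib/.../psr \
    /usr/lib/.../pstree \
    /usr/lib/.../slocate \
    /usr/lib/.../top \
    /usr/lib/.../uconf.inv \
    /usr/sbin/.../bkit-ava \
    /usr/sbin/.../bkit-d \
    /usr/sbin/.../bkit-f \
    /usr/sbin/.../bkit-shd \
    /tmp/.bkp \
    /tmp/.bkp/... \
    /tmp/.bkp/.../.tmp \
    /usr/include/... \
    /usr/include/.../.tmp \
    /usr/lib/... \
    /usr/lib/.../bkit-ssh \
    /usr/sbin/...
  #Normal dirs, not to be deleted:
  #/tmp, /usr, /usr/include, /usr/lib, /usr/sbin

  # Skeleton entries (leading X), see note above.
  NukedFiles X \
    /some/file/this/attack/removes/or/truncates \
    /and/another

  AddedLine X X \
    /some/file RegExpThatMatchesLineAdded

  ReplacedLine X X X \
    /some/file BadRegexInFile GoodStringWeWantThere

  ServicesStopped X \
    somesysvinitservice \
    anothersysvinitservice

  # Manual follow-up advice shown to the operator.  The first line still reads
  # as skeleton text; edit it once the advice for this kit is finalised.
  echo Anything you want to warn the user about manually, such as
  echo Your passwords may have been mailed off to some email account,
  echo please change all passwords.
  exit $True #Attack found
else
  exit $False #Attack not found
fi
exit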