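#!/bin/bash
#Copyright 2001, William Stearns
#Released under the GPL.
#
#Shell library of helpers for worm/attack detection-and-cleanup scripts.
#Usage pattern for a calling script:
#  . detectlib ; AttackName ... ; AttackMarker ... ; InitDetectLib ; AttackFiles ... ; etc.
#Globals written by this library: NeededUtils, NameOfAttack, AttackPresent,
#FoundFiles, FoundDirs, FoundSpecials, MissingFiles, True, False,
#DetectLibInitialized.  The Found*/Missing* lists are space-separated
#strings, so paths containing whitespace or glob characters are not
#handled; every consumer of those lists word-splits them on purpose.
#True/False are set by InitDetectLib (0 and 1, matching bash exit status);
#functions that return $True/$False must be called after InitDetectLib.
DetectLibVer="011"

#Please leave Need_Utils before the rest, please. This gets called at
#the end of each function that needs a system tool.
#The actual check happens at the end in InitDetectLib .
#Params: names of external utilities the caller depends on.
Need_Utils () {
  NeededUtils="$NeededUtils $*"
}

#Diagnostic output, to stderr so it never mixes with the prompts on stdout.
#Params: message words.
debug () {
  echo '++++' "$*" >&2
}

#Don't call directly, use AttackFiles or AttackDirs, as appropriate.
#No required utils outside of bash builtins
#Params: paths to look for.  Each is appended to FoundDirs, FoundFiles,
#FoundSpecials or MissingFiles depending on what (if anything) is there.
#Returns: $True if at least one path exists, else $False.
#Note: the loop counts remaining arguments; the old `[ -n "$@" ]` test
#errored out ("too many arguments") whenever more than one path was given,
#so multi-path calls silently found nothing.
DetectFile () {
  DFRetVal=$False
  while [ $# -gt 0 ]; do
    if [ -d "$1" ]; then
      FoundDirs="$FoundDirs $1"
      DFRetVal=$True
    elif [ -f "$1" ]; then
      FoundFiles="$FoundFiles $1"
      DFRetVal=$True
    elif [ -b "$1" ] || [ -c "$1" ] || [ -p "$1" ] || [ -S "$1" ]; then
      FoundSpecials="$FoundSpecials $1"
      DFRetVal=$True
    else
      MissingFiles="$MissingFiles $1"
    fi
    shift
  done
  return $DFRetVal
}

#No required utils outside of bash builtins
AttackName () {
  #Params: A descriptive name for this worm.  All words are joined with
  #single spaces; "$*" (not "$@") so a multi-word name tests correctly.
  if [ -n "$*" ]; then
    NameOfAttack="$*"
  else
    debug Null attack name in AttackName.
  fi
}

#No required utils outside of bash builtins
AttackMarker () {
  #Params: One or more files or directories whose presence (of any of them, not all of them)
  #essentially guarantees the attack is on the system.
  #DO NOT ASSUME ANY EXTERNAL UTILITY CAN BE TRUSTED AT THIS POINT.
  #Sets AttackPresent=$True on the first hit; it is never reset here, so a
  #hit from an earlier call carries over.
  #Returns: $AttackPresent (0 when found).
  if [ -z "$NameOfAttack" ]; then
    debug Null attack name in AttackMarker.
  fi
  #Unquoted $* on purpose: callers may hand in a single space-separated list.
  for OneFile in $* ; do
    if [ -e "$OneFile" ]; then
      AttackPresent=$True
    fi
  done
  if [ "$AttackPresent" = "$True" ]; then
    echo $NameOfAttack detected.
  else
    echo $NameOfAttack DOES NOT appear to be present on this system, good.
  fi
  return $AttackPresent
}

#No required utils outside of bash builtins
Need_Utils rm
#Params: paths the attack is known to drop.  Existing ones are listed and,
#on an explicit "YES", removed.
#Returns: DetectFile's status ($True if any of the paths existed).
#Fixes the call to the misspelled `DetectFiles`, which did not exist.
AttackFiles () {
  DetectFile "$@"
  AFRetVal=$?
  #Nothing found: don't prompt for, or run rm on, an empty list.
  if [ -z "$FoundFiles$FoundSpecials$FoundDirs" ]; then
    echo None of the listed files or directories are present.
    return $AFRetVal
  fi
  echo Do you wish to delete the following files and directories?
  echo $FoundFiles $FoundSpecials $FoundDirs
  echo If so, enter \"YES\" without the quotes.
  read Reply
  if [ "$Reply" = "YES" ]; then
    #Lists are space-separated strings; word-splitting here is intended.
    rm -f $FoundFiles $FoundSpecials $FoundDirs
  else
    echo NOT removing the above listed files.
  fi
  return $AFRetVal
}

Need_Utils mv
ReplacedFile () {
  #Params: Suspect utility name, Where the good copy was moved if replaced.
  #If the saved original exists, it is moved back over the suspect copy.
  if [ -f "$2" ]; then
    echo \"$2\" found, so we assume \"$1\" is a wrapper and
    echo will restore the original version.
    if [ ! -f "$1" ]; then
      debug \"$1\" does not exist in ReplacedFile.
    fi
    mv -f "$2" "$1"
  fi
}

NukedFiles () {
  #Params: Files which may have been removed from the system or truncated to 0 bytes.
  #Purely advisory: prints the list for the operator to check against backup.
  if [ -n "$*" ]; then
    echo The following files may have been removed from the system or
    echo truncated. You should inspect them to see if they need to be
    echo restored from backup.
    echo "$@"
  else
    debug Null filelist in NukedFiles
  fi
}

Need_Utils killall
PathToRunningApps () {
  #Params: full path to apps that may be running as part of the attack
  #FIXME - writeme... :-)
  #Asks before signalling; the names are passed straight to killall.
  echo Would you like to kill any running processes run from the
  echo following executables? If so, enter \"YES\" without quotes.
  echo "$@"
  read Reply
  if [ "$Reply" = "YES" ]; then
    killall -9 "$@"
  else
    echo NOT removing the above listed applications.
  fi
}

AddedLine () {
  #Params: file which may have had a line added, line that was added (or at least enough of a regexp to match).
  #FIXME - writeme
  :
}

ServicesStopped () {
  #Params: names of SysVinit scripts that may need to be restarted.
  #FIXME - writeme
  #Looks for the init script under /etc/rc.d/init.d then /etc/init.d and
  #runs stop followed by start, one service at a time, each after a prompt.
  for OneService in "$@" ; do
    echo Would you like to stop and start service \"$OneService\"?
    echo If so, enter \"YES\" without quotes.
    read Reply
    if [ "$Reply" = "YES" ]; then
      if [ -f "/etc/rc.d/init.d/$OneService" ]; then
        "/etc/rc.d/init.d/$OneService" stop
        "/etc/rc.d/init.d/$OneService" start
      elif [ -f "/etc/init.d/$OneService" ]; then
        "/etc/init.d/$OneService" stop
        "/etc/init.d/$OneService" start
      else
        echo Can\'t find the script that stops and starts the service.
        echo Please restart it by hand.
      fi
    else
      echo NOT restarting the above listed service.
    fi
  done
}

#Need_Utils mkdir
#Last function, please
#Sets True/False and empties the result lists, then verifies every utility
#registered with Need_Utils can be found via `type -path` on the current
#PATH; exits the script if one is missing.  The lookup trusts PATH and the
#binaries on it, so a tampered PATH or replaced tool is not detected here.
#Idempotent: a second call is a no-op (the old test compared the string
#"True" against $True, i.e. 0, so it re-initialised every time).
InitDetectLib () {
  if [ "$DetectLibInitialized" != "True" ]; then
    False=1 #As far as bash is concerned.
    True=0
    #set PATH=/knowngood
    MissingFiles=""
    FoundFiles=""
    FoundDirs=""
    FoundSpecials=""
    AttackPresent=$False
    for OneUtil in $NeededUtils ; do
      if ! type -path "$OneUtil" ; then
        echo Missing support tool \"$OneUtil\" in path \"$PATH\"
        echo Exiting.
        exit $False
      fi
    done
    DetectLibInitialized="True"
  fi
}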