home *** CD-ROM | disk | FTP | other *** search
#!/bin/bash # This script requires a copy of an uncompressed kernel to be placed in the script directory # The kernel copy must match the exact version running on this system. Sysmap=`ls /boot | grep System` # if you wish to use the kernel from the boot directory, uncomment the line below which starts with "kernel". # Make sure an uncompressed kernel does reside in the boot directory. # while this operation will in most cases work, it is not recommanded since # if the system was compromised the kernel itself might have been changed to avoid detection. # it is recommanded that instead a fresh backup is used. #kernel=`ls /boot | grep vmlinux` # if you uncomment the line above please make sure to comment out the next line kernel=`ls | grep vmlinux` if [ -e /boot/System.map ] then Sysmap=/boot/System.map else Sysmap=`ls /boot | grep System` Sysmap=`echo /boot/$Sysmap` fi if [ ! -e "$kernel" ] then kernel=`ls /boot | grep vmlinux` kernel=`echo /boot/$kernel` for check in $kernel do if [ -e "$check" ] then kernel=$check fi done fi if [ `echo $Sysmap | grep .gz` == `echo $Sysmap` ] then rm -f ./system.map.tmp* cp `echo $Sysmap` ./system.map.tmp.gz gzip -d system.map.tmp.gz Sysmap="./system.map.tmp" fi if [ ! -e "$Sysmap" ] then Sysmap=`ls /boot | grep System | grep default` Sysmap=`echo /boot/$Sysmap` fi if [ ! -e "$Sysmap" ] then echo "TRUE:" echo "AddListItem([[[]]],[[[Error]]])" echo "AddListItem([[[Error]]],[[[Unable to find a suitable sysmap, make sure you read the complete documentation of this check]]])" echo "!!SCRIPT_FINISHED!!" exit fi if [ `echo $kernel | grep .gz` == `echo $kernel` ] then rm -f ./vmlinux.tmp* cp `echo $kernel` ./vmlinux.tmp.gz gzip -d vmlinux.tmp.gz kernel="./vmlinux.tmp" fi if [ "$kernel" == "/boot/" ] then kernel="" fi if [ ! -e "$kernel" ] then echo "TRUE:" echo "AddListItem([[[]]],[[[Error]]])" echo "AddListItem([[[Error]]],[[[Unable to find Kernel, make sure you read the complete documentation of this check]]])" echo "!!SCRIPT_FINISHED!!" exit fi kernelloc=`cat $Sysmap | grep sys_call_table` kernelloc=`echo $kernelloc | awk '{ print $1 }'` sysmaploc=`nm $kernel | grep sys_call_table` sysmaploc=`echo $sysmaploc | awk '{ print $1 }'` #compare kernel table location with sysmap if [ "$kernelloc" != "$sysmaploc" ] then echo "TRUE:" echo "AddListItem([[[]]],[[[Kernel sys_call_table doesn't match SystemMap sys_call_table -> 0x$kernelloc : 0x$sysmaploc]]])" echo "!!SCRIPT_FINISHED!!" exit fi cat << EOF > gdb-kernel #!/usr/bin/expect -f set timeout -1 set height 5000 spawn gdb -q ./vmlinux-2.6.4-52-smp [lrange \$argv 1 1] match_max 100000 expect "(gdb) " send -- "set height 5000\r" expect "(gdb) " send -- "disass [lrange \$argv 0 0]" expect -exact "[lrange \$argv 0 0]" send -- "\r" expect "(gdb) " send -- "q\r" expect eof EOF chmod u+x gdb-kernel ./gdb-kernel sys_read > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_read /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_write > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_write /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_open > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_open /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_getdents > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_getdents /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_dents64 > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_dents64 /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_socketcall > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_socketcall /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_query_module > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_query_module /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_setuid > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_setuid /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_getuid > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_getuid /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_execve > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_execve /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_chdir > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_chdir /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_fork > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_fork /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_clone > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_clone /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_ioctl > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_ioctl /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi ./gdb-kernel sys_kill > function-stored.raw grep 0x function-stored.raw | grep -v \#0 | grep -v Core > function-stored rm -f function-stored.raw ./gdb-kernel sys_kill /proc/kcore > function-running.raw grep 0x function-running.raw | grep -v \#0 | grep -v Core > function-running rm -f function-running.raw rm -f gdb-kernel result=`diff function-stored function-running` results=FALSE if [ "$result" != "" ] then results=TRUE fi if [ "$results" = TRUE ] then echo TRUE: echo "AddListItem([[[]]],[[[Possible RootKit Detected]]])" echo "AddListItem([[[Possible RootKit Detected]]],[[[One or more of the System Call functions code was changed in the running kernel.]]])" echo "AddListItem([[[Possible RootKit Detected]]],[[[This is usually the result of a root kit or other malicious software that tries to hide its processes and files.]]])" else echo FALSE: rm -f kernel-stored rm -f kernel-running fi echo "!!SCRIPT_FINISHED!!" 
