Centos 6.4 how to check if sshd is infected with Fokirtor

Centos 6.4 how to check if sshd is infected with Fokirtor

At first you need to install

yum install python-psutil

after that

cp /sbin/pidof /bin/pidof

and download and execute this script

https://github.com/kumina/nagios-plugins-kumina/blob/master/check_fokirtor.sh



#!/bin/sh
#
# A simple check to see if running ssh processes contain any string that have
# been designated an indication of Fokirtor by Symantec.
#
# More info here:
# http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol
#
# (c) 2013, Kumina bv, [email protected]
#
# You are free to use, modify and distribute this check in any way you see
# fit. Just don't say you wrote it.
#
# This check is created for Debian Squeeze/Wheezy, no idea if it'll work in
# other distros. You'll need gdb-minimal (for gcore) installed.
# We need to be root
if [ `/usr/bin/id -u` -ne 0 ]; then
echo "You need root for this script. Sorry."
        exit 1
fi
# For all pids of the ssh process, do the check
for pid in `/bin/pidof sshd`; do
t=$(/bin/mktemp)
        /usr/bin/gdb </dev/null --nx --batch \
          -ex "set pagination off" -ex "set height 0 " -ex "set width 0" \
          -ex "attach $pid" -ex "gcore $t" -ex detach -ex quit
        i=0
        for str in hbt= key= dhost= sp= sk= dip=; do
                /usr/bin/strings $t | /bin/grep "${str}[[:digit:]]"
                if [ $? -eq 0 ]; then
i=$(($i + 1))
                fi
done
        /bin/rm $t
        if [ $i -eq 6 ]; then
echo "CRITICAL: Fokirtor strings found in sshd process ${pid}!"
                exit 2
        fi
done
echo "OK: No indication of Fokirtor found."
exit 0
After that you will see output like this:
[Thread debugging using libthread_db enabled] 0x00007f5b2e4d7513 in __select_nocancel () from /lib64/libc.so.6 Saved corefile /tmp/tmp.Q89Sku0vPN [Thread debugging using libthread_db enabled] 0x00007f5b2e4d1630 in __read_nocancel () from /lib64/libc.so.6 Saved corefile /tmp/tmp.QLWtlfoMok [Thread debugging using libthread_db enabled] 0x00007f5eb920d513 in __select_nocancel () from /lib64/libc.so.6 Saved corefile /tmp/tmp.1d41QbCaA3 [Thread debugging using libthread_db enabled] 0x00007f5eb9207630 in __read_nocancel () from /lib64/libc.so.6 Saved corefile /tmp/tmp.lXIzRAYB4g [Thread debugging using libthread_db enabled] 0x00007eff8f06c513 in __select_nocancel () from /lib64/libc.so.6 Saved corefile /tmp/tmp.e4QmwlYJtT
OK: No indication of Fokirtor found.  
 

Comments

Popular posts from this blog

Securing the Pi-hole with fail2ban to prevent DNS Amplification attacks

Reduce (shrink) and resize raw disk at Proxmox

How to clean DB from old logs in Magento 1.x