#!/bin/bash
# Must be run as root: lastlog, other users' crontabs and shell histories are
# not readable otherwise, and a partial report can look deceptively clean.
# Usage: ./rootkit_finder.sh | tee rootkit_report.txt
# Caveat: everything below is produced by the host's own binaries (w, last,
# netstat, cat, ...). On a suspected compromise those binaries may themselves
# be trojaned, so treat this as triage, not proof; cross-check from a
# known-good toolset or offline disk image where possible.
# Print a horizontal rule that separates the sections of the report.
divider() {
  printf '%s\n' '======================='
}
#to-do: use tee to log to a file
#to-do: check history of non-root users
#to-do: https://www.computerhope.com/unix/uat.htm
#to-do: fg and bg tasks
#for more to-dos, see the end of the script
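# Refuse to run unprivileged: lastlog, per-user crontabs and other users'
# shell histories are unreadable otherwise and the "clean" sections would be
# empty for the wrong reason.
if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  printf 'rootkit_finder.sh: must be run as root\n' >&2
  exit 1
fi

# Deliberately no 'set -e': most checks below are greps that return 1 when
# nothing matches, and "no match" is a normal result, not an error.

# Remember the PATH we were started with (it is itself evidence) and then use
# a fixed, root-owned search path so a writable directory an attacker
# prepended to PATH cannot substitute the tools this script calls.
# NOTE(review): this does not defend against trojaned binaries inside these
# directories; for that use a known-good toolset.
inherited_path=$PATH
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

printf 'checking for rootkits on %s at %s\n' "$(uname -n)" "$(date)"
divider
echo "Part 1: environment"
divider
echo "PATH (as inherited by this script):"
printf '%s\n' "$inherited_path"
divider
echo "aliases defined in shell rc files:"
# The 'alias' builtin prints nothing from a non-interactive script because the
# rc files are never sourced, so read the files themselves. Attackers alias
# ls/ps/netstat/ss to filtered wrappers; look at any alias pointing at a path.
# -s silences "no such file" for rc files that do not exist on this distro.
grep -sHn -E '^[[:space:]]*alias[[:space:]]' \
  /etc/profile /etc/bash.bashrc /etc/bashrc /etc/profile.d/*.sh \
  /root/.bashrc /root/.bash_aliases /root/.profile \
  /home/*/.bashrc /home/*/.bash_aliases /home/*/.profile \
  || echo "(no alias definitions found)"

divider
echo "Part 2: reading shell history"
echo "(weak evidence: history is only written when a shell exits, and anyone"
echo " with shell access can edit or truncate these files)"
divider

# The 'history' builtin is empty in a non-interactive script (bash only loads
# HISTFILE for interactive shells), so grep the history files directly.
# Covers root and every home directory rather than just the current user.
history_files=()
for hist in /root/.bash_history /home/*/.bash_history; do
  [[ -r "$hist" ]] && history_files+=("$hist")
done

# grep_history PATTERN: print history lines matching the extended regex
# PATTERN, prefixed with the file they came from; say so when nothing matches.
grep_history() {
  local pattern=$1
  if (( ${#history_files[@]} == 0 )); then
    echo "(no readable bash history files found)"
    return 0
  fi
  grep -aHE -- "$pattern" "${history_files[@]}" || echo "(no matches)"
}

echo "history files examined:"
if (( ${#history_files[@]} == 0 )); then
  echo "(none)"
else
  printf '%s\n' "${history_files[@]}"
fi
divider
echo "history containing /etc/passwd:"
grep_history '/etc/passwd'
divider
echo "history containing /etc/shadow:"
grep_history '/etc/shadow'
divider
echo "history containing bash -i / bash -c (typical of reverse or inline shells):"
grep_history 'bash[[:space:]]+-[ic]\b'
divider
echo "history containing /dev/tcp/ or /dev/udp/ (bash reverse shells):"
grep_history '/dev/(tcp|udp)/'
divider
echo "history containing history tampering (unset HISTFILE, HISTSIZE=0, history -c, ...):"
grep_history 'unset[[:space:]]+HISTFILE|HISTFILE=|HISTSIZE=0|set[[:space:]]+\+o[[:space:]]+history|history[[:space:]]+-c'
divider
# Word-bounded: a bare 'nc' pattern also matches sync, function, uncompress...
echo "history containing nc / ncat / netcat (bind shells or listeners):"
grep_history '\b(nc|ncat|netcat)\b'
divider
echo "history containing dnscat (used for data exfiltration):"
grep_history 'dnscat'
divider
echo "history containing mysql (such as connection attempts):"
grep_history 'mysql'
divider
echo "history containing wget:"
grep_history 'wget'
divider
echo "history containing curl:"
grep_history 'curl'
divider
echo "history containing cron:"
grep_history 'cron'
divider
echo "history containing systemctl:"
grep_history 'systemctl'

divider
echo "Part 3: logins"
echo "(wtmp and lastlog are routinely wiped by log cleaners; no entries is not proof of no logins)"
divider
echo "currently logged in users (w):"
w
divider
echo "last:"
last
divider
echo "lastlog:"
lastlog
divider
echo "current network connections (all tcp/udp, numeric, with owning process):"
# -n: no DNS lookups, so the scan is fast and does not emit resolver traffic
# from a possibly-compromised host; -p: owning process. Prefer ss and fall
# back to the deprecated netstat. NOTE(review): a kernel-level rootkit can
# hide sockets from both tools; this view is only as honest as the kernel.
if command -v ss >/dev/null 2>&1; then
  ss -atunp
elif command -v netstat >/dev/null 2>&1; then
  netstat -atunp
else
  echo "(neither ss nor netstat is available)" >&2
fi

divider
echo "Part 4: checking scheduled tasks"
divider
echo "systemd timers (including inactive):"
systemctl list-timers --all --no-pager
divider
echo "/etc/crontab:"
cat /etc/crontab
divider
echo "/etc/cron.d/*:"
# Drop-in system crontabs are a common persistence location.
shopt -s nullglob
cron_d_files=(/etc/cron.d/*)
shopt -u nullglob
if (( ${#cron_d_files[@]} == 0 )); then
  echo "(none)"
else
  for f in "${cron_d_files[@]}"; do
    [[ -f "$f" ]] || continue
    echo "--- $f"
    cat -- "$f"
  done
fi
divider
echo "per-user crontabs (root included):"
# Debian keeps these in /var/spool/cron/crontabs, RHEL-style systems in
# /var/spool/cron; list whichever exists. The -f test skips the Debian
# subdirectories matched by the second glob.
shopt -s nullglob
user_crontabs=(/var/spool/cron/crontabs/* /var/spool/cron/*)
shopt -u nullglob
if (( ${#user_crontabs[@]} == 0 )); then
  echo "(none)"
else
  for f in "${user_crontabs[@]}"; do
    [[ -f "$f" ]] || continue
    echo "--- $f"
    cat -- "$f"
  done
fi
divider
echo "cron.daily:"
ls -la /etc/cron.daily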
#to-do: anacron
#to-do: cron.hourly
#to-do: cron.weekly
#to-do: cron.monthly
#to-do: at
#to-do: batch
#to-do: atq
#to-do: atrm