@judotens
Last active August 29, 2015 14:02
Botnet .IptabLes & .IptabLex cleaner
#!/bin/bash
# botnet .IptabLes & .IptabLex cleaner
# tested on my ec2 based on Amazon AMI
# here I attached my version -> http://filebin.ca/1PPeWObrq63q/IptabLesx.zip
# https://malwr.com/analysis/MDIyMmEzZmU1ZjIzNGU4ZGIxNTQ1NmViNmYxNjc0NTQ/
# @judotens

# MD5 sums of the two dropped binaries (sizes as found in the sample above)
# 1.1M
getsetup_sum="27fff3d371fff67bf14cb91e7b1f6623"
# 706K
iptablex_sum="e261d4c31425a31fd40308b6c5b9154c"

# Killing the processes and removing files under /boot and /etc/init.d needs root
if [ "$(id -u)" -ne 0 ]; then
    echo "run as root" >&2
    exit 1
fi

rm -f scan.log
echo "-> Killing running trojan"
# match on the full command line so only the /boot/.IptabLes and /boot/.IptabLex processes are hit
pkill -9 -f '/boot/\.?IptabLe[sx]' 2>/dev/null
echo "-> Deleting main sources on known locations"
rm -f /boot/.IptabLes
rm -f /boot/.IptabLex
rm -fr /boot/IptabLes
rm -fr /boot/IptabLex
rm -fr ~/.mylisthb*
rm -f /etc/init.d/IptabLes
rm -f /etc/init.d/IptabLex
echo "-> Scanning system for duplicated trojan"
# prune the pseudo filesystems and read the paths NUL-delimited so names with spaces survive
find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
    -type f -size +500k -print0 |
while IFS= read -r -d '' i; do
    sidik=$(md5sum "$i" | awk '{print $1}')   # sidik = MD5 of the file
    echo "- Scanning $i: $sidik"
    if [ "$sidik" = "$getsetup_sum" ] || [ "$sidik" = "$iptablex_sum" ]; then
        echo "-> $i marked as trojan."
        echo "$i" >> scan.log
        echo "-> Deleting .."
        rm -f "$i"
    fi
done