Small bash script designed to be run on livecd environments. It mounts potentially infected system disks and then removes ld.so.preload, preserving the preloaded library in a temporary directory in the livecd environment for analysis.
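#!/bin/bash
#######################################
# Print how to invoke the script and exit.
# Only reached on misuse (missing or invalid device argument), so the text
# goes to stderr and the exit status is non-zero instead of the bare `exit`
# that previously reported success.
# Globals:   none ($0 is the script name)
# Arguments: none
# Outputs:   usage text on stderr
# Returns:   does not return; exits with status 1
#######################################
usage ()
{
  printf '%s\n' \
    "preload_kill - simple bash script designed for 'livecd' environments." \
    "Removes the ld.so.preload file on infected systems." \
    "Usage: $0 <device name of infected system root disk>" \
    "The partition should have /etc/ present on it." \
    "Example: $0 sda1" >&2
  exit 1
}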
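#######################################
# Unmount the suspect disk and remove the temporary mount point.
# Globals:   MOUNT_DIR (read) - mount point created with mktemp -d; must be set.
# Outputs:   a diagnostic on stderr when the unmount fails
# Returns:   0 if unmounted and the mount point was removed, non-zero otherwise
#######################################
unmount_tmp_dir ()
{
  # ${MOUNT_DIR:?} aborts instead of running umount/rmdir with an empty path.
  # -r: if the unmount fails, fall back to remounting read-only; -f: force.
  if umount -rf "${MOUNT_DIR:?MOUNT_DIR is not set}"; then
    # rmdir rather than rm -rf: should the disk still be mounted here, rmdir
    # refuses (directory not empty) instead of deleting the target's files.
    rmdir -- "$MOUNT_DIR"
  else
    printf 'Could not unmount %s; leaving it in place for manual cleanup.\n' "$MOUNT_DIR" >&2
    return 1
  fi
}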
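# --- main -------------------------------------------------------------------
# Expects one argument: the name under /dev of the infected system's root
# partition. usage() exits when the argument is missing or not a block device.
[ -z "$1" ] && usage
DEVICE_NAME="/dev/$1"
[ ! -b "$DEVICE_NAME" ] && { echo "Disk $1 does not exist."; usage; }
echo "Disk exists. Mounting."
MOUNT_DIR="$(mktemp -d)" || { echo "Could not create a temporary mount point. Exiting."; exit 1; }
# The disk is untrusted: nodev/nosuid/noexec stop anything on it from being
# executed, setuid or a device node from the livecd, and noatime keeps access
# timestamps intact for later analysis. Read-write is still needed to delete
# ld.so.preload. A failed mount previously went unnoticed and the script went on.
if ! mount -o nodev,nosuid,noexec,noatime "$DEVICE_NAME" "$MOUNT_DIR"; then
  echo "Could not mount $DEVICE_NAME. Exiting."
  rmdir -- "$MOUNT_DIR"
  exit 1
fi
MOUNT_ETC="$MOUNT_DIR/etc"
PRELOAD_FILE="$MOUNT_ETC/ld.so.preload"
if [ ! -f "$PRELOAD_FILE" ]; then
  echo "Couldn't find ld.so.preload on the target disk. Exiting."
  unmount_tmp_dir
  exit
fi
echo "Found ld.so.preload. Checking file contents."
# Everything kept for analysis goes here: the preload file itself plus every
# library it names that exists on the target disk.
LIBRARY_STORAGE="$(mktemp -d)" || { echo "Could not create a storage directory. Exiting."; unmount_tmp_dir; exit 1; }
cp -a -- "$PRELOAD_FILE" "$LIBRARY_STORAGE/ld.so.preload"
FOUND=0
# glibc reads ld.so.preload as a list of libraries separated by whitespace or
# ':', with '#' starting a comment, so handle every entry, not just a single one.
while IFS= read -r line || [ -n "$line" ]; do
  line="${line%%#*}"
  IFS=$' \t:' read -r -a entries <<<"$line"
  for entry in "${entries[@]}"; do
    [ -n "$entry" ] || continue
    src="$MOUNT_DIR/$entry"
    # -L as well as -e: a dangling symlink is still evidence worth keeping.
    if [ -e "$src" ] || [ -L "$src" ]; then
      if [ "$FOUND" -eq 0 ]; then
        echo "/ NOTIFICATION \\"
        FOUND=1
      fi
      echo "Potentially malicious preloaded library found ($entry). Copying to $LIBRARY_STORAGE."
      # The saved name encodes the original path ('/' -> '_') so two libraries
      # with the same basename cannot overwrite each other. -a keeps mode,
      # ownership and timestamps and copies a symlink as a link instead of
      # following it into the livecd's own filesystem.
      if cp -a -- "$src" "$LIBRARY_STORAGE/${entry//\//_}"; then
        echo "Potentially malicious library copied to $LIBRARY_STORAGE for future analysis."
      else
        echo "Failed to copy $entry to $LIBRARY_STORAGE."
      fi
    else
      echo "ld.so.preload names $entry, but it was not found on the target disk."
    fi
  done
done <"$PRELOAD_FILE"
[ "$FOUND" -eq 1 ] && echo "\\ NOTIFICATION /"
echo "Removing ld.so.preload from target disk."
# The file is often marked immutable/append-only; clear those flags first.
# chattr fails silently on filesystems without attribute support.
chattr -ia "$PRELOAD_FILE" &>/dev/null
rm -f -- "$PRELOAD_FILE"
# rm -f reports success even when it could not delete anything, so check the path.
if [ -e "$PRELOAD_FILE" ] || [ -L "$PRELOAD_FILE" ]; then
  echo "Failed to remove ld.so.preload. The target disk may still be affected."
  REMOVED=0
else
  echo "ld.so.preload removed."
  REMOVED=1
fi
unmount_tmp_dir
echo "A copy of ld.so.preload and any preloaded libraries found were saved to $LIBRARY_STORAGE."
if [ "$REMOVED" -eq 1 ]; then
  echo "Any potentially malicious preloaded malware should now be gone. If you're seeing these messages and you now know you were infected,"
else
  echo "ld.so.preload could not be removed, so the preloaded malware is probably still active. If you now know you were infected,"
fi
echo "you should patch any entry points the attacker exploited to gain access to your box."
echo "The malware may be gone, but that doesn't stop them from coming back the same way they did before."
echo "Goodbye!"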