Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
A small script to detect Linux/Cdorked.A malware on a linux system using the tool from ESET

Linux/Cdorked.A detector

This script uses the tool from ESET to check the RAM of a linux system for the Linux/Cdorked.A malware. It uses the tool as of April 2013. As of this date the malware had only been known about for a month with research still ongoing. For this reason there may be a later version of the tool available.

I found the tool on the ESET page describing the Linux/Cdorked.A malware so that would likely be the best place to check for updates, if there are any.

How to run it

If you are here, you can probably tell that the below script does nothing harmful so run one of the following commands at terminal to execute it in a single command:

curl | sh
wget --no-check-certificate -O - | sh

If you are good you will see this printed out:

No shared memory matching Cdorked signature was found.
To further verify your server, run "ipcs -m -p" and look for a memory segments created by your http server.

More info

For more information please see the ESETs We Live Security blog post at

# Jump into tmp
cd /tmp
# Get the source from ESET
wget -O dump_cdorked_config.c -q
# Make sure we have GCC available
if [ "$(which gcc 2>&1 > /dev/null ; echo $?)" != "0" ]; then
echo "GCC is not installed. Please install it before running this script";
echo " Debian: sudo apt-get install build-essential";
echo " Fedora: sudo yum groupinstall \"Development Tools\"";
exit 1;
# Build the lib
gcc -o dump_cdorked_config dump_cdorked_config.c
# check if building the tool worked
if [ "$?" != "0" ]; then
echo "Building the tool failed... :(";
exit 1;
# Run the tool
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment