public
Last active

A small script to detect Linux/Cdorked.A malware on a linux system using the tool from ESET

  • Download Gist
README.md
Markdown

Linux/Cdorked.A detector

This script uses the tool from ESET to check the RAM of a linux system for the Linux/Cdorked.A malware. It uses the tool as of April 2013. As of this date the malware had only been known about for a month with research still ongoing. For this reason there may be a later version of the tool available.

I found the tool on the ESET page describing the Linux/Cdorked.A malware so that would likely be the best place to check for updates, if there are any.

How to run it

If you are here, you can probably tell that the below script does nothing harmful so run one of the following commands at terminal to execute it in a single command:

curl https://gist.github.com/penguinpowernz/5731076/raw/9f49d592f9281ad2e212f05dfec076985d4d8e42/cdorked_detect.sh | sh
wget https://gist.github.com/penguinpowernz/5731076/raw/9f49d592f9281ad2e212f05dfec076985d4d8e42/cdorked_detect.sh --no-check-certificate -O - | sh

If you are good you will see this printed out:

No shared memory matching Cdorked signature was found.
To further verify your server, run "ipcs -m -p" and look for a memory segments created by your http server.

More info

For more information please see the ESETs We Live Security blog post at http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/

cdorked_detect.sh
Shell
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27
#!/bin/bash
 
# Jump into tmp
cd /tmp
 
# Get the source from ESET
wget http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c -O dump_cdorked_config.c -q
 
# Make sure we have GCC available
if [ "$(which gcc 2>&1 > /dev/null ; echo $?)" != "0" ]; then
echo "GCC is not installed. Please install it before running this script";
echo " Debian: sudo apt-get install build-essential";
echo " Fedora: sudo yum groupinstall \"Development Tools\"";
exit 1;
fi;
 
# Build the lib
gcc -o dump_cdorked_config dump_cdorked_config.c
 
# check if building the tool worked
if [ "$?" != "0" ]; then
echo "Building the tool failed... :(";
exit 1;
fi;
 
# Run the tool
./dump_cdorked_config

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.