2021-12-27 13:52:26 +01:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
|
|
|
# written by sqall
|
|
|
|
# twitter: https://twitter.com/sqall01
|
|
|
|
# blog: https://h4des.org
|
|
|
|
# github: https://github.com/sqall01
|
|
|
|
#
|
2021-12-30 20:48:17 +01:00
|
|
|
# Licensed under the MIT License.
|
2021-12-27 13:52:26 +01:00
|
|
|
|
|
|
|
"""
|
|
|
|
Short summary:
|
|
|
|
Search for binaries and scripts in /dev/shm.
|
|
|
|
Malware that tries to hide is often stored there.
|
|
|
|
|
|
|
|
Requirements:
|
|
|
|
None
|
|
|
|
|
|
|
|
Reference:
|
|
|
|
https://twitter.com/CraigHRowland/status/1268863172825346050?s=20
|
|
|
|
https://twitter.com/CraigHRowland/status/1269196509079166976
|
|
|
|
"""
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
2022-01-05 20:16:57 +01:00
|
|
|
from lib.util import output_finding
|
|
|
|
|
|
|
|
# Read configuration.
|
2021-12-27 13:52:26 +01:00
|
|
|
try:
|
|
|
|
from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
|
|
|
|
from config.search_dev_shm import ACTIVATED
|
|
|
|
except:
|
|
|
|
ALERTR_FIFO = None
|
|
|
|
FROM_ADDR = None
|
|
|
|
TO_ADDR = None
|
|
|
|
ACTIVATED = True
|
|
|
|
|
|
|
|
|
|
|
|
def search_suspicious_files():
|
|
|
|
|
|
|
|
# Decide where to output results.
|
|
|
|
print_output = False
|
|
|
|
if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
|
|
|
|
print_output = True
|
|
|
|
|
|
|
|
if not ACTIVATED:
|
|
|
|
if print_output:
|
|
|
|
print("Module deactivated.")
|
|
|
|
return
|
|
|
|
|
|
|
|
# Get all suspicious ELF files.
|
|
|
|
fd = os.popen("find /dev/shm -type f -exec file -p '{}' \\; | grep ELF")
|
|
|
|
elf_raw = fd.read().strip()
|
|
|
|
fd.close()
|
|
|
|
|
|
|
|
# Get all suspicious script files.
|
|
|
|
fd = os.popen("find /dev/shm -type f -exec file -p '{}' \\; | grep script")
|
|
|
|
script_raw = fd.read().strip()
|
|
|
|
fd.close()
|
|
|
|
|
|
|
|
suspicious_files = []
|
|
|
|
if elf_raw.strip():
|
|
|
|
suspicious_files.extend(elf_raw.strip().split("\n"))
|
|
|
|
if script_raw.strip():
|
|
|
|
suspicious_files.extend(script_raw.strip().split("\n"))
|
|
|
|
|
2022-01-05 20:16:57 +01:00
|
|
|
if suspicious_files:
|
|
|
|
message = "File(s) in /dev/shm suspicious:\n\n"
|
|
|
|
message += "\n".join(suspicious_files)
|
2021-12-27 13:52:26 +01:00
|
|
|
|
2022-01-05 20:16:57 +01:00
|
|
|
output_finding(__file__, message)
|
2021-12-27 13:52:26 +01:00
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
search_suspicious_files()
|