Hello,
It is not good to hear such smarter malware backdoor in Linux.
http://www.theregister.co.uk/2013/11/15/stealthy_linux_backdoor/
http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol
The guys in kumina has prepared a checker script.
https://github.com/kumina/nagios-plugins-kumina/blob/master/check_fokirtor.sh
However this will not work for older gdb. I have modified it for working with older gdb’s, below:
check_fokirtor.sh.zip
#!/bin/sh
#
# A simple check to see if running ssh processes contain any string that have
# been designated an indication of Fokirtor by Symantec.
#
# More info here:
# http://www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol
#
# (c) 2013, Kumina bv, [email protected]
#
# You are free to use, modify and distribute this check in any way you see
# fit. Just don't say you wrote it.
#
# This check is created for Debian Squeeze/Wheezy, no idea if it'll work in
# other distros. You'll need gdb-minimal (for gcore) installed.
#
# modified for older gdb by Oguz Yilmaz
# We need to be root
if [ `/usr/bin/id -u` -ne 0 ]; then
echo “You need root for this script. Sorry.”
exit 1
fi
FILE1=”set pagination off\\n\
set height 0\\n\
set width 0″
FILE2=”detach\\n\
quit”
if [ ! -f /tmp/check_fokirtor.gdb ]; then
echo -e “$FILE1” > /tmp/check_fokirtor.gdb
fi
if [ ! -f /tmp/check_fokirtor.gdb2 ]; then
echo -e “$FILE2” > /tmp/check_fokirtor.gdb2
fi
# For all pids of the ssh process, do the check
for pid in `pidof sshd`; do
t=$(/bin/mktemp)
echo “gcore $t” > /tmp/check_fokirtor.tmp1
/usr/bin/gdb –nx –pid $pid \
-x /tmp/check_fokirtor.gdb \
-x /tmp/check_fokirtor.tmp1 \
-x /tmp/check_fokirtor.gdb2 > /dev/null 2>/dev/null
#/usr/bin/gdb # -ex “set pagination off” -ex “set height 0 ” -ex “set width 0” \
# -ex “attach $pid” -ex “gcore $t” -ex detach -ex quit
i=0
for str in hbt= key= dhost= sp= sk= dip=; do
/usr/bin/strings $t | /bin/grep “${str}[[:digit:]]”
if [ $? -eq 0 ]; then
i=$(($i + 1))
fi
done
/bin/rm $t
/bin/rm /tmp/check_fokirtor.tmp1
if [ $i -eq 6 ]; then
echo “CRITICAL: Fokirtor strings found in sshd process ${pid}!”
exit 2
fi
done
echo “OK: No indication of Fokirtor found.”
exit 0