#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
Rootkit Clean.
'''
import glob
import hashlib
import os
import platform
import signal
import subprocess

# Start-up banner, printed once when the module is loaded.
_BANNER = (
    "####################################################",
    "#                                                  #",
    "#             Clean rootkit for Linux              #",
    "#             Version 1.0                          #",
    "#             iliuyi@outlook.com                   #",
    "#             2017.03.10                           #",
    "#                                                  #",
    "####################################################",
)
print("\n".join(_BANNER))

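def get_file_md5(i):
    """
    Get file Md5

    Hashes the file contents with hashlib instead of shelling out to
    ``md5sum``/``md5`` via ``os.popen``.  The original built the command line
    by string concatenation, and backdoor_chk feeds it paths discovered under
    /tmp and /home, so a file name chosen by a local user could reach a root
    shell.  Hashing in-process also works on any platform (the original left
    ``file_md5`` unbound on anything but Linux/Darwin).

    :param i: path of the file to hash
    :return: lowercase hex MD5 digest, or '' when the file cannot be opened or
             read -- the same value the old ``md5sum`` pipeline produced on
             error, so callers comparing against known digests are unaffected
    """
    digest = hashlib.md5()
    try:
        with open(i, 'rb') as fh:
            # Chunked read: backdoor_chk hashes files of up to 50 MB.
            for chunk in iter(lambda: fh.read(1 << 20), b''):
                digest.update(chunk)
    except (IOError, OSError):
        return ''
    return digest.hexdigest()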

def sys_cmd_chk():
    """
    Check ps, netstat, ss, lsof ocmmand

    Every command that ``which`` can resolve through the current PATH is
    hashed and compared with the fixed reference digests listed below.  Those
    digests are constants from one particular build, so a genuine binary from
    a different distribution or package version also reports 'Failed'; read
    'Failed' as "differs from the reference", not as proof of tampering.

    :return: dict MD5 digest -> resolved path for each command whose digest
             matched none of its references
    """
    print("[ # ] Begin system command check, wait......")
    # (command name, known-good MD5 digest, ...)
    references = [
        ('ps', '4d503063a95ec2dfc1e6fa38eb1da7b1', 'e30714c10bf0f32d5db211e4548dc764'),
        ('netstat', '3adb02328f112627e3334977a81b09cc'),
        ('ss', 'c934db730e7b2482c5a20daaa556f9ff'),
        ('lsof', 'd1dcfc0a4ba0d3a9954f3aea05da3ed8'),
    ]
    evil_cmd = {}
    for entry in references:
        name, good_md5 = entry[0], entry[1:]
        # Commands that are not installed are skipped silently.
        if os.system("which " + name + " >/dev/null 2>&1") != 0:
            continue
        command_path = os.popen('which ' + name).readline()[:-1]
        command_md5 = get_file_md5(command_path)
        verdict = "Success   [OK]"
        if command_md5 not in good_md5:
            verdict = "Failed   [Warning]"
            evil_cmd[command_md5] = command_path
        print("[ * ] Check system command '" + name + "'....... " + verdict)
        print("[ + ] MD5: " + command_md5 + " " + command_path)
    return evil_cmd

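def sys_cmd_rec(evil_cmd=None):
    """
    Recover system command!

    For each flagged command, report the removal of the suspect binary and the
    restore of ``./cmd_bak/<basename>`` over it.  The destructive steps
    (``os.remove`` and the ``mv``) were disabled in the original and stay
    disabled here, so this is a dry run that only prints what it would do.

    Fixes: the mutable default argument; the "backup dir not found" message
    and the "Recover backdoor cmd file" message were assigned to ``line`` but
    never printed, so the early return and the recovery step were silent.

    :param evil_cmd: dict MD5 digest -> path as returned by sys_cmd_chk;
                     None or empty means there is nothing to recover
    """
    if evil_cmd is None:
        evil_cmd = {}
    print("[ # ] Begin system command recovery, wait......")
    if not evil_cmd:
        print("[ + ] No evil command found...... [Return]")
        return
    backup_dir = os.path.join(os.getcwd(), 'cmd_bak')
    if not os.path.isdir(backup_dir):
        print("[ + ] Backup commands dir not foud, make sure it exists...... [ERR]")
        return
    for evil_file in evil_cmd.values():
        backup_cmd = os.path.join(backup_dir, os.path.basename(evil_file))
        print("[ + ] Remove backdoor cmd file '" + evil_file + "', wait......")
        # os.remove(evil_file)  -- intentionally disabled (dry run)
        print("[ * ] Success...... [ OK ]")
        if not os.path.isfile(backup_cmd):
            print("[ * ] Backup commands not foud, make sure it exists...... [ERR]")
            continue
        print("[ + ] Recover backdoor cmd file '" + evil_file + "', wait......")
        # Intentionally disabled (dry run).  If re-enabled, use
        # shutil.move(backup_cmd, evil_file) rather than a "mv ..." shell
        # string so the paths are never parsed by a shell.
        print("[ * ] Success...... [ OK ]")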

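def sys_cfg_chk():
    """
    System config check

    Looks for the known dropper/persistence paths in ``evil_list``.  Entries
    containing a wildcard are expanded with ``glob`` -- ``os.path.isfile`` on a
    literal '****.elf' could never match -- and surrounding whitespace is
    stripped (the first entry carried a leading space that made it dead).

    :return: list of existing regular files that matched an entry
    """
    print("[ # ] Begin system config check, wait......")
    evil_list = ('/tmp/bin/****.elf',
                 '/etc/init.d/DbSecuritySpt',
                 '/etc/rc1.d/S97DbSecuritySpt',
                 '/etc/rc2.d/S97DbSecuritySpt',
                 '/etc/rc3.d/S97DbSecuritySpt',
                 '/etc/rc4.d/S97DbSecuritySpt',
                 '/etc/rc5.d/S97DbSecuritySpt',
                 '/usr/bin/bsd-port/getty',
                 '/tmp/gates.lod')

    evil_cfg_file = []
    for pattern in evil_list:
        pattern = pattern.strip()
        print("[ * ] Check if exist '" + pattern + "' file, wait......")
        if any(ch in pattern for ch in '*?['):
            # Wildcard entry: report every regular file it expands to.
            matches = [p for p in sorted(glob.glob(pattern)) if os.path.isfile(p)]
        else:
            matches = [pattern] if os.path.isfile(pattern) else []
        if not matches:
            print("[ + ] Nothing found....... [ OK ]")
            continue
        for found in matches:
            evil_cfg_file.append(found)
            print("[ + ] Found evil config file '" + found + "'..... [Warning]")
    return evil_cfg_file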

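def _file_type(path):
    """
    Return the first line of ``file <path>`` output, or '' if ``file`` cannot
    be started.  The path is passed as an argv element, never through a shell,
    so a name containing shell metacharacters is inert.
    """
    try:
        proc = subprocess.Popen(["file", path], stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
    except OSError:
        return ''
    out = proc.communicate()[0]
    return out.decode('utf-8', 'replace').split('\n')[0]


def backdoor_chk():
    """
    Check backdoor file
    Return backdoor file MD5 and full path

    Walks every directory in ``chk_dir`` that exists, asks ``file`` about each
    regular file, and hashes the ones reported as executable that are at most
    50 MB.  A digest listed in ``backdoor_md5`` is recorded.

    The original ran ``os.popen("file " + fullpath)``: file names under /tmp
    and /home are chosen by whoever can write there and this script runs as
    root, so ``file`` is now invoked with an argument list.  Files that vanish
    between listing and stat (common in /tmp) are skipped instead of aborting
    the whole scan.

    :return: dict MD5 digest -> full path of every matching executable
    """
    print("[ # ] Begin backdoor file check, wait......")
    # Found backdoor file MD5
    backdoor_md5 = frozenset([
        'dc00f3ed3d5be091e7b4d31915fd7cbb',
        'f6006871f38a348f7227255cc9c38cf1',
        '7dc35314d81d9d0f512849e8fcf99aa9',
        '26cba57078106665873d0fba6cd633ec',
        'c808249f92fc0bc644e2a92a2470cb33',
    ])
    chk_dir = ["/tmp", "/home", "/etc", "/root", "/bin"]
    backdoor_sum = {}
    for cur_dir in chk_dir:
        if not os.path.isdir(cur_dir):
            continue
        for dirpath, _subdirs, filenames in os.walk(cur_dir):
            for exec_file in filenames:
                fullpath = os.path.join(dirpath, exec_file)
                if "executable" not in _file_type(fullpath):
                    continue
                try:
                    size_bytes = os.path.getsize(fullpath)
                except OSError:
                    continue
                # Floor division keeps the 50 MB cut-off identical on
                # Python 2 and 3 (plain '/' is true division on 3).
                if size_bytes // 1024 // 1024 > 50:
                    continue
                print("[ * ] Check executable flie '" + fullpath + "'......")
                file_md5 = get_file_md5(fullpath)
                if file_md5 in backdoor_md5:
                    backdoor_sum[file_md5] = fullpath
                    result = "[ Warining ]"
                else:
                    result = "[ OK ]"
                print("[ + ] MD5: " + file_md5 + " ......" + result)
    return backdoor_sum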
            

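def _ps_lines():
    """
    Return the lines of ``ps -ef`` output, or an empty list if ``ps`` cannot
    be started.  No shell is involved, so nothing from the flagged file names
    is ever parsed by one.
    """
    try:
        proc = subprocess.Popen(["ps", "-ef"], stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)
    except OSError:
        return []
    out = proc.communicate()[0]
    return out.decode('utf-8', 'replace').splitlines()


def clean_backdoor(backdoor_sum=None, evil_cfg_sum=None):
    """
    Kill every running process whose ``ps -ef`` line mentions the basename of
    a flagged file.

    Fixes relative to the original: mutable default arguments; the caller's
    ``evil_cfg_sum`` list was aliased and extended in place; the "Begin kill"
    banner was built but never printed; the inner loop reused the outer loop
    variable ``i``; ``ps -ef | grep <basename>`` interpolated file names found
    under /tmp into a root shell, and ``[:-1]`` dropped the last output line
    even when it was a real match.  ``ps`` is now run with an argument list,
    matched in Python, and the PID is signalled with ``os.kill``.

    Matching is still a plain substring test on the whole ``ps -ef`` line,
    exactly what ``grep`` did, so a short basename (e.g. 'getty') can also hit
    unrelated processes -- review the printed process line.  The script's own
    PID is skipped (the role the old ``'grep' in i`` filter played).

    :param backdoor_sum: dict MD5 digest -> path from backdoor_chk
    :param evil_cfg_sum: list of paths from sys_cfg_chk (not modified)
    """
    evil_file = list(evil_cfg_sum or [])
    evil_file.extend((backdoor_sum or {}).values())
    print("[ # ] Begin kill backdoor process, wait......")
    own_pid = str(os.getpid())
    for path in evil_file:
        needle = os.path.basename(path)
        for proc_line in _ps_lines():
            if needle not in proc_line:
                continue
            fields = proc_line.split()
            # Second column of ``ps -ef`` is the PID; skip the header and us.
            if len(fields) < 2 or not fields[1].isdigit() or fields[1] == own_pid:
                continue
            evil_pid = fields[1]
            print("[ + ] Found evil process...... ")
            print("[ * ] Process: <<<" + proc_line + ">>>, PID = [ " + evil_pid + " ]")
            print("[ + ] Start killing evil process, wait......")
            try:
                os.kill(int(evil_pid), signal.SIGKILL)
            except OSError as err:
                # Already exited or not permitted; the original reported
                # "Success" regardless of what kill(1) returned.
                print("[ * ] Failed to kill PID " + evil_pid + ": " + str(err) + " [ERR]")
                continue
            print("[ * ] Success, [ OK ]")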



if __name__ == '__main__':
    # Run this with root: the scan reads /root and /etc and the cleanup
    # signals other users' processes.
    if os.getuid():
        print("\n[ > ] Please run it with root...... [Quit]")
        exit()

    # Each phase waits for Enter first so the operator can stop with CTRL+C.
    prompts = {
        'cmd_chk': "\n\n[ > ] Press any key to start system command check ( 'CTRL + C' to stop)......\n",
        'cfg_chk': "\n\n[ > ] Press any key to start system config check ('CTRL + C' to stop) ......\n",
        'backdoor_chk': "\n\n[ > ] Press any key to start backdoor file check ('CTRL + C' to stop)  ......\n",
        'cmd_rec': "\n\n[ > ] Press any key to start system commands recover ('CTRL + C' to stop)  ......\n",
        'clean': "\n\n[ > ] Press any key to start backdoor clean ('CTRL + C' to stop)  ......\n",
    }
    print("\n\n-------------------------------------------------------")
    raw_input(prompts['cmd_chk'])
    evil_cmd = sys_cmd_chk()
    raw_input(prompts['cfg_chk'])
    evil_cfg_sum = sys_cfg_chk()
    raw_input(prompts['backdoor_chk'])
    backdoor_sum = backdoor_chk()
    raw_input(prompts['cmd_rec'])
    sys_cmd_rec(evil_cmd)
    raw_input(prompts['clean'])
    clean_backdoor(backdoor_sum, evil_cfg_sum)
    
