add rock
bpfdoor_report_rockpi-4c_2026-03-27_13-28-27.log (139 lines, normal file)
@@ -0,0 +1,139 @@
██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗
██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║
██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝
██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝
██║ ██║██║ ██║██║ ██║██████╔╝ ██║
╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝
M A L W A R E L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host : rockpi-4c
Date : 2026-03-27_13-28-27
Version: 1.1
==========================================================
[2026-03-27 13:28:27] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 13:28:27] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 13:28:27] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 13:28:27] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 13:28:27] [INFO] [3/12] Inspecting BPF filters via ss -0pb
Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
p_raw 0 0 LLDP:end0 * users:(("systemd-network",pid=697,fd=10))
[2026-03-27 13:28:27] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
[2026-03-27 13:28:27] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 13:28:27] [ALERT] Suspicious Socket detected: PID 697 (/lib/systemd/systemd-networkd) -> /usr/lib/systemd/systemd-networkd
[2026-03-27 13:28:27] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/gconv/gconv-modules.cache (PID: 697)
------- HEXDUMP CONTEXT -------
9730bd2d973000008e0cbd2d8231bd2d823100007e01bd2d092fbd2d092f0000c90fbd2d
-------------------------------
[2026-03-27 13:28:29] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libaudit.so.1.0.0 (PID: 697)
------- HEXDUMP CONTEXT -------
2f11000040110000471100004d110000551100005a110000621100006b11000073110000
9708000042080000280e0000af04000055110000650a000094090000a1080000120e0000
-------------------------------
[2026-03-27 13:28:32] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libblkid.so.1.1.0 (PID: 697)
------- HEXDUMP CONTEXT -------
c0002009612a60d140000002400000085110000080000007a11000000000000010000000
400000000000000901100000800000085110000000000000000000001000100f41000001
-------------------------------
[2026-03-27 13:28:45] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libcrypto.so.3 (PID: 697)
------- HEXDUMP CONTEXT -------
491000004b1000004d1000004e1000005110000000000000541000000000000000000000
0000000021100000311000000000000051100000611000007110000091100000c1100000
f1100001011000012110000141100001511000000000000181100001a1100001b1100001
-------------------------------
[2026-03-27 13:30:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libc.so.6 (PID: 697)
------- HEXDUMP CONTEXT -------
10000000000008765000012000c005025110000000000a40500000000000049390000120
0000000000000dd43000012000c00b0d51100000000001000000000000000a3440000120
0000000000000b963000012000c00c0d511000000000008000000000000001d6c0000120
-------------------------------
[2026-03-27 13:31:18] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libgcrypt.so.20.4.1 (PID: 697)
------- HEXDUMP CONTEXT -------
304000000000000f00d0400000000001823100000000000030400000000000070f803000
304000000000000500104000000000038231000000000000304000000000000c41004000
304000000000000286b0a000000000058231000000000000304000000000000386b0a000
-------------------------------
[2026-03-27 13:31:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libgpg-error.so.0.33.1 (PID: 697)
------- HEXDUMP CONTEXT -------
e41f000054b9feff20200000a0b9feff4820000000bafeff6820000020bafeff7c200000
-------------------------------
[2026-03-27 13:31:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/liblzma.so.5.4.1 (PID: 697)
------- HEXDUMP CONTEXT -------
0051001c00121f2400714813005426339352000080522633a37204000014f40304aa1f00
-------------------------------
[2026-03-27 13:31:54] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libmount.so.1.1.0 (PID: 697)
------- HEXDUMP CONTEXT -------
7d5d6d3d40e00410b0000003000000034820000088dfdff3401000000410e509d0a9e094
-------------------------------
[2026-03-27 13:32:06] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libm.so.6 (PID: 697)
------- HEXDUMP CONTEXT -------
10ea000000000000f8000000000000004820000022000d00409b0400000000001c000000
8820000d03afdff20820000e43afdff34820000003bfdff48820000103bfdff5c8200002
-------------------------------
[2026-03-27 13:32:21] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2 (PID: 697)
------- HEXDUMP CONTEXT -------
0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000
000000448c408000000400300000022951100000000c17f00000080000100000000c17f0
-------------------------------
[2026-03-27 13:32:36] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libselinux.so.1 (PID: 697)
------- HEXDUMP CONTEXT -------
50060100000000007c010000000000005110000012000c00808001000000000044000000
-------------------------------
[2026-03-27 13:32:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-252.so (PID: 697)
------- HEXDUMP CONTEXT -------
4c1000004d1000004e100000000000005110000053100000000000005410000000000000
c1100001f110000221100002411000025110000000000002711000000000000281100000
000000000000000301100003111000035110000000000003611000000000000371100003
-------------------------------
[2026-03-27 13:34:08] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/locale/locale-archive (PID: 697)
------- HEXDUMP CONTEXT -------
40200000422000004420000046200000482000004a2000004c2000004e20000050200000
44200000000000004720000000000000482000000000000049200000000000004a200000
803100000000000081310000000000008231000000000000833100000000000084310000
-------------------------------
[2026-03-27 13:35:23] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/systemd-networkd (PID: 697)
------- HEXDUMP CONTEXT -------
000000000000000000000000000004cf51100000000004cf511000000000000000100000
000000000000000000000000000000004820000012000000000000000000000000000000
036170000000000030400000000000088231000000000005836170000000000030400000
-------------------------------
[2026-03-27 13:36:03] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 13:36:04] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 13:36:04] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 13:36:04] [ALERT] [6/12] Potentially suspicious connections on historical BPFDoor ports:
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 1548039/docker-prox
tcp6 0 0 :::8000 :::* LISTEN 1548047/docker-prox

[2026-03-27 13:36:05] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 13:36:19] [CRITICAL] [7/12] Process Masquerading Detected! PID=69 claims to be '[watchdogd]' but is actually executing '/proc/69/exe'
[2026-03-27 13:36:41] [CRITICAL] [7/12] Process Masquerading Detected! PID=1367 claims to be '/sbin/agetty -o -p -- \u --noclear - linux' but is actually executing '/usr/sbin/agetty'
[2026-03-27 13:36:41] [CRITICAL] [7/12] Process Masquerading Detected! PID=1368 claims to be '/sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - linux' but is actually executing '/usr/sbin/agetty'
[2026-03-27 13:36:58] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 13:36:58] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-27 13:36:58] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 13:36:58] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 13:36:58] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 13:36:58] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks.
[2026-03-27 13:36:58] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 13:36:58] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 13:36:58] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/bin/docker-proxy
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/gconv/gconv-modules.cache
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libaudit.so.1.0.0
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libblkid.so.1.1.0
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libcrypto.so.3
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libc.so.6
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libgcrypt.so.20.4.1
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libgpg-error.so.0.33.1
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/liblzma.so.5.4.1
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libmount.so.1.1.0
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libm.so.6
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libselinux.so.1
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-252.so
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/locale/locale-archive
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-networkd
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/sbin/agetty
[2026-03-27 13:36:59] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-27 13:36:59] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system
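Review bot: the report this hunk commits shows the detection script's own logic problems rather than a compromised host, and those are worth fixing before more reports like it are checked in. Step [11/12] skips with "'dig' or 'ss' missing" although step [3/12] ran `ss -0pb` successfully a few lines earlier, so the dependency check in step 11 is wrong; step [10/12] runs after [12/12], so either the step numbering or the execution order is off; and the "Deep scanning candidate binaries (hash, strings, UPX packing)" step lists sixteen candidates but emits no hash, string or packing result for any of them. The CRITICAL "Little-Endian Magic Bytes" findings fire on every library mapped by systemd-networkd (libc.so.6, libm.so.6, libcrypto.so.3, locale-archive), which means the magic-byte scan matches ordinary ELF and data content and needs a tighter signature or a context check before it is rated CRITICAL; likewise the [7/12] masquerading hits are '/sbin/agetty' versus '/usr/sbin/agetty' (the same file on a merged-/usr system) and PID 69 '[watchdogd]', a kernel thread whose /proc/69/exe readlink fails and is printed unresolved, so the path comparison should canonicalise both sides and skip kernel threads. The file also ends on "[ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system" with no detail of the pattern and no summary, so the report is either truncated or the script exits before printing what matched. Finally, consider whether raw host reports with hostname and memory hexdumps belong in the repository at all; a redacted sample under a test-fixtures directory would serve the same purpose.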