commit 895b866e7283b781013e6b73b6404d1c5c09dbb2 Author: Vaclav VESELY Date: Fri Mar 27 13:44:34 2026 +0100 add eve diff --git a/bpfdoor.sh b/bpfdoor.sh new file mode 100755 index 0000000..e5337fa --- /dev/null +++ b/bpfdoor.sh @@ -0,0 +1,768 @@ +#!/usr/bin/env bash +# +# Rapid7 Labs / Enhanced – Linux BPFDoor Detection Script +# +# Detects both “classic” and newer BPFDoor variants using: +# - Known hashes (optional, extendable) +# - Suspicious mutex/lock files in /var/run +# - Auto-start hooks in /etc/sysconfig +# - BPF filter usage via ss -0pb and /proc/net/packet +# - RAW / packet socket usage (Including SOCK_DGRAM Layer 2 Stripping) +# - Suspicious env vars (HOME=/tmp, HISTFILE=/dev/null, MYSQL_HISTFILE=/dev/null) +# - Known masqueraded process names + paths (Verified against Whitelist) +# - Process-specific Binary Signatures (66666666H, ttcompat, etc.) +# - Active C2 Reverse Shell Connections +# - Memory-resident (deleted) binary execution +# - Kernel Stack Tracing (packet_recvmsg blocking) +# - Suspicious ports (42391–43390, 8000) +# - Suspicious strings & UPX packing in candidate binaries +# - Basic persistence checks (cron, systemd, rc scripts) +# +# Requires: bash, grep, awk, ps, readlink, stat, ss OR netstat, lsof (optional), strings, find, hexdump, dd, dig (optional) +# +# This script is best-effort and may produce false positives. Use results as +# triage input, not as a sole source of truth. + +set -o pipefail + +VERSION="1.1" +HOSTNAME="$(hostname)" +DATE="$(date +%Y-%m-%d_%H-%M-%S)" +LOGFILE="bpfdoor_report_${HOSTNAME}_${DATE}.log" + +# Global script PIDs to exclude from our own checks +SCRIPT_PID=$$ +SCRIPT_PPID=$PPID + +# ---- Colours --------------------------------------------------------------- +#if [ -t 1 ]; then +RED=$'\033[1;31m' +GREEN=$'\033[1;32m' +YELLOW=$'\033[1;33m' +BLUE=$'\033[1;34m' +CYAN=$'\033[1;36m' +MAGENTA=$'\033[1;35m' +ORANGE=$'\033[38;5;208m' +NC=$'\033[0m' +#else + #RED=""; GREEN=""; YELLOW=""; BLUE=""; CYAN=""; MAGENTA=""; NC=""; ORANGE="" +#fi + +# ---- Known malicious hashes (minimal baseline, extend as needed) ----------- +declare -A MALWARE_SHA256=() +declare -A MALWARE_MD5=() + +# ---- Suspicious names and patterns ---------------------------------------- +SUSPICIOUS_MUTEX_FILES=( + "/var/run/aepmonend.pid" "/var/run/auditd.lock" "/var/run/cma.lock" + "/var/run/console-kit.pid" "/var/run/consolekit.pid" "/var/run/daemon.pid" + "/var/run/hald-addon.pid" "/var/run/hald-smartd.pid" "/var/run/hp-health.pid" + "/var/run/hpasmlit.lock" "/var/run/hpasmlited.pid" "/var/run/lldpad.lock" + "/var/run/mcelog.pid" "/var/run/system.pid" "/var/run/uvp-srv.pid" + "/var/run/vmtoolagt.pid" "/var/run/xinetd.lock" +) + +# Command-line strings BPFDoor uses to hide +SUSPICIOUS_PROCS=( + "/sbin/agetty" "/sbin/auditd" "/sbin/mingetty" "/sbin/sgaSolAgent" "/sbin/udevd" + "/usr/bin/python -Es /usr/sbin/tuned" "/usr/bin/uvp-srv" "/usr/lib/polkit-1/polkitd" + "/usr/lib/systemd/systemd-journald" "/usr/lib/systemd/systemd-machined" + "/usr/libexec/hald-addon-volume" "/usr/libexec/postfix/master" "/usr/libexec/rtkit-daemon" + "/usr/libexec/upowerd" "/usr/sbin/NetworkManager" "/usr/sbin/abrtd" "/usr/sbin/acpid" + "/usr/sbin/atd" "/usr/sbin/chronyd" "/usr/sbin/console-kit" "/usr/sbin/console-kit-daemon" + "/usr/sbin/crond" "/usr/sbin/mcelog" "/usr/sbin/rsyslogd" "/usr/sbin/smartd" + "/usr/sbin/sshd" "[charger_manager]" "[kaluad_sync]" "[scsi_tmf_6]" "[watchdogd]" + "[cpu/0]" "avahi-daemon: chroot helper" "cmathreshd" "dbus-daemon --system" + "hald-addon-acpi" "hald-runner" "hpasmlited" "lldpad -d" "nginx: master process" + "pickup -l -t fifo -u" "/sbin/ora_ppmond" "/usr/bin/pulse-helper" +) + +# The ACTUAL physical paths of legitimate daemons. If a process masquerades as one of +# the above but isn't running from one of these files, it gets flagged. +WHITELIST_EXES=( + "/sbin/agetty" "/sbin/auditd" "/sbin/mingetty" "/sbin/udevd" + "/usr/bin/python" "/usr/bin/python2" "/usr/bin/python3" + "/usr/sbin/tuned" "/usr/lib/polkit-1/polkitd" "/usr/libexec/postfix/pickup" + "/usr/libexec/postfix/master" "/usr/sbin/NetworkManager" + "/usr/sbin/console-kit-daemon" "/usr/sbin/crond" "/usr/sbin/mcelog" + "/usr/sbin/rsyslogd" "/usr/sbin/smartd" "/usr/sbin/avahi-daemon" + "/usr/bin/dbus-daemon" "/usr/libexec/hald-addon-acpi" "/usr/libexec/hald-runner" + "/usr/sbin/lldpad" "/usr/sbin/nginx" "/usr/sbin/sshd" "/usr/sbin/acpid" + "/usr/sbin/atd" "/usr/sbin/chronyd" "/usr/sbin/console-kit" + "/usr/libexec/rtkit-daemon" "/usr/libexec/upowerd" "/usr/sbin/abrtd" +) + +SUSPICIOUS_STRINGS=( + "HISTFILE=/dev/null" "MYSQL_HISTFILE=/dev/null" "ttcompat" ":h:d:l:s:b:t:" + ":f:wiunomc" ":f:x:wiuoc" "LibTomCrypt 1.17" + "Private key does not match the public certificate" + "I5*AYbs@LdaWbsO" "3458" "8543" "1234" +) + +KNOWN_C2_HOSTS=( + "ntpupdate.ddnsgeek.com" "ntpussl.instanthq.com" "ntpd.casacam.net" "ntpupdate.ygto.com" +) + +SUSPICIOUS_PORTS_RANGE_START=42391 +SUSPICIOUS_PORTS_RANGE_END=43390 +SUSPICIOUS_PORT_SINGLE=8000 + +SUSPICIOUS_FILES_TMP=() + +# ---- Logging helpers ------------------------------------------------------- +log() { + local level="$1"; shift + local msg="$*" + local ts + ts="$(date +'%Y-%m-%d %H:%M:%S')" + + # Log cleanly to file + echo "[$ts] [$level] $msg" >> "$LOGFILE" + + # Apply colors for terminal output + local color="${NC}" + case "$level" in + "CRITICAL") color="${RED}" ;; + "ALERT") color="${YELLOW}" ;; + "INFO") color="${BLUE}" ;; + "SUCCESS") color="${GREEN}" ;; + "WARN") color="${MAGENTA}" ;; + esac + + # Print colored output to terminal + echo -e "${NC}[$ts] [${color}${level}${NC}] $msg" +} + +banner() { + local b=$(cat << "EOF" +██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗ +██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║ +██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝ +██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝ +██║ ██║██║ ██║██║ ██║██████╔╝ ██║ +╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝ + M A L W A R E L A B S +========================================================== +Enhanced Linux BPFDoor Detection Script +========================================================== +EOF +) + echo -e "${ORANGE}${b}${NC}" + echo "$b" >> "$LOGFILE" + echo "Host : ${HOSTNAME}" | tee -a "$LOGFILE" + echo "Date : ${DATE}" | tee -a "$LOGFILE" + echo "Version: ${VERSION}" | tee -a "$LOGFILE" + echo "==========================================================" | tee -a "$LOGFILE" +} + +require_root() { + if [ "$EUID" -ne 0 ]; then + echo -e "${RED}[!] This script requires root privileges.${NC}" + exit 1 + fi +} + +cmd_exists() { + command -v "$1" >/dev/null 2>&1 +} + +mark_suspicious_file() { + local file="$1" + SUSPICIOUS_FILES_TMP+=("$file") +} + +is_self() { + # Excludes the script itself from being flagged during execution + local p="$1" + if [ "$p" = "$SCRIPT_PID" ] || [ "$p" = "$SCRIPT_PPID" ]; then + return 0 + fi + return 1 +} + +# ---- Helper: Hash check --------------------------------------------------- +hash_matches_malware() { + local file="$1" + if cmd_exists sha256sum; then + local h="$(sha256sum "$file" 2>/dev/null | awk '{print $1}')" + [ -n "${MALWARE_SHA256[$h]}" ] && return 0 + fi + if cmd_exists md5sum; then + local h="$(md5sum "$file" 2>/dev/null | awk '{print $1}')" + [ -n "${MALWARE_MD5[$h]}" ] && return 0 + fi + return 1 +} + +# ---- Helper: Strings check ------------------------------------------------ +scan_strings_for_bpfdoor() { + local file="$1" + cmd_exists strings || return 1 + local found=0 + local file_strings="$(strings "$file" 2>/dev/null)" + for s in "${SUSPICIOUS_STRINGS[@]}"; do + if echo "$file_strings" | grep -Fq "$s"; then + log "ALERT" "String match '$s' found in $file" + found=1 + fi + done + [ "$found" -eq 1 ] && return 0 + return 1 +} + +# ---- Helper: Hexdump Mapped Memory for Magic Bytes ------------------------ +check_maps_hex() { + local pid="$1" + is_self "$pid" && return + [ -r "/proc/$pid/maps" ] || return + cmd_exists hexdump || return + + local maps_paths="$(awk '{ if ($6 ~ /^\//) print $6 }' "/proc/$pid/maps" 2>/dev/null | sort -u)" + + # Combined 32-bit Little-Endian hex strings of all magic bytes from BPF filters + local magic_hex_regex="55720000|93520000|39393939|6c8d0000|4f9f0000|0f270000|48200000|55110000|33540000|82310000|51100000|21330000|adde0000" + + for path in $maps_paths; do + [ -r "$path" ] || continue + + local size="$(stat -c '%s' "$path" 2>/dev/null || echo 0)" + [ "$size" -gt 5242880 ] && continue + + # Create a single continuous string of hex characters + local hexdata="$(hexdump -ve '1/1 "%02x"' "$path" 2>/dev/null)" + + if echo "$hexdata" | grep -qiE "$magic_hex_regex"; then + log "CRITICAL" "Little-Endian Magic Bytes found in mapped file: $path (PID: $pid)" + mark_suspicious_file "$path" + + # Extract the magic bytes along with ~16 bytes (32 hex characters) of context on either side + local context="$(echo "$hexdata" | grep -ioE ".{0,32}($magic_hex_regex).{0,32}" | head -n 3)" + + if [ -n "$context" ]; then + echo "------- HEXDUMP CONTEXT -------" >> "$LOGFILE" + echo "$context" >> "$LOGFILE" + echo "-------------------------------" >> "$LOGFILE" + + echo -e "${CYAN}------- HEXDUMP CONTEXT -------${NC}" + echo "$context" | grep --color=always -iE "$magic_hex_regex" + echo -e "${CYAN}-------------------------------${NC}" + fi + fi + done +} + +# ---- Check 1: Mutex / lock files ------------------------------------------ +check_mutex_files() { + log "INFO" "[1/12] Checking /var/run for suspicious zero-byte mutex/lock files" + local found=0 + + for f in /var/run/*.pid /var/run/*.lock; do + [ -e "$f" ] || continue + local size="$(stat -c '%s' "$f" 2>/dev/null || echo "")" + local perm="$(stat -c '%a' "$f" 2>/dev/null || echo "")" + if [ "$size" = "0" ] && [ "$perm" = "644" ]; then + for known in "${SUSPICIOUS_MUTEX_FILES[@]}"; do + if [ "$f" = "$known" ]; then + log "ALERT" "Suspicious mutex/lock file: $f (size=0, perm=644)" + found=1 + fi + done + fi + done + [ "$found" -eq 0 ] && log "SUCCESS" "[1/12] No known suspicious mutex/lock files found" +} + +# ---- Check 2: Auto-exec / sysconfig hooks --------------------------------- +check_autostart_files() { + log "INFO" "[2/12] Checking /etc/sysconfig for suspicious auto-start entries" + local dir="/etc/sysconfig" + local pat='\[[[:space:]]*-f[[:space:]]+/[^]]+\][[:space:]]*&&[[:space:]]*/' + + if [ ! -d "$dir" ]; then + log "WARN" "[2/12] /etc/sysconfig not present; skipping" + return + fi + + local results="$(find "$dir" -type f -exec grep -EH "$pat" {} + 2>/dev/null || true)" + if [ -z "$results" ]; then + log "SUCCESS" "[2/12] No suspicious auto-start patterns found in /etc/sysconfig" + return + fi + + log "ALERT" "[2/12] Potential suspicious auto-start entries detected:" + echo "$results" | tee -a "$LOGFILE" + + while IFS= read -r line; do + local filepath="$(echo "$line" | sed -nE 's/.*\[ *-f *([^ ]+).*/\1/p')" + if [ -n "$filepath" ] && [ -e "$filepath" ]; then + log "ALERT" "Auto-start target candidate: $filepath" + mark_suspicious_file "$filepath" + fi + done <<< "$results" +} + +# ---- Check 3: BPF filter usage (old + new variants) ----------------------- +check_bpf_filters() { + log "INFO" "[3/12] Inspecting BPF filters via ss -0pb" + if ! cmd_exists ss; then + log "WARN" "[3/12] ss command not available; skipping BPF filter check" + return + fi + + local out="$(ss -0pb 2>/dev/null || true)" + if [ -z "$out" ]; then + log "INFO" "[3/12] No packet sockets reported by ss -0pb" + return + fi + + echo "$out" >> "$LOGFILE" + + local magic_regex='0x5293|21139|0x7255|29269|0x39393939|960051133|0x8D6C|36204|0x9F4F|40783|12674|13089|57005|4437|21555|4177|8264|0x270f|0x2048|0x1155|0x5433|0x3182|0x1051|0x3321|0xdead' + local matches="$(echo "$out" | grep -EB1 "$magic_regex" || true)" + + if [ -n "$matches" ]; then + log "CRITICAL" "[3/12] BPFDoor magic pattern found in BPF filter output!" + + echo "------- MATCH CONTEXT -------" >> "$LOGFILE" + echo "$matches" >> "$LOGFILE" + echo "-----------------------------" >> "$LOGFILE" + + echo -e "${CYAN}------- MATCH CONTEXT -------${NC}" + echo "$matches" | grep --color=always -E "$magic_regex" + echo -e "${CYAN}-----------------------------${NC}" + + local pids="$(echo "$matches" | sed -n 's/.*pid=\([0-9]\+\).*/\1/p' | sort -u)" + + if [ -n "$pids" ]; then + for pid in $pids; do + is_self "$pid" && continue + [ -d "/proc/$pid" ] || continue + local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" + local cmd="$(ps -p "$pid" -o user=,pid=,cmd= 2>/dev/null || echo "")" + log "ALERT" " PID $pid -> $exe :: $cmd" + [ -n "$exe" ] && mark_suspicious_file "$exe" + + check_maps_hex "$pid" + done + fi + else + log "SUCCESS" "[3/12] No obvious BPFDoor-like BPF filters found" + fi +} + +# ---- Check 4: RAW + packet socket usage (Enhanced) ------------------------ +check_raw_and_packet_sockets() { + log "INFO" "[4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)" + + local pids_found="" + local flagged=0 + + # 1. Collect PIDs from 'ss' + if cmd_exists ss; then + pids_found+="$(ss -0 -w -n -p 2>/dev/null | grep -oP 'pid=\K[0-9]+')" + fi + + # 2. Collect PIDs from /proc/net forensics + # We combine all potential inodes first, then find their owners + local all_inodes="" + for netfile in /proc/net/packet /proc/net/raw /proc/net/raw6; do + if [ -r "$netfile" ]; then + all_inodes+=" $(awk 'NR>1 && $NF ~ /^[0-9]+$/ {print $NF}' "$netfile" 2>/dev/null)" + fi + done + + # Process each unique inode found + for ino in $(echo "$all_inodes" | tr ' ' '\n' | sort -u); do + [ -z "$ino" ] && continue + [ "$ino" -eq 0 ] 2>/dev/null && continue + + # Find PIDs for this inode and add to our list + local p=$(grep -rlE "ino(de)?:\s*$ino" /proc/[0-9]*/fdinfo 2>/dev/null | cut -d/ -f3) + pids_found+=" $p" + done + + # 3. Analyze the collected PIDs + # Unique-sort the list of PIDs to avoid duplicate alerts + local unique_pids=$(echo "$pids_found" | tr ' ' '\n' | grep -E '^[0-9]+$' | sort -u) + + for pid in $unique_pids; do + # Self-exclusion + [ "$pid" -eq "$SELF_PID" ] 2>/dev/null && continue + [ -d "/proc/$pid" ] || continue + + local exe_path=$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "unknown") + + # Skip if it's this detection script + [ "$exe_path" == "$SELF_EXE" ] && continue + + local cmd_line=$(ps -p "$pid" -o args= 2>/dev/null | head -n1) + + # If we got here, we found something + log "ALERT" "Suspicious Socket detected: PID $pid ($cmd_line) -> $exe_path" + + if [[ -n "$exe_path" && "$exe_path" != "unknown" && -e "$exe_path" ]]; then + mark_suspicious_file "$exe_path" + fi + + check_maps_hex "$pid" + flagged=1 + done + + # 4. Final Status (Only Success if NO pids were ever flagged) + if [ "$flagged" -eq 0 ]; then + log "SUCCESS" "No suspicious RAW/packet socket usage detected" + fi +} +# ---- Check 5: Env vars used by BPFDoor shells ----------------------------- +check_env_vars() { + log "INFO" "[5/12] Checking for suspicious environment variables" + local hits=0 + + for pid_dir in /proc/[0-9]*; do + [ -r "$pid_dir/environ" ] || continue + local pid="${pid_dir##*/}" + is_self "$pid" && continue + + local env="$(tr '\0' '\n' < "$pid_dir/environ" 2>/dev/null || true)" + [ -z "$env" ] && continue + + if echo "$env" | grep -qx "HOME=/tmp" \ + && echo "$env" | grep -qx "HISTFILE=/dev/null" \ + && echo "$env" | grep -qx "MYSQL_HISTFILE=/dev/null"; then + + local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" + local cmd="$(ps -p "$pid" -o user=,pid=,cmd= 2>/dev/null || echo "")" + local ppid="$(ps -p "$pid" -o ppid= 2>/dev/null | tr -d ' ' || echo "")" + log "CRITICAL" "[5/12] Process with BPFDoor-like env vars: PID=$pid, PPID=$ppid, EXE=$exe, CMD=$cmd" + [ -n "$exe" ] && mark_suspicious_file "$exe" + if [ -n "$ppid" ] && [ -e "/proc/$ppid/exe" ]; then + mark_suspicious_file "$(readlink -f "/proc/$ppid/exe" 2>/dev/null || true)" + fi + hits=$((hits+1)) + fi + done + + [ "$hits" -eq 0 ] && log "SUCCESS" "[5/12] No processes with the full suspicious env var set found" +} + +# ---- Check 6: Ports historically used by BPFDoor -------------------------- +check_suspicious_ports() { + log "INFO" "[6/12] Checking TCP ports ${SUSPICIOUS_PORTS_RANGE_START}-${SUSPICIOUS_PORTS_RANGE_END} and ${SUSPICIOUS_PORT_SINGLE}" + local net_out="" + + if cmd_exists netstat; then + net_out="$(netstat -antp 2>/dev/null || true)" + elif cmd_exists ss; then + net_out="$(ss -antp 2>/dev/null || true)" + else + log "WARN" "[6/12] Neither netstat nor ss available; skipping port check" + return + fi + + local matches="" + while IFS= read -r line; do + [[ "$line" =~ ^tcp ]] || continue + local laddr raddr state pidprog + read -r _ _ laddr raddr state pidprog <<<"$line" + local lport="${laddr##*:}" + local rport="${raddr##*:}" + + [[ "$lport" =~ ^[0-9]+$ ]] || lport=0 + [[ "$rport" =~ ^[0-9]+$ ]] || rport=0 + + if { [ "$lport" -ge "$SUSPICIOUS_PORTS_RANGE_START" ] && [ "$lport" -le "$SUSPICIOUS_PORTS_RANGE_END" ]; } \ + || { [ "$rport" -ge "$SUSPICIOUS_PORTS_RANGE_START" ] && [ "$rport" -le "$SUSPICIOUS_PORTS_RANGE_END" ]; } \ + || [ "$lport" -eq "$SUSPICIOUS_PORT_SINGLE" ] \ + || [ "$rport" -eq "$SUSPICIOUS_PORT_SINGLE" ]; then + matches+="$line"$'\n' + fi + done <<< "$net_out" + + if [ -z "$matches" ]; then + log "SUCCESS" "[6/12] No connections on known suspicious BPFDoor ports" + return + fi + + log "ALERT" "[6/12] Potentially suspicious connections on historical BPFDoor ports:" + printf "%s\n" "$matches" | tee -a "$LOGFILE" + + local pids="$(printf "%s\n" "$matches" | awk '{print $7}' | cut -d/ -f1 | grep -E '^[0-9]+$' | sort -u)" + for pid in $pids; do + is_self "$pid" && continue + [ -d "/proc/$pid" ] || continue + local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" + [ -n "$exe" ] && mark_suspicious_file "$exe" + done +} + +# ---- Check 7: Process masquerading (Whitelist Integration) ---------------- +check_process_masquerade() { + log "INFO" "[7/12] Checking for masqueraded processes (Verifying true execution paths)" + local found=0 + + # Grab all processes and their arguments + local ps_output="$(ps -eo pid=,args= 2>/dev/null || true)" + [ -z "$ps_output" ] && return + + while read -r pid args; do + [ -z "$pid" ] && continue + is_self "$pid" && continue + + # 1. Identify if the process claims to be a suspect + local is_suspect=0 + for pat in "${SUSPICIOUS_PROCS[@]}"; do + if echo "$args" | grep -Fq "$pat"; then + is_suspect=1 + break + fi + done + + # 2. Unmask and Verify the suspect against the Whitelist + if [ "$is_suspect" -eq 1 ]; then + local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" + + # Skip if no executable path can be resolved (e.g. kernel threads) + [ -z "$exe" ] && continue + + local is_whitelisted=0 + for wl in "${WHITELIST_EXES[@]}"; do + if [ "$exe" = "$wl" ]; then + is_whitelisted=1 + break + fi + done + + # 3. Trap: It's a suspect name, but not running from a whitelisted binary file + if [ "$is_whitelisted" -eq 0 ]; then + log "CRITICAL" "[7/12] Process Masquerading Detected! PID=$pid claims to be '$args' but is actually executing '$exe'" + mark_suspicious_file "$exe" + found=1 + fi + fi + done <<< "$ps_output" + + [ "$found" -eq 0 ] && log "SUCCESS" "[7/12] No process masquerading detected" +} + +# ---- Check 8: Memory-Resident / Deleted Binaries -------------------------- +check_deleted_binaries() { + log "INFO" "[8/12] Checking for processes executing deleted binaries (Fileless execution)" + local found=0 + local deleted_pids="$(ls -l /proc/*/exe 2>/dev/null | grep " (deleted)" | awk -F'/proc/' '{print $2}' | cut -d'/' -f1 || true)" + + if [ -n "$deleted_pids" ]; then + for d_pid in $deleted_pids; do + is_self "$d_pid" && continue + [ -d "/proc/$d_pid" ] || continue + local d_name="$(ps -p "$d_pid" -o comm= 2>/dev/null || echo "")" + local d_exe="$(readlink -f "/proc/$d_pid/exe" 2>/dev/null || echo "")" + + local is_bpf_candidate=0 + for pat in "${SUSPICIOUS_PROCS[@]}"; do + if [[ "$pat" == *"$d_name"* ]]; then + is_bpf_candidate=1 + break + fi + done + + if [ "$is_bpf_candidate" -eq 1 ]; then + log "CRITICAL" "PID: $d_pid masquerading as '$d_name' running from a deleted file: $d_exe" + mark_suspicious_file "$d_exe" + found=1 + else + log "WARN" "PID: $d_pid, ProcessName: $d_name, Exec: $d_exe (Deleted Binary)" + fi + done + fi + + [ "$found" -eq 0 ] && log "SUCCESS" "[8/12] No critical memory-resident/deleted binary execution found" +} + +# ---- Check 9: Kernel Stack Tracing ---------------------------------------- +check_kernel_stack() { + log "INFO" "[9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)" + local found=0 + local pids="$(grep -lE "packet_recvmsg|wait_for_more_packets" /proc/*/stack 2>/dev/null | awk -F/ '{print $3}' || true)" + + for pid in $pids; do + is_self "$pid" && continue + [ -d "/proc/$pid" ] || continue + local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" + local cmd="$(ps -p "$pid" -o user=,pid=,cmd= 2>/dev/null || echo "")" + log "CRITICAL" "Process hanging on packet_recvmsg: PID=$pid EXE=$exe CMD=$cmd" + [ -n "$exe" ] && mark_suspicious_file "$exe" + found=1 + + check_maps_hex "$pid" + done + + [ "$found" -eq 0 ] && log "SUCCESS" "[9/12] No processes blocking on suspicious packet socket kernel functions" +} + +# ---- Check 10: Deep scan suspicious files (hash, strings, UPX packer) ----- +deep_scan_suspicious_files() { + log "INFO" "[10/12] Deep scanning candidate binaries (hash, strings, UPX packing)" + local uniq_files=($(printf "%s\n" "${SUSPICIOUS_FILES_TMP[@]}" | sort -u)) + + if [ "${#uniq_files[@]}" -eq 0 ]; then + log "INFO" "[10/12] No candidate binaries collected for deep scan" + return + fi + + for f in "${uniq_files[@]}"; do + [ -e "$f" ] || continue + log "INFO" ">>> Analyzing candidate binary: $f" + + if hash_matches_malware "$f"; then + log "CRITICAL" "Known BPFDoor hash match for $f" + continue + fi + + if cmd_exists dd; then + local dd_out="$(dd if="$f" bs=1 count=256 2>/dev/null | grep -o 'UPX!' || true)" + if [ -n "$dd_out" ]; then + log "ALERT" "Binary is UPX packed (Common for BPFdoor): $f" + fi + fi + + if scan_strings_for_bpfdoor "$f"; then + log "CRITICAL" "BPFDoor-like string pattern(s) found in $f" + fi + done +} + +# ---- Check 11: C2 Connections (DNS Resolving & SS Tracking) --------------- +check_c2_connections() { + log "INFO" "[11/12] Checking for active connections to known BPFDoor C2 domains" + local found=0 + + if ! cmd_exists dig || ! cmd_exists ss; then + log "WARN" "[11/12] 'dig' or 'ss' missing; skipping C2 connection checks." + return + fi + + for host in "${KNOWN_C2_HOSTS[@]}"; do + local ips="$(dig +short "$host" A "$host" AAAA 2>/dev/null || true)" + + for ip in $ips; do + if [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ "$ip" =~ ^[0-9a-fA-F:]+$ && "$ip" =~ .*[:].* ]]; then + local ss_output="$(ss -tnp state established dst "$ip" 2>/dev/null || true)" + + if [ -n "$ss_output" ]; then + log "CRITICAL" "Active Reverse Shell to BPFDoor C2: $host ($ip)" + echo "$ss_output" | tee -a "$LOGFILE" + + local c2_pids="$(echo "$ss_output" | grep -oP 'pid=\K[0-9]+' | sort -u)" + for c2pid in $c2_pids; do + is_self "$c2pid" && continue + [ -d "/proc/$c2pid" ] || continue + local exe="$(readlink -f "/proc/$c2pid/exe" 2>/dev/null || echo "")" + [ -n "$exe" ] && mark_suspicious_file "$exe" + done + found=1 + fi + fi + done + done + [ "$found" -eq 0 ] && log "SUCCESS" "[11/12] No active connections to known C2 domains found" +} + +# ---- Check 12: Process-Specific Signatures -------------------------------- +check_process_signatures() { + log "INFO" "[12/12] Checking specific processes for hardcoded BPFDoor file signatures" + local found=0 + + local sig_checks=( + "sshd::66666666H" + "abrtd|atd|pickup:::h:d:l:s:b:t" + "sgaSolAgent|cmathreshd|udevd|agetty|hpasmlited|\.sshd::ttcompat::127.0.0.1" + ) + + for check in "${sig_checks[@]}"; do + local proc_pat="${check%%::*}" + local remainder="${check#*::}" + local sig1="${remainder%%::*}" + local sig2="${remainder#*::}" + + local pids="$(pgrep -E "$proc_pat" 2>/dev/null || true)" + + for pid in $pids; do + is_self "$pid" && continue + [ -d "/proc/$pid" ] || continue + local path="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" + [ -z "$path" ] && continue + + if grep -a -q "$sig1" "$path" 2>/dev/null; then + if [ -n "$sig2" ] && [ "$sig1" != "$sig2" ]; then + if ! grep -a -q "$sig2" "$path" 2>/dev/null; then + continue + fi + fi + + local cmdline="$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || echo "")" + log "CRITICAL" "Process Signature Match: PID=$pid, Path=$path, Cmd=$cmdline matched pattern '$proc_pat'" + mark_suspicious_file "$path" + found=1 + fi + done + done + + [ "$found" -eq 0 ] && log "SUCCESS" "[12/12] No hardcoded process signatures detected" +} + +# ---- Optional: Basic persistence checks ----------------------------------- +check_persistence() { + log "INFO" "[-] Basic persistence triage (cron, systemd, rc scripts)" + + for file in /etc/crontab /var/spool/cron/* /var/spool/cron/crontabs/*; do + [ -f "$file" ] || continue + if grep -E "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$file" 2>/dev/null | grep -q .; then + log "ALERT" "Suspicious entry in cron file: $file" + grep -E "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$file" 2>/dev/null | tee -a "$LOGFILE" + fi + done + + for dir in /etc/systemd/system /usr/lib/systemd/system /run/systemd/system; do + [ -d "$dir" ] || continue + if grep -rE "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$dir" 2>/dev/null | grep -q .; then + log "ALERT" "Suspicious pattern in systemd units under $dir" + fi + done + + for rc in /etc/rc.local /etc/init.d; do + [ -e "$rc" ] || continue + if grep -rE "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$rc" 2>/dev/null | grep -q .; then + log "ALERT" "Suspicious pattern in rc script(s) under $rc" + fi + done +} + +# ---- Main ------------------------------------------------------------------ +main() { + : > "$LOGFILE" + require_root + banner + + echo -e "\n${CYAN}[*] Running Ultimate BPFDoor triage…${NC}" + check_mutex_files + check_autostart_files + check_bpf_filters + check_raw_and_packet_sockets + check_env_vars + check_suspicious_ports + check_process_masquerade + check_deleted_binaries + check_kernel_stack + check_c2_connections + check_process_signatures + deep_scan_suspicious_files + check_persistence + + echo + echo -e "${CYAN}[*] Scan complete. Report written to: ${LOGFILE}${NC}" + echo -e "${YELLOW}[!] Any CRITICAL or ALERT entries should be investigated promptly.${NC}" +} + +main "$@" + + diff --git a/bpfdoor_report_eve_2026-03-27_13-23-32.log b/bpfdoor_report_eve_2026-03-27_13-23-32.log new file mode 100644 index 0000000..13425c1 --- /dev/null +++ b/bpfdoor_report_eve_2026-03-27_13-23-32.log @@ -0,0 +1,169 @@ +██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗ +██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║ +██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝ +██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝ +██║ ██║██║ ██║██║ ██║██████╔╝ ██║ +╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝ + M A L W A R E L A B S +========================================================== +Enhanced Linux BPFDoor Detection Script +========================================================== +Host : eve +Date : 2026-03-27_13-23-32 +Version: 1.1 +========================================================== +[2026-03-27 13:23:32] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files +[2026-03-27 13:23:32] [SUCCESS] [1/12] No known suspicious mutex/lock files found +[2026-03-27 13:23:32] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries +[2026-03-27 13:23:32] [WARN] [2/12] /etc/sysconfig not present; skipping +[2026-03-27 13:23:32] [INFO] [3/12] Inspecting BPF filters via ss -0pb +Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess +p_raw 0 0 LLDP:enp2s0 * users:(("systemd-network",pid=1036734,fd=17)) + bpf filter (12): 0x20 0 0 0, 0x15 1 0 25215488, 0x06 0 0 0, 0x28 0 0 4, 0x15 3 0 0, 0x15 2 0 3, 0x15 1 0 14, 0x06 0 0 0, 0x28 0 0 12, 0x15 1 0 35020, 0x06 0 0 0, 0x06 0 0 4294967295, +p_raw 0 0 LLDP:enp1s0 * users:(("systemd-network",pid=1036734,fd=18)) + bpf filter (12): 0x20 0 0 0, 0x15 1 0 25215488, 0x06 0 0 0, 0x28 0 0 4, 0x15 3 0 0, 0x15 2 0 3, 0x15 1 0 14, 0x06 0 0 0, 0x28 0 0 12, 0x15 1 0 35020, 0x06 0 0 0, 0x06 0 0 4294967295, +[2026-03-27 13:23:32] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found +[2026-03-27 13:23:32] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM) +[2026-03-27 13:23:33] [ALERT] Suspicious Socket detected: PID 1036734 (/lib/systemd/systemd-networkd) -> /usr/lib/systemd/systemd-networkd +[2026-03-27 13:23:33] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/libsystemd-shared-249.so (PID: 1036734) +------- HEXDUMP CONTEXT ------- +491000004e1000005010000000000000511000005310000056100000581000005b100000 +000000000000008878000012000f000051100000000000b7010000000000005e20000012 +3000000000000bc86000012000f00b04511000000000014010000000000000b440000120 +------------------------------- +[2026-03-27 13:24:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/systemd-networkd (PID: 1036734) +------- HEXDUMP CONTEXT ------- +00000000000009074090000000000086511000000000008000000000000001d910c00000 +0000020651100000000000800000000000000507c0900000 +000004865110000000000080000000000000024910c00000 +------------------------------- +[2026-03-27 13:24:14] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +f6ec009d80b85f8feffff660f62c70f8482000000410fb6872103000041899f2c0300006 +10fb644240483e00f49837c2408000f8482000000b998fbffff488914240fa3c10f82880 +5ffff4c89e731c0e8552fffff488db42482000000488d3d53160100e831f5ffff4c89e73 +------------------------------- +[2026-03-27 13:24:17] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +5ff746b66817ff82c7175634885d20f848200000085f6752e488b4708488947104883ef0 +6817ff82c717577488d77f84885db0f848200000066817bf82c71757a488b5328b801000 +------------------------------- +[2026-03-27 13:24:17] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +8fdffffe819f8ffff4989c74885c00f8482000000f605abd902001075314889efe85cf2f +2b1425280000000f85c30200004881c4482000005b5d415c415d415e415fc30f1f800000 +58b6f0c418b5708450fafee4585ed0f8482000000410fb6470489c183e17f80f90574043 +------------------------------- +[2026-03-27 13:24:20] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +0000000000000571a000012000f00d0a5110000000000e801000000000000822a0000220 +0000000000000535b000012000f0040a51100000000008a00000000000000ff600000120 +0000000000000433e000022000f0040e51100000000000b00000000000000907a0000220 +------------------------------- +[2026-03-27 13:24:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap.so.2.44 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +0d0970000000000000800000000000000f270000000000000d8970000000000000800000 +0709a0000000000000800000000000000f270000000000000809a0000000000000800000 +0d270000000000000de70000000000000f27000000000000007710000000000001971000 +------------------------------- +[2026-03-27 13:24:42] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +000000004b1000004d1000004e1000005110000052100000561000005710000058100000 +f1000000211000003110000041100000511000006110000081100000a1100000b1100000 +0000000221100002311000024110000251100000000000028110000291100002a1100002 +------------------------------- +[2026-03-27 13:25:24] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +913000000000008000000000000003805110000000000286913000000000008000000000 +000008005110000000000306913000000000008000000000 +00000c805110000000000386913000000000008000000000 +------------------------------- +[2026-03-27 13:25:36] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +085b5dc30f1f440000488b7708488bbd48200000ffd04883f8ff7435488b6b484885c074 +4885d20f8ed6000000488b7308488bb8482000004801ee41ffd44883f8ff75cf488b4b20 +0048c743280000000031d231f6488bb84820000041ffd44585ed744fe889d4ffff41bdff +------------------------------- +[2026-03-27 13:25:38] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libip4tc.so.2.0.0 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +000000000000000000000000000000064820000000000000701000000000000000000000 +------------------------------- +[2026-03-27 13:25:39] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +04183fd0a0f84ac0000004183fd010f84820000008b550031c085d2740a80bdc80000000 +801742b83f8020f840201000085c00f8482000000b80b0000004883c4185b5d415c415d4 +408488306014883680801c64014ff0f8482000000488b0e4839cf75da5bb8010000005d4 +------------------------------- +[2026-03-27 13:25:40] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +5bad701004889dfe8c91effff85c00f8482000000488d35ebe501004889dfe8b21effff8 +0200100e95afdffff483debe027000f84820000007e4b483deeffc00074374c8d2d5c200 +885ff0f848e000000803f004889fd0f848200000031f6e823d3fdff4989c44885c00f84b +------------------------------- +[2026-03-27 13:25:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000 +8bf00100000488b7010ff104885c00f8482000000498b5660488910498946604883c0104 +b6c242848c1e003837c2418284488bc24820000000f94c280bc24810000008648898424a +------------------------------- +[2026-03-27 13:25:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8 (PID: 1036734) +------- HEXDUMP CONTEXT ------- +04c897424584c8bb424f0000000c6842482000000008bb424e80000004c897424404c8bb +c395c24580f87f30600004589c1c6842482000000014183e00741c1e9034d29cb4c895c2 +c2440010000488984245001000080bc248200000000741a488b442438488984242001000 +------------------------------- +[2026-03-27 13:25:57] [INFO] [5/12] Checking for suspicious environment variables +[2026-03-27 13:26:06] [SUCCESS] [5/12] No processes with the full suspicious env var set found +[2026-03-27 13:26:06] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000 +[2026-03-27 13:26:06] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports +[2026-03-27 13:26:06] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths) +[2026-03-27 13:26:44] [CRITICAL] [7/12] Process Masquerading Detected! PID=1043 claims to be '/sbin/agetty -o -p -- \u --noclear tty1 linux' but is actually executing '/usr/sbin/agetty (deleted)' +[2026-03-27 13:29:14] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution) +[2026-03-27 13:29:14] [CRITICAL] PID: 1043 masquerading as 'agetty' running from a deleted file: /usr/sbin/agetty (deleted) +[2026-03-27 13:29:14] [WARN] PID: 1063, ProcessName: unattended-upgr, Exec: /usr/bin/python3.10 (deleted) (Deleted Binary) +[2026-03-27 13:29:14] [WARN] PID: 946, ProcessName: networkd-dispat, Exec: /usr/bin/python3.10 (deleted) (Deleted Binary) +[2026-03-27 13:29:14] [WARN] PID: 971, ProcessName: systemd-logind, Exec: /usr/lib/systemd/systemd-logind (deleted) (Deleted Binary) +[2026-03-27 13:29:14] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets) +[2026-03-27 13:29:14] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions +[2026-03-27 13:29:14] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains +[2026-03-27 13:29:15] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpussl.instanthq.com (204.16.169.54) +Recv-Q Send-Q Local Address:Port Peer Address:PortProcess +[2026-03-27 13:29:16] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpd.casacam.net (127.0.0.1) +Recv-Q Send-Q Local Address:Port Peer Address:PortProcess +[2026-03-27 13:29:16] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpupdate.ygto.com (127.0.0.1) +Recv-Q Send-Q Local Address:Port Peer Address:PortProcess +[2026-03-27 13:29:16] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures +[2026-03-27 13:29:16] [SUCCESS] [12/12] No hardcoded process signatures detected +[2026-03-27 13:29:16] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing) +[2026-03-27 13:29:16] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/libsystemd-shared-249.so +[2026-03-27 13:29:16] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-networkd +[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 +[2026-03-27 13:29:17] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 +[2026-03-27 13:29:17] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 +[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 +[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 +[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libc.so.6 +[2026-03-27 13:29:17] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libc.so.6 +[2026-03-27 13:29:17] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libc.so.6 +[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcap.so.2.44 +[2026-03-27 13:29:17] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libcap.so.2.44 +[2026-03-27 13:29:17] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libcap.so.2.44 +[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcrypto.so.3 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4 +[2026-03-27 13:29:18] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4 +[2026-03-27 13:29:18] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1 +[2026-03-27 13:29:18] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1 +[2026-03-27 13:29:18] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libip4tc.so.2.0.0 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 +[2026-03-27 13:29:18] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 +[2026-03-27 13:29:18] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 +[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8 +[2026-03-27 13:29:19] [INFO] >>> Analyzing candidate binary: /usr/sbin/agetty +[2026-03-27 13:29:19] [ALERT] String match '1234' found in /usr/sbin/agetty +[2026-03-27 13:29:19] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/sbin/agetty +[2026-03-27 13:29:19] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts) +[2026-03-27 13:29:19] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system