ictoi/bpfdoor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Merge branch 'master' of https://git.ictoi.io/ictoi/bpfdoor

Browse Source
This commit is contained in:
Vaclav VESELY
2026-03-27 13:19:48 +00:00
parent f5f6e10ced a31e9f0ec3
commit ed2d402209
1 changed files with 26 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
bpfdoor_report_vvm3_2026-03-27_13-42-41.log → bpfdoor_report_vvm3_2026-03-27_14-07-33.log
View File

@@ -9,31 +9,31 @@
Enhanced Linux BPFDoor Detection Script
==========================================================
Host : vvm3
Date : 2026-03-27_13-42-41
Date : 2026-03-27_14-07-33
Version: 1.1
==========================================================
[2026-03-27 13:42:41] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 13:42:41] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 13:42:41] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 13:42:41] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 13:42:41] [INFO] [3/12] Inspecting BPF filters via ss -0pb
[2026-03-27 13:42:41] [WARN] [3/12] ss command not available; skipping BPF filter check
[2026-03-27 13:42:41] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 13:42:41] [SUCCESS] No suspicious RAW/packet socket usage detected
[2026-03-27 13:42:41] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 13:42:41] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 13:42:41] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 13:42:41] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
[2026-03-27 13:42:41] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 13:43:24] [SUCCESS] [7/12] No process masquerading detected
[2026-03-27 13:43:24] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 13:43:24] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-27 13:43:24] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 13:43:24] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 13:43:24] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 13:43:24] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks.
[2026-03-27 13:43:24] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 13:43:24] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 13:43:24] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 13:43:24] [INFO] [10/12] No candidate binaries collected for deep scan
[2026-03-27 13:43:24] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-27 14:07:33] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 14:07:33] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 14:07:33] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 14:07:33] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 14:07:33] [INFO] [3/12] Inspecting BPF filters via ss -0pb
[2026-03-27 14:07:33] [WARN] [3/12] ss command not available; skipping BPF filter check
[2026-03-27 14:07:33] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 14:07:33] [SUCCESS] No suspicious RAW/packet socket usage detected
[2026-03-27 14:07:33] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 14:07:33] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 14:07:33] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 14:07:33] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
[2026-03-27 14:07:33] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 14:08:17] [SUCCESS] [7/12] No process masquerading detected
[2026-03-27 14:08:17] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 14:08:17] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-27 14:08:17] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 14:08:17] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 14:08:17] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 14:08:17] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks.
[2026-03-27 14:08:17] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 14:08:17] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 14:08:17] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 14:08:17] [INFO] [10/12] No candidate binaries collected for deep scan
[2026-03-27 14:08:17] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)