From ff96ed16619160740d572777e4370c72150d1adc Mon Sep 17 00:00:00 2001 From: Vaclav VESELY Date: Fri, 27 Mar 2026 13:48:17 +0100 Subject: [PATCH] add vvm3 --- bpfdoor_report_vvm3_2026-03-27_13-42-41.log | 39 +++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 bpfdoor_report_vvm3_2026-03-27_13-42-41.log diff --git a/bpfdoor_report_vvm3_2026-03-27_13-42-41.log b/bpfdoor_report_vvm3_2026-03-27_13-42-41.log new file mode 100644 index 0000000..47a5153 --- /dev/null +++ b/bpfdoor_report_vvm3_2026-03-27_13-42-41.log 
@@ -0,0 +1,39 @@ +██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗ +██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║ +██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝ +██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝ +██║ ██║██║ ██║██║ ██║██████╔╝ ██║ +╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝ + M A L W A R E L A B S +========================================================== +Enhanced Linux BPFDoor Detection Script +========================================================== +Host : vvm3 +Date : 2026-03-27_13-42-41 +Version: 1.1 +========================================================== +[2026-03-27 13:42:41] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files +[2026-03-27 13:42:41] [SUCCESS] [1/12] No known suspicious mutex/lock files found +[2026-03-27 13:42:41] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries +[2026-03-27 13:42:41] [WARN] [2/12] /etc/sysconfig not present; skipping +[2026-03-27 13:42:41] [INFO] [3/12] Inspecting BPF filters via ss -0pb +[2026-03-27 13:42:41] [WARN] [3/12] ss command not available; skipping BPF filter check +[2026-03-27 13:42:41] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM) +[2026-03-27 13:42:41] [SUCCESS] No suspicious RAW/packet socket usage detected +[2026-03-27 13:42:41] [INFO] [5/12] Checking for suspicious environment variables +[2026-03-27 13:42:41] [SUCCESS] [5/12] No processes with the full suspicious env var set found +[2026-03-27 13:42:41] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000 +[2026-03-27 13:42:41] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports +[2026-03-27 13:42:41] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths) +[2026-03-27 13:43:24] [SUCCESS] [7/12] No process masquerading detected +[2026-03-27 13:43:24] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution) +[2026-03-27 13:43:24] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found +[2026-03-27 13:43:24] 
[INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets) +[2026-03-27 13:43:24] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions +[2026-03-27 13:43:24] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains +[2026-03-27 13:43:24] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks. +[2026-03-27 13:43:24] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures +[2026-03-27 13:43:24] [SUCCESS] [12/12] No hardcoded process signatures detected +[2026-03-27 13:43:24] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing) +[2026-03-27 13:43:24] [INFO] [10/12] No candidate binaries collected for deep scan +[2026-03-27 13:43:24] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
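Review bot: the report added in this hunk should not be read as a clean result for vvm3, because the two checks that most directly detect BPFDoor were skipped: step [3/12] logs "ss command not available; skipping BPF filter check" and step [11/12] logs "'dig' or 'ss' missing; skipping C2 connection checks." Every remaining step reports SUCCESS, so a reader skimming the file gets a false sense of coverage. Either rerun the script on vvm3 after installing iproute2 (for `ss`) and a resolver that provides `dig`, so steps 3 and 11 actually execute, or have the script end with a summary line that counts skipped checks so the WARN lines cannot be overlooked; a commit message that records which checks were skipped would also help, since "add vvm3" says nothing about that. Two smaller points in the same hunk: the step tags run 9, 11, 12, 10, so the "[10/12] Deep scanning candidate binaries" lines are logged after the last step instead of in order, and the final line "[-] Basic persistence triage (cron, systemd, rc scripts)" has no result line following it, so the report ends without stating whether that triage ran or what it found.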