Compare commits: a31e9f0ec3...master (6 commits)

Commits in range (SHA1; author and date columns were empty in the source):
- 2b434f8466
- 2c073c9aa0
- 653eeb215a
- 43a0c77d6d
- ed2d402209
- f5f6e10ced
@@ -0,0 +1,55 @@
# Security Audit of The Script via Gemini

## Prompt

Take the attached shell script and provide me a full security audit for it? Can it be harmfull for my Debian Linux system in any way? It should work as a BPFDoor detection only.

## Result

Here is a full security audit of the `bpfdoor.sh` script you provided.

**The short answer:** **No, this script is not harmful to your Debian Linux system.** It is a non-destructive, read-only diagnostic tool designed strictly to detect indicators of compromise (IoCs) associated with BPFDoor malware.

Here is the detailed breakdown of what the script does, how it operates, and a few minor bugs and compatibility notes for your Debian system.

### 1. File Modifications and System Impact (Read-Only)

The script is fundamentally **read-only** regarding your system's configuration and binaries.

* **No System Changes:** It does not use commands like `rm`, `mv`, `chmod` (to alter permissions), or `useradd`. It will not delete files, kill processes, or alter your firewall rules.
* **Logging:** The only file it creates or modifies is its own log file (`bpfdoor_report_<hostname>_<date>.log`) in the directory from which you execute the script.
* **Resource Usage:** The script performs some mildly intensive operations, such as running `hexdump` on memory maps (`check_maps_hex`) and using `grep` to scan binaries for signatures. However, the author included a safeguard (`[ "$size" -gt 5242880 ] && continue`) to skip files larger than 5MB, preventing accidental CPU or memory exhaustion.

### 2. Network Activity

The script does not "phone home," download external payloads, or send your data to a third party (no `curl` or `wget` commands are present).
The only network activity it generates is in the `check_c2_connections` function, where it uses `dig` to perform DNS lookups against four known BPFDoor Command & Control (C2) domains. It then cross-references those IP addresses with your active network connections using `ss`.

### 3. Privilege Requirements

The script enforces execution as `root` (`require_root` function). While running unknown scripts as root is generally risky, it is **strictly necessary** here. Without root privileges, the script cannot read other users' process memory (`/proc/<pid>/maps`), check environment variables of suspicious processes (`/proc/<pid>/environ`), or view low-level socket information via `ss -p`.

### 4. Code Quality and Minor Bugs

While the script is safe, it was likely stitched together from multiple sources and contains a few minor scripting flaws that won't harm your system, but might cause minor hiccups:

* **Undefined Variables:** In the `check_raw_and_packet_sockets` function, the script attempts to exclude itself from being flagged by checking against `$SELF_PID` and `$SELF_EXE`. However, these variables are never defined in the script (the author used `$SCRIPT_PID` globally instead). This won't break the script, but it might result in the script accidentally flagging itself during that specific check.
* **Path Parsing:** It uses `awk` and `sed` to parse process outputs and paths. If a legitimate binary path contains unusual characters or spaces, it might throw a harmless parsing error in the terminal.

### 5. Debian Linux Compatibility

The script is written in standard Bash, but there are a few things to keep in mind regarding your Debian system:

* **The `/etc/sysconfig` Check:** In the `check_autostart_files` function, the script looks for persistence hooks in `/etc/sysconfig`. This directory is native to Red Hat/CentOS/Fedora systems. On Debian, the equivalent is `/etc/default`. The script won't break (it safely checks if the directory exists first and skips it if not), but it means it is missing an autostart check specific to Debian architecture.
* **Dependencies:** To run successfully, ensure you have the required tools installed. Most are native to Debian, but you might need to install `dnsutils` (for `dig`), `net-tools` (for `netstat`), and `binutils` (for `strings`).
* *Command:* `sudo apt update && sudo apt install dnsutils net-tools binutils bsdmainutils iproute2 procps`

### Final Verdict

You are safe to run this on your Debian system. It is a well-intentioned, read-only hunting script. To execute it safely and collect the data:

1. Save it as `bpfdoor.sh`.
2. Make it executable: `chmod +x bpfdoor.sh`
3. Run it: `sudo ./bpfdoor.sh`

Review the generated `.log` file for any `ALERT` or `CRITICAL` tags. Keep in mind that as a heuristic script, it may generate false positives (flagging legitimate software that happens to act similarly to the malware), so use the results as a starting point for investigation rather than absolute proof of a breach.
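Review bot: the audit's read-only, safe-to-run-as-root conclusion matches what this range shows, but three specifics should be corrected before it is kept in the repo as the script's security audit. Section 2 treats the `dig` lookups of the C2 domains as benign: resolving known BPFDoor C2 hostnames from the host under investigation produces resolver and DNS-IDS telemetry that looks exactly like an infected host beaconing, so the audit (and the script header) should state that the scan itself will trip DNS-based detections, or the IPs should be resolved once on an analyst workstation and handed to the script. Section 5's install line pulls in `net-tools` for `netstat`, yet the C2 check in this range guards only on `cmd_exists dig` and `cmd_exists ss`; drop `net-tools` unless another part of the script really calls `netstat`. The `$SELF_EXE` finding in section 4 is confirmed by the check_raw_and_packet_sockets hunk below, which deletes `[ "$exe_path" == "$SELF_EXE" ] && continue`. Finally, the "Final Verdict" steps (`chmod +x`, `sudo ./bpfdoor.sh`) should be tied to the revision that was reviewed: record the script's hash or commit next to the verdict, since the audit does not cover later changes such as the ones in this same range.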
+128 -49
@@ -25,7 +25,7 @@

set -o pipefail

VERSION="1.1"
VERSION="1.2"
HOSTNAME="$(hostname)"
DATE="$(date +%Y-%m-%d_%H-%M-%S)"
LOGFILE="bpfdoor_report_${HOSTNAME}_${DATE}.log"
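Review bot: LOGFILE is created in whatever directory the script is started from, with the caller's umask, and the report contains PID/command listings, `ss` output and hexdumps of mapped binaries; add `umask 077` next to this definition (or write under a root-only directory) so the report is not world-readable by default. The version bump itself is fine, but the report hunk further down in this range still says `Version: 1.1`.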
@@ -80,7 +80,8 @@ SUSPICIOUS_PROCS=(
# The ACTUAL physical paths of legitimate daemons. If a process masquerades as one of
# the above but isn't running from one of these files, it gets flagged.
WHITELIST_EXES=(
"/sbin/agetty" "/sbin/auditd" "/sbin/mingetty" "/sbin/udevd"
"/usr/sbin/agetty" "/usr/sbin/auditd" "/usr/sbin/mingetty" "/usr/sbin/udevd"
"/usr/lib/systemd/systemd-journald" "/usr/lib/systemd/systemd-machined" "/sbin/agetty" "/sbin/auditd" "/sbin/mingetty" "/sbin/udevd"
"/usr/bin/python" "/usr/bin/python2" "/usr/bin/python3"
"/usr/sbin/tuned" "/usr/lib/polkit-1/polkitd" "/usr/libexec/postfix/pickup"
"/usr/libexec/postfix/master" "/usr/sbin/NetworkManager"
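Review bot: `/sbin/agetty` `/sbin/auditd` `/sbin/mingetty` `/sbin/udevd` now appear twice in WHITELIST_EXES (on their own line and again at the end of the systemd-journald line), and with FIX 2's `readlink -m` canonicalization in check_process_masquerade the `/sbin/...` and `/usr/sbin/...` pairs resolve to the same file on merged-/usr systems, so one entry per binary is enough and keeps the list reviewable. A path-only whitelist also means a binary overwritten in place at a whitelisted path passes this check; pairing the path with package ownership (`dpkg -S`/`rpm -qf`) or with the hash computed in the deep scan would close that gap.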
@@ -96,7 +97,7 @@ SUSPICIOUS_STRINGS=(
"HISTFILE=/dev/null" "MYSQL_HISTFILE=/dev/null" "ttcompat" ":h:d:l:s:b:t:"
":f:wiunomc" ":f:x:wiuoc" "LibTomCrypt 1.17"
"Private key does not match the public certificate"
"I5*AYbs@LdaWbsO" "3458" "8543" "1234"
"I5*AYbs@LdaWbsO"
)

KNOWN_C2_HOSTS=(
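Review bot: dropping `"3458" "8543" "1234"` is right, four-digit decimal strings occur in almost any binary. `"LibTomCrypt 1.17"` has the same weakness one level up: it identifies a statically linked library version, not the implant, so it will fire on any program built against that release. Demote it to a corroborating indicator, i.e. only count it when it co-occurs in the same file with a BPFDoor-specific string such as `"I5*AYbs@LdaWbsO"` or one of the getopt strings, rather than letting it raise an alert on its own.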
@@ -394,7 +395,10 @@ check_raw_and_packet_sockets() {

# Skip if it's this detection script
[ "$exe_path" == "$SELF_EXE" ] && continue

#exclude legitimate networking tools
if [[ "$exe_path" == *"/NetworkManager"* ]] || [[ "$exe_path" == *"/dhclient"* ]] || [[ "$exe_path" == *"/systemd-networkd"* ]]; then
continue
fi
local cmd_line=$(ps -p "$pid" -o args= 2>/dev/null | head -n1)

# If we got here, we found something
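Review bot: the `*"/NetworkManager"*`, `*"/dhclient"*` and `*"/systemd-networkd"*` exclusions are substring globs, so `/dev/shm/NetworkManager` or `/tmp/.x/dhclient` also match and are skipped without a log line, which is exactly the masquerade this family of checks exists to catch. Compare `$exe_path` against canonical full paths (the `readlink -m` comparison used in check_process_masquerade) instead of the basename, and log skipped PIDs at INFO so the exclusion is visible in the report. Separately, `local cmd_line=$(ps ...)` masks the command's exit status; the C2 hunk below deliberately splits `local ips` / `ips="$(...)"` for that reason, so do the same here for consistency.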
@@ -517,16 +521,27 @@ check_process_masquerade() {
fi
done

# 2. Unmask and Verify the suspect against the Whitelist
# 2. Unmask and Verify the suspect against the Whitelist
if [ "$is_suspect" -eq 1 ]; then
local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")"
# Read the exact execution path from the kernel
local raw_exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")"

# Skip if no executable path can be resolved (e.g. kernel threads)
[ -z "$exe" ] && continue
# FIX 1: Strip the " (deleted)" suffix caused by legitimate package updates
local exe="${raw_exe%" (deleted)"}"

# Skip real kernel threads
if [[ -z "$exe" ]] || [[ "$raw_exe" == "/proc/$pid/exe" ]]; then
if [ ! -s "/proc/$pid/cmdline" ]; then
continue
fi
fi

local is_whitelisted=0
for wl in "${WHITELIST_EXES[@]}"; do
if [ "$exe" = "$wl" ]; then
# FIX 2: Canonicalize the whitelist path to account for merged-/usr symlinks
local canonical_wl="$(readlink -m "$wl" 2>/dev/null || echo "$wl")"

if [ "$exe" = "$canonical_wl" ]; then
is_whitelisted=1
break
fi
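Review bot: FIX 1 strips " (deleted)" and then lets the stripped path match the whitelist, which quietly clears the very condition this check is meant to catch: the comment above WHITELIST_EXES says a suspect is flagged when it "isn't running from one of these files", and a process whose image has been unlinked is by definition not running from the file on disk (a pending post-upgrade restart is one explanation; an implant that executes a copy and unlinks it is the other). Keep the whitelist match, but when `raw_exe` differs from `exe` log a WARN carrying `$raw_exe` so the deleted-image case is visible in the report rather than folded into SUCCESS. Also, `canonical_wl` runs `readlink -m` for every whitelist entry for every suspect PID; canonicalize WHITELIST_EXES once at startup.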
@@ -534,7 +549,7 @@ check_process_masquerade() {

# 3. Trap: It's a suspect name, but not running from a whitelisted binary file
if [ "$is_whitelisted" -eq 0 ]; then
log "CRITICAL" "[7/12] Process Masquerading Detected! PID=$pid claims to be '$args' but is actually executing '$exe'"
log "CRITICAL" "[7/12] Process Masquerading Detected! PID=$pid claims to be '$args' but is actually executing '$raw_exe'"
mark_suspicious_file "$exe"
found=1
fi
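Review bot: logging `$raw_exe` is the right change, but `mark_suspicious_file "$exe"` still hands the stripped path to the deep scan, and for a deleted image that path either no longer exists or now names a different file from the one executing, so check 12's hash/strings/UPX pass scans the wrong bytes or nothing. For that case mark `/proc/$pid/exe` instead: the magic link still opens the running image after the file is unlinked.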
@@ -599,13 +614,13 @@ check_kernel_stack() {
[ "$found" -eq 0 ] && log "SUCCESS" "[9/12] No processes blocking on suspicious packet socket kernel functions"
}

# ---- Check 10: Deep scan suspicious files (hash, strings, UPX packer) -----
# ---- Check 12: Deep scan suspicious files (hash, strings, UPX packer) -----
deep_scan_suspicious_files() {
log "INFO" "[10/12] Deep scanning candidate binaries (hash, strings, UPX packing)"
log "INFO" "[12/12] Deep scanning candidate binaries (hash, strings, UPX packing)"
local uniq_files=($(printf "%s\n" "${SUSPICIOUS_FILES_TMP[@]}" | sort -u))

if [ "${#uniq_files[@]}" -eq 0 ]; then
log "INFO" "[10/12] No candidate binaries collected for deep scan"
log "INFO" "[12/12] No candidate binaries collected for deep scan"
return
fi

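Review bot: the `[n/12]` step label is repeated verbatim in the section comment and in every INFO/SUCCESS line of each check, which is how the 10/11/12 drift being repaired here arose; set it once per function (`local step="12/12"`) and interpolate it, so the next reordering is a one-line change per check instead of a hunt through all the log strings.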
@@ -631,45 +646,97 @@ deep_scan_suspicious_files() {
done
}

# ---- Check 11: C2 Connections (DNS Resolving & SS Tracking) ---------------
# ---- Helper: Check if IP is a globally routable address -------------------
is_global_ip() {
local ip="$1"

# 1. IPv6 FAST-PATH (Regex Bypass for performance and Bash compatibility)
if [[ "$ip" == *":"* ]]; then
# Filter common IPv6 sinkholes/local: ::1, ::, fc00::/7, fe80::/10
if [[ "$ip" == "::1" ]] || [[ "$ip" == "::" ]] || \
[[ "$ip" =~ ^[fF][cCdD] ]] || [[ "$ip" =~ ^[fF][eE][89aAbB] ]]; then
return 1
fi
return 0
fi

# 2. IPv4 CIDR MATH PATH
[[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1

local IFS='.' nums
read -r -a nums <<< "$ip"
for o in "${nums[@]}"; do (( o > 255 )) && return 1; done
local ipnum=$(( (nums[0] << 24) | (nums[1] << 16) | (nums[2] << 8) | nums[3] ))

in_cidr() {
local IFS='/' parts
read -r -a parts <<< "$1"
local IFS='.' net
read -r -a net <<< "${parts[0]}"
local netnum=$(( (net[0] << 24) | (net[1] << 16) | (net[2] << 8) | net[3] ))
local mask=$(( 0xFFFFFFFF << (32 - parts[1]) & 0xFFFFFFFF ))
(( (ipnum & mask) == (netnum & mask) ))
}

# Non-global ranges per IANA
local non_global=(
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
)

for cidr in "${non_global[@]}"; do
in_cidr "$cidr" && return 1
done

return 0
}

# ---- Check 10: C2 Connections (DNS Resolving & SS Tracking) ---------------
check_c2_connections() {
log "INFO" "[11/12] Checking for active connections to known BPFDoor C2 domains"
log "INFO" "[10/12] Checking for active connections to known BPFDoor C2 domains"
local found=0

if ! cmd_exists dig || ! cmd_exists ss; then
log "WARN" "[11/12] 'dig' or 'ss' missing; skipping C2 connection checks."
log "WARN" "[10/12] 'dig' or 'ss' missing; skipping C2 connection checks."
return
fi

for host in "${KNOWN_C2_HOSTS[@]}"; do
local ips="$(dig +short "$host" A "$host" AAAA 2>/dev/null || true)"
local ips
ips="$(dig +short "$host" A "$host" AAAA 2>/dev/null | grep -E '^[0-9a-fA-F:.]+$' | grep -E '\.|\:'|| true)"

for ip in $ips; do
if [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ "$ip" =~ ^[0-9a-fA-F:]+$ && "$ip" =~ .*[:].* ]]; then
local ss_output="$(ss -tnp state established dst "$ip" 2>/dev/null || true)"
if ! is_global_ip "$ip"; then
log "INFO" "Skipping non-global IP for $host: $ip (likely sinkhole/private)"
continue
fi

local ss_output
ss_output="$(ss -H -tnp state established dst "$ip" 2>/dev/null || true)"

if [ -n "$ss_output" ]; then
log "CRITICAL" "Active connection to known BPFDoor C2: $host ($ip)"
echo "$ss_output" | tee -a "$LOGFILE"

if [ -n "$ss_output" ]; then
log "CRITICAL" "Active Reverse Shell to BPFDoor C2: $host ($ip)"
echo "$ss_output" | tee -a "$LOGFILE"

local c2_pids="$(echo "$ss_output" | grep -oP 'pid=\K[0-9]+' | sort -u)"
for c2pid in $c2_pids; do
is_self "$c2pid" && continue
[ -d "/proc/$c2pid" ] || continue
local exe="$(readlink -f "/proc/$c2pid/exe" 2>/dev/null || echo "")"
[ -n "$exe" ] && mark_suspicious_file "$exe"
done
found=1
fi
local c2_pids
c2_pids="$(echo "$ss_output" | grep -oP 'pid=\K[0-9]+' | sort -u)"
for c2pid in $c2_pids; do
is_self "$c2pid" && continue
[ -d "/proc/$c2pid" ] || continue
local exe
exe="$(readlink -f "/proc/$c2pid/exe" 2>/dev/null || echo "")"
[ -n "$exe" ] && mark_suspicious_file "$exe"
done
found=1
fi
done
done
[ "$found" -eq 0 ] && log "SUCCESS" "[11/12] No active connections to known C2 domains found"
[ "$found" -eq 0 ] && log "SUCCESS" "[10/12] No active connections to known C2 domains found"
}

# ---- Check 12: Process-Specific Signatures --------------------------------
# ---- Check 11: Process-Specific Signatures --------------------------------
check_process_signatures() {
log "INFO" "[12/12] Checking specific processes for hardcoded BPFDoor file signatures"
log "INFO" "[11/12] Checking specific processes for hardcoded BPFDoor file signatures"
local found=0

local sig_checks=(
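Review bot: "Active Reverse Shell to BPFDoor C2" overstates what `ss -H -tnp state established dst "$ip"` shows: an established TCP connection to an address the C2 name currently resolves to, not a shell; the previous wording "Active connection to known BPFDoor C2" was accurate and should be kept. Three smaller points: (1) `in_cidr` is defined inside `is_global_ip`, and bash function definitions are always global, so it is redefined on every call and leaks into the script's namespace while silently depending on the caller's `ipnum`; move it to top level and pass `ipnum` as a second argument. (2) The IPv6 fast path only rejects `::1`, `::`, fc00::/7 and fe80::/10, so IPv4-mapped addresses such as `::ffff:10.0.0.1` take the v6 branch and are reported as global even when the embedded address is private; unmap them before the v4 CIDR math or add ::ffff:0:0/96 to the reject list. (3) Confirm that ss's filter parser accepts a bare IPv6 address after `dst`; if it needs brackets, wrap the address as `[$ip]` when it contains a colon. The `is_global_ip` skip itself is a good addition: a sinkholed C2 name resolving to 127.0.0.1 or RFC 1918 space would otherwise match unrelated local connections.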
@@ -689,6 +756,7 @@ check_process_signatures() {
for pid in $pids; do
is_self "$pid" && continue
[ -d "/proc/$pid" ] || continue
local exe_path=$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "unknown")
local path="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")"
[ -z "$path" ] && continue

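Review bot: unlike check 7 this path does not strip " (deleted)" from the `readlink -f` result, so for a process whose binary was unlinked `$path` ends in " (deleted)", no such file exists, and the signature grep silently skips the one process most worth looking at. Factor the resolve/strip/fall-back-to-`/proc/$pid/exe` logic into one helper and use it in checks 4, 7, 10 and 11 instead of re-implementing it per function.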
@@ -707,32 +775,44 @@ check_process_signatures() {
done
done

[ "$found" -eq 0 ] && log "SUCCESS" "[12/12] No hardcoded process signatures detected"
[ "$found" -eq 0 ] && log "SUCCESS" "[11/12] No hardcoded process signatures detected"
}

# ---- Optional: Basic persistence checks -----------------------------------
check_persistence() {
log "INFO" "[-] Basic persistence triage (cron, systemd, rc scripts)"

# 1. Define the regex ONCE (Safely removed the generic 'bpf' trap)
local persist_regex="bpfdoor|dbus-srv|hpasmmld|smartadm|hald-addon-volume"

# 2. Check Cron
for file in /etc/crontab /var/spool/cron/* /var/spool/cron/crontabs/*; do
[ -f "$file" ] || continue
if grep -E "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$file" 2>/dev/null | grep -q .; then
log "ALERT" "Suspicious entry in cron file: $file"
grep -E "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$file" 2>/dev/null | tee -a "$LOGFILE"
if grep -E "$persist_regex" "$file" 2>/dev/null | grep -q .; then
log "CRITICAL" "Suspicious persistence entry in cron: $file"
grep -HnE "$persist_regex" "$file" >> "$LOGFILE"
fi
done

# 3. Check Systemd
for dir in /etc/systemd/system /usr/lib/systemd/system /run/systemd/system; do
[ -d "$dir" ] || continue
if grep -rE "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$dir" 2>/dev/null | grep -q .; then
log "ALERT" "Suspicious pattern in systemd units under $dir"
# Grab the exact files that match, instead of blindly alerting on the directory
local matches="$(grep -rlE "$persist_regex" "$dir" 2>/dev/null || true)"
if [ -n "$matches" ]; then
for m in $matches; do
log "CRITICAL" "Suspicious persistence pattern found in systemd unit: $m"
# Log the exact line of code that triggered it to the report
grep -HnE "$persist_regex" "$m" >> "$LOGFILE"
done
fi
done

for rc in /etc/rc.local /etc/init.d; do
[ -e "$rc" ] || continue
if grep -rE "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$rc" 2>/dev/null | grep -q .; then
log "ALERT" "Suspicious pattern in rc script(s) under $rc"
# 4. Check RC / Init scripts
for rc in /etc/rc.local /etc/init.d/*; do
[ -f "$rc" ] || continue
if grep -E "$persist_regex" "$rc" 2>/dev/null | grep -q .; then
log "CRITICAL" "Suspicious persistence pattern in rc script: $rc"
grep -HnE "$persist_regex" "$rc" >> "$LOGFILE"
fi
done
}
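Review bot: the cron pass covers /etc/crontab and the spool directories but not /etc/cron.d/ or /etc/cron.{hourly,daily,weekly,monthly}/, which on Debian is where package- and admin-dropped jobs live and therefore the likeliest place for a persistence hook; add them to the `for file in` list. `for m in $matches` word-splits the `grep -rl` output, so a unit file with a space in its name is reported as two bogus paths and its matching lines are never logged; use `grep -rlZE "$persist_regex" "$dir" | while IFS= read -r -d '' m; do ...; done`. Dropping the bare `bpf` pattern is correct, it matched bpftrace, libbpf and any unit that mentions eBPF. Minor: the match lines go straight to `$LOGFILE` via `grep -HnE ... >> "$LOGFILE"` while the CRITICAL line goes through `log`, so the context never reaches the terminal; route both through the same path.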
@@ -760,9 +840,8 @@ main() {

echo
echo -e "${CYAN}[*] Scan complete. Report written to: ${LOGFILE}${NC}"
echo -e "${YELLOW}[!] Any CRITICAL or ALERT entries should be investigated promptly.${NC}"
echo -e "${YELLOW}[!] Any CRITICAL or ALERT entries should be investigated, considering there could be an acceptable rate of false positives depending on the execution environment.${NC}"
}

main "$@"

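Review bot: the new closing line is long and hedged for a terminal message; something like "Any CRITICAL or ALERT entries should be investigated; expect some false positives depending on the environment." says the same thing. More useful than the wording: nothing in this hunk sets an exit status, so a caller (cron, Ansible, an EDR job) cannot tell a clean run from one with CRITICAL findings; have main() exit non-zero when any check recorded a finding.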
+1 -1
@@ -8,7 +8,7 @@
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host : rockpi-4c
Host : rck
Date : 2026-03-27_13-28-27
Version: 1.1
==========================================================
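Review bot: generated reports (bpfdoor_report_<host>_<date>.log) should not be tracked in the repository: this one is only being touched to swap the hostname `rockpi-4c` for `rck`, and it still carries `Version: 1.1` while the script in the same range is now 1.2, so the sample no longer matches the code that produced it. Reports leak hostnames and, as the other report in this range shows, the exact library versions of the scanned host; add `bpfdoor_report_*.log` to .gitignore and, if a sample is wanted for the README, keep one redacted copy under a fixed name.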
@@ -0,0 +1,260 @@
|
||||
██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗
|
||||
██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║
|
||||
██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝
|
||||
██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝
|
||||
██║ ██║██║ ██║██║ ██║██████╔╝ ██║
|
||||
╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝
|
||||
M A L W A R E L A B S
|
||||
==========================================================
|
||||
Enhanced Linux BPFDoor Detection Script
|
||||
==========================================================
|
||||
Host : spk
|
||||
Date : 2026-03-27_12-55-37
|
||||
Version: 1.1
|
||||
==========================================================
|
||||
[2026-03-27 12:55:37] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
|
||||
[2026-03-27 12:55:37] [SUCCESS] [1/12] No known suspicious mutex/lock files found
|
||||
[2026-03-27 12:55:37] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
|
||||
[2026-03-27 12:55:37] [WARN] [2/12] /etc/sysconfig not present; skipping
|
||||
[2026-03-27 12:55:37] [INFO] [3/12] Inspecting BPF filters via ss -0pb
|
||||
Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
|
||||
p_raw 0 0 LLDP:ens4 * users:(("systemd-network",pid=329,fd=27))
|
||||
bpf filter (12): 0x20 0 0 0, 0x15 1 0 25215488, 0x06 0 0 0, 0x28 0 0 4, 0x15 3 0 0, 0x15 2 0 3, 0x15 1 0 14, 0x06 0 0 0, 0x28 0 0 12, 0x15 1 0 35020, 0x06 0 0 0, 0x06 0 0 4294967295,
|
||||
p_dgr 0 0 arp:* * users:(("charon-systemd",pid=232103,fd=7))
|
||||
bpf filter (12): 0x28 0 0 2, 0x15 0 9 2048, 0x30 0 0 4, 0x15 0 7 6, 0x30 0 0 5, 0x15 0 5 4, 0x28 0 0 6, 0x15 0 3 1, 0x80 0 0 0, 0x35 0 1 28, 0x06 0 0 28, 0x06 0 0 0,
|
||||
p_dgr 0 0 ip:* * users:(("charon-systemd",pid=232103,fd=22))
|
||||
bpf filter (19): 0x30 0 0 9, 0x15 0 16 17, 0x28 0 0 20, 0x15 0 14 67, 0x28 0 0 22, 0x15 2 0 68, 0x15 1 0 67, 0x05 0 0 10, 0x30 0 0 28, 0x15 0 8 2, 0x30 0 0 29, 0x15 0 6 1, 0x30 0 0 30, 0x15 0 4 6, 0x20 0 0 264, 0x15 0 2 1669485411, 0x80 0 0 0, 0x16 0 0 0, 0x06 0 0 0,
|
||||
p_dgr 0 0 ip:* * users:(("charon-systemd",pid=232103,fd=23))
|
||||
bpf filter (12): 0x30 0 0 4294963220, 0x15 0 2 0, 0x30 0 0 4294963208, 0x15 0 5 2, 0x20 0 0 16, 0x15 4 0 176422914, 0x15 3 0 4294967295, 0x54 0 0 4026531840, 0x15 1 0 3758096384, 0x06 0 0 0, 0x80 0 0 0, 0x16 0 0 0,
|
||||
[2026-03-27 12:55:37] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
|
||||
[2026-03-27 12:55:37] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
|
||||
[2026-03-27 12:55:37] [ALERT] Suspicious Socket detected: PID 232103 (/usr/sbin/charon-systemd) -> /usr/sbin/charon-systemd
|
||||
[2026-03-27 12:55:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/libcharon.so.0.0.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
b83980100004889c7ff50104885c00f8482000000836804014889c57429488b838001000
|
||||
100004c89e741ff542430663df4010f84820000004c89ef41ff5530663df40174754889d
|
||||
0084889c7ff5048f683ac010000020f84820000008b836c010000f30f6f83580100008b9
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/libstrongswan.so.0.0.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
b30e880e2fcff488b54243883f8ff0f84820000004c89efbeffffffffe815d8fcff488b3
|
||||
48830c24004881ece800000048898c244820000089fd4889f34c898424502000004c898c
|
||||
302550a0e08460b500e08001c000000d48200000014fdff3600000000450e108302550a0
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/libtnccs.so.0.0.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
f85400000000000008000000000000002133000000000000005500000000000008000000
|
||||
03000000000000000000000000000000213300000000000025330000000000002a330000
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/plugins/libstrongswan-connmark.so (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
1142684883c408c390f30f1efa488d0555110000c30f1f4000f30f1efa488d0555300000
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/plugins/libstrongswan-forecast.so (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
0498b47200f1184249000000048c7842482000000756470004889c7ff50304189c5498b4
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/plugins/libstrongswan-vici.so (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
88d35051701004889dfff5308488d8c24820000004889ea31c0488d35f31601004889dff
|
||||
e0fdfeff14000000000000001000000048200000ecfdfeff140000000000000010000000
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/ipsec/plugins/libstrongswan-x509.so (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
9c54889c731c0ff55004189c484c00f8482000000488b04244889e64889ef4989450031c
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
04885c0740f0fb64004c0e8043c020f8482000000f60571a60200017579488b04244885c
|
||||
15d415e415fc30fb61631c04885d20f84820000000fb6450184c00f84cc00000048c1e20
|
||||
d75cf83fa020f858b0000004084ed0f84820000004183fa0477bd0f1f8000000000418db
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:51] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
d100000e7100000f8100000ff100000051100000d110000161100001e110000241100002
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
800000085c00f84b300000083f8010f8482000000f6c3107437488d3d0e460000e8e9f7f
|
||||
-------------------------------
|
||||
[2026-03-27 12:55:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
000000000000001255000022000f00b0511000000000001e00000000000000c819000012
|
||||
00000000000001559000012000f00e02511000000000022000000000000004f7e0000120
|
||||
00000000000001b45000012000f0050051100000000002100000000000000f86b0000120
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:08] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libip4tc.so.2.0.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
00000000000000000000000000000006482000000000000eb00000000000000000000000
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:09] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
fffffd9eedb6c2430dbe9ddd97a0a0f8482000000ddd8eb06ddd80f1f4000d97c240edb6
|
||||
9d10f828f000000488b0c244809d10f848200000048be000000000000ff7fb902c0ffff4
|
||||
f0424660fefc9e84b8205004885c00f8482000000bf000c0000e8c8c7fdff660f6f4c244
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:16] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.40.0 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
0405010420440922106890004000000051100000000a1d00000048801226011004806448
|
||||
208608000000000045000000000000004820000012000d0080ee0400000000003a000000
|
||||
0000000000000d0fe10000000000000051100000000000800000000000000d0fe1000000
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:25] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libz.so.1.3.1 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
30000000f1181a00000004183f80b0f84820000000f1181b00000004183f80c74750f118
|
||||
b4129c84a8d3c1a4b8d741d0039c80f8482000000418d48ff4489c083f90676204a8b141
|
||||
984249c00000066034424406644898424820000004189f0668984249e00000031c085f67
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:26] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7 (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
0000080f9030f84a100000080f9010f848200000048c7c1ffffffff4084f6740c420fb64
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:32] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so (PID: 232103)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
04889eee8b694ffff4889c34885c00f84820000004c8920498b7538488d4838488d50304
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:33] [ALERT] Suspicious Socket detected: PID 329 (/usr/lib/systemd/systemd-networkd) -> /usr/lib/systemd/systemd-networkd
|
||||
[2026-03-27 12:56:33] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/locale/aa_DJ.utf8/LC_COLLATE (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
3e0b48000000003e0b48100000003e0b48200000003e0b48300000003e0b48400000003e
|
||||
3e0a48000000003e0a48100000003e0a48200000003e0a48300000003e0a48400000003e
|
||||
0000002d48000000002d48100000002d48200000002d48300000002d48400000002d4850
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:52] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/locale/aa_DJ.utf8/LC_CTYPE (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
40200000422000004420000046200000482000004a2000004c2000004e20000050200000
|
||||
7a3100007c3100007e31000080310000823100008431000086310000883100008a310000
|
||||
44200000000000004720000000000000482000000000000049200000000000004a200000
|
||||
-------------------------------
|
||||
[2026-03-27 12:56:55] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/systemd-networkd (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
000000000000000000000000000000000f27000012000000000000000000000000000000
|
||||
f1500000000000800000000000000b0e511000000000060cf15000000000008000000000
|
||||
a16000000000008000000000000004ff5110000000000400a16000000000008000000000
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:09] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
04885c0740f0fb64004c0e8043c020f8482000000f60571a60200017579488b04244885c
|
||||
15d415e415fc30fb61631c04885d20f84820000000fb6450184c00f84cc00000048c1e20
|
||||
d75cf83fa020f858b0000004084ed0f84820000004183fa0477bd0f1f8000000000418db
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:11] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
d100000e7100000f8100000ff100000051100000d110000161100001e110000241100002
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:12] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
9000200a541a60d1400000024000000b511000008000000aa11000000000000010000000
|
||||
400000024000000c011000008000000b511000000000000010000000b0002009112a60d1
|
||||
01000064488b042528000000488984244820000031c048c74424200000000048c7442428
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:15] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libbpf.so.1.5.0 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
04889df4889c6e89405ffff4885c00f84820000004989c44889e5eb170f1f004c89f2488
|
||||
8ffff31c0b9001000004889ef4c8d8c2482000000ba01000000be001000004c8d058a060
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:18] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
800000085c00f84b300000083f8010f8482000000f6c3107437488d3d0e460000e8e9f7f
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:19] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
000000000000001255000022000f00b0511000000000001e00000000000000c819000012
|
||||
00000000000001559000012000f00e02511000000000022000000000000004f7e0000120
|
||||
00000000000001b45000012000f0050051100000000002100000000000000f86b0000120
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:34] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libelf-0.192.so (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
f81f0000409bffff20200000c09bffff48200000909cffff78200000909dffffa8200000
|
||||
-------------------------------
|
||||
[2026-03-27 12:57:35] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 (PID: 329)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
9e6e80ec4fcff85c00f88c60000000f84820000004c8b7424104d85f60f84c2000000498
74989f4e84ef1fbff4989c64885db0f84820000004c8b2b4989df31ed4c89ef4d85ed750
00a0e18410e10420e08430b28000000b48200000028fdffc401000000450e108602410e1
-------------------------------
[2026-03-27 12:57:39] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 329)
------- HEXDUMP CONTEXT -------
fffffd9eedb6c2430dbe9ddd97a0a0f8482000000ddd8eb06ddd80f1f4000d97c240edb6
9d10f828f000000488b0c244809d10f848200000048be000000000000ff7fb902c0ffff4
f0424660fefc9e84b8205004885c00f8482000000bf000c0000e8c8c7fdff660f6f4c244
-------------------------------
[2026-03-27 12:57:46] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.14.0 (PID: 329)
------- HEXDUMP CONTEXT -------
c000000e947e9ffff4c8b7c2428c70424820000004c8bb424800000004983c702e908cff
fff488b4424388078010a8b44240c0f84820000004139c50f8d7ba2ffff83c3014983c40
f1f84000000000066900fb61084d20f84820000008d4a9080f921770d0fb6c948630c8e4
-------------------------------
[2026-03-27 12:57:52] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libseccomp.so.2.6.0 (PID: 329)
------- HEXDUMP CONTEXT -------
8c7402800000000488b7f184885ff0f8482000000488b064885c074d2448b0feb1266662
8c7402800000000488b7f184885ff0f8482000000488b064885c074d2448b4f04eb11666
-------------------------------
[2026-03-27 12:57:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libz.so.1.3.1 (PID: 329)
------- HEXDUMP CONTEXT -------
30000000f1181a00000004183f80b0f84820000000f1181b00000004183f80c74750f118
b4129c84a8d3c1a4b8d741d0039c80f8482000000418d48ff4489c083f90676204a8b141
984249c00000066034424406644898424820000004189f0668984249e00000031c085f67
-------------------------------
[2026-03-27 12:57:54] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7 (PID: 329)
------- HEXDUMP CONTEXT -------
0000080f9030f84a100000080f9010f848200000048c7c1ffffffff4084f6740c420fb64
-------------------------------
[2026-03-27 12:58:01] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-257.so (PID: 329)
------- HEXDUMP CONTEXT -------
000000004f10000000000000501000005110000052100000531000005510000056100000
4f1100005011000051110000531100005511000000000000561100000000000000000000
000000080110000821100008311000085110000000000000000000087110000000000000
-------------------------------
[2026-03-27 12:58:33] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 12:58:34] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 12:58:34] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 12:58:34] [ALERT] [6/12] Potentially suspicious connections on historical BPFDoor ports:
tcp 0 0 10.132.0.2:43230 74.125.206.95:443 ESTABLISHED 659/google_guest_ag
[2026-03-27 12:58:34] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 12:58:38] [CRITICAL] [7/12] Process Masquerading Detected! PID=264 claims to be '/usr/lib/systemd/systemd-journald' but is actually executing '/usr/lib/systemd/systemd-journald'
[2026-03-27 12:58:39] [CRITICAL] [7/12] Process Masquerading Detected! PID=615 claims to be '/sbin/agetty -o -- \u --noreset --noclear - linux' but is actually executing '/usr/sbin/agetty'
[2026-03-27 12:58:39] [CRITICAL] [7/12] Process Masquerading Detected! PID=616 claims to be '/sbin/agetty -o -- \u --noreset --noclear --keep-baud 115200,57600,38400,9600 - vt220' but is actually executing '/usr/sbin/agetty'
[2026-03-27 12:58:41] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 12:58:41] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-27 12:58:41] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 12:58:41] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 12:58:41] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 12:58:42] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks.
[2026-03-27 12:58:42] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 12:58:42] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 12:58:42] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/bin/google_guest_agent_manager
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/libcharon.so.0.0.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/libstrongswan.so.0.0.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/libtnccs.so.0.0.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/plugins/libstrongswan-connmark.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/plugins/libstrongswan-forecast.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/plugins/libstrongswan-vici.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/ipsec/plugins/libstrongswan-x509.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/locale/aa_DJ.utf8/LC_COLLATE
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/locale/aa_DJ.utf8/LC_CTYPE
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-journald
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-networkd
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libaudit.so.1.0.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libbpf.so.1.5.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libc.so.6
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libelf-0.192.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libip4tc.so.2.0.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libm.so.6
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.14.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libseccomp.so.2.6.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.40.0
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libz.so.1.3.1
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.7
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ossl-modules/legacy.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-257.so
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/sbin/agetty
[2026-03-27 12:58:42] [INFO] >>> Analyzing candidate binary: /usr/sbin/charon-systemd
[2026-03-27 12:58:42] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-27 12:58:42] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system
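Review bot: the [7/12] masquerading check compares the wrong values and every line it prints in this report is a false positive. PID=264 is flagged although the claimed and actual paths are the identical string '/usr/lib/systemd/systemd-journald', and PIDs 615 and 616 are flagged because the whole command line ('/sbin/agetty -o -- \u --noreset ...') is compared against the exe path, and because '/sbin' and '/usr/sbin' are the same directory on a merged-/usr system. Compare only argv[0], resolve both sides with `readlink -f` first, and reserve the CRITICAL level for an exe link that cannot be read or points at a deleted file rather than a path-spelling difference. The [6/12] ALERT has the same shape: the line `10.132.0.2:43230 74.125.206.95:443 ESTABLISHED 659/google_guest_ag` matches only because the outbound ephemeral source port 43230 happens to fall inside 42391-43390, so restrict the match to LISTEN sockets or to the peer port. The CRITICAL magic-byte lines for libc.so.6, libm.so.6 and the other libraries of PID 329 are the same false-positive class (the `0f8482000000` sequence recurring in the hexdump contexts is an ordinary `je` with a 32-bit displacement) and should be downgraded. Minor points: the steps run in the order [9/12], [11/12], [12/12], [10/12] and the persistence triage is labelled '[-]', so either fix the ordering or drop the counters; the [10/12] candidate list includes non-executables such as /usr/lib/locale/aa_DJ.utf8/LC_COLLATE and LC_CTYPE, so candidates should be filtered to ELF files; the [11/12] WARN should state which of 'dig' or 'ss' is actually missing; and the closing 'Suspicious pattern in systemd units under /usr/lib/systemd/system' ALERT should print the unit file and the matched pattern, otherwise the operator cannot act on it.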
@@ -0,0 +1,439 @@
██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗
██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║
██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝
██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝
██║ ██║██║ ██║██║ ██║██████╔╝ ██║
╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝
M A L W A R E L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host : thnk
Date : 2026-03-31_11-48-45
Version: 1.1
==========================================================
[2026-03-31 11:48:45] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-31 11:48:45] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-31 11:48:45] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-31 11:48:45] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-31 11:48:45] [INFO] [3/12] Inspecting BPF filters via ss -0pb
Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
p_dgr 0 0 [34958]:* * users:(("wpa_supplicant",pid=917,fd=12))
bpf filter (4): 0x30 0 0 4294963204, 0x15 1 0 3, 0x06 0 0 4294967295, 0x06 0 0 0,
p_dgr 0 0 [35085]:wlp61s0 * users:(("wpa_supplicant",pid=917,fd=13))
p_dgr 0 0 arp:wlp61s0 * users:(("NetworkManager",pid=908,fd=25))
[2026-03-31 11:48:45] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
[2026-03-31 11:48:46] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-31 11:48:46] [ALERT] Suspicious Socket detected: PID 908 (/usr/sbin/NetworkManager --no-daemon) -> /usr/sbin/NetworkManager
[2026-03-31 11:48:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wifi.so (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000002133000010000000000000000000000000000000
-------------------------------
[2026-03-31 11:48:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wwan.so (PID: 908)
------- HEXDUMP CONTEXT -------
effff0f1f400083fb02744b4d85f60f8482000000498b0649898424a8000000488d0de00
-------------------------------
[2026-03-31 11:48:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-wwan.so (PID: 908)
------- HEXDUMP CONTEXT -------
88945c8488b05b2b20000f64008200f848200000089d7e8c1adffff4989c44885c00f84a
-------------------------------
[2026-03-31 11:48:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 908)
------- HEXDUMP CONTEXT -------
10f854af8ffffe998feffff4939cc0f84820000000fb69154030000f6c2087576498b442
4000048894588e9eef7ffff4939cc0f84820000000fb69154030000f6c2087576498b442
b0f8481000000488975b04183fd020f848200000089da83e2018955c483f802740a89d98
-------------------------------
[2026-03-31 11:48:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 (PID: 908)
------- HEXDUMP CONTEXT -------
492000000488b88900000004885c90f8482000000488b46284883c04048c1e806741d31d
a4801c34889dee893f5ffff4885c00f8482000000418b56e8458b46d0498b7ec881e2ff0
5c00f848f000000488b78084885ff0f8482000000488d3535710100e8862fffff4c8b558
-------------------------------
[2026-03-31 11:48:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libbluetooth.so.3.19.12 (PID: 908)
------- HEXDUMP CONTEXT -------
406766b410fb645003c0174523c800f8482000000e8c53dffffc7004700000041bcfffff
411000000000000071002000000000005110000000000001110020000000000061100000
411000000000000e0100200000000001511000000000000eb10020000000000161100000
-------------------------------
[2026-03-31 11:48:51] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.1.0 (PID: 908)
------- HEXDUMP CONTEXT -------
35353535363636363737373738383838393939393a3a3a3a3b3b3b3b3c3c3c3c3d3d3d3d
3130303031303234313339343030303039393939636f6d6f6dc3a1736573746565737461
-------------------------------
[2026-03-31 11:48:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 908)
------- HEXDUMP CONTEXT -------
0f0811600000000000002000000000000f270000012001100c08c1400000000008600000
0000000000000547300002200110050b51100000000002000000000000000a3740000220
1000000000000a56f00001200110050b51100000000002000000000000000e27b0000120
-------------------------------
[2026-03-31 11:48:59] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 (PID: 908)
------- HEXDUMP CONTEXT -------
800000085c00f84b200000083f8010f8482000000f6c3107437488d3d1d440000e808f8f
-------------------------------
[2026-03-31 11:49:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.8.0 (PID: 908)
------- HEXDUMP CONTEXT -------
1498b4518c60300488945884d85f60f8482000000418b86d000000083f8040f844202000
b7dc0488b15a58405000fb6073c2f0f84820000003c5c747effd2488b7dc0498986a8040
9c6b80000004c8d3c0249837f18000f8482000000498b37498b7c2408e8c5a2feff85c07
-------------------------------
[2026-03-31 11:49:02] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4 (PID: 908)
------- HEXDUMP CONTEXT -------
54889e5534889f34883ec084885f60f848200000048393e742d488b5df8b9870c0000488
885ff0f84c60000004989f44885f60f84820000004889fb488b7f08e8ae4f0100808b000
f1efa554889e5534883ec084885ff0f84820000008b0570b002004889fb3987980000007
-------------------------------
[2026-03-31 11:49:04] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3 (PID: 908)
------- HEXDUMP CONTEXT -------
488b402085c074638d50ff89c05d81fa0f270000ba00000000480f43c2c3660f1f440000
3d488b402089c285c0745283e8015d3d0f270000b8000000000f43d089d0c30f1f800000
741f488b402089c285c0741e83e8013d0f270000410f43d4895324eba90f1f400031d2eb
-------------------------------
[2026-03-31 11:49:08] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8000.0 (PID: 908)
------- HEXDUMP CONTEXT -------
0000000000000ef1c010012000e0050d51100000000006202000000000000ade80000120
0000000000000631e010012000e0090e5110000000000840000000000000035760000120
0000000000000ee14010012000e002025110000000000990000000000000043440000120
-------------------------------
[2026-03-31 11:49:15] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8000.0 (PID: 908)
------- HEXDUMP CONTEXT -------
54885f60f841a0100008b460885c00f84820000000fb677144989fc4989d683f8ff75064
000f009c8894304e80affffff85c00f8482000000804b0402488b45e864482b042528000
74889dfe8b144feff4989c44885c00f84820000004489e64889dfb90100000029de488d1
-------------------------------
[2026-03-31 11:49:20] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0 (PID: 908)
------- HEXDUMP CONTEXT -------
2e0f8e830000004883f9627e454881fe511000007e3c660fefc0660fefc9f20f1015aca8
6c4983fe2e7e664983fe627e454881fb511000007e3c660fefc0660fefc9f20f10150fa6
000048837d10620f8eba0300004981ff511000000f8ead030000660fefc0660fefc9f20f
-------------------------------
[2026-03-31 11:49:23] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgnutls.so.30.37.1 (PID: 908)
------- HEXDUMP CONTEXT -------
0000000000000f29b000012000f00f045110000000000560700000000000030110000120
70b40900000000001a010000000000005572000012000f0040e70d0000000000ad050000
e1e00000000000800000000000000f065110000000000e0be1e000000000008000000000
-------------------------------
[2026-03-31 11:49:30] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8000.0 (PID: 908)
------- HEXDUMP CONTEXT -------
201445248050d45170b210210335180c48200000000df000000e00000000000000000000
0004889cf4889cbe87a90010085c00f8482000000488b050be303004c89e64589f84c89f
d85ed747a4c89e7e84a7a010085c00f8482000000488b73184939f574134c89e7e8e17b0
-------------------------------
[2026-03-31 11:49:31] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0 (PID: 908)
------- HEXDUMP CONTEXT -------
415c5dc30f1f4000488b7708498bbc2448200000ffd04883f8ff74344c8b63484885c074
c24c29e24885d27e7a488b7308498bbe482000004c01e641ffd54883f8ff75d3488b4320
a6682000000f11432031d231f6498bbe4820000041ffd54585ff752f31c04883c4085b41
-------------------------------
[2026-03-31 11:49:32] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2 (PID: 908)
------- HEXDUMP CONTEXT -------
885ff0f848e0000004989f44885f60f8482000000c707000000004989fd4989d64885d20
-------------------------------
[2026-03-31 11:49:34] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8 (PID: 908)
------- HEXDUMP CONTEXT -------
2311000011f00e00fe100000330a02005110000001ff0000f00f0000b79c0900920f0000
-------------------------------
[2026-03-31 11:49:35] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libidn2.so.0.4.0 (PID: 908)
------- HEXDUMP CONTEXT -------
480000002186201d481000002187a01d48200000201aa01d483000002163a01d48400000
50f000002063201d510000002019a01d511000002175a01d51200000202e201d51300000
a9a050f000000000105100000028aaa0511000000000105120000028aba0513000000000
-------------------------------
[2026-03-31 11:49:35] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1 (PID: 908)
------- HEXDUMP CONTEXT -------
8c1e702e8bad9ffff4889c64885c00f84820000004d63e44c8d05243f0200488d0d153f0
411000000110000041000000110000005110000011100000500000800000008040100080
-------------------------------
[2026-03-31 11:49:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3 (PID: 908)
------- HEXDUMP CONTEXT -------
84b80000004989c4488b05fa7d0900be48200000bf010000004989442408e8de24ffff48
b7d180f1104d0e8735bfcff4885c00f8482000000498b550049894518660fefc04c89e74
04983c5084a8b14294885d27463817a048200000075ea488b7a10e8b12efcff498b54240
-------------------------------
[2026-03-31 11:49:39] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200 (PID: 908)
------- HEXDUMP CONTEXT -------
0f87010100003de7030000766331d23d0f2700000f97c283c20501d34d8b65104d85e474
84c89e64c89f7e8b5fbffff83f8050f848200000083f8030f85b70000008d43fe4439e87
885f60f848e000000803e004989f60f84820000004989d44885d2747a48c702000000004
-------------------------------
[2026-03-31 11:49:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5 (PID: 908)
------- HEXDUMP CONTEXT -------
9498957204183fd030f86be110000e9b51100000f1f80000000004d8bb7b0020000418b9
08430b4c0a0c07084c0b00002800000048200000f465feff2103000000410e108602430d
-------------------------------
[2026-03-31 11:49:42] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 908)
------- HEXDUMP CONTEXT -------
3e00383f8010f84cb00000083f8020f848200000085c0743eff75d8ff75d0ff75c8ff75c
94dc8e8d767ffff4939dc488b4dc80f8482000000660f540522e1050066490f6eccf20f1
2f20f58cbf20f59c2f20f58c885d20f848200000066480f6ec0f20f59c8f20f58c1c30f1
-------------------------------
[2026-03-31 11:49:46] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmm-glib.so.0.10.0 (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000079110c00000000000805110000000000080000000000000062110c00000
0000010051100000000000800000000000000cdb40b00000
000002805110000000000080000000000000064160c00000
-------------------------------
[2026-03-31 11:49:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 (PID: 908)
------- HEXDUMP CONTEXT -------
5b8488b45c04c8b384d89fe4d85ff0f8482000000498b1e4885db747a41f6460c08743b4
000031c0e8bf07fdff4189c585c00f8955110000e83f00fdff8b004189c241f7da85c00f
-------------------------------
[2026-03-31 11:49:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnetplan.so.1 (PID: 908)
------- HEXDUMP CONTEXT -------
603b03000000000026000000000000005110000012000e00b01b03000000000030000000
885c00f84b4010000488b384885ff0f8482000000498db424d8000000e856b2ffff85c00
5c00f848f000000448b48084585c90f84820000004531e44c8d35d7bd020090488b004c8
-------------------------------
[2026-03-31 11:49:52] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0 (PID: 908)
------- HEXDUMP CONTEXT -------
4920000004989fde86adafeff85c00f848200000089de4c89efe828cbfeff4885c075734
-------------------------------
[2026-03-31 11:49:54] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.1 (PID: 908)
------- HEXDUMP CONTEXT -------
b19000000000008000000000000000605110000000000c81b19000000000008000000000
519000000000008000000000000000e05110000000000902519000000000008000000000
000002205110000000000b82519000000000008000000000
-------------------------------
[2026-03-31 11:49:58] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2 (PID: 908)
------- HEXDUMP CONTEXT -------
0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000
000000448c408000000400300000022951100000000c17f00000080000100000000c17f0
-------------------------------
[2026-03-31 11:50:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libresolv.so.2 (PID: 908)
------- HEXDUMP CONTEXT -------
d30000003de70300000f86d70000003d0f2700000f86db0000003d9f8601000f86df0000
-------------------------------
[2026-03-31 11:50:01] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libselinux.so.1 (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000005110000012000f00f07801000000000036000000
00f1f0085c90f848b00000083f92d0f848200000083f92e400f94c783f95f410f94c0440
04c89e7e8fe41ffff4989c54885c00f84820000004c89e14c89e231f64889c7e84244fff
-------------------------------
[2026-03-31 11:50:02] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libssh.so.4.9.6 (PID: 908)
------- HEXDUMP CONTEXT -------
4534889fb4883ec184c8b3f4885f60f848200000089ce4189d64189cde8235fffff85c07
44d8b6d00c745c4020000004d85ed0f8482000000498b7d08e8fb0efeff4989c64885c00
30a00004c8b00b9020000004d85c00f84820000004c895da84c896db04989dd4489e3458
-------------------------------
[2026-03-31 11:50:04] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0 (PID: 908)
------- HEXDUMP CONTEXT -------
f000000000f298510ffffff4885f60f84820000004885db0f84a9000000488d45104c8da
883ec084885ff746e4889f34885f60f8482000000f6471e1074144883be6001000000743
800004889830808000041807e08000f84820000004531ff498bb424a0000000488d48014
-------------------------------
[2026-03-31 11:50:06] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.3 (PID: 908)
------- HEXDUMP CONTEXT -------
0f82f30000004c29f34c8d63014981ff0f2700000f8f64080000b8102700004d01ff4939
85c00f844212000066490f6ec541c74548200000000f160523e000004889051ce000000f
6b504489635831dbe9d7fcffff488d350f2700004c89e7e89b48ffff85c00f84c3010000
-------------------------------
[2026-03-31 11:50:07] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libteamdctl.so.0.1.5 (PID: 908)
------- HEXDUMP CONTEXT -------
8020f8f54010000410fb6450184c00f84820000004531edeb184d85ed4d0f44ea410fb64
-------------------------------
[2026-03-31 11:50:07] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8 (PID: 908)
------- HEXDUMP CONTEXT -------
800004889830808000041807e08000f84820000004531ff498bb424a0000000488d48014
04c89fae89ef9ffff4189c483f8da0f848200000083f8db7c6583f8e7747885c00f8820f
7415641554154534883ec184885ff0f84820000004189f4488d35c18100004889fb4989d
-------------------------------
[2026-03-31 11:50:09] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libunistring.so.5.0.0 (PID: 908)
------- HEXDUMP CONTEXT -------
889fb4989f44889d74d89cf4d85c90f8482000000488d45b04889fe4889cf4889c248894
dff4c8b8510fcffff4885c04889c10f8482000000488b8500fcffff488d1c014d85ff742
0c30f1f440000f30f1efa8b0685c00f8482000000554889e541544989f453418b5424044
-------------------------------
[2026-03-31 11:50:13] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.9 (PID: 908)
------- HEXDUMP CONTEXT -------
975c8e86f16ffff488945b84885c00f84820000004889c3488b45c04c8bb0e80000004c8
b7d7c85ff0f858c000000837b1c020f8482000000498b8dc0000000498b95c8000000b80
34889fb85d20f85fb000000833e080f84820000004531c031c9488d35f46a000031d2e8d
-------------------------------
[2026-03-31 11:50:14] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libz.so.1.3 (PID: 908)
------- HEXDUMP CONTEXT -------
af81b0000be01000000ffd04885c00f8482000000ba010000004489e148894338d3e2c74
-------------------------------
[2026-03-31 11:50:15] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5 (PID: 908)
------- HEXDUMP CONTEXT -------
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
8470b002c000000a4270000d8c8f8fff511000000450e108602460d06428f034a8e048d0
-------------------------------
[2026-03-31 11:50:19] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/sbin/NetworkManager (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000004820000012000000000000000000000000000000
d3300000000000800000000000000a0f5110000000000880d33000000000008000000000
0000000000000010b516000000000000213300000000000800000000000000e097080000
-------------------------------
[2026-03-31 11:50:28] [ALERT] Suspicious Socket detected: PID 917 (/usr/sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev) -> /usr/sbin/wpa_supplicant
[2026-03-31 11:50:28] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 917)
------- HEXDUMP CONTEXT -------
10f854af8ffffe998feffff4939cc0f84820000000fb69154030000f6c2087576498b442
4000048894588e9eef7ffff4939cc0f84820000000fb69154030000f6c2087576498b442
b0f8481000000488975b04183fd020f848200000089da83e2018955c483f802740a89d98
-------------------------------
[2026-03-31 11:50:30] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 917)
------- HEXDUMP CONTEXT -------
0f0811600000000000002000000000000f270000012001100c08c1400000000008600000
0000000000000547300002200110050b51100000000002000000000000000a3740000220
1000000000000a56f00001200110050b51100000000002000000000000000e27b0000120
-------------------------------
[2026-03-31 11:50:36] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4 (PID: 917)
------- HEXDUMP CONTEXT -------
54889e5534889f34883ec084885f60f848200000048393e742d488b5df8b9870c0000488
885ff0f84c60000004989f44885f60f84820000004889fb488b7f08e8ae4f0100808b000
f1efa554889e5534883ec084885ff0f84820000008b0570b002004889fb3987980000007
-------------------------------
[2026-03-31 11:50:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3 (PID: 917)
------- HEXDUMP CONTEXT -------
488b402085c074638d50ff89c05d81fa0f270000ba00000000480f43c2c3660f1f440000
3d488b402089c285c0745283e8015d3d0f270000b8000000000f43d089d0c30f1f800000
741f488b402089c285c0741e83e8013d0f270000410f43d4895324eba90f1f400031d2eb
-------------------------------
[2026-03-31 11:50:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0 (PID: 917)
------- HEXDUMP CONTEXT -------
415c5dc30f1f4000488b7708498bbc2448200000ffd04883f8ff74344c8b63484885c074
c24c29e24885d27e7a488b7308498bbe482000004c01e641ffd54883f8ff75d3488b4320
a6682000000f11432031d231f6498bbe4820000041ffd54585ff752f31c04883c4085b41
-------------------------------
[2026-03-31 11:50:42] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5 (PID: 917)
------- HEXDUMP CONTEXT -------
9498957204183fd030f86be110000e9b51100000f1f80000000004d8bb7b0020000418b9
08430b4c0a0c07084c0b00002800000048200000f465feff2103000000410e108602430d
-------------------------------
[2026-03-31 11:50:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 917)
------- HEXDUMP CONTEXT -------
3e00383f8010f84cb00000083f8020f848200000085c0743eff75d8ff75d0ff75c8ff75c
94dc8e8d767ffff4939dc488b4dc80f8482000000660f540522e1050066490f6eccf20f1
2f20f58cbf20f59c2f20f58c885d20f848200000066480f6ec0f20f59c8f20f58c1c30f1
-------------------------------
[2026-03-31 11:50:46] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnl-3.so.200.26.0 (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
b0a000000000000011000000000000005110000012000e00b0080100000000004b000000
|
||||
-------------------------------
|
||||
[2026-03-31 11:50:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnl-route-3.so.200.26.0 (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
f0700000fb7ffe81aaeffff4885c00f8482000000488b7dc8498904244531c04885ff741
|
||||
00f8490000000e89b04feff4885c00f84820000004889c2488d351264010031c04c89e7e
|
||||
0100004989df4d29d74881bd70ebffff0f2700004d8d6f010f8f6b0b000048d1a570ebff
|
||||
-------------------------------
|
||||
[2026-03-31 11:50:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcsclite.so.1.0.0 (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
dc4e8d6eeffff85c07e52f645c6010f84820000004889da4c89e64489efe80aeeffff85c
|
||||
-------------------------------
|
||||
[2026-03-31 11:50:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libssl.so.3 (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
189c483f8017537498b7d104885ff0f84820000004889dee84a3affff85c00f95c04883c
|
||||
04989c6e82ed0feff4989c54885c00f84820000004c8d251b5b0500498d5424184d85f67
|
||||
049c78424500200002000000085c00f848200000049c784245002000000000000b801000
|
||||
-------------------------------
|
||||
[2026-03-31 11:50:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0 (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
f000000000f298510ffffff4885f60f84820000004885db0f84a9000000488d45104c8da
|
||||
883ec084885ff746e4889f34885f60f8482000000f6471e1074144883be6001000000743
|
||||
800004889830808000041807e08000f84820000004531ff498bb424a0000000488d48014
|
||||
-------------------------------
|
||||
[2026-03-31 11:50:56] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5 (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
|
||||
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
|
||||
8470b002c000000a4270000d8c8f8fff511000000450e108602460d06428f034a8e048d0
|
||||
-------------------------------
|
||||
[2026-03-31 11:51:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/sbin/wpa_supplicant (PID: 917)
|
||||
------- HEXDUMP CONTEXT -------
|
||||
053300000000000800000000000000704820000000000038053300000000000800000000
|
||||
053300000000000800000000000000f04820000000000048053300000000000800000000
|
||||
000000000000005e4a2d000000000050213300000000000800000000000000b19c2e0000
|
||||
-------------------------------
|
||||
[2026-03-31 11:51:09] [INFO] [5/12] Checking for suspicious environment variables
|
||||
[2026-03-31 11:51:11] [SUCCESS] [5/12] No processes with the full suspicious env var set found
|
||||
[2026-03-31 11:51:11] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
|
||||
[2026-03-31 11:51:11] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
|
||||
[2026-03-31 11:51:11] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
|
||||
[2026-03-31 11:51:24] [CRITICAL] [7/12] Process Masquerading Detected! PID=62 claims to be '[watchdogd]' but is actually executing '/proc/62/exe'
|
||||
[2026-03-31 11:51:31] [CRITICAL] [7/12] Process Masquerading Detected! PID=279 claims to be '/usr/lib/systemd/systemd-journald' but is actually executing '/usr/lib/systemd/systemd-journald'
|
||||
[2026-03-31 11:51:59] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
|
||||
[2026-03-31 11:51:59] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
|
||||
[2026-03-31 11:51:59] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
|
||||
[2026-03-31 11:51:59] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
|
||||
[2026-03-31 11:51:59] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
|
||||
[2026-03-31 11:52:00] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpussl.instanthq.com (204.16.169.54)
|
||||
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
|
||||
[2026-03-31 11:52:01] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpd.casacam.net (127.0.0.1)
|
||||
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
|
||||
[2026-03-31 11:52:01] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpupdate.ygto.com (127.0.0.1)
|
||||
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
|
||||
[2026-03-31 11:52:01] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
|
||||
[2026-03-31 11:52:01] [SUCCESS] [12/12] No hardcoded process signatures detected
|
||||
[2026-03-31 11:52:01] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
|
||||
[2026-03-31 11:52:01] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-journald
|
||||
[2026-03-31 11:52:01] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wifi.so
|
||||
[2026-03-31 11:52:01] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wwan.so
|
||||
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-wwan.so
|
||||
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
|
||||
[2026-03-31 11:52:02] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
|
||||
[2026-03-31 11:52:02] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
|
||||
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
|
||||
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libbluetooth.so.3.19.12
|
||||
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.1.0
|
||||
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libc.so.6
|
||||
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
|
||||
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.8.0
|
||||
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4
|
||||
[2026-03-31 11:52:04] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4
|
||||
[2026-03-31 11:52:04] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4
|
||||
[2026-03-31 11:52:04] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3
|
||||
[2026-03-31 11:52:04] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8000.0
|
||||
[2026-03-31 11:52:05] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8000.0
|
||||
[2026-03-31 11:52:05] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
|
||||
[2026-03-31 11:52:06] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
|
||||
[2026-03-31 11:52:06] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
|
||||
[2026-03-31 11:52:06] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgnutls.so.30.37.1
|
||||
[2026-03-31 11:52:06] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8000.0
|
||||
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
|
||||
[2026-03-31 11:52:07] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
|
||||
[2026-03-31 11:52:07] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
|
||||
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
|
||||
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8
|
||||
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libidn2.so.0.4.0
|
||||
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
|
||||
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
|
||||
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200
|
||||
[2026-03-31 11:52:08] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200
|
||||
[2026-03-31 11:52:08] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200
|
||||
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5
|
||||
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libm.so.6
|
||||
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmm-glib.so.0.10.0
|
||||
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0
|
||||
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnetplan.so.1
|
||||
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0
|
||||
[2026-03-31 11:52:09] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0
|
||||
[2026-03-31 11:52:09] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0
|
||||
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnl-3.so.200.26.0
|
||||
[2026-03-31 11:52:10] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnl-route-3.so.200.26.0
|
||||
[2026-03-31 11:52:10] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.1
|
||||
[2026-03-31 11:52:10] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
|
||||
[2026-03-31 11:52:11] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
|
||||
[2026-03-31 11:52:11] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
|
||||
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcsclite.so.1.0.0
|
||||
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libresolv.so.2
|
||||
[2026-03-31 11:52:11] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libresolv.so.2
|
||||
[2026-03-31 11:52:11] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libresolv.so.2
|
||||
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libselinux.so.1
|
||||
[2026-03-31 11:52:11] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libselinux.so.1
|
||||
[2026-03-31 11:52:11] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libselinux.so.1
|
||||
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libssh.so.4.9.6
|
||||
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libssl.so.3
|
||||
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
|
||||
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.3
|
||||
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libteamdctl.so.0.1.5
|
||||
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8
|
||||
[2026-03-31 11:52:12] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8
|
||||
[2026-03-31 11:52:12] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8
|
||||
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libunistring.so.5.0.0
|
||||
[2026-03-31 11:52:13] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.9
|
||||
[2026-03-31 11:52:13] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libz.so.1.3
|
||||
[2026-03-31 11:52:13] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5
|
||||
[2026-03-31 11:52:14] [INFO] >>> Analyzing candidate binary: /usr/sbin/NetworkManager
|
||||
[2026-03-31 11:52:15] [INFO] >>> Analyzing candidate binary: /usr/sbin/wpa_supplicant
|
||||
[2026-03-31 11:52:16] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
|
||||
[2026-03-31 11:52:16] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system
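Review bot: The CRITICAL results in this committed log all land on stock Debian libraries, systemd and NetworkManager components, and each one exposes a logic problem in the corresponding check rather than evidence about the host. The masquerading check (7/12) fires for PID 279 where the claimed and resolved paths are the identical string '/usr/lib/systemd/systemd-journald', and for PID 62 where the "true" path is the literal '/proc/62/exe', i.e. readlink returned nothing because kernel threads have no exe target; only alert when readlink yields a non-empty path that differs from the claimed one, and skip PIDs with an empty /proc/PID/exe. The C2 check (11/12) reports an "Active Reverse Shell" three times but prints only the ss header line ('Recv-Q Send-Q Local Address:Port Peer Address:PortProcess') with no connection rows, and two of the three domains resolved to 127.0.0.1; count connection rows only (ss -H suppresses the header) and treat a loopback resolution as a sinkholed or locally blocked domain, not as a live connection. The string check (10/12) escalates a bare '1234' substring match to CRITICAL for ld-linux, libdbus, libgmp, libresolv, libselinux and others; a four-digit sequence occurs in almost any binary and should not raise severity on its own. The magic-byte check flags libm, libssl, libsystemd and libzstd where the hexdump context shows the searched bytes inside ordinary x86-64 instruction encodings (0f 84 82 00 00 00 is a je with a 32-bit displacement), and in those lines the 48200000 sequence only occurs starting mid-byte, so matching against hexdump text is not byte-aligned; search the raw bytes instead (for example grep -obUaP with an escaped byte pattern) or require an even character offset in the hex string before reporting.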