ictoi/bpfdoor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Compare commits

base: ictoi/bpfdoor:ed2d402209d9c156e5bb9229b1b7a33d388b828a
Branches Tags
ictoi/bpfdoor:master
...
compare: ictoi/bpfdoor:master
Branches Tags
ictoi/bpfdoor:master

4 Commits
ed2d402209 ... master

Author SHA1 Message Date
Vaclav VESELY 2b434f8466 Upgrade to 1.2 2026-04-07 12:16:10 +02:00
Vaclav VESELY 2c073c9aa0 add thnk 2026-03-31 11:55:00 +02:00
Vaclav VESELY 653eeb215a Merge branch 'master' of https://git.ictoi.io/ictoi/bpfdoor 2026-03-30 10:31:08 +02:00
Vaclav VESELY 43a0c77d6d add readme 2026-03-30 10:30:50 +02:00
4 changed files with 623 additions and 50 deletions
Expand all files Collapse all files
README.md
+55
View File
@@ -0,0 +1,55 @@
# Security Audit of The Script via Gemini
## Prompt
Take the attached shell script and provide me a full security audit for it? Can it be harmfull for my Debian Linux system in any way? It should work as a BPFDoor detection only.
## Result
Here is a full security audit of the `bpfdoor.sh` script you provided.
**The short answer:** **No, this script is not harmful to your Debian Linux system.** It is a non-destructive, read-only diagnostic tool designed strictly to detect indicators of compromise (IoCs) associated with BPFDoor malware.
Here is the detailed breakdown of what the script does, how it operates, and a few minor bugs and compatibility notes for your Debian system.
### 1. File Modifications and System Impact (Read-Only)
The script is fundamentally **read-only** regarding your system's configuration and binaries.
* **No System Changes:** It does not use commands like `rm`, `mv`, `chmod` (to alter permissions), or `useradd`. It will not delete files, kill processes, or alter your firewall rules.
* **Logging:** The only file it creates or modifies is its own log file (`bpfdoor_report_<hostname>_<date>.log`) in the directory from which you execute the script.
* **Resource Usage:** The script performs some mildly intensive operations, such as running `hexdump` on memory maps (`check_maps_hex`) and using `grep` to scan binaries for signatures. However, the author included a safeguard (`[ "$size" -gt 5242880 ] && continue`) to skip files larger than 5MB, preventing accidental CPU or memory exhaustion.
### 2. Network Activity
The script does not "phone home," download external payloads, or send your data to a third party (no `curl` or `wget` commands are present).
The only network activity it generates is in the `check_c2_connections` function, where it uses `dig` to perform DNS lookups against four known BPFDoor Command & Control (C2) domains. It then cross-references those IP addresses with your active network connections using `ss`.
### 3. Privilege Requirements
The script enforces execution as `root` (`require_root` function). While running unknown scripts as root is generally risky, it is **strictly necessary** here. Without root privileges, the script cannot read other users' process memory (`/proc/<pid>/maps`), check environment variables of suspicious processes (`/proc/<pid>/environ`), or view low-level socket information via `ss -p`.
### 4. Code Quality and Minor Bugs
While the script is safe, it was likely stitched together from multiple sources and contains a few minor scripting flaws that won't harm your system, but might cause minor hiccups:
* **Undefined Variables:** In the `check_raw_and_packet_sockets` function, the script attempts to exclude itself from being flagged by checking against `$SELF_PID` and `$SELF_EXE`. However, these variables are never defined in the script (the author used `$SCRIPT_PID` globally instead). This won't break the script, but it might result in the script accidentally flagging itself during that specific check.
* **Path Parsing:** It uses `awk` and `sed` to parse process outputs and paths. If a legitimate binary path contains unusual characters or spaces, it might throw a harmless parsing error in the terminal.
### 5. Debian Linux Compatibility
The script is written in standard Bash, but there are a few things to keep in mind regarding your Debian system:
* **The `/etc/sysconfig` Check:** In the `check_autostart_files` function, the script looks for persistence hooks in `/etc/sysconfig`. This directory is native to Red Hat/CentOS/Fedora systems. On Debian, the equivalent is `/etc/default`. The script won't break (it safely checks if the directory exists first and skips it if not), but it means it is missing an autostart check specific to Debian architecture.
* **Dependencies:** To run successfully, ensure you have the required tools installed. Most are native to Debian, but you might need to install `dnsutils` (for `dig`), `net-tools` (for `netstat`), and `binutils` (for `strings`).
* *Command:* `sudo apt update && sudo apt install dnsutils net-tools binutils bsdmainutils iproute2 procps`
### Final Verdict
You are safe to run this on your Debian system. It is a well-intentioned, read-only hunting script. To execute it safely and collect the data:
1. Save it as `bpfdoor.sh`.
2. Make it executable: `chmod +x bpfdoor.sh`
3. Run it: `sudo ./bpfdoor.sh`
Review the generated `.log` file for any `ALERT` or `CRITICAL` tags. Keep in mind that as a heuristic script, it may generate false positives (flagging legitimate software that happens to act similarly to the malware), so use the results as a starting point for investigation rather than absolute proof of a breach.
bpfdoor.sh
+118 -39
View File
@@ -25,7 +25,7 @@
set -o pipefail set -o pipefail
VERSION="1.1" VERSION="1.2"
HOSTNAME="$(hostname)" HOSTNAME="$(hostname)"
DATE="$(date +%Y-%m-%d_%H-%M-%S)" DATE="$(date +%Y-%m-%d_%H-%M-%S)"
LOGFILE="bpfdoor_report_${HOSTNAME}_${DATE}.log" LOGFILE="bpfdoor_report_${HOSTNAME}_${DATE}.log"
@@ -80,7 +80,8 @@ SUSPICIOUS_PROCS=(
# The ACTUAL physical paths of legitimate daemons. If a process masquerades as one of # The ACTUAL physical paths of legitimate daemons. If a process masquerades as one of
# the above but isn't running from one of these files, it gets flagged. # the above but isn't running from one of these files, it gets flagged.
WHITELIST_EXES=( WHITELIST_EXES=(
"/sbin/agetty" "/sbin/auditd" "/sbin/mingetty" "/sbin/udevd" "/usr/sbin/agetty" "/usr/sbin/auditd" "/usr/sbin/mingetty" "/usr/sbin/udevd"
"/usr/lib/systemd/systemd-journald" "/usr/lib/systemd/systemd-machined" "/sbin/agetty" "/sbin/auditd" "/sbin/mingetty" "/sbin/udevd"
"/usr/bin/python" "/usr/bin/python2" "/usr/bin/python3" "/usr/bin/python" "/usr/bin/python2" "/usr/bin/python3"
"/usr/sbin/tuned" "/usr/lib/polkit-1/polkitd" "/usr/libexec/postfix/pickup" "/usr/sbin/tuned" "/usr/lib/polkit-1/polkitd" "/usr/libexec/postfix/pickup"
"/usr/libexec/postfix/master" "/usr/sbin/NetworkManager" "/usr/libexec/postfix/master" "/usr/sbin/NetworkManager"
@@ -96,7 +97,7 @@ SUSPICIOUS_STRINGS=(
"HISTFILE=/dev/null" "MYSQL_HISTFILE=/dev/null" "ttcompat" ":h:d:l:s:b:t:" "HISTFILE=/dev/null" "MYSQL_HISTFILE=/dev/null" "ttcompat" ":h:d:l:s:b:t:"
":f:wiunomc" ":f:x:wiuoc" "LibTomCrypt 1.17" ":f:wiunomc" ":f:x:wiuoc" "LibTomCrypt 1.17"
"Private key does not match the public certificate" "Private key does not match the public certificate"
"I5*AYbs@LdaWbsO" "3458" "8543" "1234" "I5*AYbs@LdaWbsO"
) )
KNOWN_C2_HOSTS=( KNOWN_C2_HOSTS=(
@@ -394,7 +395,10 @@ check_raw_and_packet_sockets() {
# Skip if it's this detection script # Skip if it's this detection script
[ "$exe_path" == "$SELF_EXE" ] && continue [ "$exe_path" == "$SELF_EXE" ] && continue
#exclude legitimate networking tools
if [[ "$exe_path" == *"/NetworkManager"* ]] || [[ "$exe_path" == *"/dhclient"* ]] || [[ "$exe_path" == *"/systemd-networkd"* ]]; then
continue
fi
local cmd_line=$(ps -p "$pid" -o args= 2>/dev/null | head -n1) local cmd_line=$(ps -p "$pid" -o args= 2>/dev/null | head -n1)
# If we got here, we found something # If we got here, we found something
@@ -519,14 +523,25 @@ check_process_masquerade() {
# 2. Unmask and Verify the suspect against the Whitelist # 2. Unmask and Verify the suspect against the Whitelist
if [ "$is_suspect" -eq 1 ]; then if [ "$is_suspect" -eq 1 ]; then
local exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" # Read the exact execution path from the kernel
local raw_exe="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")"
# Skip if no executable path can be resolved (e.g. kernel threads) # FIX 1: Strip the " (deleted)" suffix caused by legitimate package updates
[ -z "$exe" ] && continue local exe="${raw_exe%" (deleted)"}"
# Skip real kernel threads
if [[ -z "$exe" ]] || [[ "$raw_exe" == "/proc/$pid/exe" ]]; then
if [ ! -s "/proc/$pid/cmdline" ]; then
continue
fi
fi
local is_whitelisted=0 local is_whitelisted=0
for wl in "${WHITELIST_EXES[@]}"; do for wl in "${WHITELIST_EXES[@]}"; do
if [ "$exe" = "$wl" ]; then # FIX 2: Canonicalize the whitelist path to account for merged-/usr symlinks
local canonical_wl="$(readlink -m "$wl" 2>/dev/null || echo "$wl")"
if [ "$exe" = "$canonical_wl" ]; then
is_whitelisted=1 is_whitelisted=1
break break
fi fi
@@ -534,7 +549,7 @@ check_process_masquerade() {
# 3. Trap: It's a suspect name, but not running from a whitelisted binary file # 3. Trap: It's a suspect name, but not running from a whitelisted binary file
if [ "$is_whitelisted" -eq 0 ]; then if [ "$is_whitelisted" -eq 0 ]; then
log "CRITICAL" "[7/12] Process Masquerading Detected! PID=$pid claims to be '$args' but is actually executing '$exe'" log "CRITICAL" "[7/12] Process Masquerading Detected! PID=$pid claims to be '$args' but is actually executing '$raw_exe'"
mark_suspicious_file "$exe" mark_suspicious_file "$exe"
found=1 found=1
fi fi
@@ -599,13 +614,13 @@ check_kernel_stack() {
[ "$found" -eq 0 ] && log "SUCCESS" "[9/12] No processes blocking on suspicious packet socket kernel functions" [ "$found" -eq 0 ] && log "SUCCESS" "[9/12] No processes blocking on suspicious packet socket kernel functions"
} }
# ---- Check 10: Deep scan suspicious files (hash, strings, UPX packer) ----- # ---- Check 12: Deep scan suspicious files (hash, strings, UPX packer) -----
deep_scan_suspicious_files() { deep_scan_suspicious_files() {
log "INFO" "[10/12] Deep scanning candidate binaries (hash, strings, UPX packing)" log "INFO" "[12/12] Deep scanning candidate binaries (hash, strings, UPX packing)"
local uniq_files=($(printf "%s\n" "${SUSPICIOUS_FILES_TMP[@]}" | sort -u)) local uniq_files=($(printf "%s\n" "${SUSPICIOUS_FILES_TMP[@]}" | sort -u))
if [ "${#uniq_files[@]}" -eq 0 ]; then if [ "${#uniq_files[@]}" -eq 0 ]; then
log "INFO" "[10/12] No candidate binaries collected for deep scan" log "INFO" "[12/12] No candidate binaries collected for deep scan"
return return
fi fi
@@ -631,45 +646,97 @@ deep_scan_suspicious_files() {
done done
} }
# ---- Check 11: C2 Connections (DNS Resolving & SS Tracking) --------------- # ---- Helper: Check if IP is a globally routable address -------------------
is_global_ip() {
local ip="$1"
# 1. IPv6 FAST-PATH (Regex Bypass for performance and Bash compatibility)
if [[ "$ip" == *":"* ]]; then
# Filter common IPv6 sinkholes/local: ::1, ::, fc00::/7, fe80::/10
if [[ "$ip" == "::1" ]] || [[ "$ip" == "::" ]] || \
[[ "$ip" =~ ^[fF][cCdD] ]] || [[ "$ip" =~ ^[fF][eE][89aAbB] ]]; then
return 1
fi
return 0
fi
# 2. IPv4 CIDR MATH PATH
[[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return 1
local IFS='.' nums
read -r -a nums <<< "$ip"
for o in "${nums[@]}"; do (( o > 255 )) && return 1; done
local ipnum=$(( (nums[0] << 24) | (nums[1] << 16) | (nums[2] << 8) | nums[3] ))
in_cidr() {
local IFS='/' parts
read -r -a parts <<< "$1"
local IFS='.' net
read -r -a net <<< "${parts[0]}"
local netnum=$(( (net[0] << 24) | (net[1] << 16) | (net[2] << 8) | net[3] ))
local mask=$(( 0xFFFFFFFF << (32 - parts[1]) & 0xFFFFFFFF ))
(( (ipnum & mask) == (netnum & mask) ))
}
# Non-global ranges per IANA
local non_global=(
0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4
)
for cidr in "${non_global[@]}"; do
in_cidr "$cidr" && return 1
done
return 0
}
# ---- Check 10: C2 Connections (DNS Resolving & SS Tracking) ---------------
check_c2_connections() { check_c2_connections() {
log "INFO" "[11/12] Checking for active connections to known BPFDoor C2 domains" log "INFO" "[10/12] Checking for active connections to known BPFDoor C2 domains"
local found=0 local found=0
if ! cmd_exists dig || ! cmd_exists ss; then if ! cmd_exists dig || ! cmd_exists ss; then
log "WARN" "[11/12] 'dig' or 'ss' missing; skipping C2 connection checks." log "WARN" "[10/12] 'dig' or 'ss' missing; skipping C2 connection checks."
return return
fi fi
for host in "${KNOWN_C2_HOSTS[@]}"; do for host in "${KNOWN_C2_HOSTS[@]}"; do
local ips="$(dig +short "$host" A "$host" AAAA 2>/dev/null || true)" local ips
ips="$(dig +short "$host" A "$host" AAAA 2>/dev/null | grep -E '^[0-9a-fA-F:.]+$' | grep -E '\.|\:'|| true)"
for ip in $ips; do for ip in $ips; do
if [[ "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] || [[ "$ip" =~ ^[0-9a-fA-F:]+$ && "$ip" =~ .*[:].* ]]; then if ! is_global_ip "$ip"; then
local ss_output="$(ss -tnp state established dst "$ip" 2>/dev/null || true)" log "INFO" "Skipping non-global IP for $host: $ip (likely sinkhole/private)"
continue
fi
local ss_output
ss_output="$(ss -H -tnp state established dst "$ip" 2>/dev/null || true)"
if [ -n "$ss_output" ]; then if [ -n "$ss_output" ]; then
log "CRITICAL" "Active Reverse Shell to BPFDoor C2: $host ($ip)" log "CRITICAL" "Active connection to known BPFDoor C2: $host ($ip)"
echo "$ss_output" | tee -a "$LOGFILE" echo "$ss_output" | tee -a "$LOGFILE"
local c2_pids="$(echo "$ss_output" | grep -oP 'pid=\K[0-9]+' | sort -u)" local c2_pids
c2_pids="$(echo "$ss_output" | grep -oP 'pid=\K[0-9]+' | sort -u)"
for c2pid in $c2_pids; do for c2pid in $c2_pids; do
is_self "$c2pid" && continue is_self "$c2pid" && continue
[ -d "/proc/$c2pid" ] || continue [ -d "/proc/$c2pid" ] || continue
local exe="$(readlink -f "/proc/$c2pid/exe" 2>/dev/null || echo "")" local exe
exe="$(readlink -f "/proc/$c2pid/exe" 2>/dev/null || echo "")"
[ -n "$exe" ] && mark_suspicious_file "$exe" [ -n "$exe" ] && mark_suspicious_file "$exe"
done done
found=1 found=1
fi fi
fi
done done
done done
[ "$found" -eq 0 ] && log "SUCCESS" "[11/12] No active connections to known C2 domains found" [ "$found" -eq 0 ] && log "SUCCESS" "[10/12] No active connections to known C2 domains found"
} }
# ---- Check 11: Process-Specific Signatures --------------------------------
# ---- Check 12: Process-Specific Signatures --------------------------------
check_process_signatures() { check_process_signatures() {
log "INFO" "[12/12] Checking specific processes for hardcoded BPFDoor file signatures" log "INFO" "[11/12] Checking specific processes for hardcoded BPFDoor file signatures"
local found=0 local found=0
local sig_checks=( local sig_checks=(
@@ -689,6 +756,7 @@ check_process_signatures() {
for pid in $pids; do for pid in $pids; do
is_self "$pid" && continue is_self "$pid" && continue
[ -d "/proc/$pid" ] || continue [ -d "/proc/$pid" ] || continue
local exe_path=$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "unknown")
local path="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")" local path="$(readlink -f "/proc/$pid/exe" 2>/dev/null || echo "")"
[ -z "$path" ] && continue [ -z "$path" ] && continue
@@ -707,32 +775,44 @@ check_process_signatures() {
done done
done done
[ "$found" -eq 0 ] && log "SUCCESS" "[12/12] No hardcoded process signatures detected" [ "$found" -eq 0 ] && log "SUCCESS" "[11/12] No hardcoded process signatures detected"
} }
# ---- Optional: Basic persistence checks ----------------------------------- # ---- Optional: Basic persistence checks -----------------------------------
check_persistence() { check_persistence() {
log "INFO" "[-] Basic persistence triage (cron, systemd, rc scripts)" log "INFO" "[-] Basic persistence triage (cron, systemd, rc scripts)"
# 1. Define the regex ONCE (Safely removed the generic 'bpf' trap)
local persist_regex="bpfdoor|dbus-srv|hpasmmld|smartadm|hald-addon-volume"
# 2. Check Cron
for file in /etc/crontab /var/spool/cron/* /var/spool/cron/crontabs/*; do for file in /etc/crontab /var/spool/cron/* /var/spool/cron/crontabs/*; do
[ -f "$file" ] || continue [ -f "$file" ] || continue
if grep -E "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$file" 2>/dev/null | grep -q .; then if grep -E "$persist_regex" "$file" 2>/dev/null | grep -q .; then
log "ALERT" "Suspicious entry in cron file: $file" log "CRITICAL" "Suspicious persistence entry in cron: $file"
grep -E "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$file" 2>/dev/null | tee -a "$LOGFILE" grep -HnE "$persist_regex" "$file" >> "$LOGFILE"
fi fi
done done
# 3. Check Systemd
for dir in /etc/systemd/system /usr/lib/systemd/system /run/systemd/system; do for dir in /etc/systemd/system /usr/lib/systemd/system /run/systemd/system; do
[ -d "$dir" ] || continue [ -d "$dir" ] || continue
if grep -rE "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$dir" 2>/dev/null | grep -q .; then # Grab the exact files that match, instead of blindly alerting on the directory
log "ALERT" "Suspicious pattern in systemd units under $dir" local matches="$(grep -rlE "$persist_regex" "$dir" 2>/dev/null || true)"
if [ -n "$matches" ]; then
for m in $matches; do
log "CRITICAL" "Suspicious persistence pattern found in systemd unit: $m"
# Log the exact line of code that triggered it to the report
grep -HnE "$persist_regex" "$m" >> "$LOGFILE"
done
fi fi
done done
for rc in /etc/rc.local /etc/init.d; do # 4. Check RC / Init scripts
[ -e "$rc" ] || continue for rc in /etc/rc.local /etc/init.d/*; do
if grep -rE "bpf|dbus-srv|hpasmmld|smartadm|hald-addon-volume" "$rc" 2>/dev/null | grep -q .; then [ -f "$rc" ] || continue
log "ALERT" "Suspicious pattern in rc script(s) under $rc" if grep -E "$persist_regex" "$rc" 2>/dev/null | grep -q .; then
log "CRITICAL" "Suspicious persistence pattern in rc script: $rc"
grep -HnE "$persist_regex" "$rc" >> "$LOGFILE"
fi fi
done done
} }
@@ -760,9 +840,8 @@ main() {
echo echo
echo -e "${CYAN}[*] Scan complete. Report written to: ${LOGFILE}${NC}" echo -e "${CYAN}[*] Scan complete. Report written to: ${LOGFILE}${NC}"
echo -e "${YELLOW}[!] Any CRITICAL or ALERT entries should be investigated promptly.${NC}" echo -e "${YELLOW}[!] Any CRITICAL or ALERT entries should be investigated, considering there could be an acceptable rate of false positives depending on the execution environment.${NC}"
} }
main "$@" main "$@"
bpfdoor_report_rockpi-4c_2026-03-27_13-28-27.log → bpfdoor_report_rck_2026-03-27_13-28-27.log
+1 -1
View File
@@ -8,7 +8,7 @@
========================================================== ==========================================================
Enhanced Linux BPFDoor Detection Script Enhanced Linux BPFDoor Detection Script
========================================================== ==========================================================
Host : rockpi-4c Host : rck
Date : 2026-03-27_13-28-27 Date : 2026-03-27_13-28-27
Version: 1.1 Version: 1.1
========================================================== ==========================================================
bpfdoor_report_thnk_2026-03-31_11-48-45.log
+439
View File
@@ -0,0 +1,439 @@
██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗
██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║
██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝
██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝
██║ ██║██║ ██║██║ ██║██████╔╝ ██║
╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝
M A L W A R E L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host : thnk
Date : 2026-03-31_11-48-45
Version: 1.1
==========================================================
[2026-03-31 11:48:45] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-31 11:48:45] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-31 11:48:45] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-31 11:48:45] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-31 11:48:45] [INFO] [3/12] Inspecting BPF filters via ss -0pb
Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
p_dgr 0 0 [34958]:* * users:(("wpa_supplicant",pid=917,fd=12))
bpf filter (4): 0x30 0 0 4294963204, 0x15 1 0 3, 0x06 0 0 4294967295, 0x06 0 0 0,
p_dgr 0 0 [35085]:wlp61s0 * users:(("wpa_supplicant",pid=917,fd=13))
p_dgr 0 0 arp:wlp61s0 * users:(("NetworkManager",pid=908,fd=25))
[2026-03-31 11:48:45] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
[2026-03-31 11:48:46] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-31 11:48:46] [ALERT] Suspicious Socket detected: PID 908 (/usr/sbin/NetworkManager --no-daemon) -> /usr/sbin/NetworkManager
[2026-03-31 11:48:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wifi.so (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000002133000010000000000000000000000000000000
-------------------------------
[2026-03-31 11:48:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wwan.so (PID: 908)
------- HEXDUMP CONTEXT -------
effff0f1f400083fb02744b4d85f60f8482000000498b0649898424a8000000488d0de00
-------------------------------
[2026-03-31 11:48:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-wwan.so (PID: 908)
------- HEXDUMP CONTEXT -------
88945c8488b05b2b20000f64008200f848200000089d7e8c1adffff4989c44885c00f84a
-------------------------------
[2026-03-31 11:48:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 908)
------- HEXDUMP CONTEXT -------
10f854af8ffffe998feffff4939cc0f84820000000fb69154030000f6c2087576498b442
4000048894588e9eef7ffff4939cc0f84820000000fb69154030000f6c2087576498b442
b0f8481000000488975b04183fd020f848200000089da83e2018955c483f802740a89d98
-------------------------------
[2026-03-31 11:48:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 (PID: 908)
------- HEXDUMP CONTEXT -------
492000000488b88900000004885c90f8482000000488b46284883c04048c1e806741d31d
a4801c34889dee893f5ffff4885c00f8482000000418b56e8458b46d0498b7ec881e2ff0
5c00f848f000000488b78084885ff0f8482000000488d3535710100e8862fffff4c8b558
-------------------------------
[2026-03-31 11:48:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libbluetooth.so.3.19.12 (PID: 908)
------- HEXDUMP CONTEXT -------
406766b410fb645003c0174523c800f8482000000e8c53dffffc7004700000041bcfffff
411000000000000071002000000000005110000000000001110020000000000061100000
411000000000000e0100200000000001511000000000000eb10020000000000161100000
-------------------------------
[2026-03-31 11:48:51] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.1.0 (PID: 908)
------- HEXDUMP CONTEXT -------
35353535363636363737373738383838393939393a3a3a3a3b3b3b3b3c3c3c3c3d3d3d3d
3130303031303234313339343030303039393939636f6d6f6dc3a1736573746565737461
-------------------------------
[2026-03-31 11:48:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 908)
------- HEXDUMP CONTEXT -------
0f0811600000000000002000000000000f270000012001100c08c1400000000008600000
0000000000000547300002200110050b51100000000002000000000000000a3740000220
1000000000000a56f00001200110050b51100000000002000000000000000e27b0000120
-------------------------------
[2026-03-31 11:48:59] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 (PID: 908)
------- HEXDUMP CONTEXT -------
800000085c00f84b200000083f8010f8482000000f6c3107437488d3d1d440000e808f8f
-------------------------------
[2026-03-31 11:49:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.8.0 (PID: 908)
------- HEXDUMP CONTEXT -------
1498b4518c60300488945884d85f60f8482000000418b86d000000083f8040f844202000
b7dc0488b15a58405000fb6073c2f0f84820000003c5c747effd2488b7dc0498986a8040
9c6b80000004c8d3c0249837f18000f8482000000498b37498b7c2408e8c5a2feff85c07
-------------------------------
[2026-03-31 11:49:02] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4 (PID: 908)
------- HEXDUMP CONTEXT -------
54889e5534889f34883ec084885f60f848200000048393e742d488b5df8b9870c0000488
885ff0f84c60000004989f44885f60f84820000004889fb488b7f08e8ae4f0100808b000
f1efa554889e5534883ec084885ff0f84820000008b0570b002004889fb3987980000007
-------------------------------
[2026-03-31 11:49:04] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3 (PID: 908)
------- HEXDUMP CONTEXT -------
488b402085c074638d50ff89c05d81fa0f270000ba00000000480f43c2c3660f1f440000
3d488b402089c285c0745283e8015d3d0f270000b8000000000f43d089d0c30f1f800000
741f488b402089c285c0741e83e8013d0f270000410f43d4895324eba90f1f400031d2eb
-------------------------------
[2026-03-31 11:49:08] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8000.0 (PID: 908)
------- HEXDUMP CONTEXT -------
0000000000000ef1c010012000e0050d51100000000006202000000000000ade80000120
0000000000000631e010012000e0090e5110000000000840000000000000035760000120
0000000000000ee14010012000e002025110000000000990000000000000043440000120
-------------------------------
[2026-03-31 11:49:15] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8000.0 (PID: 908)
------- HEXDUMP CONTEXT -------
54885f60f841a0100008b460885c00f84820000000fb677144989fc4989d683f8ff75064
000f009c8894304e80affffff85c00f8482000000804b0402488b45e864482b042528000
74889dfe8b144feff4989c44885c00f84820000004489e64889dfb90100000029de488d1
-------------------------------
[2026-03-31 11:49:20] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0 (PID: 908)
------- HEXDUMP CONTEXT -------
2e0f8e830000004883f9627e454881fe511000007e3c660fefc0660fefc9f20f1015aca8
6c4983fe2e7e664983fe627e454881fb511000007e3c660fefc0660fefc9f20f10150fa6
000048837d10620f8eba0300004981ff511000000f8ead030000660fefc0660fefc9f20f
-------------------------------
[2026-03-31 11:49:23] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgnutls.so.30.37.1 (PID: 908)
------- HEXDUMP CONTEXT -------
0000000000000f29b000012000f00f045110000000000560700000000000030110000120
70b40900000000001a010000000000005572000012000f0040e70d0000000000ad050000
e1e00000000000800000000000000f065110000000000e0be1e000000000008000000000
-------------------------------
[2026-03-31 11:49:30] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8000.0 (PID: 908)
------- HEXDUMP CONTEXT -------
201445248050d45170b210210335180c48200000000df000000e00000000000000000000
0004889cf4889cbe87a90010085c00f8482000000488b050be303004c89e64589f84c89f
d85ed747a4c89e7e84a7a010085c00f8482000000488b73184939f574134c89e7e8e17b0
-------------------------------
[2026-03-31 11:49:31] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0 (PID: 908)
------- HEXDUMP CONTEXT -------
415c5dc30f1f4000488b7708498bbc2448200000ffd04883f8ff74344c8b63484885c074
c24c29e24885d27e7a488b7308498bbe482000004c01e641ffd54883f8ff75d3488b4320
a6682000000f11432031d231f6498bbe4820000041ffd54585ff752f31c04883c4085b41
-------------------------------
[2026-03-31 11:49:32] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2 (PID: 908)
------- HEXDUMP CONTEXT -------
885ff0f848e0000004989f44885f60f8482000000c707000000004989fd4989d64885d20
-------------------------------
[2026-03-31 11:49:34] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8 (PID: 908)
------- HEXDUMP CONTEXT -------
2311000011f00e00fe100000330a02005110000001ff0000f00f0000b79c0900920f0000
-------------------------------
[2026-03-31 11:49:35] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libidn2.so.0.4.0 (PID: 908)
------- HEXDUMP CONTEXT -------
480000002186201d481000002187a01d48200000201aa01d483000002163a01d48400000
50f000002063201d510000002019a01d511000002175a01d51200000202e201d51300000
a9a050f000000000105100000028aaa0511000000000105120000028aba0513000000000
-------------------------------
[2026-03-31 11:49:35] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1 (PID: 908)
------- HEXDUMP CONTEXT -------
8c1e702e8bad9ffff4889c64885c00f84820000004d63e44c8d05243f0200488d0d153f0
411000000110000041000000110000005110000011100000500000800000008040100080
-------------------------------
[2026-03-31 11:49:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3 (PID: 908)
------- HEXDUMP CONTEXT -------
84b80000004989c4488b05fa7d0900be48200000bf010000004989442408e8de24ffff48
b7d180f1104d0e8735bfcff4885c00f8482000000498b550049894518660fefc04c89e74
04983c5084a8b14294885d27463817a048200000075ea488b7a10e8b12efcff498b54240
-------------------------------
[2026-03-31 11:49:39] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200 (PID: 908)
------- HEXDUMP CONTEXT -------
0f87010100003de7030000766331d23d0f2700000f97c283c20501d34d8b65104d85e474
84c89e64c89f7e8b5fbffff83f8050f848200000083f8030f85b70000008d43fe4439e87
885f60f848e000000803e004989f60f84820000004989d44885d2747a48c702000000004
-------------------------------
[2026-03-31 11:49:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5 (PID: 908)
------- HEXDUMP CONTEXT -------
9498957204183fd030f86be110000e9b51100000f1f80000000004d8bb7b0020000418b9
08430b4c0a0c07084c0b00002800000048200000f465feff2103000000410e108602430d
-------------------------------
[2026-03-31 11:49:42] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 908)
------- HEXDUMP CONTEXT -------
3e00383f8010f84cb00000083f8020f848200000085c0743eff75d8ff75d0ff75c8ff75c
94dc8e8d767ffff4939dc488b4dc80f8482000000660f540522e1050066490f6eccf20f1
2f20f58cbf20f59c2f20f58c885d20f848200000066480f6ec0f20f59c8f20f58c1c30f1
-------------------------------
[2026-03-31 11:49:46] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmm-glib.so.0.10.0 (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000079110c00000000000805110000000000080000000000000062110c00000
0000010051100000000000800000000000000cdb40b00000
000002805110000000000080000000000000064160c00000
-------------------------------
[2026-03-31 11:49:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 (PID: 908)
------- HEXDUMP CONTEXT -------
5b8488b45c04c8b384d89fe4d85ff0f8482000000498b1e4885db747a41f6460c08743b4
000031c0e8bf07fdff4189c585c00f8955110000e83f00fdff8b004189c241f7da85c00f
-------------------------------
[2026-03-31 11:49:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnetplan.so.1 (PID: 908)
------- HEXDUMP CONTEXT -------
603b03000000000026000000000000005110000012000e00b01b03000000000030000000
885c00f84b4010000488b384885ff0f8482000000498db424d8000000e856b2ffff85c00
5c00f848f000000448b48084585c90f84820000004531e44c8d35d7bd020090488b004c8
-------------------------------
[2026-03-31 11:49:52] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0 (PID: 908)
------- HEXDUMP CONTEXT -------
4920000004989fde86adafeff85c00f848200000089de4c89efe828cbfeff4885c075734
-------------------------------
[2026-03-31 11:49:54] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.1 (PID: 908)
------- HEXDUMP CONTEXT -------
b19000000000008000000000000000605110000000000c81b19000000000008000000000
519000000000008000000000000000e05110000000000902519000000000008000000000
000002205110000000000b82519000000000008000000000
-------------------------------
[2026-03-31 11:49:58] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2 (PID: 908)
------- HEXDUMP CONTEXT -------
0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000
000000448c408000000400300000022951100000000c17f00000080000100000000c17f0
-------------------------------
[2026-03-31 11:50:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libresolv.so.2 (PID: 908)
------- HEXDUMP CONTEXT -------
d30000003de70300000f86d70000003d0f2700000f86db0000003d9f8601000f86df0000
-------------------------------
[2026-03-31 11:50:01] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libselinux.so.1 (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000005110000012000f00f07801000000000036000000
00f1f0085c90f848b00000083f92d0f848200000083f92e400f94c783f95f410f94c0440
04c89e7e8fe41ffff4989c54885c00f84820000004c89e14c89e231f64889c7e84244fff
-------------------------------
[2026-03-31 11:50:02] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libssh.so.4.9.6 (PID: 908)
------- HEXDUMP CONTEXT -------
4534889fb4883ec184c8b3f4885f60f848200000089ce4189d64189cde8235fffff85c07
44d8b6d00c745c4020000004d85ed0f8482000000498b7d08e8fb0efeff4989c64885c00
30a00004c8b00b9020000004d85c00f84820000004c895da84c896db04989dd4489e3458
-------------------------------
[2026-03-31 11:50:04] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0 (PID: 908)
------- HEXDUMP CONTEXT -------
f000000000f298510ffffff4885f60f84820000004885db0f84a9000000488d45104c8da
883ec084885ff746e4889f34885f60f8482000000f6471e1074144883be6001000000743
800004889830808000041807e08000f84820000004531ff498bb424a0000000488d48014
-------------------------------
[2026-03-31 11:50:06] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.3 (PID: 908)
------- HEXDUMP CONTEXT -------
0f82f30000004c29f34c8d63014981ff0f2700000f8f64080000b8102700004d01ff4939
85c00f844212000066490f6ec541c74548200000000f160523e000004889051ce000000f
6b504489635831dbe9d7fcffff488d350f2700004c89e7e89b48ffff85c00f84c3010000
-------------------------------
[2026-03-31 11:50:07] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libteamdctl.so.0.1.5 (PID: 908)
------- HEXDUMP CONTEXT -------
8020f8f54010000410fb6450184c00f84820000004531edeb184d85ed4d0f44ea410fb64
-------------------------------
[2026-03-31 11:50:07] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8 (PID: 908)
------- HEXDUMP CONTEXT -------
800004889830808000041807e08000f84820000004531ff498bb424a0000000488d48014
04c89fae89ef9ffff4189c483f8da0f848200000083f8db7c6583f8e7747885c00f8820f
7415641554154534883ec184885ff0f84820000004189f4488d35c18100004889fb4989d
-------------------------------
[2026-03-31 11:50:09] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libunistring.so.5.0.0 (PID: 908)
------- HEXDUMP CONTEXT -------
889fb4989f44889d74d89cf4d85c90f8482000000488d45b04889fe4889cf4889c248894
dff4c8b8510fcffff4885c04889c10f8482000000488b8500fcffff488d1c014d85ff742
0c30f1f440000f30f1efa8b0685c00f8482000000554889e541544989f453418b5424044
-------------------------------
[2026-03-31 11:50:13] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.9 (PID: 908)
------- HEXDUMP CONTEXT -------
975c8e86f16ffff488945b84885c00f84820000004889c3488b45c04c8bb0e80000004c8
b7d7c85ff0f858c000000837b1c020f8482000000498b8dc0000000498b95c8000000b80
34889fb85d20f85fb000000833e080f84820000004531c031c9488d35f46a000031d2e8d
-------------------------------
[2026-03-31 11:50:14] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libz.so.1.3 (PID: 908)
------- HEXDUMP CONTEXT -------
af81b0000be01000000ffd04885c00f8482000000ba010000004489e148894338d3e2c74
-------------------------------
[2026-03-31 11:50:15] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5 (PID: 908)
------- HEXDUMP CONTEXT -------
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
8470b002c000000a4270000d8c8f8fff511000000450e108602460d06428f034a8e048d0
-------------------------------
[2026-03-31 11:50:19] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/sbin/NetworkManager (PID: 908)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000004820000012000000000000000000000000000000
d3300000000000800000000000000a0f5110000000000880d33000000000008000000000
0000000000000010b516000000000000213300000000000800000000000000e097080000
-------------------------------
[2026-03-31 11:50:28] [ALERT] Suspicious Socket detected: PID 917 (/usr/sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev) -> /usr/sbin/wpa_supplicant
[2026-03-31 11:50:28] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 917)
------- HEXDUMP CONTEXT -------
10f854af8ffffe998feffff4939cc0f84820000000fb69154030000f6c2087576498b442
4000048894588e9eef7ffff4939cc0f84820000000fb69154030000f6c2087576498b442
b0f8481000000488975b04183fd020f848200000089da83e2018955c483f802740a89d98
-------------------------------
[2026-03-31 11:50:30] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 917)
------- HEXDUMP CONTEXT -------
0f0811600000000000002000000000000f270000012001100c08c1400000000008600000
0000000000000547300002200110050b51100000000002000000000000000a3740000220
1000000000000a56f00001200110050b51100000000002000000000000000e27b0000120
-------------------------------
[2026-03-31 11:50:36] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4 (PID: 917)
------- HEXDUMP CONTEXT -------
54889e5534889f34883ec084885f60f848200000048393e742d488b5df8b9870c0000488
885ff0f84c60000004989f44885f60f84820000004889fb488b7f08e8ae4f0100808b000
f1efa554889e5534883ec084885ff0f84820000008b0570b002004889fb3987980000007
-------------------------------
[2026-03-31 11:50:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3 (PID: 917)
------- HEXDUMP CONTEXT -------
488b402085c074638d50ff89c05d81fa0f270000ba00000000480f43c2c3660f1f440000
3d488b402089c285c0745283e8015d3d0f270000b8000000000f43d089d0c30f1f800000
741f488b402089c285c0741e83e8013d0f270000410f43d4895324eba90f1f400031d2eb
-------------------------------
[2026-03-31 11:50:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0 (PID: 917)
------- HEXDUMP CONTEXT -------
415c5dc30f1f4000488b7708498bbc2448200000ffd04883f8ff74344c8b63484885c074
c24c29e24885d27e7a488b7308498bbe482000004c01e641ffd54883f8ff75d3488b4320
a6682000000f11432031d231f6498bbe4820000041ffd54585ff752f31c04883c4085b41
-------------------------------
[2026-03-31 11:50:42] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5 (PID: 917)
------- HEXDUMP CONTEXT -------
9498957204183fd030f86be110000e9b51100000f1f80000000004d8bb7b0020000418b9
08430b4c0a0c07084c0b00002800000048200000f465feff2103000000410e108602430d
-------------------------------
[2026-03-31 11:50:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 917)
------- HEXDUMP CONTEXT -------
3e00383f8010f84cb00000083f8020f848200000085c0743eff75d8ff75d0ff75c8ff75c
94dc8e8d767ffff4939dc488b4dc80f8482000000660f540522e1050066490f6eccf20f1
2f20f58cbf20f59c2f20f58c885d20f848200000066480f6ec0f20f59c8f20f58c1c30f1
-------------------------------
[2026-03-31 11:50:46] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnl-3.so.200.26.0 (PID: 917)
------- HEXDUMP CONTEXT -------
b0a000000000000011000000000000005110000012000e00b0080100000000004b000000
-------------------------------
[2026-03-31 11:50:47] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libnl-route-3.so.200.26.0 (PID: 917)
------- HEXDUMP CONTEXT -------
f0700000fb7ffe81aaeffff4885c00f8482000000488b7dc8498904244531c04885ff741
00f8490000000e89b04feff4885c00f84820000004889c2488d351264010031c04c89e7e
0100004989df4d29d74881bd70ebffff0f2700004d8d6f010f8f6b0b000048d1a570ebff
-------------------------------
[2026-03-31 11:50:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcsclite.so.1.0.0 (PID: 917)
------- HEXDUMP CONTEXT -------
dc4e8d6eeffff85c07e52f645c6010f84820000004889da4c89e64489efe80aeeffff85c
-------------------------------
[2026-03-31 11:50:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libssl.so.3 (PID: 917)
------- HEXDUMP CONTEXT -------
189c483f8017537498b7d104885ff0f84820000004889dee84a3affff85c00f95c04883c
04989c6e82ed0feff4989c54885c00f84820000004c8d251b5b0500498d5424184d85f67
049c78424500200002000000085c00f848200000049c784245002000000000000b801000
-------------------------------
[2026-03-31 11:50:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0 (PID: 917)
------- HEXDUMP CONTEXT -------
f000000000f298510ffffff4885f60f84820000004885db0f84a9000000488d45104c8da
883ec084885ff746e4889f34885f60f8482000000f6471e1074144883be6001000000743
800004889830808000041807e08000f84820000004531ff498bb424a0000000488d48014
-------------------------------
[2026-03-31 11:50:56] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5 (PID: 917)
------- HEXDUMP CONTEXT -------
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
8470b002c000000a4270000d8c8f8fff511000000450e108602460d06428f034a8e048d0
-------------------------------
[2026-03-31 11:51:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/sbin/wpa_supplicant (PID: 917)
------- HEXDUMP CONTEXT -------
053300000000000800000000000000704820000000000038053300000000000800000000
053300000000000800000000000000f04820000000000048053300000000000800000000
000000000000005e4a2d000000000050213300000000000800000000000000b19c2e0000
-------------------------------
[2026-03-31 11:51:09] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-31 11:51:11] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-31 11:51:11] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-31 11:51:11] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
[2026-03-31 11:51:11] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-31 11:51:24] [CRITICAL] [7/12] Process Masquerading Detected! PID=62 claims to be '[watchdogd]' but is actually executing '/proc/62/exe'
[2026-03-31 11:51:31] [CRITICAL] [7/12] Process Masquerading Detected! PID=279 claims to be '/usr/lib/systemd/systemd-journald' but is actually executing '/usr/lib/systemd/systemd-journald'
[2026-03-31 11:51:59] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-31 11:51:59] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-31 11:51:59] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-31 11:51:59] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-31 11:51:59] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-31 11:52:00] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpussl.instanthq.com (204.16.169.54)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-31 11:52:01] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpd.casacam.net (127.0.0.1)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-31 11:52:01] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpupdate.ygto.com (127.0.0.1)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-31 11:52:01] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-31 11:52:01] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-31 11:52:01] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-31 11:52:01] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-journald
[2026-03-31 11:52:01] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wifi.so
[2026-03-31 11:52:01] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-device-plugin-wwan.so
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/NetworkManager/1.46.0/libnm-wwan.so
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-31 11:52:02] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-31 11:52:02] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libbluetooth.so.3.19.12
[2026-03-31 11:52:02] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1.1.0
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libc.so.6
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4.8.0
[2026-03-31 11:52:03] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4
[2026-03-31 11:52:04] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4
[2026-03-31 11:52:04] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4
[2026-03-31 11:52:04] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3
[2026-03-31 11:52:04] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0.8000.0
[2026-03-31 11:52:05] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8000.0
[2026-03-31 11:52:05] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
[2026-03-31 11:52:06] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
[2026-03-31 11:52:06] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgmp.so.10.5.0
[2026-03-31 11:52:06] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgnutls.so.30.37.1
[2026-03-31 11:52:06] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0.8000.0
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
[2026-03-31 11:52:07] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
[2026-03-31 11:52:07] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2.2
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libhogweed.so.6.8
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libidn2.so.0.4.0
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libk5crypto.so.3.1
[2026-03-31 11:52:07] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libkrb5.so.3.3
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200
[2026-03-31 11:52:08] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200
[2026-03-31 11:52:08] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libldap.so.2.0.200
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libm.so.6
[2026-03-31 11:52:08] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmm-glib.so.0.10.0
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnetplan.so.1
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0
[2026-03-31 11:52:09] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0
[2026-03-31 11:52:09] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libnghttp2.so.14.26.0
[2026-03-31 11:52:09] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnl-3.so.200.26.0
[2026-03-31 11:52:10] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libnl-route-3.so.200.26.0
[2026-03-31 11:52:10] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.1
[2026-03-31 11:52:10] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-31 11:52:11] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-31 11:52:11] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcsclite.so.1.0.0
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libresolv.so.2
[2026-03-31 11:52:11] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libresolv.so.2
[2026-03-31 11:52:11] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libresolv.so.2
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libselinux.so.1
[2026-03-31 11:52:11] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libselinux.so.1
[2026-03-31 11:52:11] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libselinux.so.1
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libssh.so.4.9.6
[2026-03-31 11:52:11] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libssl.so.3
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libsystemd.so.0.38.0
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libtasn1.so.6.6.3
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libteamdctl.so.0.1.5
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8
[2026-03-31 11:52:12] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8
[2026-03-31 11:52:12] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libudev.so.1.7.8
[2026-03-31 11:52:12] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libunistring.so.5.0.0
[2026-03-31 11:52:13] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.9
[2026-03-31 11:52:13] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libz.so.1.3
[2026-03-31 11:52:13] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5
[2026-03-31 11:52:14] [INFO] >>> Analyzing candidate binary: /usr/sbin/NetworkManager
[2026-03-31 11:52:15] [INFO] >>> Analyzing candidate binary: /usr/sbin/wpa_supplicant
[2026-03-31 11:52:16] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-31 11:52:16] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system