██████╗  █████╗ ██████╗ ██╗██████╗ ███████╗
██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║
██████╔╝███████║██████╔╝██║██║  ██║    ██╔╝
██╔══██╗██╔══██║██╔═══╝ ██║██║  ██║   ██╔╝ 
██║  ██║██║  ██║██║     ██║██████╔╝   ██║  
╚═╝  ╚═╝╚═╝  ╚═╝╚═╝     ╚═╝╚═════╝    ╚═╝  
              M A L W A R E   L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host   : eve
Date   : 2026-03-27_13-23-32
Version: 1.1
==========================================================
[2026-03-27 13:23:32] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 13:23:32] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 13:23:32] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 13:23:32] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 13:23:32] [INFO] [3/12] Inspecting BPF filters via ss -0pb
Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
p_raw 0      0      LLDP:enp2s0        *                 users:(("systemd-network",pid=1036734,fd=17))
        bpf filter (12): 0x20 0 0 0, 0x15 1 0 25215488, 0x06 0 0 0, 0x28 0 0 4, 0x15 3 0 0, 0x15 2 0 3, 0x15 1 0 14, 0x06 0 0 0, 0x28 0 0 12, 0x15 1 0 35020, 0x06 0 0 0, 0x06 0 0 4294967295,
p_raw 0      0      LLDP:enp1s0        *                 users:(("systemd-network",pid=1036734,fd=18))
        bpf filter (12): 0x20 0 0 0, 0x15 1 0 25215488, 0x06 0 0 0, 0x28 0 0 4, 0x15 3 0 0, 0x15 2 0 3, 0x15 1 0 14, 0x06 0 0 0, 0x28 0 0 12, 0x15 1 0 35020, 0x06 0 0 0, 0x06 0 0 4294967295,
[2026-03-27 13:23:32] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
[2026-03-27 13:23:32] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 13:23:33] [ALERT] Suspicious Socket detected: PID 1036734 (/lib/systemd/systemd-networkd) -> /usr/lib/systemd/systemd-networkd
[2026-03-27 13:23:33] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/libsystemd-shared-249.so (PID: 1036734)
------- HEXDUMP CONTEXT -------
491000004e1000005010000000000000511000005310000056100000581000005b100000
000000000000008878000012000f000051100000000000b7010000000000005e20000012
3000000000000bc86000012000f00b04511000000000014010000000000000b440000120
-------------------------------
[2026-03-27 13:24:00] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/systemd-networkd (PID: 1036734)
------- HEXDUMP CONTEXT -------
00000000000009074090000000000086511000000000008000000000000001d910c00000
0000020651100000000000800000000000000507c0900000
000004865110000000000080000000000000024910c00000
-------------------------------
[2026-03-27 13:24:14] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 1036734)
------- HEXDUMP CONTEXT -------
f6ec009d80b85f8feffff660f62c70f8482000000410fb6872103000041899f2c0300006
10fb644240483e00f49837c2408000f8482000000b998fbffff488914240fa3c10f82880
5ffff4c89e731c0e8552fffff488db42482000000488d3d53160100e831f5ffff4c89e73
-------------------------------
[2026-03-27 13:24:17] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301 (PID: 1036734)
------- HEXDUMP CONTEXT -------
5ff746b66817ff82c7175634885d20f848200000085f6752e488b4708488947104883ef0
6817ff82c717577488d77f84885db0f848200000066817bf82c71757a488b5328b801000
-------------------------------
[2026-03-27 13:24:17] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 (PID: 1036734)
------- HEXDUMP CONTEXT -------
8fdffffe819f8ffff4989c74885c00f8482000000f605abd902001075314889efe85cf2f
2b1425280000000f85c30200004881c4482000005b5d415c415d415e415fc30f1f800000
58b6f0c418b5708450fafee4585ed0f8482000000410fb6470489c183e17f80f90574043
-------------------------------
[2026-03-27 13:24:20] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 1036734)
------- HEXDUMP CONTEXT -------
0000000000000571a000012000f00d0a5110000000000e801000000000000822a0000220
0000000000000535b000012000f0040a51100000000008a00000000000000ff600000120
0000000000000433e000022000f0040e51100000000000b00000000000000907a0000220
-------------------------------
[2026-03-27 13:24:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap.so.2.44 (PID: 1036734)
------- HEXDUMP CONTEXT -------
0d0970000000000000800000000000000f270000000000000d8970000000000000800000
0709a0000000000000800000000000000f270000000000000809a0000000000000800000
0d270000000000000de70000000000000f27000000000000007710000000000001971000
-------------------------------
[2026-03-27 13:24:42] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (PID: 1036734)
------- HEXDUMP CONTEXT -------
000000004b1000004d1000004e1000005110000052100000561000005710000058100000
f1000000211000003110000041100000511000006110000081100000a1100000b1100000
0000000221100002311000024110000251100000000000028110000291100002a1100002
-------------------------------
[2026-03-27 13:25:24] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4 (PID: 1036734)
------- HEXDUMP CONTEXT -------
913000000000008000000000000003805110000000000286913000000000008000000000
000008005110000000000306913000000000008000000000
00000c805110000000000386913000000000008000000000
-------------------------------
[2026-03-27 13:25:36] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1 (PID: 1036734)
------- HEXDUMP CONTEXT -------
085b5dc30f1f440000488b7708488bbd48200000ffd04883f8ff7435488b6b484885c074
4885d20f8ed6000000488b7308488bb8482000004801ee41ffd44883f8ff75cf488b4b20
0048c743280000000031d231f6488bb84820000041ffd44585ed744fe889d4ffff41bdff
-------------------------------
[2026-03-27 13:25:38] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libip4tc.so.2.0.0 (PID: 1036734)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000064820000000000000701000000000000000000000
-------------------------------
[2026-03-27 13:25:39] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5 (PID: 1036734)
------- HEXDUMP CONTEXT -------
04183fd0a0f84ac0000004183fd010f84820000008b550031c085d2740a80bdc80000000
801742b83f8020f840201000085c00f8482000000b80b0000004883c4185b5d415c415d4
408488306014883680801c64014ff0f8482000000488b0e4839cf75da5bb8010000005d4
-------------------------------
[2026-03-27 13:25:40] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 (PID: 1036734)
------- HEXDUMP CONTEXT -------
5bad701004889dfe8c91effff85c00f8482000000488d35ebe501004889dfe8b21effff8
0200100e95afdffff483debe027000f84820000007e4b483deeffc00074374c8d2d5c200
885ff0f848e000000803f004889fd0f848200000031f6e823d3fdff4989c44885c00f84b
-------------------------------
[2026-03-27 13:25:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 (PID: 1036734)
------- HEXDUMP CONTEXT -------
0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000
8bf00100000488b7010ff104885c00f8482000000498b5660488910498946604883c0104
b6c242848c1e003837c2418284488bc24820000000f94c280bc24810000008648898424a
-------------------------------
[2026-03-27 13:25:49] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8 (PID: 1036734)
------- HEXDUMP CONTEXT -------
04c897424584c8bb424f0000000c6842482000000008bb424e80000004c897424404c8bb
c395c24580f87f30600004589c1c6842482000000014183e00741c1e9034d29cb4c895c2
c2440010000488984245001000080bc248200000000741a488b442438488984242001000
-------------------------------
[2026-03-27 13:25:57] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 13:26:06] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 13:26:06] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 13:26:06] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
[2026-03-27 13:26:06] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 13:26:44] [CRITICAL] [7/12] Process Masquerading Detected! PID=1043 claims to be '/sbin/agetty -o -p -- \u --noclear tty1 linux' but is actually executing '/usr/sbin/agetty (deleted)'
[2026-03-27 13:29:14] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 13:29:14] [CRITICAL] PID: 1043 masquerading as 'agetty' running from a deleted file: /usr/sbin/agetty (deleted)
[2026-03-27 13:29:14] [WARN] PID: 1063, ProcessName: unattended-upgr, Exec: /usr/bin/python3.10 (deleted) (Deleted Binary)
[2026-03-27 13:29:14] [WARN] PID: 946, ProcessName: networkd-dispat, Exec: /usr/bin/python3.10 (deleted) (Deleted Binary)
[2026-03-27 13:29:14] [WARN] PID: 971, ProcessName: systemd-logind, Exec: /usr/lib/systemd/systemd-logind (deleted) (Deleted Binary)
[2026-03-27 13:29:14] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 13:29:14] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 13:29:14] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 13:29:15] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpussl.instanthq.com (204.16.169.54)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-27 13:29:16] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpd.casacam.net (127.0.0.1)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-27 13:29:16] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpupdate.ygto.com (127.0.0.1)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-27 13:29:16] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 13:29:16] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 13:29:16] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 13:29:16] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/libsystemd-shared-249.so
[2026-03-27 13:29:16] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-networkd
[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 13:29:17] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 13:29:17] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libacl.so.1.1.2301
[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libc.so.6
[2026-03-27 13:29:17] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libc.so.6
[2026-03-27 13:29:17] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libc.so.6
[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcap.so.2.44
[2026-03-27 13:29:17] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libcap.so.2.44
[2026-03-27 13:29:17] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libcap.so.2.44
[2026-03-27 13:29:17] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcrypto.so.3
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
[2026-03-27 13:29:18] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
[2026-03-27 13:29:18] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.3.4
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1
[2026-03-27 13:29:18] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1
[2026-03-27 13:29:18] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libip4tc.so.2.0.0
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.5
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
[2026-03-27 13:29:18] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
[2026-03-27 13:29:18] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
[2026-03-27 13:29:18] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libzstd.so.1.4.8
[2026-03-27 13:29:19] [INFO] >>> Analyzing candidate binary: /usr/sbin/agetty
[2026-03-27 13:29:19] [ALERT] String match '1234' found in /usr/sbin/agetty
[2026-03-27 13:29:19] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/sbin/agetty
[2026-03-27 13:29:19] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-27 13:29:19] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system