RAPID7
M A L W A R E   L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host   : rck
Date   : 2026-03-27_13-28-27
Version: 1.1
==========================================================
[2026-03-27 13:28:27] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 13:28:27] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 13:28:27] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 13:28:27] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 13:28:27] [INFO] [3/12] Inspecting BPF filters via ss -0pb
Netid Recv-Q Send-Q Local Address:Port Peer Address:Port Process
p_raw 0      0      LLDP:end0          *                 users:(("systemd-network",pid=697,fd=10))
[2026-03-27 13:28:27] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
[2026-03-27 13:28:27] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 13:28:27] [ALERT] Suspicious Socket detected: PID 697 (/lib/systemd/systemd-networkd) -> /usr/lib/systemd/systemd-networkd
[2026-03-27 13:28:27] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/gconv/gconv-modules.cache (PID: 697)
------- HEXDUMP CONTEXT -------
9730bd2d973000008e0cbd2d8231bd2d823100007e01bd2d092fbd2d092f0000c90fbd2d
-------------------------------
[2026-03-27 13:28:29] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libaudit.so.1.0.0 (PID: 697)
------- HEXDUMP CONTEXT -------
2f11000040110000471100004d110000551100005a110000621100006b11000073110000
9708000042080000280e0000af04000055110000650a000094090000a1080000120e0000
-------------------------------
[2026-03-27 13:28:32] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libblkid.so.1.1.0 (PID: 697)
------- HEXDUMP CONTEXT -------
c0002009612a60d140000002400000085110000080000007a11000000000000010000000
400000000000000901100000800000085110000000000000000000001000100f41000001
-------------------------------
[2026-03-27 13:28:45] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libcrypto.so.3 (PID: 697)
------- HEXDUMP CONTEXT -------
491000004b1000004d1000004e1000005110000000000000541000000000000000000000
0000000021100000311000000000000051100000611000007110000091100000c1100000
f1100001011000012110000141100001511000000000000181100001a1100001b1100001
-------------------------------
[2026-03-27 13:30:37] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libc.so.6 (PID: 697)
------- HEXDUMP CONTEXT -------
10000000000008765000012000c005025110000000000a40500000000000049390000120
0000000000000dd43000012000c00b0d51100000000001000000000000000a3440000120
0000000000000b963000012000c00c0d511000000000008000000000000001d6c0000120
-------------------------------
[2026-03-27 13:31:18] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libgcrypt.so.20.4.1 (PID: 697)
------- HEXDUMP CONTEXT -------
304000000000000f00d0400000000001823100000000000030400000000000070f803000
304000000000000500104000000000038231000000000000304000000000000c41004000
304000000000000286b0a000000000058231000000000000304000000000000386b0a000
-------------------------------
[2026-03-27 13:31:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libgpg-error.so.0.33.1 (PID: 697)
------- HEXDUMP CONTEXT -------
e41f000054b9feff20200000a0b9feff4820000000bafeff6820000020bafeff7c200000
-------------------------------
[2026-03-27 13:31:48] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/liblzma.so.5.4.1 (PID: 697)
------- HEXDUMP CONTEXT -------
0051001c00121f2400714813005426339352000080522633a37204000014f40304aa1f00
-------------------------------
[2026-03-27 13:31:54] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libmount.so.1.1.0 (PID: 697)
------- HEXDUMP CONTEXT -------
7d5d6d3d40e00410b0000003000000034820000088dfdff3401000000410e509d0a9e094
-------------------------------
[2026-03-27 13:32:06] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libm.so.6 (PID: 697)
------- HEXDUMP CONTEXT -------
10ea000000000000f8000000000000004820000022000d00409b0400000000001c000000
8820000d03afdff20820000e43afdff34820000003bfdff48820000103bfdff5c8200002
-------------------------------
[2026-03-27 13:32:21] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2 (PID: 697)
------- HEXDUMP CONTEXT -------
0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000
000000448c408000000400300000022951100000000c17f00000080000100000000c17f0
-------------------------------
[2026-03-27 13:32:36] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/libselinux.so.1 (PID: 697)
------- HEXDUMP CONTEXT -------
50060100000000007c010000000000005110000012000c00808001000000000044000000
-------------------------------
[2026-03-27 13:32:43] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-252.so (PID: 697)
------- HEXDUMP CONTEXT -------
4c1000004d1000004e100000000000005110000053100000000000005410000000000000
c1100001f110000221100002411000025110000000000002711000000000000281100000
000000000000000301100003111000035110000000000003611000000000000371100003
-------------------------------
[2026-03-27 13:34:08] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/locale/locale-archive (PID: 697)
------- HEXDUMP CONTEXT -------
40200000422000004420000046200000482000004a2000004c2000004e20000050200000
44200000000000004720000000000000482000000000000049200000000000004a200000
803100000000000081310000000000008231000000000000833100000000000084310000
-------------------------------
[2026-03-27 13:35:23] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/systemd-networkd (PID: 697)
------- HEXDUMP CONTEXT -------
000000000000000000000000000004cf51100000000004cf511000000000000000100000
000000000000000000000000000000004820000012000000000000000000000000000000
036170000000000030400000000000088231000000000005836170000000000030400000
-------------------------------
[2026-03-27 13:36:03] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 13:36:04] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 13:36:04] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 13:36:04] [ALERT] [6/12] Potentially suspicious connections on historical BPFDoor ports:
tcp   0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 1548039/docker-prox
tcp6  0 0 :::8000      :::*      LISTEN 1548047/docker-prox
[2026-03-27 13:36:05] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 13:36:19] [CRITICAL] [7/12] Process Masquerading Detected! PID=69 claims to be '[watchdogd]' but is actually executing '/proc/69/exe'
[2026-03-27 13:36:41] [CRITICAL] [7/12] Process Masquerading Detected! PID=1367 claims to be '/sbin/agetty -o -p -- \u --noclear - linux' but is actually executing '/usr/sbin/agetty'
[2026-03-27 13:36:41] [CRITICAL] [7/12] Process Masquerading Detected! PID=1368 claims to be '/sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - linux' but is actually executing '/usr/sbin/agetty'
[2026-03-27 13:36:58] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 13:36:58] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-27 13:36:58] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 13:36:58] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 13:36:58] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 13:36:58] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks.
[2026-03-27 13:36:58] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 13:36:58] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 13:36:58] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/bin/docker-proxy
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/gconv/gconv-modules.cache
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libaudit.so.1.0.0
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libblkid.so.1.1.0
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libcrypto.so.3
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libc.so.6
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libgcrypt.so.20.4.1
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libgpg-error.so.0.33.1
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/liblzma.so.5.4.1
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libmount.so.1.1.0
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libm.so.6
[2026-03-27 13:36:58] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/libselinux.so.1
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/aarch64-linux-gnu/systemd/libsystemd-shared-252.so
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/locale/locale-archive
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-networkd
[2026-03-27 13:36:59] [INFO] >>> Analyzing candidate binary: /usr/sbin/agetty
[2026-03-27 13:36:59] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-27 13:36:59] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system