M A L W A R E   L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host   : vvm3
Date   : 2026-03-27_13-42-41
Version: 1.1
==========================================================
[2026-03-27 13:42:41] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 13:42:41] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 13:42:41] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 13:42:41] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 13:42:41] [INFO] [3/12] Inspecting BPF filters via ss -0pb
[2026-03-27 13:42:41] [WARN] [3/12] ss command not available; skipping BPF filter check
[2026-03-27 13:42:41] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 13:42:41] [SUCCESS] No suspicious RAW/packet socket usage detected
[2026-03-27 13:42:41] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 13:42:41] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 13:42:41] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 13:42:41] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
[2026-03-27 13:42:41] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 13:43:24] [SUCCESS] [7/12] No process masquerading detected
[2026-03-27 13:43:24] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 13:43:24] [SUCCESS] [8/12] No critical memory-resident/deleted binary execution found
[2026-03-27 13:43:24] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 13:43:24] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 13:43:24] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 13:43:24] [WARN] [11/12] 'dig' or 'ss' missing; skipping C2 connection checks.
[2026-03-27 13:43:24] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 13:43:24] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 13:43:24] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 13:43:24] [INFO] [10/12] No candidate binaries collected for deep scan
[2026-03-27 13:43:24] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)