Security Audit of The Script via Gemini
Prompt
Take the attached shell script and provide me with a full security audit of it. Can it be harmful for my Debian Linux system in any way? It should work as a BPFDoor detection only.
Result
Here is a full security audit of the bpfdoor.sh script you provided.
The short answer: No, this script is not harmful to your Debian Linux system. It is a non-destructive, read-only diagnostic tool designed strictly to detect indicators of compromise (IoCs) associated with BPFDoor malware.
Here is the detailed breakdown of what the script does, how it operates, and a few minor bugs and compatibility notes for your Debian system.
1. File Modifications and System Impact (Read-Only)
The script is fundamentally read-only regarding your system's configuration and binaries.
- No System Changes: It does not use commands like rm, mv, chmod (to alter permissions), or useradd. It will not delete files, kill processes, or alter your firewall rules.
- Logging: The only file it creates or modifies is its own log file (bpfdoor_report_<hostname>_<date>.log) in the directory from which you execute the script.
- Resource Usage: The script performs some mildly intensive operations, such as running hexdump on memory maps (check_maps_hex) and using grep to scan binaries for signatures. However, the author included a safeguard ([ "$size" -gt 5242880 ] && continue) to skip files larger than 5MB, preventing accidental CPU or memory exhaustion.
2. Network Activity
The script does not "phone home," download external payloads, or send your data to a third party (no curl or wget commands are present).
The only network activity it generates is in the check_c2_connections function, where it uses dig to perform DNS lookups against four known BPFDoor Command & Control (C2) domains. It then cross-references those IP addresses with your active network connections using ss.
3. Privilege Requirements
The script enforces execution as root (require_root function). While running unknown scripts as root is generally risky, it is strictly necessary here. Without root privileges, the script cannot read other users' process memory (/proc/<pid>/maps), check environment variables of suspicious processes (/proc/<pid>/environ), or view low-level socket information via ss -p.
4. Code Quality and Minor Bugs
While the script is safe, it was likely stitched together from multiple sources and contains a few minor scripting flaws that won't harm your system, but might cause minor hiccups:
- Undefined Variables: In the check_raw_and_packet_sockets function, the script attempts to exclude itself from being flagged by checking against $SELF_PID and $SELF_EXE. However, these variables are never defined in the script (the author used $SCRIPT_PID globally instead). This won't break the script, but it might result in the script accidentally flagging itself during that specific check.
- Path Parsing: It uses awk and sed to parse process outputs and paths. If a legitimate binary path contains unusual characters or spaces, it might throw a harmless parsing error in the terminal.
5. Debian Linux Compatibility
The script is written in standard Bash, but there are a few things to keep in mind regarding your Debian system:
- The /etc/sysconfig Check: In the check_autostart_files function, the script looks for persistence hooks in /etc/sysconfig. This directory is native to Red Hat/CentOS/Fedora systems. On Debian, the equivalent is /etc/default. The script won't break (it safely checks if the directory exists first and skips it if not), but it means it is missing an autostart check specific to Debian architecture.
- Dependencies: To run successfully, ensure you have the required tools installed. Most are native to Debian, but you might need to install dnsutils (for dig), net-tools (for netstat), and binutils (for strings).
- Command: sudo apt update && sudo apt install dnsutils net-tools binutils bsdmainutils iproute2 procps
Final Verdict
You are safe to run this on your Debian system. It is a well-intentioned, read-only hunting script. To execute it safely and collect the data:
- Save it as bpfdoor.sh.
- Make it executable: chmod +x bpfdoor.sh
- Run it: sudo ./bpfdoor.sh
Review the generated .log file for any ALERT or CRITICAL tags. Keep in mind that as a heuristic script, it may generate false positives (flagging legitimate software that happens to act similarly to the malware), so use the results as a starting point for investigation rather than absolute proof of a breach.
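As an added example that is not code from bpfdoor.sh or from the audit above, this shows how the self-exclusion the audit flags in check_raw_and_packet_sockets can be written without relying on undefined variables, and how a binary path can be resolved from /proc instead of being cut out of ps output with awk/sed. The function names is_self, exe_path and report_candidate are my own, and a Linux procfs is assumed.

```shell
#!/bin/sh
# Added example, not part of bpfdoor.sh. With `set -u`, reading an unset $SELF_PID
# would abort the script instead of silently comparing against an empty string,
# so the identity variable is defined before any check uses it.
set -u

SELF_PID=$$

# is_self PID: succeed (0) when PID is this script or one of its descendants, such
# as the subshell running `ss` or `grep`, so a check does not flag its own helpers.
# Comparing /proc/PID/exe against our own interpreter is deliberately not done:
# that would match every other shell process on the host and hide real findings.
is_self() {
    pid=$1
    while [ -n "$pid" ]; do
        [ "$pid" = "$SELF_PID" ] && return 0
        # stop at PID 1 or at anything that is not a positive number
        [ "$pid" -gt 1 ] 2>/dev/null || return 1
        # walk up the parent chain via /proc/PID/status (Linux procfs assumed)
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status" 2>/dev/null) || return 1
        [ -z "$ppid" ] && return 1
        pid=$ppid
    done
    return 1
}

# exe_path PID: resolve the running binary through the /proc symlink, so paths
# containing spaces stay intact. Prints nothing when the PID is gone or when the
# caller lacks permission to inspect it (the audit's reason for requiring root).
exe_path() {
    readlink -f "/proc/$1/exe" 2>/dev/null
}

# report_candidate PID: what a socket check does with a PID it has found.
# Returns 1 silently for our own process tree; otherwise prints one report line
# tagged ALERT (the tag the audit says the log uses) and returns 0.
report_candidate() {
    if is_self "$1"; then
        return 1
    fi
    exe=$(exe_path "$1")
    printf 'ALERT pid=%s exe=%s\n' "$1" "${exe:-unknown}"
    return 0
}
```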