Security Audit of The Script via Gemini

Prompt

Take the attached shell script and provide me with a full security audit for it. Can it be harmful for my Debian Linux system in any way? It should work as a BPFDoor detection only.

Result

Here is a full security audit of the bpfdoor.sh script you provided.

The short answer: No, this script is not harmful to your Debian Linux system. It is a non-destructive, read-only diagnostic tool designed strictly to detect indicators of compromise (IoCs) associated with BPFDoor malware.

Here is the detailed breakdown of what the script does, how it operates, and a few minor bugs and compatibility notes for your Debian system.

1. File Modifications and System Impact (Read-Only)

The script is fundamentally read-only regarding your system's configuration and binaries.

  • No System Changes: It does not use commands like rm, mv, chmod (to alter permissions), or useradd. It will not delete files, kill processes, or alter your firewall rules.
  • Logging: The only file it creates or modifies is its own log file (bpfdoor_report_<hostname>_<date>.log) in the directory from which you execute the script.
  • Resource Usage: The script performs some mildly intensive operations, such as running hexdump on memory maps (check_maps_hex) and using grep to scan binaries for signatures. However, the author included a safeguard ([ "$size" -gt 5242880 ] && continue) to skip files larger than 5MB, preventing accidental CPU or memory exhaustion.

2. Network Activity

The script does not "phone home," download external payloads, or send your data to a third party (no curl or wget commands are present). The only network activity it generates is in the check_c2_connections function, where it uses dig to perform DNS lookups against four known BPFDoor Command & Control (C2) domains. It then cross-references those IP addresses with your active network connections using ss.

3. Privilege Requirements

The script enforces execution as root (require_root function). While running unknown scripts as root is generally risky, it is strictly necessary here. Without root privileges, the script cannot read other users' process memory (/proc/<pid>/maps), check environment variables of suspicious processes (/proc/<pid>/environ), or view low-level socket information via ss -p.

4. Code Quality and Minor Bugs

While the script is safe, it was likely stitched together from multiple sources and contains a few minor scripting flaws that won't harm your system, but might cause minor hiccups:

  • Undefined Variables: In the check_raw_and_packet_sockets function, the script attempts to exclude itself from being flagged by checking against $SELF_PID and $SELF_EXE. However, these variables are never defined in the script (the author used $SCRIPT_PID globally instead). This won't break the script, but it might result in the script accidentally flagging itself during that specific check.
  • Path Parsing: It uses awk and sed to parse process outputs and paths. If a legitimate binary path contains unusual characters or spaces, it might throw a harmless parsing error in the terminal.

5. Debian Linux Compatibility

The script is written in standard Bash, but there are a few things to keep in mind regarding your Debian system:

  • The /etc/sysconfig Check: In the check_autostart_files function, the script looks for persistence hooks in /etc/sysconfig. This directory is native to Red Hat/CentOS/Fedora systems. On Debian, the equivalent is /etc/default. The script won't break (it safely checks if the directory exists first and skips it if not), but it means it is missing an autostart check specific to Debian architecture.
  • Dependencies: To run successfully, ensure you have the required tools installed. Most are native to Debian, but you might need to install dnsutils (for dig), net-tools (for netstat), and binutils (for strings).
  • Command: sudo apt update && sudo apt install dnsutils net-tools binutils bsdmainutils iproute2 procps

Final Verdict

You are safe to run this on your Debian system. It is a well-intentioned, read-only hunting script. To execute it safely and collect the data:

  1. Save it as bpfdoor.sh.
  2. Make it executable: chmod +x bpfdoor.sh
  3. Run it: sudo ./bpfdoor.sh

Review the generated .log file for any ALERT or CRITICAL tags. Keep in mind that as a heuristic script, it may generate false positives (flagging legitimate software that happens to act similarly to the malware), so use the results as a starting point for investigation rather than absolute proof of a breach.
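The audit above flags two things about the raw/packet-socket check: it needs root to follow other users' /proc/<pid>/fd links, and its self-exclusion relies on $SELF_PID and $SELF_EXE, which the script never defines. The following is an added example written for this page, not code from bpfdoor.sh or its author: it lists the processes owning an AF_PACKET socket (the socket type the audit is concerned with) by joining the inode column of /proc/net/packet against each process's fd links, and excludes the checking process by the globally defined SCRIPT_PID only. PROC_ROOT, make_fake_proc, and every PID, inode and path in the fake tree are assumptions constructed so the function can be exercised without root and without a real infection.

```shell
#!/bin/sh
# Added example, not code from the audited bpfdoor.sh: list the processes that
# own an AF_PACKET socket while excluding the checking process itself by PID.
# PROC_ROOT is an assumption introduced so the same function can be pointed at
# a constructed fake /proc tree for an offline run.

PROC_ROOT="${PROC_ROOT:-/proc}"
SCRIPT_PID="${SCRIPT_PID:-$$}"

# Print "pid exe" once for every process holding a socket inode listed in
# $PROC_ROOT/net/packet. Uses SCRIPT_PID for the self-exclusion instead of an
# undefined SELF_PID. On a live /proc, root is needed to read other users'
# fd and exe links; unreadable entries are skipped, not reported.
find_packet_socket_owners() {
    [ -r "$PROC_ROOT/net/packet" ] || return 0
    # /proc/net/packet columns: sk RefCnt Type Proto Iface R Rmem User Inode
    inodes=$(awk 'NR > 1 { print $NF }' "$PROC_ROOT/net/packet")
    [ -n "$inodes" ] || return 0
    for piddir in "$PROC_ROOT"/[0-9]*; do
        pid=${piddir##*/}
        [ "$pid" = "$SCRIPT_PID" ] && continue
        [ -d "$piddir/fd" ] || continue
        for fd in "$piddir"/fd/*; do
            [ -L "$fd" ] || continue
            target=$(readlink "$fd" 2>/dev/null) || continue
            case "$target" in
                socket:\[*\]) ;;
                *) continue ;;
            esac
            ino=${target#socket:?}       # strip "socket:["
            ino=${ino%?}                 # strip trailing "]"
            for want in $inodes; do
                if [ "$ino" = "$want" ]; then
                    exe=$(readlink "$piddir/exe" 2>/dev/null || echo '?')
                    printf '%s %s\n' "$pid" "$exe"
                    break 2              # one line per process
                fi
            done
        done
    done
}

# Build a constructed fake /proc tree (not a capture from a real host):
# pid 4242 holds packet socket inode 90210, pid 7 (standing in for the
# detection script's own shell) holds 90211, pid 99 holds an unrelated socket.
make_fake_proc() {
    root=$1
    mkdir -p "$root/net" "$root/4242/fd" "$root/7/fd" "$root/99/fd"
    {
        printf 'sk       RefCnt Type Proto  Iface R Rmem   User   Inode\n'
        printf '0000000000000000 3      3    0003   2     1 0      0      90210\n'
        printf '0000000000000000 3      3    0003   2     1 0      0      90211\n'
    } > "$root/net/packet"
    ln -s 'socket:[90210]' "$root/4242/fd/3"
    ln -s '/usr/local/bin/suspicious' "$root/4242/exe"
    ln -s 'socket:[90211]' "$root/7/fd/4"
    ln -s '/bin/bash' "$root/7/exe"
    ln -s 'socket:[55555]' "$root/99/fd/3"
}

# Demonstration on the constructed tree; pid 7 is excluded as "self", so only
# "4242 /usr/local/bin/suspicious" is printed. For a live run as root use
# PROC_ROOT=/proc (the default) and leave SCRIPT_PID at its default of $$.
demo() {
    tmp=$(mktemp -d) || return 1
    make_fake_proc "$tmp"
    ( PROC_ROOT=$tmp SCRIPT_PID=7 find_packet_socket_owners )
    rm -rf "$tmp"
}
demo
```

The exclusion is by PID only, on purpose: the $SELF_EXE check the audit mentions would, if it compared executable paths, also hide every other process running the same interpreter as the script, which is exactly the kind of process a shell-based implant could be. A hit from this function is still only a lead; tcpdump, dhclient and some monitoring agents legitimately hold packet sockets, so the next step is to inspect the process, not to kill it.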

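The audit describes check_c2_connections as resolving C2 domains with dig and cross-referencing the answers against ss. The script's own code is not reproduced here; the following is an added example that shows that cross-reference in working form. resolve_c2 takes the domains from its caller rather than hard-coding any, and the ss lines, addresses, PIDs and process names in sample_ss_output are constructed for the demonstration and are not indicators from any report.

```shell
#!/bin/sh
# Added example, not code from the audited bpfdoor.sh: resolve candidate C2
# domains and cross-reference the addresses with live `ss` output. Domain
# names are supplied by the caller; none are hard-coded here.

# Resolve each domain given as an argument to its IPv4 addresses, one per
# line, de-duplicated. Needs `dig` (dnsutils) and network access; it is not
# exercised by the offline demonstration at the bottom.
resolve_c2() {
    command -v dig >/dev/null 2>&1 || {
        echo 'dig not found (apt install dnsutils)' >&2
        return 1
    }
    for d in "$@"; do
        dig +short A "$d" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
    done | sort -u
}

# Read `ss -tn` or `ss -tnp` output on stdin and print every line whose peer
# address is one of the IPs given as arguments. Exit 0 if anything matched,
# 1 otherwise, so the function can drive an if/then in a larger script.
match_connections() {
    awk -v iplist="$*" '
      BEGIN { n = split(iplist, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
      $1 == "State" { next }            # header line printed when -H is absent
      NF >= 5 {
        peer = $5                       # State Recv-Q Send-Q Local Peer [Process]
        sub(/:[0-9]+$/, "", peer)       # drop the port
        gsub(/\[|\]/, "", peer)         # unwrap bracketed IPv6 peers
        if (peer in want) {
            print "ALERT peer " peer " matches a C2 address: " $0
            hits++
        }
      }
      END { exit ((hits > 0) ? 0 : 1) }'
}

# Constructed `ss -tnp` sample (not captured from a real host); 203.0.113.9
# and 2001:db8:c2::1 play the role of resolved C2 addresses.
sample_ss_output() {
    printf '%s\n' \
      'State Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
      'ESTAB 0 0 192.0.2.10:41234 203.0.113.9:443 users:(("updater",pid=1337,fd=5))' \
      'ESTAB 0 0 192.0.2.10:52001 198.51.100.7:22 users:(("ssh",pid=900,fd=4))' \
      'ESTAB 0 0 [2001:db8::10]:40000 [2001:db8:c2::1]:8000 users:(("nc",pid=2222,fd=3))'
}

# Live use, with whatever domains you treat as indicators (root for -p):
#   ips=$(resolve_c2 first-indicator.example second-indicator.example)
#   ss -Htnp | match_connections $ips && echo "investigate the listed PIDs"
# Offline demonstration: prints the two matching lines and exits 0.
demo() { sample_ss_output | match_connections 203.0.113.9 2001:db8:c2::1; }
demo
```

Two caveats a practitioner would add to this kind of check. First, running dig against known-malicious domains from the host under investigation generates DNS queries that your own resolver logs and alerting may flag, and that an intruder watching DNS could notice; resolving the indicator list on a separate machine and passing the addresses in is the quieter option. Second, the addresses behind a domain change over time and may point at a CDN or a sinkhole, so a match on IP alone is a lead to pull the process and its connection history, not proof of compromise, and a miss does not clear the host.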