bpfdoor/bpfdoor_report_lou_2026-03-27_13-26-28.log
2026-03-27 13:45:32 +01:00

██████╗ █████╗ ██████╗ ██╗██████╗ ███████╗
██╔══██╗██╔══██╗██╔══██╗██║██╔══██╗╚════██║
██████╔╝███████║██████╔╝██║██║ ██║ ██╔╝
██╔══██╗██╔══██║██╔═══╝ ██║██║ ██║ ██╔╝
██║ ██║██║ ██║██║ ██║██████╔╝ ██║
╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚═╝
M A L W A R E L A B S
==========================================================
Enhanced Linux BPFDoor Detection Script
==========================================================
Host : lou
Date : 2026-03-27_13-26-28
Version: 1.1
==========================================================
[2026-03-27 13:26:28] [INFO] [1/12] Checking /var/run for suspicious zero-byte mutex/lock files
[2026-03-27 13:26:28] [SUCCESS] [1/12] No known suspicious mutex/lock files found
[2026-03-27 13:26:28] [INFO] [2/12] Checking /etc/sysconfig for suspicious auto-start entries
[2026-03-27 13:26:28] [WARN] [2/12] /etc/sysconfig not present; skipping
[2026-03-27 13:26:28] [INFO] [3/12] Inspecting BPF filters via ss -0pb
Netid Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
p_raw 0 0 LLDP:eth0 * users:(("systemd-network",pid=2492445,fd=18))
bpf filter (12): 0x20 0 0 0, 0x15 1 0 25215488, 0x06 0 0 0, 0x28 0 0 4, 0x15 3 0 0, 0x15 2 0 3, 0x15 1 0 14, 0x06 0 0 0, 0x28 0 0 12, 0x15 1 0 35020, 0x06 0 0 0, 0x06 0 0 4294967295,
[2026-03-27 13:26:28] [SUCCESS] [3/12] No obvious BPFDoor-like BPF filters found
[2026-03-27 13:26:28] [INFO] [4/12] Checking RAW and packet socket usage (SOCK_RAW / SOCK_DGRAM)
[2026-03-27 13:26:28] [ALERT] Suspicious Socket detected: PID 2492445 (/usr/lib/systemd/systemd-networkd) -> /usr/lib/systemd/systemd-networkd
[2026-03-27 13:26:28] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/locale/C.utf8/LC_CTYPE (PID: 2492445)
------- HEXDUMP CONTEXT -------
40200000422000004420000046200000482000004a2000004c2000004e20000050200000
7a3100007c3100007e31000080310000823100008431000086310000883100008a310000
44200000000000004720000000000000482000000000000049200000000000004a200000
-------------------------------
[2026-03-27 13:26:33] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/locale/locale-archive (PID: 2492445)
------- HEXDUMP CONTEXT -------
40200000422000004420000046200000482000004a2000004c2000004e20000050200000
7a3100007c3100007e31000080310000823100008431000086310000883100008a310000
44200000000000004720000000000000482000000000000049200000000000004a200000
-------------------------------
[2026-03-27 13:27:06] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/systemd/systemd-networkd (PID: 2492445)
------- HEXDUMP CONTEXT -------
00000004885ff746e4889f34885f60f84820000004989fe4989d44889ce4889df488d55c
8897dc8488975c0488b7d184885db0f84820000004885ff0f8499000000488d356a310b0
5280000004c8955e84531d24885f60f84820000004d85c90f84990000004885c00f84b00
-------------------------------
[2026-03-27 13:27:24] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 (PID: 2492445)
------- HEXDUMP CONTEXT -------
10f854af8ffffe998feffff4939cc0f84820000000fb69154030000f6c2087576498b442
4000048894588e9eef7ffff4939cc0f84820000000fb69154030000f6c2087576498b442
b0f8481000000488975b04183fd020f848200000089da83e2018955c483f802740a89d98
-------------------------------
[2026-03-27 13:27:27] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0 (PID: 2492445)
------- HEXDUMP CONTEXT -------
492000000488b88900000004885c90f8482000000488b46284883c04048c1e806741d31d
a4801c34889dee893f5ffff4885c00f8482000000418b56e8458b46d0498b7ec881e2ff0
5c00f848f000000488b78084885ff0f8482000000488d3535710100e8862fffff4c8b558
-------------------------------
[2026-03-27 13:27:30] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libc.so.6 (PID: 2492445)
------- HEXDUMP CONTEXT -------
0f0811600000000000002000000000000f270000012001100c08c1400000000008600000
0000000000000547300002200110050b51100000000002000000000000000a3740000220
1000000000000a56f00001200110050b51100000000002000000000000000e27b0000120
-------------------------------
[2026-03-27 13:27:53] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0 (PID: 2492445)
------- HEXDUMP CONTEXT -------
800000085c00f84b200000083f8010f8482000000f6c3107437488d3d1d440000e808f8f
-------------------------------
[2026-03-27 13:27:54] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0 (PID: 2492445)
------- HEXDUMP CONTEXT -------
f11957dfeffff89c283e861410f1186051100000fb60401488d0d671f0200889572fefff
-------------------------------
[2026-03-27 13:27:56] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3 (PID: 2492445)
------- HEXDUMP CONTEXT -------
488b402085c074638d50ff89c05d81fa0f270000ba00000000480f43c2c3660f1f440000
3d488b402089c285c0745283e8015d3d0f270000b8000000000f43d089d0c30f1f800000
741f488b402089c285c0741e83e8013d0f270000410f43d4895324eba90f1f400031d2eb
-------------------------------
[2026-03-27 13:28:12] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0 (PID: 2492445)
------- HEXDUMP CONTEXT -------
415c5dc30f1f4000488b7708498bbc2448200000ffd04883f8ff74344c8b63484885c074
c24c29e24885d27e7a488b7308498bbe482000004c01e641ffd54883f8ff75d3488b4320
a6682000000f11432031d231f6498bbe4820000041ffd54585ff752f31c04883c4085b41
-------------------------------
[2026-03-27 13:28:13] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libkmod.so.2.4.1 (PID: 2492445)
------- HEXDUMP CONTEXT -------
9f20f828f01000083e3104b8d341e0f8482000000488d7e084531e40f1f00440fb60e49c
-------------------------------
[2026-03-27 13:28:15] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5 (PID: 2492445)
------- HEXDUMP CONTEXT -------
9498957204183fd030f86be110000e9b51100000f1f80000000004d8bb7b0020000418b9
08430b4c0a0c07084c0b00002800000048200000f465feff2103000000410e108602430d
-------------------------------
[2026-03-27 13:28:17] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libm.so.6 (PID: 2492445)
------- HEXDUMP CONTEXT -------
3e00383f8010f84cb00000083f8020f848200000085c0743eff75d8ff75d0ff75c8ff75c
94dc8e8d767ffff4939dc488b4dc80f8482000000660f540522e1050066490f6eccf20f1
2f20f58cbf20f59c2f20f58c885d20f848200000066480f6ec0f20f59c8f20f58c1c30f1
-------------------------------
[2026-03-27 13:28:28] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0 (PID: 2492445)
------- HEXDUMP CONTEXT -------
5b8488b45c04c8b384d89fe4d85ff0f8482000000498b1e4885db747a41f6460c08743b4
000031c0e8bf07fdff4189c585c00f8955110000e83f00fdff8b004189c241f7da85c00f
-------------------------------
[2026-03-27 13:28:32] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2 (PID: 2492445)
------- HEXDUMP CONTEXT -------
0000f2ec37c1c412182e514be465b10a9352000000000000000000000000000000000000
000000448c408000000400300000022951100000000c17f00000080000100000000c17f0
-------------------------------
[2026-03-27 13:28:39] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libselinux.so.1 (PID: 2492445)
------- HEXDUMP CONTEXT -------
000000000000000000000000000000005110000012000f00f07801000000000036000000
00f1f0085c90f848b00000083f92d0f848200000083f92e400f94c783f95f410f94c0440
04c89e7e8fe41ffff4989c54885c00f84820000004c89e14c89e231f64889c7e84244fff
-------------------------------
[2026-03-27 13:28:41] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5 (PID: 2492445)
------- HEXDUMP CONTEXT -------
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
9f3488b7dc04839fb730a8b3b393a0f84820000004c39f373080fb73b66393a7465488b7
8470b002c000000a4270000d8c8f8fff511000000450e108602460d06428f034a8e048d0
-------------------------------
[2026-03-27 13:28:50] [CRITICAL] Little-Endian Magic Bytes found in mapped file: /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-255.so (PID: 2492445)
------- HEXDUMP CONTEXT -------
f11000000000000211100002311000025110000000000000000000000000000261100002
211000000000000e411000000000000e51100000000000000000000e6110000e81100000
000000000000000000000000000000004820000012000000000000000000000000000000
-------------------------------
[2026-03-27 13:29:32] [INFO] [5/12] Checking for suspicious environment variables
[2026-03-27 13:29:33] [SUCCESS] [5/12] No processes with the full suspicious env var set found
[2026-03-27 13:29:33] [INFO] [6/12] Checking TCP ports 42391-43390 and 8000
[2026-03-27 13:29:33] [SUCCESS] [6/12] No connections on known suspicious BPFDoor ports
[2026-03-27 13:29:33] [INFO] [7/12] Checking for masqueraded processes (Verifying true execution paths)
[2026-03-27 13:29:37] [CRITICAL] [7/12] Process Masquerading Detected! PID=49 claims to be '[watchdogd]' but is actually executing '/proc/49/exe'
[2026-03-27 13:29:40] [CRITICAL] [7/12] Process Masquerading Detected! PID=884 claims to be '/sbin/agetty -o -p -- \u --noclear - linux' but is actually executing '/usr/sbin/agetty (deleted)'
[2026-03-27 13:29:44] [CRITICAL] [7/12] Process Masquerading Detected! PID=2492454 claims to be '/usr/lib/systemd/systemd-journald' but is actually executing '/usr/lib/systemd/systemd-journald'
[2026-03-27 13:29:49] [INFO] [8/12] Checking for processes executing deleted binaries (Fileless execution)
[2026-03-27 13:29:49] [WARN] PID: 781, ProcessName: networkd-dispat, Exec: /usr/bin/python3.12 (deleted) (Deleted Binary)
[2026-03-27 13:29:49] [WARN] PID: 791, ProcessName: systemd-logind, Exec: /usr/lib/systemd/systemd-logind (deleted) (Deleted Binary)
[2026-03-27 13:29:49] [CRITICAL] PID: 884 masquerading as 'agetty' running from a deleted file: /usr/sbin/agetty (deleted)
[2026-03-27 13:29:49] [WARN] PID: 908, ProcessName: unattended-upgr, Exec: /usr/bin/python3.12 (deleted) (Deleted Binary)
[2026-03-27 13:29:49] [INFO] [9/12] Checking kernel stacks for raw socket blocking (packet_recvmsg/wait_for_more_packets)
[2026-03-27 13:29:49] [SUCCESS] [9/12] No processes blocking on suspicious packet socket kernel functions
[2026-03-27 13:29:49] [INFO] [11/12] Checking for active connections to known BPFDoor C2 domains
[2026-03-27 13:29:50] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpussl.instanthq.com (204.16.169.54)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-27 13:29:50] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpd.casacam.net (127.0.0.1)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-27 13:29:50] [CRITICAL] Active Reverse Shell to BPFDoor C2: ntpupdate.ygto.com (127.0.0.1)
Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
[2026-03-27 13:29:50] [INFO] [12/12] Checking specific processes for hardcoded BPFDoor file signatures
[2026-03-27 13:29:50] [SUCCESS] [12/12] No hardcoded process signatures detected
[2026-03-27 13:29:50] [INFO] [10/12] Deep scanning candidate binaries (hash, strings, UPX packing)
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/locale/C.utf8/LC_CTYPE
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/locale/locale-archive
[2026-03-27 13:29:50] [ALERT] String match '1234' found in /usr/lib/locale/locale-archive
[2026-03-27 13:29:50] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/locale/locale-archive
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-journald
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/systemd/systemd-networkd
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 13:29:50] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 13:29:50] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libblkid.so.1.1.0
[2026-03-27 13:29:50] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libc.so.6
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
[2026-03-27 13:29:51] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
[2026-03-27 13:29:51] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.4.3
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
[2026-03-27 13:29:51] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
[2026-03-27 13:29:51] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.34.0
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libkmod.so.2.4.1
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/liblzma.so.5.4.5
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libm.so.6
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libmount.so.1.1.0
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-27 13:29:51] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-27 13:29:51] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.11.2
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libselinux.so.1
[2026-03-27 13:29:51] [ALERT] String match '1234' found in /usr/lib/x86_64-linux-gnu/libselinux.so.1
[2026-03-27 13:29:51] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/lib/x86_64-linux-gnu/libselinux.so.1
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/libzstd.so.1.5.5
[2026-03-27 13:29:51] [INFO] >>> Analyzing candidate binary: /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-255.so
[2026-03-27 13:29:52] [INFO] >>> Analyzing candidate binary: /usr/sbin/agetty
[2026-03-27 13:29:52] [ALERT] String match '1234' found in /usr/sbin/agetty
[2026-03-27 13:29:52] [CRITICAL] BPFDoor-like string pattern(s) found in /usr/sbin/agetty
[2026-03-27 13:29:52] [INFO] [-] Basic persistence triage (cron, systemd, rc scripts)
[2026-03-27 13:29:52] [ALERT] Suspicious pattern in systemd units under /usr/lib/systemd/system