Trojan scan

Latest Linux/BSD version (1.5.0)


Trojan scan is a simple shell script that performs simple but relatively effective checks for trojans, rootkits and other malware that may be using your server and network for unwanted (and possibly illegal) purposes. Since the script is relatively simple, don't expect it to catch them all, but it helps to find such programs on e.g. shared servers, where many users install many kinds of applications. These applications may introduce new vulnerabilities which, without a very alert sysadmin, might otherwise go undetected.

It works by listing all processes that use the Internet with the lsof command (using the -Pni flags). This list is then transformed into signatures of the form <process_name>:<protocol>:<port_number_in>:<port_number_out>:<user>. These signatures are then matched against the allowed processes defined in the configuration. If any running process has a signature that does not match an allowed signature, an email report is sent that includes ps, ls and optionally lsof output.

The script is relatively easy to use:

  1. Install into /usr/local/sbin/trojan-scan.sh
  2. Use the following to generate a default configuration:
       /usr/local/sbin/trojan-scan.sh -C /etc/trojan-scan/trojan-scan.conf
  3. Check, update and test the configuration (test using the -n flag). In trojan-scan.conf, configure the program paths (for lsof, sed, awk, etc.), the email address (RECIPIENTS), the allowed processes (ALLOWED) and, optionally, the MD5 of the lsof binary (LSOF_MD5; use the complete output of the md5/md5sum command), e.g.:
       echo "LSOF_MD5=\"`md5 \`which /usr/sbin/lsof\``\"" \
           >> /etc/trojan-scan/trojan-scan.conf
  4. Add to crontab using e.g.:
       */5 * * * * /usr/local/sbin/trojan-scan.sh -F
     This will run the script every 5 minutes and include the full lsof listing in the email report. (NB: depending on the load of your server you may need to increase this interval.)
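The LSOF_MD5 setting in step 3 exists because the whole scan trusts lsof's output; a rootkit that swaps in a doctored lsof hides its own sockets from every check that follows. The following is an added example of how such a pin can be verified before lsof is run. It is not trojan-scan's own code: it assumes md5sum (GNU) or md5 (BSD) is installed, and it compares only the hex digest, whereas trojan-scan's configuration stores the complete md5 command output. The pin only helps if the recorded digest is kept somewhere an intruder on the host cannot quietly update, e.g. on a read-only mount or an external monitoring box.

```shell
#!/bin/sh
# Added example, not part of trojan-scan: verify a pinned MD5 of the lsof
# binary so that a replaced lsof is noticed before its output is trusted.
# Assumptions: md5sum (GNU) or md5 (BSD) is available; the pin holds only
# the hex digest (trojan-scan itself stores the whole command output).

# file_md5 PATH: print the hex MD5 digest of PATH, portable across GNU/BSD.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        echo "file_md5: no md5sum or md5 tool found" >&2
        return 2
    fi
}

# lsof_is_trusted LSOF_PATH EXPECTED_HEX: 0 if the digest matches, 1 if it
# does not, 2 if no digest could be computed.
lsof_is_trusted() {
    actual=$(file_md5 "$1") || return 2
    [ "$actual" = "$2" ]
}

# Usage sketch (the path and digest below are placeholders, not real values):
#   LSOF=/usr/sbin/lsof
#   LSOF_MD5=<hex digest recorded when lsof was installed>
#   lsof_is_trusted "$LSOF" "$LSOF_MD5" \
#       || { echo "lsof checksum mismatch, refusing to scan" >&2; exit 1; }
```

A mismatch should abort the scan and be reported like any other finding: a silently skipped check is exactly what an intruder wants.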

Now that the script supports inbound/outbound configuration, it may be considered too strict, since it requires you either to list every program that makes outbound connections (e.g. DNS queries, web page requests or email), or to supply rules that always allow certain outbound connections. For example, to allow every process of every user to use DNS, use the following rule:
  ALLOWED="$ALLOWED !@any@!:UDP:!@any@!:53:!@any@!"
However, such a rule also covers any malware that communicates over UDP port 53, which then goes unreported.
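To make the signature matching described above concrete, here is an added example that is not trojan-scan's own code. It turns "lsof -Pni" style lines into <process_name>:<protocol>:<port_number_in>:<port_number_out>:<user> signatures and reports the ones no ALLOWED entry covers, including the wildcard DNS rule just shown. The conventions it assumes (port_in is the local port, port_out the remote port, "-" marks a socket with no remote end, !@any@! matches any field) are my reading of the text, not verified against the script, and the lsof output is constructed, not captured from a real host. The sample deliberately contains one process that uses UDP 53 (covered by the wildcard rule and therefore silent) and one with an unexpected outbound TCP connection, which is the only thing reported.

```shell
#!/bin/sh
# Added example (not trojan-scan's own code): build
# <process_name>:<protocol>:<port_in>:<port_out>:<user> signatures from
# "lsof -Pni" style output and report any not covered by ALLOWED.
# Assumed conventions: port_in is the local port, port_out the remote port,
# "-" marks a socket with no remote end (listener); "!@any@!" matches any field.

# Constructed sample of "lsof -Pni" output (not captured from a real host).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
named    2345 bind   20u  IPv4  23456      0t0  UDP 127.0.0.1:53
httpd    3456 www     4u  IPv4  34567      0t0  TCP *:80 (LISTEN)
perl     4567 alice   5u  IPv4  45678      0t0  UDP 10.0.0.5:40123->192.0.2.53:53
perl     4567 alice   3u  IPv4  45679      0t0  TCP 10.0.0.5:49152->203.0.113.9:6667 (ESTABLISHED)'

# Exact signatures for the known daemons, plus the "any process may talk to
# UDP 53" rule from the text above.
ALLOWED='sshd:TCP:22:-:root httpd:TCP:80:-:www named:UDP:53:-:bind'
ALLOWED="$ALLOWED "'!@any@!:UDP:!@any@!:53:!@any@!'

# to_signatures: read lsof output on stdin, print one signature per line.
to_signatures() {
    awk 'NR > 1 {
        proto = ""
        for (i = 1; i < NF; i++)
            if ($i == "TCP" || $i == "UDP") { proto = $i; name = $(i + 1); break }
        if (proto == "") next
        n = split(name, ends, "->")
        lp = ends[1]; sub(/.*:/, "", lp)          # local port: text after the last ":"
        if (n > 1) { rp = ends[2]; sub(/.*:/, "", rp) } else rp = "-"
        print $1 ":" proto ":" lp ":" rp ":" $3   # COMMAND, proto, ports, USER
    }'
}

# sig_allowed SIGNATURE: return 0 if some ALLOWED entry matches field by field,
# treating "!@any@!" as a wildcard for that field.
sig_allowed() {
    sig=$1
    for pat in $ALLOWED; do
        i=1; match=1
        while [ "$i" -le 5 ]; do
            s=$(printf '%s' "$sig" | cut -d: -f"$i")
            p=$(printf '%s' "$pat" | cut -d: -f"$i")
            if [ "$p" != '!@any@!' ] && [ "$p" != "$s" ]; then
                match=0; break
            fi
            i=$((i + 1))
        done
        [ "$match" -eq 1 ] && return 0
    done
    return 1
}

# report_unexpected: print every signature from SAMPLE_LSOF not in ALLOWED.
report_unexpected() {
    printf '%s\n' "$SAMPLE_LSOF" | to_signatures | while read -r sig; do
        sig_allowed "$sig" || printf '%s\n' "$sig"
    done
}

report_unexpected   # prints: perl:TCP:49152:6667:alice
```

Note what the wildcard rule costs: perl:UDP:40123:53:alice is never reported, so a process tunnelling over UDP 53 is invisible to this scan. A tighter alternative is to allow only the local resolver's process name (or, on a server with a local caching resolver, only loopback traffic to port 53) rather than !@any@! in the process and user fields.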

Test with:
  /usr/local/sbin/trojan-scan.sh -n

Other flags:

-d debug mode
-F full output
-n do not send email
-v verbose mode
-x shell debug
-C file generate default configuration file (use - for stdout)


Copyright (c) 2005,2007,2011 Derks.IT / Jeroen Derks

Licensed under the Apache License, Version 2.0 (the “License”);
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

CLI Magic: Trojan Scan
Trojan Scan is crafted in the finest Unix tradition [...]
www.linux.com