Derks.IT
info@derks.it
modified: 16 jan 2008



Trojan scan
Latest Linux/BSD version (1.4rc3)

NB: this version will break existing installations, since the configuration file format has changed slightly!


Trojan scan is a simple shell script that allows for simple but relatively effective checking for trojans, rootkits and other malware that may be using your server and network for unwanted (and possibly illegal) purposes. Since the script is relatively simple, don't expect it to catch them all, but it helps to find such programs on e.g. shared servers. On those machines many users install many kinds of applications, and these applications may introduce new vulnerabilities that would otherwise go unnoticed unless the sysadmin is very alert.

It works by listing all processes that use the Internet with the lsof command (using the -Pni flags). This list is then transformed into signatures of the form <process_name>:<protocol>:<port_number_in>:<port_number_out>:<user>. These signatures are then matched against the allowed processes defined in the configuration. If any signatures of running processes are found that do not match the allowed signatures, an email report is sent including ps, ls, and optional lsof output (see also: lsof).

The script is relatively easy to use:

  1. Install into /usr/local/sbin/trojan-scan.sh
  2. Use the following to generate a default configuration:
      trojan-scan -C /etc/trojan-scan/trojan-scan.conf
  3. Check, update and test the configuration (test using the -n flag):
    in trojan-scan.conf, configure the program paths (for lsof, sed, awk, etc.), the email address (RECIPIENTS), the allowed processes (ALLOWED) and optionally the MD5 of lsof (LSOF_MD5; use the complete md5 command output; if it is not present the script will add it), e.g. using (or md5sum instead of md5):
      md5 /usr/sbin/lsof >> /etc/trojan-scan/trojan-scan.conf
  4. Add to crontab using e.g:
      */5 * * * * /usr/local/sbin/trojan-scan.sh -F
    This will run every 5 minutes, including the full lsof listing in the email report. (NB: depending on the load of your server you may need to increase this interval.)

Now that the script has support for inbound/outbound configuration, it may be considered too strict, since it requires you to either list every program that makes outbound connections (e.g. DNS queries, fetching web pages or sending email), or supply some rules that always allow certain designated outbound connections. For example, to allow every user and every process to use DNS, use the following rule:
  ALLOWED="$ALLOWED !@any@!:UDP:!@any@!:53:!@any@!"
However, this rule also lets any malware that communicates over UDP port 53 go unreported.
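To make the signature matching concrete, here is a small constructed example (added here; it is not the project's own script): it turns a sample lsof -Pni listing into signatures and matches them against ALLOWED, treating !@any@! as a wildcard. It assumes that port_in is the local port, port_out the remote port, and "-" stands for "no remote end"; the constructed "beacon" line shows the caveat above, since the DNS rule lets it through unreported.

```shell
#!/bin/sh
# Constructed lsof -Pni style output (not real system output).
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
named    2222 bind   20u  IPv4  23456      0t0  UDP 192.0.2.1:53
curl     3333 alice   5u  IPv4  34567      0t0  TCP 192.0.2.1:45210->198.51.100.7:443 (ESTABLISHED)
beacon   4444 alice   6u  IPv4  45678      0t0  UDP 192.0.2.1:40000->203.0.113.9:53'

# Allowed signatures; assumed layout: name:proto:local_port:remote_port:user
# The last rule is the permissive DNS rule from the text.
ALLOWED="sshd:TCP:22:-:root named:UDP:53:-:bind !@any@!:UDP:!@any@!:53:!@any@!"

# to_signatures: read lsof -Pni output on stdin, print one signature per line.
# Column 9 (NAME) is "local" or "local->remote"; the port is whatever follows
# the last colon, so IPv6 forms like [::1]:22 are handled too.
to_signatures() {
  awk 'NR > 1 {
    n = split($9, ep, "->")
    lp = ep[1]; sub(/.*:/, "", lp)
    rp = (n > 1) ? ep[2] : "-"
    if (n > 1) sub(/.*:/, "", rp)
    print $1 ":" $8 ":" lp ":" rp ":" $3
  }'
}

# sig_allowed SIG: return 0 if SIG matches any rule in ALLOWED field by field,
# where a rule field of !@any@! matches anything.
sig_allowed() {
  sig=$1
  for rule in $ALLOWED; do
    ok=1; i=1
    while [ $i -le 5 ]; do
      sf=$(printf '%s' "$sig" | cut -d: -f$i)
      rf=$(printf '%s' "$rule" | cut -d: -f$i)
      if [ "$rf" != '!@any@!' ] && [ "$rf" != "$sf" ]; then ok=0; break; fi
      i=$((i + 1))
    done
    [ $ok -eq 1 ] && return 0
  done
  return 1
}

# report_unknown: print every signature from stdin that no ALLOWED rule covers.
report_unknown() {
  to_signatures | while IFS= read -r s; do
    sig_allowed "$s" || printf '%s\n' "$s"
  done
}

printf '%s\n' "$LSOF_SAMPLE" | report_unknown
```

Only curl is reported; the beacon process is silently accepted by the wildcard DNS rule, which is exactly the trade-off the rule introduces.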

Test with:
  /usr/local/sbin/trojan-scan.sh -n

Other flags:
-d debug mode
-F full output
-n do not send email
-v verbose mode
-x shell debug
-C file generate default configuration file (use - for stdout)


Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

CLI Magic: Trojan Scan
Trojan Scan is crafted in the finest Unix tradition [...]
www.linux.com