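#!/usr/bin/perl
# r57-pid-check.pl -- look for processes hidden from ps and /proc.
#
# A rootkit that filters ps/readdir output cannot easily filter the kernel's
# own answer to kill(2) or setpriority(2).  Every PID in range is probed as
# an unprivileged helper user; an "Operation not permitted" reply proves the
# PID exists.  If ps does not list such a PID, it is reported.  On Linux the
# same idea is applied to /proc: a PID directory that stat()s but is missing
# from readdir() is reported.  Must run as root; needs a locked, unprivileged
# helper user (see -h).
use strict;
use warnings;
use Getopt::Std;
use Time::HiRes qw(usleep);
use List::Util qw(max);

$| = 1;    # the spinner in status() must not sit in the stdio buffer

my $ROOT_UID = 0;
my $pause    = 50000;                # microseconds to wait after each probe
my $scaner   = 'pidcheck';           # unprivileged helper user, must exist
my $method   = 'kill -9';            # probe command; -r switches to renice
my $syslog   = '/var/log/messages';  # destination of -b (background) output
my $start    = time();

my $found = 0;     # set once any candidate hidden PID is seen
my @jail;          # first-pass candidates from the kill()/renice probe
my @jail2;         # first-pass candidates from the /proc check (Linux)
my @only;          # candidates confirmed by last_chance() (probe)
my @only_proc;     # candidates confirmed by last_chance() (/proc)

my %opt;
getopts('m:bahr', \%opt);
my $max_pid = $opt{m};   # highest PID to scan; -a derives it from ps

# Run @cmd directly (no shell) and return its stdout+stderr as one string.
# Replaces the original `cmd > /tmp/r35u1t*` redirections, which used fixed,
# predictable /tmp names while running as root.
sub _run_capture {
    my (@cmd) = @_;
    my $child = open(my $out, '-|');
    defined $child or die "fork failed: $!\n";
    if ($child == 0) {
        open(STDERR, '>&', \*STDOUT) or exit 127;
        exec { $cmd[0] } @cmd or exit 127;
    }
    my $text = do { local $/; <$out> };
    close($out);
    return defined $text ? $text : '';
}

# All PIDs currently shown by ps.
sub _visible_pids {
    return (_run_capture('ps', 'ax', '-o', 'pid=') =~ /(\d+)/g);
}

# Does ps list $pid right now?
sub _ps_lists {
    my ($pid) = @_;
    return scalar grep { $_ == $pid } _visible_pids();
}

# Is $pid owned by the helper user?  Such PIDs are skipped: the helper may
# legitimately signal its own processes, so the EPERM test says nothing.
sub _owned_by_scanner {
    my ($pid) = @_;
    my $owner = _run_capture('ps', '-o', 'user=', '-p', $pid);
    $owner =~ s/\s+//g;
    return $owner eq $scaner;
}

# Issue the probe (kill -9 or renice -20) as the helper user.  Only the
# "permitted" text of the error matters: the kernel refused, so the PID exists.
sub _kernel_knows {
    my ($pid) = @_;
    my $reply = _run_capture('su', $scaner, '-c', "$method $pid");
    return $reply =~ /permitted/;
}

# Is $pid present in a readdir() of /proc?  Compared exactly, not as a
# substring, so PID 1 is not mistaken for PID 11.  An unreadable /proc is
# treated as "listed" so that it never produces a false alarm.
sub _proc_listed {
    my ($pid) = @_;
    opendir(my $dh, '/proc') or return 1;
    my @hit = grep { $_ eq $pid } readdir($dh);
    closedir($dh);
    return scalar @hit;
}

# Read a small /proc file; NUL separators (cmdline) become spaces.
# Returns '' when the file cannot be read.
sub _slurp {
    my ($path) = @_;
    open(my $fh, '<', $path) or return '';
    my $text = do { local $/; <$fh> };
    close($fh);
    $text = '' unless defined $text;
    $text =~ s/\0/ /g;
    return $text;
}

# Append @lines to the system log (background mode).  Dies on failure so a
# silently lost finding is impossible.
sub _log {
    my (@lines) = @_;
    open(my $log, '>>', $syslog) or die "Couldn't open $syslog for writing: $!\n";
    print {$log} @lines;
    close($log) or die "Couldn't write $syslog: $!\n";
    return;
}

sub usage {
    print "Usage: $0 -m [MAX number PID]\n";
    print "Now type: $0 -h\n\n";
    return;
}

sub help {
    print <<"END_HELP";
[~] First - you must create CLEAN, UNPRIVILEGED user pidcheck,
    home - /dev/null, shell - /bin/sh, with locked password
[~] For interactive check type $0 -m [number PID to scan]
    default method kill() - command "kill -9"
    #  $0 -m 5000
    and you check all PID to 5000
[~] If you don't wanna think abouth max PID - use
    auto calculation max PID with option -a (without -m of course)
[~] You can use method setpriority() system call, is
    command "renice -20", option -r
    # $0 -m 5000 -r
[~] Background check (output in /var/log/messages)
    use option -b
    # $0 -a -b &
    If nothing found, then in log:
    [+] r57-pid-check.pl: Hidden PIDs not found.
    [+] Time check: some time
    Else all info write to system log.
[~] Testing on:
    Linux 2.4.x (rootkits: adore-0.42, adore-ng-1.41)
    Linux 2.6.x  - quite possible work
    FreeBSD 5.x  - quite possible work
    OpenBSD 3.x  - quite possible work

END_HELP
    return;
}

sub head {
    print <<'END_HEAD';
 ------------[ r57-pid-check ]------------
| Find hidden PID, even rootkit installed.|
| Use system calls: kill(), setpriority().|
| Gr33tz: blf, 1dt.w0lf, edisan, foster,  |
| Pengo, Dr_UF0_51.                       |
| ©oded x97Rang, RST/GHC 2006             |
| http://rst.void.ru                      |
| http://ghc.ru                           |
 -----------------------------------------
END_HEAD
    return;
}

# Refuse to run anywhere but the three platforms the probe was written for.
sub get_os {
    print "[+] OS: $^O\n" unless $opt{b};
    return if $^O eq 'linux' || $^O eq 'freebsd' || $^O eq 'openbsd';
    print "[-] Test only FreeBSD, OpenBSD and Linux\n";
    exit;
}

# Check we are root and that the helper user exists and is NOT root: as
# root every kill()/renice would succeed and nothing could ever be reported.
sub get_uid {
    if ($< != $ROOT_UID) {
        print "[-] For use this you need UID=0\n";
        exit;
    }
    my $uid = (getpwnam($scaner))[2];
    if (!defined $uid) {
        print "[-] You must add to system user $scaner, type $0 -h for help\n";
        exit;
    }
    if ($uid == $ROOT_UID) {
        print "[-] User $scaner must not have UID 0\n";
        exit;
    }
    return;
}

# First pass: probe PIDs 20..$max_pid with kill()/setpriority() as the helper
# user and collect in @jail those the kernel knows but ps does not show.
sub do_it {
    if ($opt{m} && $opt{a}) {
        print "You can't use -a with -m, type $0 -h\n";
        exit;
    }
    if ($opt{a}) {
        print "[~] Use auto calculation max PID\n" unless $opt{b};
        $max_pid = max(_visible_pids()) || 0;
    }
    elsif (!defined $max_pid || $max_pid !~ /\A\d+\z/ || $max_pid <= 20) {
        usage();
        exit;
    }
    print "[~] Begin scan PIDs to $max_pid\n" unless $opt{b};
    if ($opt{r}) {
        $method = 'renice -20';
        print "[~] Try use setpriority()\n" unless $opt{b};
    }
    else {
        print "[~] Try use kill()\n" unless $opt{b};
    }
    # The upper bound is inclusive; the original `!=` loop skipped it and
    # could spin forever when the bound was below 20.
    for my $n (20 .. $max_pid) {
        status($n) unless $opt{b};
        next if _owned_by_scanner($n);
        my $known = _kernel_knows($n);
        usleep($pause);
        next unless $known;
        if (!_ps_lists($n)) {
            $found = 1;
            push @jail, $n;
        }
    }
    return;
}

# Linux only: a /proc/<pid> directory that exists but is absent from a
# listing of /proc is being hidden from readdir().
sub in_proc {
    print "\n[~] Check vfs /proc\n" unless $opt{b};
    for my $n (1 .. $max_pid) {
        status($n) unless $opt{b};
        next unless -d "/proc/$n";
        if (!_proc_listed($n)) {
            $found = 1;
            push @jail2, $n;
        }
    }
    return;
}

# Second pass, one second apart, to drop short-lived processes that were
# merely exiting during the first pass.  Survivors go to @only/@only_proc.
sub last_chance {
    return unless $found;
    for my $pid (@jail) {
        next if _owned_by_scanner($pid);
        my $known = _kernel_knows($pid);
        sleep(1);
        next unless $known;
        push @only, $pid if !_ps_lists($pid);
    }
    for my $pid (@jail2) {
        my $exists = -d "/proc/$pid";
        sleep(1);
        next unless $exists;
        push @only_proc, $pid if !_proc_listed($pid);
    }
    return;
}

# Report confirmed findings: to the system log with -b, else to stdout.
sub show_res {
    for my $pid (@only) {
        if ($opt{b}) {
            my $stamp = localtime(time());
            _log(
                "################ WARNING ################\n",
                "[!] r57-pid-check.pl\n",
                "[!] Time check: $stamp\n",
                "[!] Found invisible PID - $pid\n",
            );
        }
        else {
            print "\n[!] Found invisible PID: $pid\n";
        }
    }
    for my $pid (@only_proc) {
        my $cmdline = _slurp("/proc/$pid/cmdline");
        my $cwd     = readlink("/proc/$pid/cwd");
        $cwd = '(unreadable)' unless defined $cwd;
        if ($opt{b}) {
            my $stamp = localtime(time());
            _log(
                "################ WARNING ################\n",
                "[!] r57-pid-check.pl\n",
                "[!] Time check: $stamp\n",
                "[!] Found hide PID in /proc - $pid\n",
                "[!] Running program: $cmdline\n",
                "[!] Current working directory of the process: $cwd\n",
            );
        }
        else {
            print "\n[!] Found hide PID in /proc: $pid\n";
            print "[!] Current working directory of the process: $cwd\n";
            print "[!] Command line is: $cmdline\n";
            print "\n[!] More info about runnig program:\n";
            print _slurp("/proc/$pid/status");
        }
    }
    return;
}

# Say so when nothing was confirmed (log with -b, else stdout).
sub is_clean {
    return if @only || @only_proc;
    if ($opt{b}) {
        my $stamp = localtime(time());
        _log(
            "[+] r57-pid-check.pl: Hidden PIDs not found.\n",
            "[+] Time check: $stamp\n",
        );
    }
    else {
        print "\n[+] r57-pid-check.pl: Hidden PIDs not found.\n";
    }
    return;
}

# Print elapsed wall-clock time in hours.
sub over {
    my $hours = (time() - $start) / 3600;
    printf("\n[~] Time of work: %.3f h\n", $hours);
    print "[~] Done.\n";
    return;
}

# Four-phase spinner for interactive runs; every fifth PID prints nothing.
sub status {
    my ($n) = @_;
    my @spin  = ('/', '-', '\\', '|');
    my $phase = $n % 5;
    print "\b\b$spin[$phase]" if $phase < @spin;
    return;
}

if ($opt{h}) {
    head();
    help();
    exit;
}
if (!$opt{m} && !$opt{a}) {
    head();
    usage();
    exit;
}
head() unless $opt{b};
get_os();
get_uid();
do_it();
in_proc() if $^O eq 'linux';
last_chance();
show_res();
is_clean();
over() unless $opt{b};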