check_ebury.sh

1. #!/bin/bash
2. #=======================================================================
3. # Filename      : check_ebury.sh
4. # Author        : Benedikt Frenzel
5. # Licence       :
6. # Input values  : none
7. # Purpose       : This script will check if your system is may be
8. #                 infected by the ebruy rootkit for more information
9. #                 check: https://www.cert-bund.de/ebury-faq
10. # Disclaimer    : I can and will NOT  guarantee that this script will
11. #                 find the ebruy rootkit. This script will not remove
12. #                 the rootkit.
13. #                 The output format is check_mk local check compliante.
14. #=======================================================================
15.  
16. # ----------------------------------------------------------------------
17. # Independent variables
18. # ----------------------------------------------------------------------
19.  
20. # ----------------------------------------------------------------------
21. # Dependent variables
22. # Nothing to change below this line.
23. # ----------------------------------------------------------------------
24.  
25. CHECKCOMAND="ipcs -m"
26. CHECKPERMS="666"
27. CHECKMEM="3283128"
28.  
29. myPERMSRESULT=$(ipcs -m | grep ${CHECKPERMS} | wc -l)
30. if [ ${myPERMSRESULT} -gt 0 ]; then
31.     myMEMRESULT=$(ipcs -m | grep ${CHECKMEM} | wc -l)
32.     if [ ${myMEMRESULT} -gt 0 ]; then
33.         exitSTATUS=2
34.         exitSTRING="check_ebury CRITICAL - This system may be infected"
35.     else
36.         exitSTATUS=0
37.         exitSTRING="check_ebury OK- This system is clean"
38.     fi
39. else
40.         exitSTATUS=0
41.         exitSTRING="check_ebury OK- This system is clean"
42. fi
43. echo "${exitSTATUS} ${exitSTRING}"
44. exit ${exitSTATUS}