system_check.sh

1. #!/bin/bash
2. # 20161109
3. # GPL-3
4.  
5.  
6. # If 'infected_action' set to 'DELETE' or "REMOVE' then
7. # script will delete all files from:
8. # /bin/*, /sbin/*, /lib* and /usr/* except /usr/local/*
9. # which was not installed by emerge,
10. # or installed by emerge and modified by other program!
11. infected_action='DELETE'
12. infected_action='REMOVE'
13. #infected_action='SKIP'
14.  
15. # Gentoo pkg database
16. db='/mnt/gentoo/var/db/pkg/'
17.  
18. # Where root of checking system is mouted. You run this from LiveCD? Rhite?
19. root='/mnt/gentoo'
20.  
21. # Path to log file
22. log='/var/tmp/vlist'
23. # We delete old log!!!
24. rm -f "${log}"
25. logclean="YES"
26. logclean="NO"
27.  
28. # Removed virus files
29. infdir='/mnt/gentoo/var/viruses'
30.  
31. # Path to temp files
32. iffile='/var/tmp/iflist'
33. effile='/var/tmp/eflist'
34. isfile='/var/tmp/islist'
35. esfile='/var/tmp/eslist'
36.  
37.  
38. delete() {
39.     if [[ `echo ${fn} |cut -b-5` == '/bin/' || `echo ${fn} |cut -b-6` == '/sbin/' || `echo ${fn} |cut -b-4` == '/lib' ]]
40.       then
41.         rm -f "${root}${fn}"
42.         echo "Deleted!!!" >> "${log}"
43.         ((d+=1))
44.     elif [[ `echo ${fn} |cut -b-5` == '/usr/' && `echo ${fn} |cut -b-11` != '/usr/local/' ]]
45.       then
46.         rm -f "${root}${fn}"
47.         echo "Deleted!!!" >> "${log}"
48.         ((d+=1))
49.       else
50.         echo "Skip!" >> "${log}"
51.     fi
52. }
53.  
54.  
55. remove() {
56.     if [[ `echo ${fn} |cut -b-5` == '/bin/' || `echo ${fn} |cut -b-6` == '/sbin/' || `echo ${fn} |cut -b-4` == '/lib' ]]
57.       then
58.         path=`echo ${fn} |sed -r 's/^(\/.+)\/(.+)$/\1/m'`
59.         mkdir -p "${infdir}${path}"
60.         mv -f "${root}${fn}" "${infdir}${path}"
61.         echo "Removed!!!" >> "${log}"
62.         ((d+=1))
63.     elif [[ `echo ${fn} |cut -b-5` == '/usr/' && `echo ${fn} |cut -b-11` != '/usr/local/' ]]
64.       then
65.         path=`echo ${fn} |sed -r 's/^(\/.+)\/(.+)$/\1/m'`
66.         mkdir -p "${infdir}${path}"
67.         mv -f "${root}${fn}" "${infdir}${path}"
68.         echo "Removed!!!" >> "${log}"
69.         ((d+=1))
70.       else
71.         echo "Skip!" >> "${log}"
72.     fi
73. }
74.  
75.  
76. recover_sym() {
77.     path=`echo ${fn} |sed -r 's/^(\/.+)\/(.+)$/\1/m'`
78.     name=`echo ${fn} |sed -r 's/^(\/.+)\/(.+)$/\2/m'`
79.     mkdir -p "${root}${path}"
80.     cd "${root}${path}"
81.     ln -s "${md}" "${name}"
82.     echo "${fn} Recover symlink! :-)" >> "${log}"
83.     ((r+=1))
84. }
85.  
86.  
87. # Check rhite for deleting bed system files.
88. if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]
89.   then
90.     echo ""
91.     echo "          !!! Atention !!!"
92.     echo "  This script will delete or remove system files!"
93.     echo ""
94.     echo "Only 64 bit, no multilib, systems are supported."
95.     echo ""
96.     echo "If you don't wont delete any files, just log, type SKIP."
97.     echo "If you wont remove ?infected? files, type REMOVE."
98.     echo -n "If you wont delete ?infected? files type DELETE and press 'Enter': "
99.     read check
100.     if [ "${check}" == 'DELETE' ]
101.       then
102.         infected_action='DELETE'
103.     elif [ "${check}" == 'REMOVE' ]
104.       then
105.         infected_action='REMOVE'
106.         mkdir -p "${infdir}"
107.       else
108.         infected_action='SKIP'
109.     fi
110. fi
111.  
112.  
113. echo ""
114. echo -n "Build list of installed system files and links. Please wait... "
115. rm -f "${iffile}_"
116. for f in `find "${db}" -name CONTENTS -type f`
117.   do
118.  
119.     # Regular files
120.     grep "obj /" "${f}" |sed 's/obj \/lib\//obj \/lib64\//' \
121.     |sed 's/obj \/usr\/lib\//obj \/usr\/lib64\//' \
122.     |sed -r 's/^(obj) (.+) (.+) (.+)$/\1    \2  \3  \4/m' >> "${iffile}_"
123.  
124.     # Symbolic links
125.     grep -E '^sym /' "${f}" |sed -r 's/^(sym) (.+) -> (.+) (.+)$/\1 \2  \3  \4/m' >> "${isfile}_"
126.  
127.   done
128. sort "${iffile}_" |uniq > "${iffile}"
129. rm "${iffile}_"
130.  
131. sort "${isfile}_" |uniq > "${isfile}"
132. rm "${isfile}_"
133.  
134. echo "OK!"
135. echo ""
136.  
137.  
138. echo -n "Build list of existing system files and links. Please wait... "
139.  
140. # Regular files
141. find "${root}" -type f \
142. -and ! -wholename "${root}/home/*" \
143. -and ! -wholename "${root}/lib64/modules/*" \
144. -and ! -wholename "${root}/media/*" \
145. -and ! -wholename "${root}/mnt/*" \
146. -and ! -wholename "${root}/root/*" \
147. -and ! -wholename "${root}/tmp/*" \
148. -and ! -wholename "${root}/usr/portage/*" \
149. -and ! -wholename "${root}/var/cache/*" \
150. -and ! -wholename "${root}/var/db/*" \
151. -and ! -wholename "${root}/var/lib/clamav/*" \
152. -and ! -wholename "${root}/var/lib/gentoo/news/*" \
153. -and ! -wholename "${root}/var/lib/layman/*" \
154. -and ! -wholename "${root}/var/lib/motioneye/*" \
155. -and ! -wholename "${root}/var/lib/portage/*" \
156. -and ! -wholename "${root}/var/lib/rkhunter/tmp/*" \
157. -and ! -wholename "${root}/var/log/*" \
158. -and ! -wholename "${root}/var/spool/*" \
159. -and ! -wholename "${root}/var/tmp/*" \
160. -and ! -wholename "${root}/var/lib/tor/data/*" \
161. -and ! -wholename "${root}/var/www/*" \
162. |sort > "${effile}"
163.  
164. # Symbolic links
165. find "${root}" -type l \
166. -and ! -wholename "${root}/home/*" \
167. -and ! -wholename "${root}/lib64/modules/*" \
168. -and ! -wholename "${root}/media/*" \
169. -and ! -wholename "${root}/mnt/*" \
170. -and ! -wholename "${root}/root/*" \
171. -and ! -wholename "${root}/tmp/*" \
172. -and ! -wholename "${root}/var/tmp/*" \
173. -and ! -wholename "${root}/var/www/*" \
174. |sort > "${esfile}"
175.  
176. echo "OK!"
177. echo ""
178.  
179.  
180. echo "If you looking for progress run:"
181. echo "tail -f ${log}"
182. echo "or filter only infected files run:"
183. echo "tail -f ${log} |grep -v 'OK!  ;-)'"
184. echo "Full scan can take many hoers."
185. echo ""
186.  
187.  
188. echo -n "Scanning all system symlinks. Please wait... "
189. ((v=0)); ((n=0)); ((d=0)); ((r=0))
190. f=`awk '{if (NR==1) print}' "${esfile}"`
191. ((i=2))
192. while [ "${f}" != '' ]
193.   do
194.     fn=`echo "${f}" |awk -F"${root}" '{print $2}'`
195.     md=`grep "sym   ${fn}   " "${isfile}" |awk -F'  ' '{print $3}'`
196.     if [ "${md}" == '' ]
197.       then
198.         if [[ `echo ${fn} |cut -b-5` == '/etc/' ]]
199.           then
200.             echo "${fn} Configuration link wasn't installed by emerge!" >> "${log}"
201.             ((n+=1))
202.           else
203.             echo -n "${fn}  Alien??? Link wasn't installed by emerge! 8-|  " >> "${log}"
204.             ((n+=1))
205.             if [ "${infected_action}" == 'DELETE' ]
206.               then
207.                 delete
208.             elif [ "${infected_action}" == 'REMOVE' ]
209.               then
210.                 remove
211.               else
212.                 echo "Skip!" >> "${log}"
213.             fi
214.         fi
215.       else
216.         fm=`ls -l "${f}" |awk '{print $11}'`
217.         if [ "${md}" == "${fm}" ]
218.           then
219.             if [ "${logclean}" == "YES" ]
220.               then
221.                 echo "${fn} OK!  ;-)" >> "${log}"
222.             fi
223.           else
224.             if [[ `echo ${fn} |cut -b-5` == '/etc/' ]]
225.               then
226.                 echo "${fn} Configuration link was installed by emerge and are modified!" >> "${log}"
227.                 ((v+=1))
228.               else
229.                 echo -n "${fn}  Virus??? Link was installed by emerge and are modified! 8-(  " >> "${log}"
230.                 ((v+=1))
231.                 if [ "${infected_action}" == 'DELETE' ]
232.                   then
233.                     delete
234.                     recover_sym
235.                 elif [ "${infected_action}" == 'REMOVE' ]
236.                   then
237.                     remove
238.                     recover_sym
239.                   else
240.                     echo "Skip!" >> "${log}"
241.                 fi
242.             fi
243.         fi
244.     fi
245.     f=`awk "{if (NR==$i) print}" "${esfile}"`
246.     ((i+=1))
247.   done
248. echo "OK!"
249.  
250. echo "Sumary:"
251. echo "  Total: ${v} system links was installed by emerge and modified by another program!!!"
252. echo "  Total: ${n} system links wasn't installed by emerge and was created by another program!!!"
253. echo "  Total: ${d} system links wasn't installed by emerge or was modified by another program are deleted or removed!!!"
254. echo "  Total: ${r} system links wasn installed by emerge and modified by another program or don't exist are recovered!!!"
255. echo ""
256.  
257.  
258.  
259. echo -n "Scanning all system files. Please wait... "
260. ((v=0)); ((n=0)); ((d=0));
261. f=`awk '{if (NR==1) print}' "${effile}"`
262. ((i=2))
263. while [ "${f}" != '' ]
264.   do
265.     fn=`echo "${f}" |awk -F"${root}" '{print $2}'`
266.     md=`grep "obj   ${fn}   " "${iffile}" |awk -F'  ' '{print $3}'`
267.     if [ "${md}" == '' ]
268.       then
269.         if [[ `echo ${fn} |cut -b-5` == '/etc/' ]]
270.           then
271.             echo "${fn} Configuration file wasn't installed by emerge!" >> "${log}"
272.             ((n+=1))
273.           else
274.             echo -n "${fn}  Alien??? File wasn't installed by emerge! 8-|  " >> "${log}"
275.             ((n+=1))
276.             if [ "${infected_action}" == 'DELETE' ]
277.               then
278.                 delete
279.             elif [ "${infected_action}" == 'REMOVE' ]
280.               then
281.                 remove
282.               else
283.                 echo "Skip!" >> "${log}"
284.             fi
285.         fi
286.       else
287.         fm=`md5sum "${f}" |awk '{print $1}'`
288.         if [ "${md}" == "${fm}" ]
289.           then
290.             if [ "${logclean}" == "YES" ]
291.               then
292.                 echo "${fn} OK!  ;-)" >> "${log}"
293.             fi
294.           else
295.             if [[ `echo ${fn} |cut -b-5` == '/etc/' ]]
296.               then
297.                 echo "${fn} Configuration file was installed by emerge and are modified!" >> "${log}"
298.                 ((v+=1))
299.               else
300.                 echo -n "${fn}  Virus??? File was installed by emerge and are modified! 8-(  " >> "${log}"
301.                 ((v+=1))
302.                 if [ "${infected_action}" == 'DELETE' ]
303.                   then
304.                     delete
305.                 elif [ "${infected_action}" == 'REMOVE' ]
306.                   then
307.                     remove
308.                   else
309.                     echo "Skip!" >> "${log}"
310.                 fi
311.             fi
312.         fi
313.     fi
314.     f=`awk "{if (NR==$i) print}" "${effile}"`
315.     ((i+=1))
316.   done
317. echo "OK!"
318.  
319. echo "Sumary:"
320. echo "  Total: ${v} system files was installed by emerge and modified by another program!!!"
321. echo "  Total: ${n} system files wasn't installed by emerge and was created by another program!!!"
322. echo "  Total: ${d} system files wasn't installed by emerge or was modified by another program are deleted or removed!!!"
323. echo ""
324.  
325.  
326. echo -n "Looking for missing system lynks. Please wait... "
327. ((v=0)); ((r=0))
328. fn=`awk -F' ' '{if (NR==1) {print $2}}' "${isfile}"`
329. ((i=2))
330. while [ "${fn}" != '' ]
331.   do
332.     if [ ! -s "${root}${fn}" ]
333.       then
334.         echo "${fn} Link was installed by emerge and don't exist! 8-(" >> "${log}"
335.         ((v+=1))
336.         if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]
337.           then
338.             md=`grep "sym   ${fn}   " "${isfile}" |awk -F'  ' '{print $3}'`
339.             recover_sym
340.         fi
341.     fi
342.     fn=`awk "{if (NR==$i) print}" "${isfile}" |awk -F'  ' '{print $2}'`
343.     ((i+=1))
344.   done
345. echo "OK!"
346.  
347. echo "Sumary:"
348. echo "  Total: ${v} system links was installed by emerge and don't exist!!!"
349. echo "  Total: ${r} system links installed by emerge and don't exist, are recovered!!!"
350. echo ""
351.  
352.  
353. echo -n "Looking for missing system files. Please wait... "
354. ((v=0))
355. fn=`awk -F' ' '{if (NR==1) {print $2}}' "${iffile}"`
356. ((i=2))
357. while [ "${fn}" != '' ]
358.   do
359.     if [ ! -f "${root}${fn}" ]
360.       then
361.         echo "${fn} File was installed by emerge and don't exist! 8-(" >> "${log}"
362.         ((v+=1))
363.     fi
364.     fn=`awk "{if (NR==$i) print}" "${iffile}" |awk -F'  ' '{print $2}'`
365.     ((i+=1))
366.   done
367. echo "OK!"
368.  
369. echo "Sumary:"
370. echo "  Total: ${v} system files was installed by emerge and don't exist!!!"
371. echo ""
372.  
373. echo "  Please look in  '${log}'  for detail information."
374. echo "  If you looking only for virus run:"
375. echo "  grep -v 'OK!  ;-)' ${log} |less"
376.  
377.  
378. exit 0