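#!/bin/bash
# 20161109
# GPL-3
#
# Offline integrity check of a mounted Gentoo root: every regular file and
# symlink under ${root} is compared with what the package database records
# in each package's CONTENTS file (md5 for files, link target for symlinks).
# Files not recorded by emerge, or whose digest/target differs, are logged
# and -- depending on infected_action -- deleted or moved to a quarantine
# directory.
#
# If infected_action is 'DELETE' or 'REMOVE' the script deletes/moves files
# under /bin/*, /sbin/*, /lib* and /usr/* (except /usr/local/*) that were
# not installed by emerge, or were installed by emerge and modified later.
# Everything else (/etc, /opt, /var, ...) is only logged.
#
# NOTE: the package database is read from the system being inspected.  Root
# access to that system would also have allowed editing CONTENTS, so a clean
# result is not proof of integrity; compare against a trusted copy of the
# database when one is available.
#
# Action: 'DELETE', 'REMOVE' or 'SKIP'.  For DELETE/REMOVE an interactive
# prompt (below the function definitions) asks again and downgrades to SKIP
# on any other answer; 'SKIP' shows no prompt and only logs.  (The original
# assigned DELETE and then REMOVE on consecutive lines; only the effective
# value is kept here.)
infected_action='REMOVE'
# Gentoo pkg database on the inspected root (see NOTE above)
db='/mnt/gentoo/var/db/pkg/'
# Where the root of the checked system is mounted.  You run this from a
# LiveCD, right?  Must be non-empty: it is prefixed to every path touched.
root='/mnt/gentoo'
# Path to the log file; the previous log is discarded on every run.
log='/var/tmp/vlist'
rm -f "${log}"
# 'YES' also logs every entry that verified cleanly ("OK! ;-)"),
# 'NO' logs only problems.
logclean="NO"
# Quarantine directory for files moved by remove() (kept on the inspected
# root; it should stay out of the scanned trees).
infdir='/mnt/gentoo/var/viruses'
# Work files: installed (i*) and existing (e*) file/symlink lists.  Fixed
# names rather than mktemp: they live on the LiveCD's /var/tmp and are
# overwritten on every run -- not suitable for a shared multi-user host.
iffile='/var/tmp/iflist'
effile='/var/tmp/eflist'
isfile='/var/tmp/islist'
esfile='/var/tmp/eslist'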
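#######################################
# Delete the file currently under inspection from the checked root.
# Globals:   fn (read)   - path relative to ${root}, e.g. /usr/bin/foo
#            root (read) - mount point of the checked system
#            log (read)  - log file; one status word is appended
#            d (written) - incremented for every file actually deleted
# Arguments: none
# Outputs:   appends "Deleted!!!", "Delete failed!" or "Skip!" to ${log}
# Returns:   0
#######################################
delete() {
  if [[ -z "${fn}" || -z "${root}" ]]; then
    # An empty path would make "${root}${fn}" the mount point itself (or,
    # with an empty root, the live system).  Never act on that.
    echo "Skip!" >> "${log}"
  # Only the emerge-managed trees are touched; /usr/local, /etc, /opt, /var
  # etc. are merely logged.  The prefix tests are glob matches on the quoted
  # variable (the original piped an unquoted echo through cut, so names with
  # spaces or glob characters misbehaved).
  elif [[ "${fn}" == /bin/* || "${fn}" == /sbin/* || "${fn}" == /lib* \
        || ( "${fn}" == /usr/* && "${fn}" != /usr/local/* ) ]]; then
    # Count only what was really removed; rm -f still fails on directories
    # and permission errors.
    if rm -f -- "${root}${fn}"; then
      echo "Deleted!!!" >> "${log}"
      ((d+=1))
    else
      echo "Delete failed!" >> "${log}"
    fi
  else
    echo "Skip!" >> "${log}"
  fi
}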
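#######################################
# Move the file currently under inspection into the quarantine directory,
# keeping its original directory layout below ${infdir}.
# Globals:   fn (read)     - path relative to ${root}, e.g. /usr/bin/foo
#            root (read)   - mount point of the checked system
#            infdir (read) - quarantine directory
#            log (read)    - log file; one status word is appended
#            d (written)   - incremented for every file actually moved
# Arguments: none
# Outputs:   appends "Removed!!!", "Remove failed!" or "Skip!" to ${log}
# Returns:   0
#######################################
remove() {
  local dest
  if [[ -z "${fn}" || -z "${root}" ]]; then
    # An empty path would make "${root}${fn}" the mount point itself.
    echo "Skip!" >> "${log}"
  # Same managed-tree rule as delete(): /bin, /sbin, /lib* and /usr minus
  # /usr/local; everything else is only logged.
  elif [[ "${fn}" == /bin/* || "${fn}" == /sbin/* || "${fn}" == /lib* \
        || ( "${fn}" == /usr/* && "${fn}" != /usr/local/* ) ]]; then
    # ${fn%/*} is the directory part of the path (what the original sed did).
    dest="${infdir}${fn%/*}"
    mkdir -p -- "${dest}"
    # Moved files keep their mode bits; the quarantine is for inspection only.
    if mv -f -- "${root}${fn}" "${dest}/"; then
      echo "Removed!!!" >> "${log}"
      ((d+=1))
    else
      echo "Remove failed!" >> "${log}"
    fi
  else
    echo "Skip!" >> "${log}"
  fi
}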
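#######################################
# Re-create the symlink currently under inspection with the target recorded
# in the package database.
# Globals:   fn (read)   - link path relative to ${root}
#            md (read)   - link target recorded by emerge
#            root (read) - mount point of the checked system
#            log (read)  - log file; one status line is appended
#            r (written) - incremented for every link actually created
# Arguments: none
# Outputs:   appends a "Recover symlink" status line to ${log}
# Returns:   0 when the link was created, 1 otherwise
#######################################
recover_sym() {
  local dest="${root}${fn}"
  if [[ -z "${md}" || -z "${fn}" ]]; then
    echo "${fn} Recover symlink failed: no target recorded!" >> "${log}"
    return 1
  fi
  mkdir -p -- "${dest%/*}"
  # Create the link by absolute path instead of cd-ing into its directory:
  # a failed cd would otherwise drop the link into the current directory.
  # No -f on purpose -- if the bad link is still there because delete()/
  # remove() skipped it, report that instead of counting a recovery.
  if ln -s -- "${md}" "${dest}"; then
    echo "${fn} Recover symlink! :-)" >> "${log}"
    ((r+=1))
  else
    echo "${fn} Recover symlink failed! 8-(" >> "${log}"
    return 1
  fi
}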
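# Confirm before anything destructive is done.  The prompt is only shown
# when the configured action is DELETE or REMOVE; any answer other than
# DELETE/REMOVE downgrades the run to SKIP (log only).
if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]; then
  echo ""
  echo " !!! Atention !!!"
  echo " This script will delete or remove system files!"
  echo ""
  echo "Only 64 bit, no multilib, systems are supported."
  echo ""
  echo "If you don't wont delete any files, just log, type SKIP."
  echo "If you wont remove ?infected? files, type REMOVE."
  printf '%s' "If you wont delete ?infected? files type DELETE and press 'Enter': "
  # -r: a backslash in the answer must not be interpreted.
  read -r check
  case "${check}" in
    DELETE)
      infected_action='DELETE'
      ;;
    REMOVE)
      infected_action='REMOVE'
      # Quarantine directory is only needed for REMOVE.
      mkdir -p -- "${infdir}"
      ;;
    *)
      infected_action='SKIP'
      ;;
  esac
fi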
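echo ""
printf '%s' "Build list of installed system files and links. Please wait... "
# Start from empty work files.  A previous aborted run would otherwise leave
# stale entries that get appended to (the original cleared only the file
# list, not the symlink list).
: > "${iffile}_"
: > "${isfile}_"
# Every installed package records its files in CONTENTS as
#   obj /path md5 mtime      and      sym /path -> target mtime
# On a 64 bit no-multilib system /lib and /usr/lib are symlinks to the
# lib64 directories and find reports everything under lib64, so recorded
# paths are rewritten to match.  The symlink records get the same rewrite
# (the original rewrote only obj lines, so emerge-installed links under
# /lib were looked up under the wrong path) and lose the '->' so that the
# third field is the link target in both lists.
while IFS= read -r -d '' contents; do
  # Regular files
  grep '^obj /' -- "${contents}" \
    | sed -e 's#^obj /lib/#obj /lib64/#' -e 's#^obj /usr/lib/#obj /usr/lib64/#' \
    >> "${iffile}_"
  # Symbolic links
  grep -E '^sym /' -- "${contents}" \
    | sed -e 's#^sym /lib/#sym /lib64/#' -e 's#^sym /usr/lib/#sym /usr/lib64/#' \
          -e 's/ -> / /' \
    >> "${isfile}_"
done < <(find "${db}" -name CONTENTS -type f -print0)
sort -u -- "${iffile}_" > "${iffile}"
rm -f -- "${iffile}_"
sort -u -- "${isfile}_" > "${isfile}"
rm -f -- "${isfile}_"
echo "OK!"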
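echo ""
printf '%s' "Build list of existing system files and links. Please wait... "
# Trees that are not managed by emerge (user data, caches, logs, the portage
# tree, the quarantine directory, ...) are left out of the lists.  The file
# list skips a few more var/ trees than the symlink list, as before.
# ${infdir} is excluded so that files quarantined by remove() are not
# reported as aliens on the next run.
# The lists are newline separated, so a name containing a newline would be
# split into two bogus entries.
skip_common=(
  ! -path "${root}/home/*"
  ! -path "${root}/lib64/modules/*"
  ! -path "${root}/media/*"
  ! -path "${root}/mnt/*"
  ! -path "${root}/root/*"
  ! -path "${root}/tmp/*"
  ! -path "${root}/var/tmp/*"
  ! -path "${root}/var/www/*"
  ! -path "${infdir}/*"
)
skip_files=(
  ! -path "${root}/usr/portage/*"
  ! -path "${root}/var/cache/*"
  ! -path "${root}/var/db/*"
  ! -path "${root}/var/lib/clamav/*"
  ! -path "${root}/var/lib/gentoo/news/*"
  ! -path "${root}/var/lib/layman/*"
  ! -path "${root}/var/lib/motioneye/*"
  ! -path "${root}/var/lib/portage/*"
  ! -path "${root}/var/lib/rkhunter/tmp/*"
  ! -path "${root}/var/log/*"
  ! -path "${root}/var/spool/*"
  ! -path "${root}/var/lib/tor/data/*"
)
# Regular files
find "${root}" -type f "${skip_common[@]}" "${skip_files[@]}" | sort > "${effile}"
# Symbolic links
find "${root}" -type l "${skip_common[@]}" | sort > "${esfile}"
echo "OK!"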
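echo ""
echo "If you looking for progress run:"
echo "tail -f ${log}"
echo "or filter only infected files run:"
echo "tail -f ${log} |grep -v 'OK! ;-)'"
echo "Full scan can take many hoers."
echo ""
printf '%s' "Scanning all system symlinks. Please wait... "
# Counters for the summary; d and r are advanced by delete()/remove() and
# recover_sym().
((v=0)); ((n=0)); ((d=0)); ((r=0))
# One pass over the existing-links list (the original re-read the whole
# list with awk for every entry, which is quadratic in the number of links).
# fn and md are globals because delete()/remove()/recover_sym() read them.
while IFS= read -r f; do
  [[ -n "${f}" ]] || continue
  # Strip the mount point to get the path as recorded in the package db.
  fn=${f#"${root}"}
  # Recorded link target: anchored, fixed-string lookup of "sym <path> ".
  # The key is passed through the environment so that dots, brackets and
  # backslashes in the path are taken literally (the original used the
  # path as an unanchored grep regex).  At most one record is used.
  md=$(SYM_KEY="sym ${fn} " awk 'BEGIN { k = ENVIRON["SYM_KEY"] } index($0, k) == 1 { print $3; exit }' "${isfile}")
  if [[ -z "${md}" ]]; then
    if [[ "${fn}" == /etc/* ]]; then
      echo "${fn} Configuration link wasn't installed by emerge!" >> "${log}"
      ((n+=1))
    else
      printf '%s' "${fn} Alien??? Link wasn't installed by emerge! 8-| " >> "${log}"
      ((n+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  else
    # Actual target straight from the link.  The original parsed field 11 of
    # `ls -l`, which breaks on names with spaces and then reported a false
    # "modified" verdict -- dangerous with DELETE.
    fm=$(readlink -- "${f}")
    if [[ "${md}" == "${fm}" ]]; then
      [[ "${logclean}" == "YES" ]] && echo "${fn} OK! ;-)" >> "${log}"
    elif [[ "${fn}" == /etc/* ]]; then
      echo "${fn} Configuration link was installed by emerge and are modified!" >> "${log}"
      ((v+=1))
    else
      printf '%s' "${fn} Virus??? Link was installed by emerge and are modified! 8-( " >> "${log}"
      ((v+=1))
      case "${infected_action}" in
        DELETE) delete; recover_sym ;;
        REMOVE) remove; recover_sym ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  fi
done < "${esfile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system links was installed by emerge and modified by another program!!!"
echo " Total: ${n} system links wasn't installed by emerge and was created by another program!!!"
echo " Total: ${d} system links wasn't installed by emerge or was modified by another program are deleted or removed!!!"
echo " Total: ${r} system links wasn installed by emerge and modified by another program or don't exist are recovered!!!"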
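echo ""
printf '%s' "Scanning all system files. Please wait... "
# Counters for the summary; d is advanced by delete()/remove().
((v=0)); ((n=0)); ((d=0))
# One pass over the existing-files list (the original re-read the whole
# list with awk for every entry, which is quadratic in the number of files).
# fn is a global because delete()/remove() read it.
while IFS= read -r f; do
  [[ -n "${f}" ]] || continue
  # Strip the mount point to get the path as recorded in the package db.
  fn=${f#"${root}"}
  # Recorded digest: anchored, fixed-string lookup of "obj <path> ".  The
  # key goes through the environment so that regex characters and
  # backslashes in the path are taken literally; at most one record is used.
  md=$(OBJ_KEY="obj ${fn} " awk 'BEGIN { k = ENVIRON["OBJ_KEY"] } index($0, k) == 1 { print $3; exit }' "${iffile}")
  if [[ -z "${md}" ]]; then
    if [[ "${fn}" == /etc/* ]]; then
      echo "${fn} Configuration file wasn't installed by emerge!" >> "${log}"
      ((n+=1))
    else
      printf '%s' "${fn} Alien??? File wasn't installed by emerge! 8-| " >> "${log}"
      ((n+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  else
    # MD5 is what CONTENTS records.  It catches accidental changes and
    # unsophisticated tampering, but colliding files can be constructed, so
    # a matching digest is not proof that a file is untouched.  An unreadable
    # file yields an empty digest and is reported as modified.
    fm=$(md5sum -- "${f}" | awk '{ print $1 }')
    if [[ "${md}" == "${fm}" ]]; then
      [[ "${logclean}" == "YES" ]] && echo "${fn} OK! ;-)" >> "${log}"
    elif [[ "${fn}" == /etc/* ]]; then
      echo "${fn} Configuration file was installed by emerge and are modified!" >> "${log}"
      ((v+=1))
    else
      printf '%s' "${fn} Virus??? File was installed by emerge and are modified! 8-( " >> "${log}"
      ((v+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  fi
done < "${effile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system files was installed by emerge and modified by another program!!!"
echo " Total: ${n} system files wasn't installed by emerge and was created by another program!!!"
echo " Total: ${d} system files wasn't installed by emerge or was modified by another program are deleted or removed!!!"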
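echo ""
printf '%s' "Looking for missing system lynks. Please wait... "
# Counters for the summary; r is advanced by recover_sym().
((v=0)); ((r=0))
# The installed-links list has the form "sym <path> <target> <mtime>"; the
# fields are read directly instead of re-reading the list with awk for
# every entry and grepping the target again.  fn and md are globals because
# recover_sym() reads them.
while read -r kind fn md rest; do
  [[ "${kind}" == 'sym' && -n "${fn}" ]] || continue
  # -L: the symlink itself must exist.  The original tested -s, which
  # follows the link, so a valid link to an empty file or a dangling link
  # was reported as missing and "recovered" onto a name that still existed.
  # A regular file sitting where a link should be is reported as missing.
  if [[ ! -L "${root}${fn}" ]]; then
    echo "${fn} Link was installed by emerge and don't exist! 8-(" >> "${log}"
    ((v+=1))
    if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]; then
      recover_sym
    fi
  fi
done < "${isfile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system links was installed by emerge and don't exist!!!"
echo " Total: ${r} system links installed by emerge and don't exist, are recovered!!!"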
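echo ""
printf '%s' "Looking for missing system files. Please wait... "
((v=0))
# The installed-files list has the form "obj <path> <md5> <mtime>"; the path
# field is read directly instead of re-reading the list with awk for every
# entry.  Missing files are only reported -- nothing is restored.
while read -r kind fn rest; do
  [[ "${kind}" == 'obj' && -n "${fn}" ]] || continue
  # -f follows symlinks, so a recorded file reachable through a link counts
  # as present (unchanged from the original).
  if [[ ! -f "${root}${fn}" ]]; then
    echo "${fn} File was installed by emerge and don't exist! 8-(" >> "${log}"
    ((v+=1))
  fi
done < "${iffile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system files was installed by emerge and don't exist!!!"
echo ""
echo " Please look in '${log}' for detail information."
echo " If you looking only for virus run:"
echo " grep -v 'OK! ;-)' ${log} |less"
exit 0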