  1. #!/bin/bash
  2. # 20161109
  3. # GPL-3
  4.  
  5.  
  6. # If 'infected_action' set to 'DELETE' or "REMOVE' then
  7. # script will delete all files from:
  8. # /bin/*, /sbin/*, /lib* and /usr/* except /usr/local/*
  9. # which was not installed by emerge,
  10. # or installed by emerge and modified by other program!
  11. infected_action='DELETE'
  12. infected_action='REMOVE'
  13. #infected_action='SKIP'
  14.  
  15. # Gentoo pkg database
  16. db='/mnt/gentoo/var/db/pkg/'
  17.  
  18. # Where root of checking system is mouted. You run this from LiveCD? Rhite?
  19. root='/mnt/gentoo'
  20.  
  21. # Path to log file
  22. log='/var/tmp/vlist'
  23. # We delete old log!!!
  24. rm -f "${log}"
  25. logclean="YES"
  26. logclean="NO"
  27.  
  28. # Removed virus files
  29. infdir='/mnt/gentoo/var/viruses'
  30.  
  31. # Path to temp files
  32. iffile='/var/tmp/iflist'
  33. effile='/var/tmp/eflist'
  34. isfile='/var/tmp/islist'
  35. esfile='/var/tmp/eslist'
  36.  
  37.  
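# delete -- permanently remove "${root}${fn}" when ${fn} is in a location
# this script is willing to clean: /bin, /sbin, /lib*/ and /usr, except
# /usr/local. Anything else is logged as skipped and left untouched.
#
# Globals read:    fn   (path relative to the target root, leading '/')
#                  root (mount point of the target), log (log file)
# Globals written: d    (incremented once per successful deletion)
# Returns:         0 always; the outcome is written to ${log}
#
# Safety: ${root:?} aborts the whole (non-interactive) script if root is
# empty, so a misconfiguration can never become "rm -f /bin/...". The
# /lib test requires a component *under* a /lib* directory (/lib/, /lib64/,
# ...), so a stray top-level /libsomething is not eligible.
delete() {
    local target="${root:?refusing to delete with empty root}${fn}"
    case "${fn}" in
        /usr/local/*)
            echo "Skip!" >> "${log}"
            return 0
            ;;
        /bin/*|/sbin/*|/lib*/*|/usr/*) ;;
        *)
            echo "Skip!" >> "${log}"
            return 0
            ;;
    esac
    # '--' so a path can never be parsed as an rm option; a failed unlink
    # is reported rather than silently counted as a deletion.
    if rm -f -- "${target}"; then
        echo "Deleted!!!" >> "${log}"
        ((d+=1))
    else
        echo "Delete FAILED: ${target}" >> "${log}"
    fi
}
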
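# remove -- quarantine "${root}${fn}" by moving it under ${infdir} with its
# directory layout preserved (/bin/ls -> ${infdir}/bin/ls), for the same
# eligible locations as delete(). Ineligible paths are logged as skipped.
#
# Globals read:    fn, root, infdir, log
# Globals written: d (incremented once per successful move)
# Returns:         0 always; the outcome is written to ${log}
#
# Quarantined files keep their mode bits (including exec): treat ${infdir}
# as hostile, inspect only. mv -f overwrites an earlier quarantined copy
# of the same path.
remove() {
    local src="${root:?refusing to move with empty root}${fn}"
    local path
    case "${fn}" in
        /usr/local/*)
            echo "Skip!" >> "${log}"
            return 0
            ;;
        /bin/*|/sbin/*|/lib*/*|/usr/*) ;;
        *)
            echo "Skip!" >> "${log}"
            return 0
            ;;
    esac
    # Directory part of ${fn} ("/bin/ls" -> "/bin") via parameter
    # expansion instead of a sed subshell.
    path="${fn%/*}"
    mkdir -p -- "${infdir}${path}"
    if mv -f -- "${src}" "${infdir}${path}/"; then
        echo "Removed!!!" >> "${log}"
        ((d+=1))
    else
        echo "Remove FAILED: ${src}" >> "${log}"
    fi
}
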
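# recover_sym -- recreate the symlink ${fn} (relative to ${root}) pointing
# at ${md}, the target recorded in the package database.
#
# Globals read:    fn, md, root, log
# Globals written: r (incremented once per symlink actually created)
# Returns:         0 always; the outcome is written to ${log}
#
# No 'cd': a failed cd used to leave the link in whatever the current
# directory happened to be. '--' keeps a target or name beginning with '-'
# from being parsed as an option, and the success line / counter are only
# emitted when ln really succeeded (e.g. not when something still occupies
# that name).
recover_sym() {
    local dir="${root:?refusing to create links with empty root}${fn%/*}"
    local name="${fn##*/}"
    mkdir -p -- "${dir}"
    if ln -s -- "${md}" "${dir}/${name}"; then
        echo "${fn} Recover symlink! :-)" >> "${log}"
        ((r+=1))
    else
        echo "${fn} Recover symlink FAILED (wanted -> ${md})" >> "${log}"
    fi
}
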
  87. # Check rhite for deleting bed system files.
  88. if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]
  89.   then
  90.     echo ""
  91.     echo "          !!! Atention !!!"
  92.     echo "  This script will delete or remove system files!"
  93.     echo ""
  94.     echo "Only 64 bit, no multilib, systems are supported."
  95.     echo ""
  96.     echo "If you don't wont delete any files, just log, type SKIP."
  97.     echo "If you wont remove ?infected? files, type REMOVE."
  98.     echo -n "If you wont delete ?infected? files type DELETE and press 'Enter': "
  99.     read check
  100.     if [ "${check}" == 'DELETE' ]
  101.       then
  102.         infected_action='DELETE'
  103.     elif [ "${check}" == 'REMOVE' ]
  104.       then
  105.         infected_action='REMOVE'
  106.         mkdir -p "${infdir}"
  107.       else
  108.         infected_action='SKIP'
  109.     fi
  110. fi
  111.  
  112.  
  113. echo ""
  114. echo -n "Build list of installed system files and links. Please wait... "
  115. rm -f "${iffile}_"
  116. for f in `find "${db}" -name CONTENTS -type f`
  117.   do
  118.  
  119.     # Regular files
  120.     grep "obj /" "${f}" |sed 's/obj \/lib\//obj \/lib64\//' \
  121.     |sed 's/obj \/usr\/lib\//obj \/usr\/lib64\//' \
  122.     |sed -r 's/^(obj) (.+) (.+) (.+)$/\1    \2  \3  \4/m' >> "${iffile}_"
  123.  
  124.     # Symbolic links
  125.     grep -E '^sym /' "${f}" |sed -r 's/^(sym) (.+) -> (.+) (.+)$/\1 \2  \3  \4/m' >> "${isfile}_"
  126.  
  127.   done
  128. sort "${iffile}_" |uniq > "${iffile}"
  129. rm "${iffile}_"
  130.  
  131. sort "${isfile}_" |uniq > "${isfile}"
  132. rm "${isfile}_"
  133.  
  134. echo "OK!"
  135. echo ""
  136.  
  137.  
  138. echo -n "Build list of existing system files and links. Please wait... "
  139.  
  140. # Regular files
  141. find "${root}" -type f \
  142. -and ! -wholename "${root}/home/*" \
  143. -and ! -wholename "${root}/lib64/modules/*" \
  144. -and ! -wholename "${root}/media/*" \
  145. -and ! -wholename "${root}/mnt/*" \
  146. -and ! -wholename "${root}/root/*" \
  147. -and ! -wholename "${root}/tmp/*" \
  148. -and ! -wholename "${root}/usr/portage/*" \
  149. -and ! -wholename "${root}/var/cache/*" \
  150. -and ! -wholename "${root}/var/db/*" \
  151. -and ! -wholename "${root}/var/lib/clamav/*" \
  152. -and ! -wholename "${root}/var/lib/gentoo/news/*" \
  153. -and ! -wholename "${root}/var/lib/layman/*" \
  154. -and ! -wholename "${root}/var/lib/motioneye/*" \
  155. -and ! -wholename "${root}/var/lib/portage/*" \
  156. -and ! -wholename "${root}/var/lib/rkhunter/tmp/*" \
  157. -and ! -wholename "${root}/var/log/*" \
  158. -and ! -wholename "${root}/var/spool/*" \
  159. -and ! -wholename "${root}/var/tmp/*" \
  160. -and ! -wholename "${root}/var/lib/tor/data/*" \
  161. -and ! -wholename "${root}/var/www/*" \
  162. |sort > "${effile}"
  163.  
  164. # Symbolic links
  165. find "${root}" -type l \
  166. -and ! -wholename "${root}/home/*" \
  167. -and ! -wholename "${root}/lib64/modules/*" \
  168. -and ! -wholename "${root}/media/*" \
  169. -and ! -wholename "${root}/mnt/*" \
  170. -and ! -wholename "${root}/root/*" \
  171. -and ! -wholename "${root}/tmp/*" \
  172. -and ! -wholename "${root}/var/tmp/*" \
  173. -and ! -wholename "${root}/var/www/*" \
  174. |sort > "${esfile}"
  175.  
  176. echo "OK!"
  177. echo ""
  178.  
  179.  
  180. echo "If you looking for progress run:"
  181. echo "tail -f ${log}"
  182. echo "or filter only infected files run:"
  183. echo "tail -f ${log} |grep -v 'OK!  ;-)'"
  184. echo "Full scan can take many hoers."
  185. echo ""
  186.  
  187.  
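echo -n "Scanning all system symlinks. Please wait... "
# v: links emerge installed whose target differs from the recorded one
# n: links emerge never installed ("Alien")
# d: links deleted/quarantined, r: links recreated from the database
((v=0)); ((n=0)); ((d=0)); ((r=0))
# Stream the sorted symlink list once. (Re-reading the whole list with awk
# for every entry, as before, is O(n^2) on a full system.) find emits one
# path per line, so an embedded newline in a filename would still break a
# record; the '|| [[ -n ]]' keeps a last line without trailing newline.
while IFS= read -r f || [[ -n "${f}" ]]
  do
    [[ -n "${f}" ]] || continue
    # Path as the target system sees it: strip the mount prefix exactly
    # once. (awk -F"${root}" treated the prefix as a regex and cut at a
    # later occurrence of the mount path inside a filename as well.)
    fn="${f#"${root}"}"
    # Recorded link target. -F: the path is data, not a regex -- '.', '+'
    # and '[' in file names must not be interpreted. The separator
    # spacing must match exactly what the list builder wrote.
    md=$(grep -F "sym   ${fn}   " "${isfile}" |awk -F'  ' '{print $3}')
    if [ "${md}" == '' ]
      then
        if [[ "${fn}" == /etc/* ]]
          then
            # /etc is reported only: admin-created config links are normal.
            echo "${fn} Configuration link wasn't installed by emerge!" >> "${log}"
            ((n+=1))
          else
            echo -n "${fn}  Alien??? Link wasn't installed by emerge! 8-|  " >> "${log}"
            ((n+=1))
            case "${infected_action}" in
                DELETE) delete ;;
                REMOVE) remove ;;
                *)      echo "Skip!" >> "${log}" ;;
            esac
        fi
      else
        # Actual target. readlink replaces parsing column 11 of 'ls -l',
        # which breaks on targets containing spaces and on locales/time
        # styles that change the number of date columns.
        fm=$(readlink -- "${f}")
        if [ "${md}" == "${fm}" ]
          then
            if [ "${logclean}" == "YES" ]
              then
                echo "${fn} OK!  ;-)" >> "${log}"
            fi
          else
            if [[ "${fn}" == /etc/* ]]
              then
                echo "${fn} Configuration link was installed by emerge and are modified!" >> "${log}"
                ((v+=1))
              else
                echo -n "${fn}  Virus??? Link was installed by emerge and are modified! 8-(  " >> "${log}"
                ((v+=1))
                # Remove the tampered link, then recreate it from the
                # database; recover_sym logs a failure if the name is
                # still occupied.
                case "${infected_action}" in
                    DELETE) delete; recover_sym ;;
                    REMOVE) remove; recover_sym ;;
                    *)      echo "Skip!" >> "${log}" ;;
                esac
            fi
        fi
    fi
  done < "${esfile}"
echo "OK!"

echo "Sumary:"
echo "  Total: ${v} system links was installed by emerge and modified by another program!!!"
echo "  Total: ${n} system links wasn't installed by emerge and was created by another program!!!"
echo "  Total: ${d} system links wasn't installed by emerge or was modified by another program are deleted or removed!!!"
echo "  Total: ${r} system links wasn installed by emerge and modified by another program or don't exist are recovered!!!"
echo ""


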
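echo -n "Scanning all system files. Please wait... "
# v: files emerge installed whose MD5 no longer matches CONTENTS
# n: files emerge never installed ("Alien"), d: files deleted/quarantined
((v=0)); ((n=0)); ((d=0));
# Stream the sorted file list once instead of re-reading it with awk for
# every entry (O(n^2) on a full system). find emits one path per line, so
# an embedded newline in a filename would still break a record.
while IFS= read -r f || [[ -n "${f}" ]]
  do
    [[ -n "${f}" ]] || continue
    # Path as the target system sees it: strip the mount prefix exactly
    # once (awk -F"${root}" treated the prefix as a regex and also split
    # on a later occurrence of the mount path inside a filename).
    fn="${f#"${root}"}"
    # Recorded digest. -F: the path is data, not a regex. The separator
    # spacing must match exactly what the list builder wrote.
    md=$(grep -F "obj   ${fn}   " "${iffile}" |awk -F'  ' '{print $3}')
    if [ "${md}" == '' ]
      then
        if [[ "${fn}" == /etc/* ]]
          then
            # /etc is reported only: locally created config files are normal.
            echo "${fn} Configuration file wasn't installed by emerge!" >> "${log}"
            ((n+=1))
          else
            echo -n "${fn}  Alien??? File wasn't installed by emerge! 8-|  " >> "${log}"
            ((n+=1))
            case "${infected_action}" in
                DELETE) delete ;;
                REMOVE) remove ;;
                *)      echo "Skip!" >> "${log}" ;;
            esac
        fi
      else
        # Digest of the file on disk. Hashing via stdin keeps md5sum from
        # prefixing the digest with '\' for filenames containing a
        # backslash or newline, which would be a spurious mismatch.
        # MD5 is what portage records: this detects change, not a
        # deliberately constructed collision.
        fm=$(md5sum < "${f}" |awk '{print $1}')
        if [ "${md}" == "${fm}" ]
          then
            if [ "${logclean}" == "YES" ]
              then
                echo "${fn} OK!  ;-)" >> "${log}"
            fi
          else
            if [[ "${fn}" == /etc/* ]]
              then
                # Edited config files are expected; never acted upon.
                echo "${fn} Configuration file was installed by emerge and are modified!" >> "${log}"
                ((v+=1))
              else
                echo -n "${fn}  Virus??? File was installed by emerge and are modified! 8-(  " >> "${log}"
                ((v+=1))
                # A modified file is deleted/quarantined but NOT restored;
                # the owning package has to be re-emerged afterwards.
                case "${infected_action}" in
                    DELETE) delete ;;
                    REMOVE) remove ;;
                    *)      echo "Skip!" >> "${log}" ;;
                esac
            fi
        fi
    fi
  done < "${effile}"
echo "OK!"

echo "Sumary:"
echo "  Total: ${v} system files was installed by emerge and modified by another program!!!"
echo "  Total: ${n} system files wasn't installed by emerge and was created by another program!!!"
echo "  Total: ${d} system files wasn't installed by emerge or was modified by another program are deleted or removed!!!"
echo ""

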
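echo -n "Looking for missing system lynks. Please wait... "
# v: database symlinks absent from the target, r: symlinks recreated
((v=0)); ((r=0))
# Walk the database list of symlinks and check each one still exists under
# ${root}. The first line is parsed with default whitespace splitting and
# the remaining lines with the two-space separator; both are kept as they
# were -- if the list format changes, change both together. The per-line
# awk re-read is O(n^2) but left alone for the same reason.
fn=$(awk -F' ' '{if (NR==1) {print $2}}' "${isfile}")
((i=2))
while [ "${fn}" != '' ]
  do
    # -L: "does the symlink itself exist". The earlier -s dereferenced the
    # link, so a dangling link or a link to an empty file was reported as
    # missing and the recreate attempt then failed because the name was
    # still in use.
    if [ ! -L "${root}${fn}" ]
      then
        echo "${fn} Link was installed by emerge and don't exist! 8-(" >> "${log}"
        ((v+=1))
        if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]
          then
            # Fixed-string match: the path is data, not a regex.
            md=$(grep -F "sym   ${fn}   " "${isfile}" |awk -F'  ' '{print $3}')
            recover_sym
        fi
    fi
    # Next list line; the line number is passed with -v rather than
    # interpolated into the awk program text.
    fn=$(awk -v n="${i}" 'NR==n' "${isfile}" |awk -F'  ' '{print $2}')
    ((i+=1))
  done
echo "OK!"

echo "Sumary:"
echo "  Total: ${v} system links was installed by emerge and don't exist!!!"
echo "  Total: ${r} system links installed by emerge and don't exist, are recovered!!!"
echo ""
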
echo -n "Looking for missing system files. Please wait... "
# v: regular files recorded in the package database but absent under ${root}
((v=0))
# First line is parsed with default whitespace splitting (-F' '), the
# remaining lines with a two-space separator (-F'  '); they only agree if
# the list builder emits at least two spaces after "obj". NOTE(review):
# verify against the actual list format before changing either.
fn=`awk -F' ' '{if (NR==1) {print $2}}' "${iffile}"`
((i=2))
while [ "${fn}" != '' ]
  do
    # -f follows symlinks: a package file replaced by a symlink to some
    # other regular file still counts as present here. (The content scan
    # above is what catches that case, via the find -type f / -type l split.)
    # Missing files are only reported, never restored.
    if [ ! -f "${root}${fn}" ]
      then
        echo "${fn} File was installed by emerge and don't exist! 8-(" >> "${log}"
        ((v+=1))
    fi
    # Re-reads the whole list for every line: O(n^2) on a full system.
    fn=`awk "{if (NR==$i) print}" "${iffile}" |awk -F'  ' '{print $2}'`
    ((i+=1))
  done
echo "OK!"

echo "Sumary:"
echo "  Total: ${v} system files was installed by emerge and don't exist!!!"
echo ""

echo "  Please look in  '${log}'  for detail information."
echo "  If you looking only for virus run:"
echo "  grep -v 'OK!  ;-)' ${log} |less"


# Always exits 0, even when findings were logged, so the exit status
# cannot be used by a wrapper to detect a dirty system -- read ${log}.
exit 0