Republished: Basic Malware Detector For Linux

This was originally published on benscomputer.no-ip.org in Jun 2009

OK, if this is of use to anyone then fantastic!!!!

It's a simple script that generates MD5/SHA1/SHA256 sums of all files within your PATH. The directory list is based on the PATH variable on my machine at the time of writing; in fact it also checks the sums of my backups (you'll probably want to remove the /mnt/exthd line).



It's simple to use: all you need to do is burn the generated disc image to a CD for use when you check your system. It is based on the idea that you trust the security of your system at the time of generation, and there are a few caveats:


  1. It must be run as root (you can run it as a normal user, but you will get a lot of Permission Denied errors)
  2. It won't notice if new executables appear (to be changed at a later date, maybe!)
  3. You must burn the disc image (if you leave it on the system and the system is compromised, the attacker could regenerate your image)


Preparation

There are a couple of steps before you can get the script working. You'll need nothing more than a text editor!

  1. You need to specify the checksum program to use (default is sha256sum)
  2. You may want to change the directories that are checksummed

Usage

Calling the script with no arguments, or with --help, will display the usage options. Despite what is shown, all that is currently supported is

sha_archive.sh --full
sha_archive.sh --help

Using the first will generate a checksum of every file stored within the directories specified in the script; the checksums are then stored in an ISO image along with the verification script. This should be burnt to a CD immediately.

Upon mounting the CD (to run your check), cd into the mounted directory and run

./Verify_sigs.sh

which will then check all files stored within its database. It will show you a prompt before it starts; read it carefully and then press Enter.
Should any discrepancies be found, they will be piped through less, but the file will remain in /tmp.
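The generate-then-verify flow described above, as an added example that is not the original sha_archive.sh or Verify_sigs.sh: a shell script with two functions, one that builds a sorted SHA-256 manifest and one that checks a live tree against it. It assumes GNU coreutils and findutils (sha256sum, find -print0, sort -z, xargs -0), and the function and file names are my own. It goes one step beyond the original by also reporting files that appeared after the manifest was made, which is caveat 2 above.

```shell
#!/bin/sh
# Added example, not the original sha_archive.sh or Verify_sigs.sh.
# Builds a SHA-256 manifest of every regular file under the given
# directories and later verifies a live tree against it. Unlike the
# original, it also reports files that appeared after the manifest was
# made (caveat 2 above). Assumes GNU coreutils/findutils: sha256sum,
# find -print0, sort -z, xargs -0.

# generate_manifest DIR... : print "<sha256>  <path>" lines sorted by path,
# so two runs over an unchanged tree produce byte-identical manifests.
generate_manifest() {
    find "$@" -type f -print0 2>/dev/null | sort -z | xargs -0 -r sha256sum --
}

# verify_manifest MANIFEST DIR... : print one line per problem
#   MODIFIED <path>  hash differs from the manifest
#   MISSING  <path>  listed in the manifest but no longer on disk
#   NEW      <path>  on disk but never listed in the manifest
# Returns 0 when the tree matches exactly, 1 when anything was printed.
verify_manifest() {
    manifest=$1; shift
    report=$(
        while IFS= read -r line; do
            expected=${line%%  *}   # first field: the recorded hash
            path=${line#*  }        # remainder: the file path
            if [ ! -f "$path" ]; then
                echo "MISSING  $path"
            elif [ "$(sha256sum -- "$path" | cut -d' ' -f1)" != "$expected" ]; then
                echo "MODIFIED $path"
            fi
        done < "$manifest"
        # Load the manifest's paths (column 67 onward: 64 hex digits plus
        # two spaces) into an awk array; print every on-disk path not in it.
        find "$@" -type f 2>/dev/null | awk -v m="$manifest" '
            BEGIN { while ((getline l < m) > 0) known[substr(l, 67)] = 1 }
            !($0 in known) { print "NEW      " $0 }'
    )
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Command-line use:  ./integrity.sh gen DIR... > manifest
#                    ./integrity.sh check manifest DIR...
case "${1-}" in
    gen)   shift; generate_manifest "$@" ;;
    check) shift; verify_manifest "$@" ;;
esac
```

Keep the manifest on read-only media, exactly as the post says for the ISO image; a manifest left on a writable disk can be regenerated by whoever tampered with the files.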

Bugs

Probably quite a few


Releases

V0.1
MD5 Sum

713f63b9323cfa7453d5aeb279de9b83 sha_archive.sh