Bash script for removing the SHV5 rootkit
Requirements :
Debian
apt-get with working sources
root access
CentOS :
yum with working rpm’s
root access
Download [at] http://blog.evilcoder.net/shv5-rootkit-remover/#sthash.0GdClqnw.dpuf Or Here
========================================================
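#!/bin/bash
#
# SHV5 rootkit remover.
#
# Usage: <script> yes        (run as root)
#
# Steps, in order:
#   1. Require the single argument "yes" as consent.
#   2. Identify the distribution (Debian, Ubuntu or CentOS).
#   3. Treat the directory /usr/lib/libsh as the indicator of an SHV5
#      install; exit 1 when it is absent.
#   4. Clear the s/i/a file attributes on the listed system binaries and
#      rootkit paths so they can be replaced or deleted.
#   5. Delete the rootkit paths, reinstall the packages that own the listed
#      binaries, and kill the ttymon process.
#
# Exit status: 0 when every step ran, 1 on usage error, missing indicator,
# missing root privileges, unsupported distribution or a failed reinstall.
#
# Scope: only the paths named below are handled. The script runs on the
# host it is cleaning, so chattr, rm and the package manager all come from
# the suspect system; other persistence (accounts, SSH keys, cron entries)
# is not inspected. Verify package files afterwards (for example with
# `rpm -Va` or `debsums`) and prefer a rebuild from known-good media.

# Binaries whose attributes are cleared before the reinstall. The CentOS
# list differs from the Debian/Ubuntu one in the dir and lsof locations.
readonly DEB_BINARIES=(
  /bin/dir /usr/bin/find /sbin/ifconfig /bin/ls /usr/bin/lsof
  /usr/bin/md5sum /bin/netstat /bin/ps /usr/bin/pstree /usr/bin/top
)
readonly RPM_BINARIES=(
  /usr/bin/dir /usr/bin/find /sbin/ifconfig /bin/ls /usr/sbin/lsof
  /usr/bin/md5sum /bin/netstat /bin/ps /usr/bin/pstree /usr/bin/top
)
# Packages reinstalled to replace the binaries above.
readonly PACKAGES=(coreutils binutils net-tools psmisc lsof procps findutils)

#######################################
# Print the distribution name: "Debian", "Ubuntu" or "CentOS" when
# /etc/os-release carries a matching ID, otherwise the first word of
# /etc/issue (the original detection method). Uses shell builtins only,
# because cat/cut/head belong to coreutils, which this script reinstalls
# as suspect.
# Outputs: distribution name on stdout (empty when nothing is readable)
#######################################
detect_os() {
  local key value first_word
  if [ -r /etc/os-release ]; then
    while IFS='=' read -r key value; do
      [ "$key" = "ID" ] || continue
      value=${value#[\"\']}
      value=${value%[\"\']}
      case "$value" in
        debian) echo "Debian"; return 0 ;;
        ubuntu) echo "Ubuntu"; return 0 ;;
        centos) echo "CentOS"; return 0 ;;
      esac
    done < /etc/os-release
  fi
  if [ -r /etc/issue ]; then
    read -r first_word _ < /etc/issue
    echo "$first_word"
  fi
}

#######################################
# Clear the s, i and a attributes on each existing path.
# Arguments: paths to process; missing ones are skipped so chattr does not
#            report errors for files a given release does not ship there.
#######################################
clear_attrs() {
  local path
  for path in "$@"; do
    [ -e "$path" ] || continue
    chattr -sia "$path"
  done
}

#######################################
# Reinstall PACKAGES with the given package tool.
# Arguments: $1 - "apt" or "yum"
# Returns:   exit status of the reinstall command
#######################################
reinstall_packages() {
  case "$1" in
    apt)
      # A failed index refresh is reported but the reinstall is still tried.
      apt-get update >>/dev/null \
        || echo "apt-get update failed; trying the reinstall anyway" >&2
      apt-get -y install --reinstall "${PACKAGES[@]}" >>/dev/null
      ;;
    yum)
      yum -y reinstall "${PACKAGES[@]}" >>/dev/null
      ;;
    *)
      return 1
      ;;
  esac
}

#######################################
# Remove the rootkit files and restore the affected binaries.
# Arguments: $1 - package tool ("apt" or "yum"); remaining arguments are
#            the binaries whose attributes must be cleared
# Returns:   0 on success, 1 when the package reinstall reported an error
#######################################
clean_system() {
  local pkg_tool=$1
  shift
  local status=0

  clear_attrs "$@" /lib/libsh.so /etc/sh.conf /sbin/ttymon /sbin/ttyload
  # -R also reaches hidden files and nested directories, which the glob
  # /usr/lib/libsh/* does not match; otherwise rm below can fail on them.
  chattr -R -sia /usr/lib/libsh

  echo "Deleting rootkit folders"
  rm -rf /lib/libsh.so
  rm -rf /usr/lib/libsh/
  rm -rf /etc/sh.conf
  rm -rf /sbin/ttyload
  rm -rf /sbin/ttymon

  echo "Reinstall new files"
  if ! reinstall_packages "$pkg_tool"; then
    # stdout is discarded above, so surface the failure explicitly: if the
    # reinstall did not complete, the listed binaries were not replaced.
    echo "Package reinstall reported an error; the listed binaries may not have been replaced" >&2
    status=1
  fi

  # Done after the reinstall, so killall comes from the reinstalled psmisc.
  echo "Killing Rootkit"
  killall -9 ttymon
  echo "You should reboot to finish cleaning"
  return "$status"
}

echo "SHV Rootkit checker by alex [at] evilcoder.net"

if [ $# -ne 1 ]; then
  echo "This is a SHV5 rootkit remover"
  echo "This script is released as it is and i can't be held responsable for any damages"
  echo "This script has been tested on Debian , Ubuntu and CentOS servers "
  echo "You must agree with that"
  echo "Usage : $0 yes"
  exit 1
fi

if [ "$1" != "yes" ]; then
  echo "You should agree"
  exit 1
fi
echo "Thanks"

# Checking Linux type.
OS=$(detect_os)

# A missing directory only means this one indicator is absent; it is not
# proof that the host is clean.
if [ -d "/usr/lib/libsh" ]; then
  echo "We have SHV rootkit"
else
  echo "You don't have shv5 installed"
  exit 1
fi

# Everything from here on modifies system files and needs root.
if [ "$EUID" -ne 0 ]; then
  echo "This script must be run as root" >&2
  exit 1
fi

echo "System Check"
case "$OS" in
  Debian)
    echo "We have Debian"
    echo "Removing immutable from infected files"
    clean_system apt "${DEB_BINARIES[@]}"
    ;;
  Ubuntu)
    echo "We have Ubuntu"
    echo "Removing immutable from Ubuntu known infected files"
    clean_system apt "${DEB_BINARIES[@]}"
    ;;
  CentOS)
    echo "We got CentOS"
    echo "Removing immutable flag from CentOS known infected files"
    clean_system yum "${RPM_BINARIES[@]}"
    ;;
  *)
    # Previously an unrecognised system fell through silently with the
    # rootkit still in place.
    echo "Unsupported distribution '$OS': nothing was removed" >&2
    exit 1
    ;;
esac
exit $?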
========================================================
Source from this Link