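#!/usr/bin/perl -T
# DDos Perl IrcBot Killer 2014 - F-hauri.CH - ddbk@F-hauri.CH
# This script is based on "DDoS Perl IrcBot v1.0 / 2012 by DDoS Security Team".
#
# The goal of this script is to kill the Perl IrcBot.
#
# How it works: every process under /proc whose binary is a perl/python/php
# interpreter, whose argv[0] claims to be a well-known system daemon and whose
# parent is pid 1 (an orphaned daemon) is reported together with its owner and
# its open TCP/UDP sockets, then the operator is asked whether to SIGKILL it.
#
# It has to be run with at least the same privilege level as the bot itself
# (it works better when run with root privileges); other users' processes
# cannot be inspected and are reported on STDERR as "Can't check".
#
# Only /proc/net/tcp and /proc/net/udp are parsed, so IPv6 sockets (tcp6/udp6)
# of a suspicious process are not listed.  Run it interactively: the kill
# prompt defaults to "Y", and EOF on STDIN is taken as the default.
#
# Taint mode (-T) is kept on purpose: the only untainted value the script
# acts on is the pid, which is untainted by the anchored regex in checkPid().
#
# This script is distributed under the terms of the GPL-V2 license, "as is",
# without any kind of warranty!
#
use strict;
use warnings;

# Flush the kill prompt before blocking on STDIN (it has no trailing newline).
$| = 1;

# socket inode -> "proto:remote_port:remote_ip:local_ip:local_port"
my %netSocks;

# argv[0] patterns a bot uses to masquerade as a system daemon.
my $FAKE_DAEMON_NAME = qr{^(?:/usr)?(?:/local)?(?:/s?bin)?[\[/]?(?:http|ssh|apache|syslog|cron|klog|kblockd|khelper|kmpathd|ksoftirqd|acpi|sync|-)};

# Decode an 8-hex-digit address from /proc/net/{tcp,udp} to dotted quad.
# The kernel prints the address in host (little-endian) byte order, so the
# bytes have to be reversed.
sub hex_to_ipv4 {
    my ($hex) = @_;
    return join '.', map { hex($_) } reverse($hex =~ /(..)/g);
}

# Fill %netSocks from /proc/net/tcp and /proc/net/udp.
# Column layout of both tables (Documentation/networking/proc_net_tcp.txt):
#   sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt
#   uid timeout inode ...
sub listNetSocks {
    for my $proto (qw(tcp udp)) {
        my $table = "/proc/net/$proto";
        open my $nh, '<', $table or do {
            warn "open $table: $!\n";
            next;
        };
        <$nh>;    # first line is the column header
        while (my $line = <$nh>) {
            # split ' ' drops leading blanks, so the indices stay valid
            # whatever the printed width of the "sl" column.
            my @col = split ' ', $line;
            next unless @col >= 10;
            my ($loc, $rem, $inode) = @col[1, 2, 9];
            my ($lip, $lport) = split /:/, $loc;
            my ($rip, $rport) = split /:/, $rem;
            $netSocks{$inode} = join ':', $proto, hex($rport),
                hex_to_ipv4($rip), hex_to_ipv4($lip), hex($lport);
        }
        close $nh;
    }
    return;
}

# Read a passwd/group style file and return a hash mapping numeric id
# (third field) to name (first field).  Dies when the file cannot be opened.
sub getids {
    my ($file) = @_;
    open my $fh, '<', $file or die "open $file: $!\n";
    my %name_of;
    while (my $line = <$fh>) {
        $name_of{$2} = $1 if $line =~ /^([^:]*):[^:]*:(\d+):/;
    }
    close $fh;
    return %name_of;
}

# Return the whole content of $path, or undef (with $! set) when it cannot be
# opened or is empty.  /proc entries vanish while we scan, so callers must
# expect undef.
sub _read_file {
    my ($path) = @_;
    open my $fh, '<', $path or return;
    my $content = do { local $/; <$fh> };
    close $fh;
    return $content;
}

my %umap = getids("/etc/passwd");
my %gmap = getids("/etc/group");

# Inspect one /proc directory entry; report the process and offer to kill it
# when it looks like a disguised interpreter-based bot.  Returns nothing.
sub checkPid {
    my ($entry) = @_;

    # readdir() output is tainted; the anchored capture untaints the pid,
    # which is the one value later passed to kill().
    return unless $entry =~ /\A(\d+)\z/ && $1 > 1;
    my $pid = $1;

    my $exe = readlink "/proc/$pid/exe";
    unless (defined $exe) {
        # Kernel threads have no exe link; other users' processes are not
        # readable without root.  Report and move on.
        print STDERR "Can't check: $pid ($!)\n";
        return;
    }
    return unless $exe =~ m{/p(?:erl|ython|hp)};

    my $cmdline = _read_file("/proc/$pid/cmdline");
    return unless defined $cmdline;
    $cmdline =~ tr/\0/ /;    # argv entries are NUL separated
    return unless $cmdline =~ $FAKE_DAEMON_NAME;
    # argv[0] equal to the real binary is the honest case.
    return if (split ' ', $cmdline)[0] eq $exe;

    my $status = _read_file("/proc/$pid/status");
    return unless defined $status;
    my ($ppid) = $status =~ /^PPid:\s*(\d+)\s*$/m;
    # Orphaned daemons are reparented to init; that is the bot's usual state.
    # NOTE: a process reparented to a sub-reaper (not pid 1) is not caught.
    return unless defined $ppid && $ppid == 1;

    printf "Suspicious process\t'%d',\n\thas parent pid:\t'%d',\n"
         . "\trun\t\t'%s',\n\tclaim to be\t'%s'\n",
        $pid, $ppid, $exe, $cmdline;

    # Resolve the process' sockets through their inode numbers.
    my @socket_list;
    my $fd_dir = "/proc/$pid/fd";
    if (opendir my $dh, $fd_dir) {
        for my $fd (grep { /^\d+$/ } readdir $dh) {
            my $target = readlink "$fd_dir/$fd";
            next unless defined $target && $target =~ /socket:\[(\d+)\]/;
            push @socket_list, $netSocks{$1} if defined $netSocks{$1};
        }
        closedir $dh;
    }
    else {
        print STDERR "Can't list $fd_dir: $!\n";
    }

    # The /proc/<pid> directory is owned by the process' uid/gid.
    my ($uid, $gid) = (stat "/proc/$pid")[4, 5];
    my $user  = !defined $uid ? '?' : defined $umap{$uid} ? $umap{$uid} : $uid;
    my $group = !defined $gid ? '?' : defined $gmap{$gid} ? $gmap{$gid} : $gid;
    printf "\tbehind to\t'%s:%s'\n", $user, $group;

    for my $sock (@socket_list) {
        printf "\tand has port\t%s '%d'\n\topen to\t\t'%s'\n\tfrom\t\t'%s:%d'\n",
            split /:/, $sock;
    }

    printf "Send SIGKILL to %d (Y/n)? Y\033[1D", $pid;
    my $answer = <STDIN>;
    $answer = '' unless defined $answer;    # EOF keeps the default "Y"
    return if $answer =~ /^n/i;
    kill 'KILL', $pid or print STDERR "kill $pid: $!\n";
    return;
}

listNetSocks();
opendir my $dh, '/proc' or die "opendir /proc: $!\n";
my @pids = sort { $a <=> $b } grep { /^\d+$/ } readdir $dh;
closedir $dh;
checkPid($_) for @pids;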