[ SEA-GHOST MINI SHELL]
#!/usr/bin/env bash
#
##
# Linux Malware Detect v1.6.5
# (C) 2002-2023, R-fx Networks <proj@rfxn.com>
# (C) 2023, Ryan MacDonald <ryan@rfxn.com>
# This program may be freely redistributed under the terms of the GNU GPL v2
##
#
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
ver=1.6.5
inspath='/usr/local/maldetect'
intcnf="$inspath/internals/internals.conf"
if [ -f "/etc/sysconfig/maldet" ]; then
syscnf=/etc/sysconfig/maldet
elif [ -f "/etc/default/maldet" ]; then
syscnf=/etc/default/maldet
fi
header() {
echo "Linux Malware Detect v$ver"
echo " (C) 2002-2023, R-fx Networks <proj@rfxn.com>"
echo " (C) 2023, Ryan MacDonald <ryan@rfxn.com>"
echo "This program may be freely redistributed under the terms of the GNU GPL v2"
echo ""
}
if [ -f "$intcnf" ]; then
source $intcnf
else
header
echo "maldet($$): {glob} \$intcnf not found, aborting."
exit 1
fi
if [ -f "$cnf" ]; then
source $cnf
else
header
echo "maldet($$): {glob} \$cnf not found, aborting."
exit 1
fi
if [ -f "$intfunc" ]; then
source $intfunc
else
header
echo "maldet($$): {glob} \$intfunct not found, aborting."
exit 1
fi
if [ -f "$compatcnf" ]; then
source $compatcnf
fi
if [ -f "$syscnf" ]; then
source $syscnf
fi
# prerun operations
prerun
if [ -z "$1" ]; then
header
usage_short
else
while [ -n "$1" ]; do
case "$1" in
--mkpubpaths)
if [ "$scan_user_access" == "1" ]; then
chmod 711 $userbasedir
for user in `cat /etc/passwd | cut -d ':' -f1`; do
uid=`id --user $user`
if [ -z "$uid" ]; then
uid=9
fi
if [ -z "$scan_user_access_minuid" ]; then
scan_user_access_minuid=10
fi
if [ "$uid" -ge "$scan_user_access_minuid" ] && [ ! -d "$userbasedir/$user" ]; then
mkdir -p $userbasedir/$user/quar $userbasedir/$user/sess $userbasedir/$user/tmp
touch $userbasedir/$user/event_log
chown -R $user $userbasedir/$user
chmod 750 $userbasedir/$user $userbasedir/$user/quar $userbasedir/$user/sess $userbasedir/$user/tmp
chmod 640 $userbasedir/$user/event_log
eout "{glob} created public scanning paths for user $user"
fi
unset uid user
done
exit
else
header
echo "public scanning support not enabled in $cnf, aborting."
exit
fi
;;
-hscan|--hook-scan|--modsec)
hscan=1
;;
-U|--user)
shift
user="$1"
quardir=$userbasedir/$user/quar
sessdir=$userbasedir/$user/sess
tmpdir=$userbasedir/$user/tmp
maldet_log=$userbasedir/$user/event_log
;;
-co|--config-option)
shift
user=`whoami`
if [ ! "$user" == "root" ]; then
tmpdir=$userbasedir/$user/tmp
fi
tmpco=$tmpdir/config.cli
rm -f $tmpco
touch $tmpco
echo ,$1 | sed -e 's/-\(-config-option\|co\) //' -e 's/\(, *[a-zA-Z0-9_][a-zA-Z0-9_]*=\)/\n\1\n/g' | sed -e '1d' -e 's/^\([^,].*\|.*[^=]\)$/"\1"/' | sed -e '$!N;s/\n//' -e 's/^, *//' | grep -v "^ *compatcnf" > $tmpco
. $tmpco
rm -f $tmpco
if [ -f "$compatcnf" ]; then
source $compatcnf
fi
;;
-qd)
shift
if [ -d "$1" ]; then
eout "{scan} set quarantine path: $1" 1
quardir="$1"
fi
;;
-b|--background)
set_background=1
;;
-c|--checkout)
shift
header
checkout "$1"
;;
-x|--exclude-regex)
shift
if [ "$1" ]; then
exclude_regex="-not -regex \"$1\""
fi
;;
-i|--include-regex)
shift
if [ "$1" ]; then
include_regex="-regex \"$1\""
fi
;;
--wget-proxy|--curl-proxy|--web-proxy)
shift
if [ "$1" ]; then
web_proxy="$1"
fi
;;
--alert-daily|--monitor-report)
genalert digest
;;
-m|--monitor)
header
shift
if [ "$OSTYPE" == "FreeBSD" ]; then
eout "{mon} not currently supported under FreeBSD" 1
elif [ "$1" == "reload" ] || [ "$1" == "RELOAD" ]; then
eout "{mon} queued monitor for configuration reload" 1
touch $inspath/reload_monitor
elif [ ! -f "$(which ed 2> /dev/null)" ]; then
eout "{mon} could not find monitor mode dependency 'ed' in PATH, please apt/yum/dnf install ed and try again." 1
else
svc=m
trap trap_exit 2
monitor_init "$1"
fi
;;
-k|--kill-monitor|-kill)
header
if [ "$OSTYPE" == "FreeBSD" ]; then
eout "{mon} not currently supported under FreeBSD" 1
else
monitorpid=`pgrep -f inotify.paths.[0-9]+`
if [ -z "$monitorpid" ]; then
eout "{mon} could not find running inotifywait process, are we already dead?" 1
else
eout "{mon} sent kill to monitor service (pid: $monitorpid)" 1
monitor_kill
fi
fi
;;
-f|--file-list)
shift
if [ -z "$hscan" ]; then
header
fi
svc=f
trap trap_exit 2
file_list="$1"
if [ ! -f "$file_list" ]; then
eout "{scan} file does not exist ($1)" 1
exit 1
elif [ ! -s "$file_list" ]; then
eout "{scan} file list is empty ($1)" 1
exit 1
fi
if [ "$set_background" == "1" ]; then
eout "{scan} launching scan of $spath to background, see $maldet_log for progress" 1
scan "$spath" "$file_list" >> /dev/null 2>&1 &
else
scan "$spath" "$file_list"
fi
;;
-a|--scan-all)
shift
if [ -z "$hscan" ]; then
header
fi
svc=a
trap trap_exit 2
spath="$1"
hrspath="$1"
if [ "$spath" == "" ]; then
spath=/home
hrspath="$spath"
fi
if [ "$set_background" == "1" ]; then
eout "{scan} launching scan of $spath to background, see $maldet_log for progress" 1
scan "$spath" all >> /dev/null 2>&1 &
else
scan "$spath" all
fi
;;
-r|--scan-recent)
header
svc=r
trap trap_exit 2
shift
spath="$1"
shift
days="$1"
if [ -z "$spath" ]; then
eout "{scan} no path defined" 1
exit
fi
if [ -z "$days" ]; then
days=7
fi
if [ "$set_background" == "1" ]; then
eout "{scan} launching scan of $spath changes in last ${days}d to background, see $maldet_log for progress" 1
scan "$spath" "$days" >> /dev/null 2>&1 &
else
scan "$spath" "$days"
fi
;;
-l|--log)
header
view
;;
-e|--report)
header
shift
view_report "$1" "$2"
;;
-E|--dump-report)
header
shift
dump_report "$1"
;;
-p|--purge)
header
purge
;;
-d|--update-ver|--update-version)
shift
if [ ! "$1" == "1" ]; then
header
fi
if [ "$1" == "--force" ]; then
lmdup_force=1
elif [ "$1" == "--beta" ]; then
lmdup_beta=1
fi
lmdup
;;
-u|--update|--update-sigs)
shift
if [ ! "$1" == "1" ]; then
header
fi
if [ "$1" == "--force" ]; then
sigup_force=1
fi
sigup
;;
-s|--restore)
header
shift
if [ -f "$sessdir/session.hits.$1" ]; then
restore_hitlist "$1"
else
restore "$1"
fi
;;
-q|--quarantine)
header
shift
quar_hitlist "$1"
;;
-n|--clean)
header
shift
clean_hitlist "$1"
;;
-h|--help)
header
usage_long | more
;;
*)
header
usage_short
esac
shift
done
fi
# import any remote configuration data
import_conf
# postrun operations
postrun
SEA-GHOST - SHELL CODING BY SEA-GHOST