@@ -423,12 +423,18 @@ tb() {
423423}
424424
425425# SHRED without shred command
426- command -v shred > /dev/null || shred () {
426+ shred () {
427+ [ -x /usr/bin/shred ] && {
428+ /usr/bin/shred -u " $@ "
429+ return
430+ }
427431 [[ -z $1 || ! -f " $1 " ]] && { echo >&2 " shred [FILE]" ; return 255; }
428432 dd status=none bs=1k count=" $( du -sk " ${1:? } " | cut -f1) " if=/dev/urandom > " $1 "
429433 rm -f " ${1:? } "
430434}
431435
436+ command -v srm > /dev/null || srm () { shred " $@ " ; }
437+
432438command -v strings > /dev/null || strings () { perl -nle ' print $& while m/[[:print:]]{8,}/g' " $@ " ; }
433439
434440bounceinit () {
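Review bot: The new `[ -x /usr/bin/shred ]` test on line 427 only recognises a shred binary at that single path, so a shred installed elsewhere in PATH (e.g. /bin, or a busybox applet) is skipped and the dd fallback runs instead, whereas the old `command -v shred` gate found it anywhere. Because the function now shadows the command name, `command -v shred` would resolve to the function itself; `type -P` searches PATH only, so `local s; s=$(type -P shred) && { "$s" -u "$@"; return; }` keeps the original lookup. Note also that the real binary receives every argument via `"$@"` while the fallback below only handles `$1`, so `srm a b` through the new wrapper on line 436 silently leaves `b` untouched; looping the fallback over `"$@"` or rejecting extra arguments would make the two paths behave the same.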
@@ -1291,6 +1297,21 @@ _warn_edr() {
12911297 unset -f _hs_chk_systemd _hs_chk_fn
12921298}
12931299
1300+ _warn_upx_exe () {
1301+ local str pid
1302+ for x in /proc/[123456789]* /exe; do
1303+ [ ! -e " $x " ] && continue
1304+ dd bs=1k count=1 if=" $x " 2> /dev/null | grep -Fqam1 ' UPX!' && {
1305+ pid=" ${x: 6} "
1306+ pid=" ${pid%%/* } "
1307+ str+=" PID: $pid " $' \t ' " $( stat -c ' %U' " /proc/${pid} /exe" ) " $' \t ' " $( strings /proc/${pid} /cmdline 2> /dev/null) " $' \n '
1308+ }
1309+ done
1310+ [ -z " $str " ] && return
1311+ echo -e " ${CR} UPX packed process found:${CF} "
1312+ echo -en " ${str} " $' \033 [0m'
1313+ }
1314+
12941315# Warn of script kiddies
12951316_warn_skids () {
12961317 local str s
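Review bot: `echo -e`/`echo -en` on lines 1311–1312 print `str`, which line 1307 builds from `strings /proc/PID/cmdline`, i.e. text controlled by the process being inspected; with `-e`, a literal `\033` or `\e` in that cmdline becomes a real terminal escape sequence on the operator's terminal, so a packed process can recolour, overwrite or hide the finding. Print it with `printf '%s' "$str"` and emit the reset as `printf '%s' "${CN}"`, which also matches the `${CN}` reset used by the neighbouring functions instead of the raw `$'\033[0m'`. The loop variable `x` is not declared on line 1301 (compare `_warn_rk_exe`, which has it in its `local` list), so it leaks into the calling shell; `local str pid x` fixes that. The `stat -c '%U'` call has no stderr redirect and the function is invoked from `lootlight` without the `command -v stat` gate that `_warn_rk` uses, so on a host without stat it prints an error per hit instead of degrading quietly. Whether the first 1 KiB read by `dd` always reaches the `UPX!` magic in a packed ELF is worth confirming before relying on this check.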
@@ -1312,7 +1333,7 @@ _warn_skids() {
13121333 # grep -qFm1 '~/.tmp_u' ~/.bashrc 2>/dev/null && str+="Suspicious SSH authorized_key found: ~/.tmp.u"$'\n'
13131334 grep -qFm1 ' authorized_keys' ~ /.bashrc 2> /dev/null && echo -e " ${CR} Suspicious SSH authorized_key shenanigans found: ~/.bashrc${CN} "
13141335
1315- s=" $( grep -HoaFm1 XMRIG_VERSION /proc/* /exe 2> /dev/null | sed ' s|[^0-9]||g' ) "
1336+ s=" $( grep -HEoam1 ' ( XMRIG_VERSION|Id: UPX ) ' /proc/* /exe /dev/null 2> /dev/null | sed ' s|[^0-9]||g' ) "
13161337 [ -n " $s " ] && {
13171338 echo -e " ${CR} XMRig miner processes found:${CF} "
13181339 # ps --no-headers -eo pid,%cpu,%mem,command => NOT PORTABLE
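Review bot: Adding `Id: UPX` to the pattern on line 1336 makes every UPX-packed executable trigger the `XMRig miner processes found` message on line 1338, although this same commit introduces `_warn_upx_exe` for exactly that case, so a packed non-miner is both mislabelled here and reported twice. The `Id: UPX` string is part of every UPX stub and is not a miner indicator, so keep this pattern to the miner-specific marker: `s="$(grep -HoaFm1 XMRIG_VERSION /proc/*/exe /dev/null 2>/dev/null | sed 's|[^0-9]||g')"`, or rename the message if the broader match is intended. `_warn_skids` begins before this hunk and its body continues after it.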
@@ -1385,11 +1406,13 @@ _warn_lkm() {
13851406_warn_rk_exe () {
13861407 local str x out az t w
13871408
1388- str=" $( readlink -f /proc/* /exe 2> /dev/null | grep -E ' (\(deleted\)$|^/memfd:)' ) "
1409+ # readlink -f wont work as non-root on /proc/*/exe if the binary is deleted.
1410+ str=" $( stat --printf=' %N\n' /proc/* /exe 2> /dev/null | grep -E ' (\(deleted\)|^/memfd:)' 2> /dev/null) "
13891411 [ -z " $str " ] && return
13901412
13911413 for x in /proc/[123456789]* /exe; do
1392- str=" $( readlink -f " $x " | grep -E ' (\(deleted\)$|^/memfd:)' ) "
1414+ [ ! -e " $x " ] && continue
1415+ str=" $( stat --printf=' %N' " $x " 2> /dev/null | grep -E ' (\(deleted\)|^/memfd:)' ) "
13931416 [ -z " $str " ] && continue
13941417 x=" ${x: 6} "
13951418 x=" ${x%%/* } "
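Review bot: After the switch to `stat --printf='%N'` on lines 1410 and 1415, the `^/memfd:` alternative in the grep pattern can no longer match, because `%N` output begins with the quoted link name (`'/proc/N/exe' -> '/memfd:…'`) rather than with the target; memfd-backed executables seem to be caught only because their target usually also carries `(deleted)`, which should be confirmed rather than relied on. Match the target side instead, e.g. `grep -E "(\(deleted\)|-> '/memfd:)"`, or use plain `readlink "$x"` (without `-f`), which returns the link text unchanged with the same permissions as stat and keeps the original anchors. `--printf` and the `%N` quoting are GNU coreutils specifics (recent coreutils also vary `%N` with `QUOTING_STYLE`), so the `command -v stat` gate added on line 1436 in the next hunk passes for busybox/BSD stat and the check then returns silently on line 1411 having found nothing; the readlink form, or a probe of the actual `%N` output, would avoid that. `_warn_rk_exe` continues past the end of this hunk.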
@@ -1407,13 +1430,13 @@ _warn_rk_exe() {
14071430 echo -en " ${CN} "
14081431}
14091432
1433+
14101434# Warn if there are other root kits found.
14111435_warn_rk () {
1412- command -v readlink > /dev/null && _warn_rk_exe
1436+ command -v stat > /dev/null && _warn_rk_exe
14131437 _warn_lkm
14141438}
14151439
1416-
14171440_hs_gen_home () {
14181441 local IFS
14191442 local str
@@ -1497,6 +1520,7 @@ lootlight() {
14971520 _warn_edr
14981521 _warn_rk
14991522 _warn_skids
1523+ _warn_upx_exe
15001524 }
15011525 declare -f _extended_history > /dev/null && [ -n " $PROMPT_COMMAND " ] && {
15021526 unset PROMPT_COMMAND