#!/bin/sh
#---------------------------------------------
# Linux Incident Response Script
# This trashed code was released by ayazero
# 2005/07/14 v1.0 {public version}
# Contact: ay4z3ro@hotmail.com
# http://overflow.nease.net
# http://www.ph4nt0m.org
# Modified by lalphbet
# newjintao@yahoo.com.cn
# http://www.sysinfo.cn
#---------------------------------------------
# Fix it yourself if any problem !
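# Usage: run as root on the live host.  Everything is written below
# /var/ayazero (report in /var/ayazero/ir, command errors in
# /var/ayazero/stderr) and finally packed into /var/ayazero/ir.tar.gz.
# The run itself touches the host (writes under /var, reads every directory
# on the system), so image the disk first if pristine timestamps matter.
#
# Abort on use of an unset variable.  "set -e" is deliberately not used:
# many probes below are expected to fail on some hosts (no lsof, no inittab,
# no ifconfig, ...) and the script must carry on and record the error.
set -u

# The evidence gathered here contains a copy of /etc/shadow and the system
# logs, so nothing this script creates may be readable by other users.
umask 077

# Terminal colours for operator messages.  They are built with printf so the
# script works under a plain POSIX /bin/sh, where "echo -e" is not portable
# (dash prints the "-e" literally).
cFR=$(printf '\033[40;31m')
cNO=$(printf '\033[00m')
cFG=$(printf '\033[01;32m')
resultDir="/var/ayazero"
errFile="$resultDir/stderr"
irFile="$resultDir/ir"

# info MSG... -- green progress message for the operator (terminal only,
# never part of the report).
info() {
  printf '%s\n' "$cFG Info:$cNO $*"
}

# banner TITLE -- append a boxed section heading to the report, e.g.
#    ------------------
#   | OS Version info |
#    ------------------
# The rule is three dashes longer than the title, as in the original layout.
# Runs in a subshell so its temporaries stay local under POSIX sh.
banner() (
  title=$1
  rule="---$(printf '%s' "$title" | sed 's/./-/g')"
  printf ' %s\n| %s |\n %s\n' "$rule" "$title" "$rule" >> "$irFile"
)

# sep -- blank-line separator between report sections (four newlines, what
# the former 'echo -e "\n\n\n"' produced).
sep() {
  printf '\n\n\n\n' >> "$irFile"
}

# main -- run every collection step in turn and archive the result.
# Returns non-zero only if a required directory cannot be entered.
main() {
  mkdir -p "$resultDir"
  # Discard the output of any earlier run.  ${resultDir:?} makes sure this
  # can never degrade into "rm -rf /*".
  rm -rf -- "${resultDir:?}"/*
  date +%Y-%m-%d/%H:%M >> "$irFile"
  printf '%s\n' "$cFR Info:$cNO Detection Started...,Be sure to run this as root"
  if [ "$(id -u)" -ne 0 ]; then
    printf '%s\n' "$cFR Warning:$cNO not running as root, most of the evidence below will be incomplete"
  fi

  info "detecting os version info..."
  banner "OS Version info"
  uname -a >> "$irFile"
  cat /etc/issue >> "$irFile" 2>>"$errFile"
  sep

  info "detecting Current login and CPU load..."
  banner "Current login and CPU load"
  w >> "$irFile" 2>>"$errFile"
  sep

  info "detecting recent logins..."
  banner "Recent logins"
  last >> "$irFile" 2>>"$errFile"
  sep

  info "detecting process info..."
  banner "Process info"
  ps aux >> "$irFile" 2>>"$errFile"
  sep
  # Command lines and executables of every live process read directly from
  # /proc, as a second view to compare against the ps output.
  strings -f /proc/[0-9]*/cmdline >> "$irFile" 2>>"$errFile"
  sep
  ls -al /proc/[0-9]*/exe >> "$irFile" 2>>"$errFile"
  sep

  info "detecting autostart programs and modules..."
  banner "modules.conf & rc.local"
  printf '/etc/modules.conf:\n' >> "$irFile"
  cat /etc/modules.conf >> "$irFile" 2>>"$errFile"
  sep
  printf '/etc/rc.local:\n' >> "$irFile"
  cat /etc/rc.local >> "$irFile" 2>>"$errFile"
  sep

  info "detecting login backdoor..."
  banner "Detect login backdoor"
  # Printable strings of the login and sshd binaries, kept as separate files
  # so they can be diffed against a known-good copy of the same package.
  strings /bin/login >> "$resultDir/login_fingerprint" 2>>"$errFile"
  sshdPath=$(command -v sshd 2>/dev/null)
  if [ -n "$sshdPath" ]; then
    strings "$sshdPath" >> "$resultDir/sshd_fingerprint" 2>>"$errFile"
  else
    # With an unquoted `which sshd` that found nothing, strings(1) used to
    # sit here reading stdin; record the miss instead.
    printf 'sshd not found in PATH, no sshd_fingerprint taken\n' >> "$errFile"
  fi

  info "detecting network info..."
  banner "Network info"
  # Fall back to iproute2 on hosts without the legacy net-tools binaries.
  if command -v ifconfig >/dev/null 2>&1; then
    ifconfig -a >> "$irFile" 2>>"$errFile"
  else
    ip addr >> "$irFile" 2>>"$errFile"
  fi
  sep
  if command -v netstat >/dev/null 2>&1; then
    netstat -anp >> "$irFile" 2>>"$errFile"
  else
    ss -anp >> "$irFile" 2>>"$errFile"
  fi
  sep
  lsof >> "$irFile" 2>>"$errFile"
  sep

  info "detecting cpu load..."
  banner "CPU Load"
  # One batch-mode iteration ("top -b n1" in the old version was not a valid
  # option spelling and produced no output).
  top -b -n 1 >> "$irFile" 2>>"$errFile"
  sep

  info "detecting Kernel modules list..."
  banner "Kernel Modules List"
  lsmod >> "$irFile" 2>>"$errFile"
  sep
  # modinfo for each loaded module; NR > 1 skips lsmod's header line.
  lsmod 2>>"$errFile" | awk 'NR > 1 { print $1 }' | xargs modinfo >> "$irFile" 2>>"$errFile"
  sep

  info "detecting account info..."
  banner "Account info"
  cat /etc/passwd >> "$irFile" 2>>"$errFile"
  sep
  cat /etc/shadow >> "$irFile" 2>>"$errFile"
  sep

  info "detecting trusted relationship"
  banner "Trusted relationship"
  cat /etc/hosts >> "$irFile" 2>>"$errFile"
  sep
  if [ -f /etc/hosts.equiv ]; then
    cat /etc/hosts.equiv >> "$irFile"
    sep
  else
    printf 'no /etc/hosts.equiv\n' >> "$irFile"
  fi
  if [ -f "${HOME:-/root}/.rhosts" ]; then
    cat "${HOME:-/root}/.rhosts" >> "$irFile"
    sep
  else
    printf 'Error:\tno rhosts file\n' >> "$irFile"
  fi

  info "detecting autostart services..."
  banner "Autostart services"
  # Default runlevel from /etc/inittab (the "id:N:initdefault:" line); on
  # hosts without an inittab fall back to runlevel(8).
  runlevelTemp=$(grep initdefault /etc/inittab 2>>"$errFile" | grep id | cut -d: -f2)
  if [ -z "$runlevelTemp" ] && command -v runlevel >/dev/null 2>&1; then
    runlevelTemp=$(runlevel 2>>"$errFile" | awk '{ print $2 }')
  fi
  if [ -n "$runlevelTemp" ]; then
    ls -al "/etc/rc.d/rc$runlevelTemp.d/" >> "$irFile" 2>>"$errFile"
  else
    printf 'could not determine the default runlevel\n' >> "$errFile"
  fi
  sep

  info "detecting /tmp directory..."
  banner "/tmp directory"
  ls -al /tmp >> "$irFile" 2>>"$errFile"
  sep

  info "dumping .bash_history..."
  cat "${HOME:-/root}/.bash_history" >> "$resultDir/bash_history.txt" 2>>"$errFile"

  info "detecting scheduler..."
  banner "scheduler"
  atq >> "$irFile" 2>>"$errFile"
  sep
  crontab -l >> "$irFile" 2>>"$errFile"
  sep
  # The system-wide crontab as well, not only the current user's own.
  printf '/etc/crontab:\n' >> "$irFile"
  cat /etc/crontab >> "$irFile" 2>>"$errFile"
  sep

  info "detecting ip forward..."
  banner "IP forward option"
  printf '/proc/sys/net/ipv4/ip_forward\n' >> "$irFile"
  cat /proc/sys/net/ipv4/ip_forward >> "$irFile" 2>>"$errFile"
  sep

  #--------------------------------------------------------------
  # If the Internet is reachable and gcc is installed, uncomment the
  # following section to build and run chkrootkit as part of the report.
  # A tool compiled on the host under investigation relies on that host's
  # compiler and libraries; a copy built elsewhere is the safer choice.
  #---------------------------------------------------------------
  #mkdir "$resultDir/tmp"
  #cd "$resultDir/tmp"
  #wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
  #tar -zxvf chkrootkit.tar.gz
  #rm -rf ./chkrootkit.tar.gz
  #cd chkrootkit* && make all
  #banner "Chkrootkit result"
  #./chkrootkit >> "$irFile"
  #sep
  #cd ../ && rm -rf ./tmp

  info "Searching for ... and suid files, how long it takes depends on the amount of disk files"
  banner "... file list"
  find / -name '...' -print >> "$irFile" 2>>"$errFile"
  sep
  banner "Suid file list"
  # -exec ... + instead of a pipe into xargs: correct for names with spaces.
  find / -perm -4000 -exec ls -al {} + >> "$irFile" 2>>"$errFile"
  sep

  info "Dumping logs, you could do this work manually except for the large ones"
  cp /var/log/messages* "$resultDir/" 2>>"$errFile"
  cp /var/log/secure* "$resultDir/" 2>>"$errFile"
  cp /var/run/utmp "$resultDir/utmp" 2>>"$errFile"
  cp /var/log/wtmp "$resultDir/wtmp" 2>>"$errFile"

  info "Dumping 3 timestamps for each file under /"
  info "Please wait,it will take several minutes..."
  # Three recursive listings of the whole tree, one per timestamp.  The file
  # names are the historical ones; what each listing actually holds is:
  #   access       -> atime (ls -u)
  #   modification -> ctime, inode status change (ls -c)
  #   creation     -> mtime, the default ls column (classic stat(2) has no
  #                   creation time)
  # atime is taken first because walking the tree may itself refresh it, and
  # -a is used on all three so dot-files are not missing from any listing.
  cd / || return 1
  ls -alRu >> "$resultDir/access" 2>>"$errFile"
  ls -alRc >> "$resultDir/modification" 2>>"$errFile"
  ls -alR >> "$resultDir/creation" 2>>"$errFile"

  # End-of-run timestamp goes into the report *before* it is archived.
  date +%Y-%m-%d/%H:%M >> "$irFile"

  info "Compressing..."
  # Archive from the parent directory so the tarball contains "ayazero/...",
  # and build it outside that tree so tar never tries to archive its own
  # output; then move it to the location the final message refers to.
  cd "${resultDir%/*}" || return 1
  tmpTar="${resultDir%/*}/${resultDir##*/}.ir.tar"
  if tar -cf "$tmpTar" "./${resultDir##*/}" 2>>"$errFile"; then
    mv "$tmpTar" "$resultDir/ir.tar" && gzip "$resultDir/ir.tar" 2>>"$errFile"
  else
    rm -f "$tmpTar"
  fi
  printf '%s\n' "$cFR Finished $cNO: check everything in $resultDir/ir.tar.gz!"
  printf '%s\n' "$cFR Don't forget to exec ++ rm -rf $resultDir ++ before you leave!$cNO"
  #rm -f "$0"
}

main "$@"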
#-------------------------------------------------------------------------------
# kernel rootkit detection : try module_hunter or kstat at your own risk
#--------------------------------------------------------------------------------