#!/bin/bash
# Removes brootkit from this host: kills the process matching "bashbd",
# unsets the shell-function hooks listed in uninstall_rootkit and deletes the
# files the installer dropped. A root run removes the system-wide install;
# a non-root run only removes the per-user directory.
#
# BR_ROOTKIT_PATH: directory the installer created (literally named "...");
# br_set_rootkit_path switches it to /home/$USER/... when not running as root.
BR_ROOTKIT_PATH="/usr/include/..."
# Set by br_check_os_type: 1 CentOS, 2 RHEL, 3 Ubuntu, 4 Debian, 5 Fedora.
declare br_os_type=0
# Set by br_check_privilege: 0 when running as root, 1 otherwise.
declare br_privilege=1
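#######################################
# Record whether the script runs with root privilege.
# Globals:   br_privilege (written): 0 when UID or EUID is 0, else 1
# Returns:   0
#######################################
br_check_privilege() {
  # [[ with || replaces the deprecated, ambiguous `-o` operator of `[`.
  if [[ "$UID" -eq 0 || "$EUID" -eq 0 ]]; then
    br_privilege=0
  else
    br_privilege=1
  fi
}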
#######################################
# Point BR_ROOTKIT_PATH at the per-user install when not running as root.
# Globals:   br_privilege (read), BR_ROOTKIT_PATH (written when non-root)
# Outputs:   a notice on stdout when running as root (path left unchanged)
#######################################
br_set_rootkit_path() {
  if (( br_privilege == 1 )); then
    BR_ROOTKIT_PATH="/home/$USER/..."
    return 0
  fi
  echo "uninstall brootkit using root privilege."
}
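#######################################
# Detect the distribution from the first line of the issue file.
# Arguments: $1 - issue file to read (optional, default /etc/issue)
# Globals:   br_os_type (written): 1 CentOS, 2 RHEL, 3 Ubuntu, 4 Debian,
#            5 Fedora
# Outputs:   diagnostic on stderr when the OS is not recognised
# Returns:   0 on success; exits 1 when the OS is not recognised (the old
#            code exited 0, reporting success for an uninstall that did
#            nothing)
#######################################
br_check_os_type() {
  local issue_file=${1:-/etc/issue}
  local line
  line=$(head -n 1 -- "$issue_file")
  # Glob patterns mirror the former unanchored grep regexes; `?` stands in
  # for the `.` between the words of "Red Hat Enterprise".
  case "$line" in
    *[Cc]ent[Oo][Ss]*) br_os_type=1 ;;
    *[Rr]ed?Hat?Enterprise*) br_os_type=2 ;;
    *[Uu]buntu*) br_os_type=3 ;;
    *[Dd]ebian*) br_os_type=4 ;;
    *[Ff]edora*) br_os_type=5 ;;
    *)
      # printf '%s' instead of `echo -e`: the issue line may contain
      # backslash sequences and must be printed verbatim.
      printf 'target os type: %s is not supported.\n' "$line" >&2
      exit 1
      ;;
  esac
}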
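#######################################
# Stop the running backdoor: every process whose command line contains
# "bashbd".
# Outputs:   nothing; kill errors are discarded because the process may
#            already have exited between lookup and kill
# Returns:   0
#######################################
uninstall_backdoor() {
  local pid
  # pgrep replaces the ps|grep|grep|awk chain, which also matched the
  # pipeline's own grep process.
  for pid in $(pgrep -f bashbd); do
    # SIGKILL on purpose: it cannot be trapped or ignored by the target.
    kill -9 -- "$pid" >/dev/null 2>&1
  done
}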
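#######################################
# Remove the CentOS/RHEL persistence: the S10brdaemon rc links, the
# /etc/rc.d/init.d/brdaemon init script, /etc/profile.d/emacs.sh and the
# rootkit directory.
# Globals:   BR_ROOTKIT_PATH (read); the script aborts if it is empty so
#            `rm -fr` never runs with a missing path
# Returns:   status of the last rm
#######################################
uninstall_centos_home() {
  local idx
  for idx in 0 1 2 3 4 5 6; do
    rm -f -- "/etc/rc.d/rc${idx}.d/S10brdaemon"
  done
  rm -fr -- /etc/profile.d/emacs.sh
  rm -fr -- /etc/rc.d/init.d/brdaemon
  rm -fr -- "${BR_ROOTKIT_PATH:?BR_ROOTKIT_PATH must be set}"
}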
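#######################################
# Remove the Fedora persistence. The file layout is identical to the
# CentOS/RHEL one (rc.d links, /etc/rc.d/init.d/brdaemon, profile.d hook,
# rootkit directory), so delegate instead of keeping a second copy.
# Globals:   BR_ROOTKIT_PATH (read, via uninstall_centos_home)
# Returns:   status of uninstall_centos_home
#######################################
uninstall_fedora_home() {
  uninstall_centos_home
}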
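#######################################
# Remove the Ubuntu persistence: the S10brdaemon links in /etc/rc?.d and
# /etc/rcS.d, the /etc/init.d/brdaemon init script,
# /etc/profile.d/emacs.sh and the rootkit directory.
# Globals:   BR_ROOTKIT_PATH (read); the script aborts if it is empty so
#            `rm -fr` never runs with a missing path
# Returns:   status of the last rm
#######################################
uninstall_ubuntu_home() {
  local idx
  for idx in 0 1 2 3 4 5 6; do
    rm -f -- "/etc/rc${idx}.d/S10brdaemon"
  done
  rm -f -- /etc/rcS.d/S10brdaemon
  rm -fr -- /etc/profile.d/emacs.sh
  rm -fr -- /etc/init.d/brdaemon
  rm -fr -- "${BR_ROOTKIT_PATH:?BR_ROOTKIT_PATH must be set}"
}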
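#######################################
# Remove the Debian persistence: deregister the brdaemon service with
# update-rc.d, then delete /etc/init.d/brdaemon, /etc/profile.d/emacs.sh
# and the rootkit directory.
# Globals:   BR_ROOTKIT_PATH (read); the script aborts if it is empty so
#            `rm -fr` never runs with a missing path
# Returns:   status of the last rm
#######################################
uninstall_debian_home() {
  # Remove the rc links first, while the init script still exists.
  update-rc.d -f brdaemon remove
  rm -fr -- /etc/profile.d/emacs.sh
  rm -fr -- /etc/init.d/brdaemon
  rm -fr -- "${BR_ROOTKIT_PATH:?BR_ROOTKIT_PATH must be set}"
}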
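#######################################
# Unset the shell functions brootkit defines to shadow commands and
# builtins in the current shell.
# Globals:   none
# Returns:   0
#######################################
uninstall_rootkit() {
  local -a rootkit_hook=(
    "declare" "command" "builtin" "set"
    "fake_unset" "ls" "/bin/ls" "ps"
    "/bin/ps" "reset_ps" "netstat" "reset_netstat"
    "/bin/netstat" "type" "typeset" "abcdmagic"
    "reset_command" "su" "max_file_length"
    "dir" "/usr/bin/dir"
  )
  local hook_cmd
  # "${arr[@]}" keeps each name one word; the old ${arr[*]} form relied on
  # word-splitting. hook_cmd is now local instead of leaking globally.
  for hook_cmd in "${rootkit_hook[@]}"; do
    unset -f "$hook_cmd"
  done
}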
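#######################################
# Entry point: detect OS and privilege, kill the backdoor, then remove the
# hooks and files. Ends by exec'ing a fresh /bin/bash.
# Globals:   br_os_type, br_privilege, BR_ROOTKIT_PATH (read)
# Returns:   does not return; the process image is replaced by /bin/bash
#######################################
main() {
  br_check_os_type
  br_check_privilege
  br_set_rootkit_path
  uninstall_backdoor
  # String comparison: an empty br_privilege must take the non-root path,
  # as the old `[ -eq 0 ]` test did.
  if [[ "$br_privilege" == 0 ]]; then
    uninstall_rootkit
    case "$br_os_type" in
      1|2) uninstall_centos_home ;;
      3) uninstall_ubuntu_home ;;
      4) uninstall_debian_home ;;
      5) uninstall_fedora_home ;;
      *) printf 'unknown os type %s: no system files removed.\n' "$br_os_type" >&2 ;;
    esac
  else
    rm -fr -- "${BR_ROOTKIT_PATH:?BR_ROOTKIT_PATH must be set}"
  fi
  # NOTE(review): exec'ing a new bash only clears hooks from the user's
  # shell if this script is sourced rather than run — confirm the intended
  # invocation.
  exec /bin/bash
}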
# Run the uninstall; main ends with `exec /bin/bash`, so nothing after this
# line would execute.
main