#!/bin/sh
# ==============================================================================
# NCSC-NL Router Malware Detection Script for ASUS routers
# ==============================================================================
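VERSION=2
# Path of this script ($0) and its first argument; both are only echoed into
# the scan log further down.
THISFILE=$0
LAUNCHER=$1
# Configuration
# Pick the last real (non-pseudo) filesystem mounted under /mnt, i.e. the USB
# stick. The log is written there so it survives the umount at the end.
USB_MOUNT_POINT=$(mount | grep '/mnt' | grep '/dev' | grep -v 'type rootfs' | grep -v 'type squashfs' | grep -v 'type tmpfs' | grep -v 'type devpts' | grep -v 'type jffs2' | grep -v 'type sysfs' | grep -v 'type proc' | awk '{print $3}' | tail -n 1)
# Without a USB mount the log path would become "/malware_scan.txt" (on a
# squashfs root that is not writable) and the file scan, which filters paths
# with grep -v "$USB_MOUNT_POINT", would drop every path for an empty value and
# end in a false "clean" verdict. Stop early instead.
if [ -z "$USB_MOUNT_POINT" ]; then
  echo "No USB storage mounted under /mnt; insert a USB stick and rerun." >&2
  exit 1
fi
OUTPUT_FILE="$USB_MOUNT_POINT/malware_scan.txt"
# Truncate (or create) the log and confirm it is writable before scanning.
if ! : >"$OUTPUT_FILE"; then
  echo "Cannot write to $OUTPUT_FILE" >&2
  exit 1
fi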
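# Log one message to stdout and append it to the scan log ($OUTPUT_FILE).
# Arguments: $1 - the text to log (may contain newlines)
# printf is used instead of echo: the logged data (ps lines, nvram values,
# file names) is arbitrary, and echo would swallow a leading "-n"/"-e" or,
# on some shells, interpret backslash sequences.
wlog() {
  printf '%s\n' "$1"
  printf '%s\n' "$1" >> "$OUTPUT_FILE"
}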
# Heuristics
# Every pattern below is an extended-regex alternation consumed by grep -E
# later in the script:
#   hversion           - revision of this indicator set, printed in the log
#   search_paths       - '|'-separated directories that are walked with find
#   processes          - applied to the `ps` listing
#   filenames          - applied (case-insensitively) to each path found
#   suspicious_strings - applied (case-insensitively) to file contents
#   nvram_entries      - applied (case-insensitively) to `nvram show` output
hversion=2
search_paths="/tmp|/jffs"
processes="alogin|microso|\.nttpd|\.nttpd-z|\.sox|asi\.sh"
filenames="/jffs/\.bin/ntpclient|\.nttpd|\.nttpd-z|\.tst|\.tst\.out|\.nttpd\.pid|\.sox|microso|alogin|/jffs/checksumm"
suspicious_strings="8ewMqdWf9K|3deCSCIoaQ|NIwZI3pvmJ|Klq1BtftKC|gSqf7pcEQQ|asi\.sh|31\.170\.22\.195|asi\.ok|asi\.ko|1-arm-le-t|1-mips-le-t|e4DtOMgfOorTPVnvSXm1D|downl_crt.sh|AoA6z1AP0V"
nvram_entries="env_path=/jffs/\.bin|3deCSCIoaQ|NIwZI3pvmJ|as_e4DtOMgfOorTPVnvSXm1D|/bin/sh /jffs/etc/profile"
# Introduction, Dutch first and then English. The blog reference is still the
# template placeholder "[Your Blog Post URL]".
wlog '=== Router Malware Detectie Script ===
Uw ASUSWRT-router is gecontroleerd op tekenen van malware door actieve processen, tijdelijke bestanden en instellingen te onderzoeken.
Opmerking: Alleen een beperkte set van bekende malwarefamilies wordt gedetecteerd, zoals beschreven in een blogpost door NCSC-NL. Zie: [Your Blog Post URL]
Houd de firmware van uw router up-to-date en volg beveiligingsadviezen.'
wlog ''
wlog "=== Router Malware Detection Script ===
Your ASUSWRT-router was checked for signs of malware by examining running processes, temporary files, and settings.
Note: Only a limited set of known malware families are detected, as described in a blog post by NCSC-NL. See: [Your Blog Post URL]
Keep your router's firmware updated and follow security best practices."
wlog ''
# Device identification, read from NVRAM and the kernel.
wlog "=== Device info ===
Model: $(nvram get model) / $(nvram get productid)
Buildinfo: $(nvram get buildinfo)
$(nvram show | grep _version=)
Kernel: $(uname -a)
Uptime: $(uptime)
USB mount point: $USB_MOUNT_POINT"
wlog ''
# Scan header: versions of script and indicator set, plus how it was started.
wlog "=== Start scan ===
Script version: $VERSION
Heuristics version: $hversion
Local time: $(date)
Launcher: $LAUNCHER
Thisfile: $THISFILE"
wlog ''
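PS_OUTPUT=$(ps)
wlog ""
wlog "=== Checking Active Processes ==="
# printf rather than echo: the ps listing is arbitrary data.
printf '%s\n' "$PS_OUTPUT" | grep -E "$processes" | while read -r process; do
  wlog "! Suspicious process found: $process"
done
wlog ""
wlog "=== Checking Directories for Suspicious Files ==="
# Absolute path of this script, so that a relative $0 such as "./scan.sh" can
# be compared with the absolute paths printed by find. The script is skipped
# in the content scan because it contains the very indicators it looks for.
case "$THISFILE" in
  /*) self_path=$THISFILE ;;
  *)  self_path="$PWD/${THISFILE#./}" ;;
esac
printf '%s\n' "$search_paths" | tr '|' '\n' | while read -r dir; do
  find "$dir" | while IFS= read -r filename; do
    # Skip the USB tree (it holds the log being written) and this script.
    # Both are compared as literal strings: "grep -v" treated them as regular
    # expressions, and an empty mount point made it discard every path.
    if [ -n "$USB_MOUNT_POINT" ]; then
      case "$filename" in *"$USB_MOUNT_POINT"*) continue ;; esac
    fi
    case "$filename" in "$self_path") continue ;; esac
    # Only regular files are inspected (directories, sockets, devices skipped).
    [ -f "$filename" ] || continue
    if printf '%s\n' "$filename" | grep -qiE "$filenames"; then
      wlog "! Suspicious filename found in $dir: $filename"
    fi
    if grep -qiE "$suspicious_strings" "$filename"; then
      wlog "! Suspicious string found in file $filename"
    fi
  done
done
wlog ""
wlog "=== Checking NVRAM entries ==="
nvram show 2>/dev/null | grep -i -E "$nvram_entries" | while read -r keyval; do
  wlog "! Suspicious NVRAM entry detected: $keyval"
done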
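sync
# Verdict: every finding above was logged with a "! Suspicious" prefix, so the
# log itself decides. If it cannot be read back, warn rather than silently
# report "clean" on an empty result.
if [ ! -r "$OUTPUT_FILE" ]; then
  echo "Warning: cannot read $OUTPUT_FILE; the verdict below is unreliable." >&2
fi
if grep -qF "! Suspicious" "$OUTPUT_FILE" 2>/dev/null; then
  wlog ""
  wlog "=== OPGELET: Mogelijke Malware Gedetecteerd! ==="
  # NOTE(review): the contact address in the two advice lines reads
  # "[email protected]", which looks like an obfuscation artifact of the page
  # this was copied from — restore the real NCSC-NL address before use.
  wlog "! We raden aan om de hardware te vervangen of te updaten en te herstellen naar fabrieksinstellingen. U kunt dit log delen met [email protected] voor verdere hulp."
  wlog ""
  wlog "=== NOTICE: Possible Malware Detected! ==="
  wlog "! We recommend to replace or update the device and perform a factory reset. You may share this log with [email protected] for further assistance."
  wlog ""
else
  wlog ""
  wlog "Geen malware gedetecteerd. Uw router lijkt schoon te zijn."
  wlog "No malware detected. Your router appears to be clean."
  wlog ""
fi
wlog ""
wlog "=============================="
wlog " RAW OUTPUT "
wlog "=============================="
wlog ""
wlog "Process List:"
wlog "$PS_OUTPUT"
wlog ""
wlog "=== Scan Completed ==="
wlog ""
sync
# Release the USB stick so it can be removed safely; skip when no mount point
# was found, since umount "" only produces an error.
if [ -n "$USB_MOUNT_POINT" ]; then
  umount "$USB_MOUNT_POINT"
fi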