
antidoto's Introduction

Antidoto

Brand new Linux antimalware and antirootkit tool! We know new malware :)

What is Antidoto? It's a diagnostic tool for heuristic analysis of Linux machines that detects malware, viruses and botnets.

Author: Pavel Odintsov / pavel.odintsov [at] gmail.com
License: GPLv2

Contributors:

  • Kovalkov Dmitrii
  • Andrey Tataranovich

How to run:

wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/Antidoto.pl -OAntidoto.pl
wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/Antidoto.pm -OAntidoto.pm
perl Antidoto.pl

If you work as a non-root user, you should run it with sudo:

sudo perl Antidoto.pl

If you only want to use linux_network_activity_tracker, do the following:

wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/Antidoto.pm -OAntidoto.pm
wget --no-check-certificate https://raw.githubusercontent.com/FastVPSEestiOu/Antidoto/master/linux_network_activity_tracker.pl -Olinux_network_activity_tracker.pl
perl linux_network_activity_tracker.pl

Where can Antidoto work?

  • Works on both an OpenVZ VPS and a hardware node
  • CentOS 5, CentOS 6
  • Debian 5, Debian 6, Debian 7
  • Ubuntu 10.xx, 12.xx, 13.xx, 14.xx
  • Almost any Linux distro, because the script is written in a cross-platform language (Perl)

Why is Antidoto more effective than classic antivirus scanners at detecting new malware? See the test results (sorry, available only in Russian).

What can Antidoto do?

  • Notify about missing last-login log files (/var/log/btmp, /var/log/wtmp)
  • Notify about non-empty crontab files for the apache and www-data users (/var/spool/cron/crontabs, /var/spool/cron)
  • Notify about non-empty files and folders with strange names (spaces, dots) in publicly writable folders (/tmp, /var/tmp)
  • Notify about processes launched from the current directory (./program_name) by a non-root user
  • Notify about processes whose executable file is absent (removed after the program was launched)
  • Detect very popular malware by md5-hashing the executable file directly in memory
  • Notify about dangerous UDP and TCP ports being listened on by software (irc, proxy, botnet controllers)
  • Notify about TCP and UDP connections to dangerous remote ports (irc, botnet controllers)
  • Notify about processes with an architecture different from the server's (for example, 32-bit software running on a 64-bit host)
  • Notify about processes with statically linked executable files (with integrated libs)
  • Notify about processes that were launched with the LD_PRELOAD environment variable set
  • Notify about processes whose executable files have the SUID or SGID bit set
  • Notify about connections to remote servers by processes with an abnormal number of threads (5 or more per process)
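
As an added example (not Antidoto's own code; the ProcessFacts record, the sample processes and the minimal ELF image are all constructed for this illustration), the following Python implements several of the per-process heuristics in the list above over the facts that /proc exposes: LD_PRELOAD in the environment, a ./ launch by a non-root user, SUID/SGID bits on the executable, an ELF class that differs from the host, and static linking, detected by the absence of a PT_INTERP program header. The collect() helper reads the same facts from a live /proc when run as root.

```python
"""Per-process heuristics over /proc, in the spirit of the Antidoto feature list.
Added example: the data model, sample processes and minimal ELF image are constructed."""
import os
import stat
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
PT_INTERP = 3  # program header type that names the dynamic loader


@dataclass
class ProcessFacts:
    """What the checks need, as read from /proc/<pid>/ (constructed type, not Antidoto's)."""
    pid: int
    uid: int             # owner of /proc/<pid>, i.e. the real uid of the process
    cmdline: list        # argv from /proc/<pid>/cmdline
    environ: dict        # parsed /proc/<pid>/environ
    exe_mode: int        # st_mode of /proc/<pid>/exe (0 when it could not be stat'ed)
    exe_header: bytes    # leading bytes of the executable (ELF header + program headers)


def elf_class(image):
    """Return 32 or 64 from e_ident[EI_CLASS], or None when the bytes are not an ELF image."""
    if len(image) < 6 or image[:4] != ELF_MAGIC:
        return None
    return {1: 32, 2: 64}.get(image[4])


def elf_is_static(image):
    """True when the program header table has entries but none of them is PT_INTERP.

    A dynamically linked executable asks the kernel for its loader via PT_INTERP;
    a statically linked one carries no such entry.
    """
    bits = elf_class(image)
    if bits is None or len(image) < (64 if bits == 64 else 52):
        return False
    end = "<" if image[5] == 1 else ">"            # e_ident[EI_DATA]: 1 = little-endian
    if bits == 64:
        (phoff,) = struct.unpack_from(end + "Q", image, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 0x36)
    else:
        (phoff,) = struct.unpack_from(end + "I", image, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", image, 0x2A)
    if phnum == 0:
        return False                               # nothing to inspect; do not guess
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(image):
            return False                           # table not fully captured; do not guess
        (p_type,) = struct.unpack_from(end + "I", image, off)
        if p_type == PT_INTERP:
            return False
    return True


def analyze(facts, host_bits=64):
    """Apply the heuristics to one process and return the list of findings (empty = clean)."""
    findings = []
    if "LD_PRELOAD" in facts.environ:
        findings.append("LD_PRELOAD is set: " + facts.environ["LD_PRELOAD"])
    if facts.cmdline and facts.cmdline[0].startswith("./") and facts.uid != 0:
        findings.append("launched from its current directory by a non-root user")
    if facts.exe_mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("executable has the SUID or SGID bit set")
    bits = elf_class(facts.exe_header)
    if bits is not None and bits != host_bits:
        findings.append(f"{bits}-bit executable on a {host_bits}-bit host")
    if elf_is_static(facts.exe_header):
        findings.append("statically linked executable")
    return findings


def collect(pid, proc="/proc"):
    """Read the facts for a live process; root is needed for other users' environ and exe."""
    base = os.path.join(proc, str(pid))
    with open(os.path.join(base, "cmdline"), "rb") as f:
        cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    with open(os.path.join(base, "environ"), "rb") as f:
        environ = dict(kv.decode(errors="replace").split("=", 1)
                       for kv in f.read().split(b"\0") if b"=" in kv)
    try:
        mode = os.stat(os.path.join(base, "exe")).st_mode
        with open(os.path.join(base, "exe"), "rb") as f:
            header = f.read(65536)
    except OSError:                                # removed binary or no permission
        mode, header = 0, b""
    return ProcessFacts(pid, os.stat(base).st_uid, cmdline, environ, mode, header)


def build_elf_image(bits, program_types):
    """Construct a minimal ELF header plus program headers (sample data, not a real binary)."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1, 1]) + b"\0" * 9
    if bits == 64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0,
                                  64, 56, len(program_types), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0) for t in program_types)
    else:
        hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                                  52, 32, len(program_types), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in program_types)
    return hdr + phdrs


# Constructed sample: a SUID 32-bit static binary started as ./crn by uid 1001 with LD_PRELOAD.
SUSPICIOUS = ProcessFacts(4242, 1001, ["./crn", "-b"],
                          {"LD_PRELOAD": "/tmp/.x/libhide.so", "PATH": "/usr/bin"},
                          0o104755, build_elf_image(32, [1]))          # PT_LOAD only
# Constructed sample: an ordinary dynamically linked 64-bit daemon run by root.
ORDINARY = ProcessFacts(1, 0, ["/sbin/init"], {"PATH": "/usr/bin"},
                        0o100755, build_elf_image(64, [3, 1]))         # PT_INTERP, PT_LOAD

if __name__ == "__main__":
    for name, facts in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(name, analyze(facts, host_bits=64))
```

Each finding is a hint, not a verdict: a 32-bit build on a 64-bit host or a static binary is common for legitimately packaged software, so the value lies in several hints landing on the same process, which is why analyze() returns the whole list rather than stopping at the first match.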

Antidoto also has an audit mode, which works like netstat + lsof + ss and ps; you can read more here.
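
What the audit mode and the dangerous-port checks in the list above have to do is exactly what netstat and ss do: decode /proc/net/tcp and map each socket inode back to its process through /proc/<pid>/fd. The Python below is an added example, not Antidoto's own code or ruleset: the port lists are assumed for illustration, and the /proc/net/tcp snapshot and the inode-to-pid map are constructed; socket_owners() and audit_live() do the same against a real host when run as root.

```python
"""Socket audit over /proc/net/tcp. Added example (not Antidoto's code): the sample
table, the port lists and the inode-to-pid map are constructed or assumed."""
import os
import socket
import struct

# Assumed port lists for the example; Antidoto keeps its own ruleset.
LISTEN_BLACKLIST = {6667: "irc", 6697: "irc-tls", 1080: "socks proxy", 3128: "http proxy"}
REMOTE_BLACKLIST = {6667: "irc", 6697: "irc-tls"}
TCP_LISTEN = "0A"  # value of the st column for LISTEN


def parse_addr(field):
    """Decode one 'HEXADDR:HEXPORT' column of /proc/net/tcp (IPv4; address is in host byte order)."""
    host_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(host_hex, 16)))
    return ip, int(port_hex, 16)


def socket_owners(proc="/proc"):
    """Map socket inode -> pid by reading /proc/<pid>/fd links, as lsof and ss do."""
    owners = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fddir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fddir)
        except OSError:
            continue          # process exited, or fd table not readable by this user
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fddir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                owners[int(target[8:-1])] = int(entry)
    return owners


def check_sockets(tcp_table, owners, listen_bl=LISTEN_BLACKLIST, remote_bl=REMOTE_BLACKLIST):
    """Flag listeners on blacklisted local ports and connections to blacklisted remote ports."""
    findings = []
    for line in tcp_table.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 10:
            continue
        local_ip, local_port = parse_addr(cols[1])
        remote_ip, remote_port = parse_addr(cols[2])
        state, uid, inode = cols[3], int(cols[7]), int(cols[9])
        pid = owners.get(inode)                     # None when no readable fd referenced it
        if state == TCP_LISTEN and local_port in listen_bl:
            findings.append({"kind": "listen", "label": listen_bl[local_port], "port": local_port,
                             "addr": local_ip, "uid": uid, "pid": pid})
        elif state != TCP_LISTEN and remote_port in remote_bl:
            findings.append({"kind": "connect", "label": remote_bl[remote_port], "port": remote_port,
                             "addr": remote_ip, "uid": uid, "pid": pid})
    return findings


def audit_live():
    """Run the check against this host's /proc (IPv4 only; /proc/net/tcp6 is handled the same way)."""
    with open("/proc/net/tcp") as f:
        return check_sockets(f.read(), socket_owners())


# Constructed /proc/net/tcp snapshot: sshd listening on 22, a listener on 6667 owned by
# uid 1001, an established connection to 192.0.2.11:6667, and a benign one to 192.0.2.11:443.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0B0200C0:1A0B 01 00000000:00000000 00:00000000 00000000  1001        0 34567 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:C351 0B0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 45678 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {12345: 612, 23456: 4242, 34567: 4242, 45678: 4300}   # constructed inode -> pid map

if __name__ == "__main__":
    for finding in check_sockets(SAMPLE_TCP, SAMPLE_OWNERS):
        print(finding)
```

A pid of None in a finding is itself informative: on a host where the scan runs as root, a socket that no visible process holds is worth a second look, and on an OpenVZ hardware node it usually just means the socket belongs to a container.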

If you know Perl and want to develop new features for Antidoto, please read the developer manual.

What are the system requirements of Antidoto?

  • Perl interpreter with standard modules
  • Standard system tools: cat, file, md5sum
  • To work on an OpenVZ hardware node (HWN) you need the vzlist tool
  • To use the optional ClamAV scanning mode you should install clamdscan

How to enable ClamAV checks:

yum install -y clamav clamd
freshclam
wget http://www.rfxn.com/downloads/rfxn.ndb -O/var/lib/clamav/rfxn.ndb
wget http://www.rfxn.com/downloads/rfxn.hdb -O/var/lib/clamav/rfxn.hdb

/etc/init.d/clamd restart
chkconfig clamd on

  • Do you have any analogues? Yes
  • Why create new software instead of improving existing software? Justification
  • What malware types were analyzed to create the Antidoto ruleset? List of analyzed malware

antidoto's People

Contributors (GitHub accounts): ksen-lin, mrqwer88, pavel-odintsov, tataranovich, unreturned

antidoto's Issues

Disable notifications about processes with removed exe which exists in fs

sudo perl Antidoto.pl
We got warning about process: 'Execuable file for this process was removed, it's looks like malware'
pid: 25823 name: php-cgi ppid: 25815 uid: 1001 gid: 1001
exe path: /usr/bin/php5-cgi (deleted)
cwd: /home/user
cmdline: /usr/bin/php-cgi /home/test/script.php

ls -al /usr/bin/php5-cgi
-rwxr-xr-x 1 root root 7773256 Feb 17 14:23 /usr/bin/php5-cgi

Add realtime monitoring with sysdig

With this code you can add realtime checking of all opened/closed files.

sysdig -p "%12user.name %6proc.pid %12proc.name %3fd.num %fd.typechar %fd.name" evt.type=open

OpenVZ support

It doesn't work on OpenVZ in a container:

perl Antidoto.pl 
md5sum: /proc/4062/exe: Permission denied
Use of uninitialized value in concatenation (.) or string at Antidoto.pl line 443.
cat: /proc/4062/exe: Permission denied
Use of uninitialized value in concatenation (.) or string at Antidoto.pl line 934.
Use of uninitialized value in pattern match (m//) at Antidoto.pl line 666.
stat /proc/4062/exe
  File: `/proc/4062/exe'stat: cannot read symbolic link `/proc/4062/exe': Permission denied

  Size: 0           Blocks: 0          IO Block: 1024   symbolic link
Device: 18h/24d Inode: 11586       Links: 1
Access: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-05-03 04:57:31.224999962 -0400
Modify: 2014-05-03 04:57:31.221999962 -0400
Change: 2014-05-03 04:57:31.221999962 -0400

gnome-pty-helper

We got warning about process: 'we found SUID (0) or SGID bit (1) enabled, it's very dangerous'
pid: 26619 name: gnome-pty-helpe ppid: 26612 uid: 1000 gid: -1 
exe path: /usr/lib64/vte-2.91/gnome-pty-helper
cwd: /
cmdline: gnome-pty-helper

Syntax error $blacklist_listen_ports

root@monavista-server ~ # perl Antidoto.pl
Global symbol "$blacklist_listen_ports" requires explicit package name at Antidoto.pl line 985.
Global symbol "$blacklist_listen_ports" requires explicit package name at Antidoto.pl line 998.
Global symbol "$blacklist_listen_ports" requires explicit package name at Antidoto.pl line 1275.
Global symbol "$blacklist_listen_ports" requires explicit package name at Antidoto.pl line 1276.
Execution of Antidoto.pl aborted due to compilation errors.
root@monavista-server ~ # cat /etc/issue
Debian GNU/Linux 6.0 \n \l

wget command in README.md

Without keys it has an error:

wget https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pl
--2014-05-03 04:51:20--  https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pl
Resolving raw.githubusercontent.com... 185.31.17.133
Connecting to raw.githubusercontent.com|185.31.17.133|:443... connected.
ERROR: certificate common name `www.github.com' doesn't match requested host name `raw.githubusercontent.com'.
To connect to raw.githubusercontent.com insecurely, use `--no-check-certificate'.

Please update it to:

wget --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pl

Antidoto can't detect httpssld

ps aux|grep httpssld
admin 19011 0.0 0.0 28992 3628 ? S Jun19 0:01 /usr/share/apache/bin/httpssld
admin 19755 0.0 0.0 28992 3632 ? S Jun10 0:00 /usr/share/apache/bin/httpssld
root 23565 0.0 0.0 6260 732 pts/0 S+ 13:19 0:00 grep httpssld
admin 27103 0.0 0.0 28996 3644 ? S Jun24 0:24 /usr/share/apache/bin/httpssld

perl Antidoto.pl
We found not blank directory .linx (crn) with space in name in folder: /tmp
We found not blank directory .ICE-unix (kernelupgrade 64.tar.gz) with space in name in folder: /tmp
We found not blank directory .linux (crn) with space in name in folder: /tmp
We found not blank directory .flipa (crn) with space in name in folder: /tmp

ls -la /usr/share/apache/bin/httpssld
ls: cannot access /usr/share/apache/bin/httpssld: No such file or directory

ls -la /proc/19011/|grep exe
lrwxrwxrwx 1 admin admin 0 Jul 1 13:17 exe -> /usr/bin/perl

cat /proc/19011/status
Name: /usr/share/apac
State: S (sleeping)
Tgid: 19011
Pid: 19011
PPid: 1
TracerPid: 0
Uid: 1001 1001 1001 1001
Gid: 1001 1001 1001 1001
Utrace: 0
FDSize: 64
Groups: 1001
envID: 60589
VPid: 19011
StopState: 0
VmPeak: 29032 kB
VmSize: 28992 kB
VmLck: 0 kB
VmHWM: 3628 kB
VmRSS: 3628 kB
VmData: 2252 kB
VmStk: 88 kB
VmExe: 8 kB
VmLib: 4004 kB
VmPTE: 76 kB
VmPTD: 28 kB
VmSwap: 0 kB
Threads: 1
SigQ: 0/3094125
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000001080
SigCgt: 0000000180000000
SigSvd: 0000000000000000
CapInh: 00000000fdccefff
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000fdccefff
Cpus_allowed: 00ff,ffffffff
Cpus_allowed_list: 0-39
Mems_allowed: 00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003
Mems_allowed_list: 0-1
voluntary_ctxt_switches: 23876
nonvoluntary_ctxt_switches: 154
TaskUB: 60589
MMUB: 60589

tcp 0 0 5.45.122.35:44164 5.45.179.159:8080 ESTABLISHED 19011/httpssld

tcp 0 1 5.45.122.35:46477 5.45.179.159:8080 SYN_SENT 19755/httpssld
tcp 0 1 5.45.122.35:45176 5.45.179.159:8080 SYN_SENT 27103/httpssld
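
The php5-cgi report above (a "(deleted)" exe link for a binary that is still present on disk) and the httpssld report (a command line naming a path that does not exist while the exe link points at /usr/bin/perl) are both cases where /proc/<pid>/exe and the command line disagree. The Python below is an added example, not Antidoto's code: it separates a replaced binary (the path still exists, typically after a package upgrade) from a removed one, flags a command line that claims a non-existent path, and treats an unreadable exe link, as seen in the OpenVZ report, as "unknown" rather than as a warning. The fake on-disk file set and the case table are constructed from the values quoted in the reports.

```python
"""Comparing /proc/<pid>/exe with the command line. Added example, not Antidoto's code."""
import os

DELETED = " (deleted)"   # suffix the kernel appends to the exe link once the file is unlinked


def classify_exe(exe_target, cmdline, path_exists=os.path.exists):
    """Return (level, message) for one process.

    exe_target: readlink('/proc/<pid>/exe'), or None when the link could not be read
                (EACCES for another container's processes on OpenVZ, ENOENT for kernel threads).
    cmdline:    argv as read from /proc/<pid>/cmdline.
    path_exists is injectable so the logic can be exercised on constructed data.
    """
    if not cmdline:
        return "ok", "kernel thread"
    if exe_target is None:
        return "unknown", "exe link unreadable; cannot judge this process"
    if exe_target.endswith(DELETED):
        path = exe_target[:-len(DELETED)]
        if path_exists(path):
            return "info", (f"{path} was replaced on disk after start (likely a package "
                            f"update); restart the service to run the new file")
        return "warning", f"executable {path} was removed after launch"
    claimed = cmdline[0]
    if claimed.startswith("/") and claimed != exe_target and not path_exists(claimed):
        return "warning", (f"command line claims {claimed}, which does not exist; "
                           f"the real executable is {exe_target}")
    return "ok", ""


def scan(proc="/proc"):
    """Classify every process on a live host; returns {pid: (level, message)} for non-ok ones."""
    results = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        base = os.path.join(proc, entry)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue                                   # process exited meanwhile
        try:
            target = os.readlink(os.path.join(base, "exe"))
        except OSError:
            target = None
        level, message = classify_exe(target, cmdline)
        if level != "ok":
            results[int(entry)] = (level, message)
    return results


# Constructed snapshot of which paths exist on disk, and cases built from the reports above.
FAKE_FS = {"/usr/bin/php5-cgi", "/usr/bin/perl", "/usr/sbin/sshd"}
CASES = {
    "upgraded php-cgi":  ("/usr/bin/php5-cgi (deleted)", ["/usr/bin/php-cgi", "/home/test/script.php"]),
    "removed dropper":   ("/tmp/.linux/crn (deleted)", ["crn"]),
    "masquerading perl": ("/usr/bin/perl", ["/usr/share/apache/bin/httpssld"]),
    "honest perl":       ("/usr/bin/perl", ["perl", "script.pl"]),
    "unreadable link":   (None, ["/usr/sbin/sshd"]),
    "kernel thread":     (None, []),
}


def run_cases():
    """Apply classify_exe to the constructed cases against the fake file set."""
    return {name: classify_exe(target, cmdline, FAKE_FS.__contains__)[0]
            for name, (target, cmdline) in CASES.items()}


if __name__ == "__main__":
    for name, level in run_cases().items():
        print(f"{level:8} {name}")
```

The masquerading check keys on argv[0] rather than on the Name: field of /proc/<pid>/status, because the kernel truncates that field to 15 characters (hence "/usr/share/apac" in the report) while the command line keeps the full claimed path; a script that rewrites its own argv can fake the name, but it cannot change where the exe link points.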
