#!/bin/bash
# 20161109
# GPL-3
# If 'infected_action' is set to 'DELETE' or 'REMOVE' then the
# script will delete (or move into the quarantine directory) every file under
# /bin/*, /sbin/*, /lib* and /usr/* (except /usr/local/*)
# that was not installed by emerge, or that was installed by emerge
# and has since been modified by some other program!
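# Action for files that are not in the package database, or whose md5 / link
# target differs from it: 'DELETE' (rm), 'REMOVE' (move into ${infdir}) or
# 'SKIP' (log only).  DELETE/REMOVE only pre-select the interactive prompt
# below; a pre-set SKIP bypasses the prompt.  (The old file assigned DELETE
# and then REMOVE on consecutive lines; only the last one ever took effect.)
infected_action='REMOVE'
#infected_action='SKIP'
# Where the root of the system being checked is mounted.  You run this from
# a LiveCD, right?  It must never be empty: every path below is built as
# "${root}${fn}", and an empty root would point rm/mv at the running system.
root='/mnt/gentoo'
: "${root:?root must not be empty}"
# Gentoo package database: the baseline the scan compares against.
# NOTE(review): it lives on the disk being checked, so anyone who could
# modify system files could also have edited /var/db/pkg to hide that;
# verify it against a trusted copy when in doubt.
db="${root}/var/db/pkg/"
if [[ ! -d "${db}" ]]
then
  echo "Package database '${db}' not found. Is ${root} mounted?" >&2
  exit 1
fi
# Path to log file.  We delete the old log!!!
log='/var/tmp/vlist'
rm -f "${log}"
# "YES" also logs every file that checks out OK; "NO" logs only problems.
logclean="NO"
# Quarantine directory used by 'REMOVE'.  Kept under ${root} but outside the
# trees delete()/remove() are allowed to touch.
infdir="${root}/var/viruses"
# Scratch list files (installed / existing files and links).  They go into a
# fresh private directory rather than fixed names in world-writable /var/tmp,
# so a pre-planted symlink cannot redirect these root-privileged writes.
tmpdir=$(mktemp -d /var/tmp/vlist.XXXXXX) || exit 1
iffile="${tmpdir}/iflist"
effile="${tmpdir}/eflist"
isfile="${tmpdir}/islist"
esfile="${tmpdir}/eslist"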
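#######################################
# Delete the suspect file or link ${fn} from the checked system, but only
# when it lives in a package-managed tree: /bin/*, /sbin/*, /lib* or /usr/*
# (except /usr/local/*).  Anything else is logged as skipped and left alone.
# Globals:   root, log (read); fn (read: path relative to ${root});
#            d (incremented on a successful deletion)
# Outputs:   appends "Deleted!!!", "Skip!" or a failure line to ${log}
# Returns:   0 on deletion or skip, 1 if rm failed or ${root} is empty
#######################################
delete() {
  local target="${root}${fn}"
  # An empty root would turn "${root}${fn}" into a path on the live system.
  if [[ -z "${root}" ]]
  then
    echo "refusing to delete ${fn}: root is empty!" >> "${log}"
    return 1
  fi
  case "${fn}" in
    /usr/local/*)
      echo "Skip!" >> "${log}"
      ;;
    /bin/*|/sbin/*|/lib*|/usr/*)
      # "--" keeps a name starting with '-' from being read as an option.
      if rm -f -- "${target}"
      then
        echo "Deleted!!!" >> "${log}"
        ((d+=1))
      else
        # Do not log a deletion that did not happen (read-only mount, ...).
        echo "rm failed for ${target}!" >> "${log}"
        return 1
      fi
      ;;
    *)
      echo "Skip!" >> "${log}"
      ;;
  esac
}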
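#######################################
# Quarantine the suspect file or link ${fn}: move it out of the checked
# system into ${infdir}, under the same relative directory, so it can be
# examined later.  Only paths under /bin/*, /sbin/*, /lib* or /usr/* (except
# /usr/local/*) are moved; anything else is logged as skipped and left alone.
# Globals:   root, infdir, log (read); fn (read: path relative to ${root});
#            d (incremented on a successful move)
# Outputs:   appends "Removed!!!", "Skip!" or a failure line to ${log}
# Returns:   0 on move or skip, 1 if mkdir/mv failed or ${root} is empty
#######################################
remove() {
  local src="${root}${fn}"
  # Directory part of ${fn}; "" for a top-level entry such as /lib, which
  # the old regex did not match (it needed two slashes).
  local reldir="${fn%/*}"
  local dest="${infdir}${reldir}"
  if [[ -z "${root}" ]]
  then
    echo "refusing to remove ${fn}: root is empty!" >> "${log}"
    return 1
  fi
  case "${fn}" in
    /usr/local/*)
      echo "Skip!" >> "${log}"
      ;;
    /bin/*|/sbin/*|/lib*|/usr/*)
      # NOTE(review): mv keeps the mode bits, so an executable stays
      # executable inside the quarantine; never run anything from ${infdir}.
      # The trailing slash makes mv fail instead of renaming when ${dest}
      # is unexpectedly not a directory.
      if mkdir -p -- "${dest}" && mv -f -- "${src}" "${dest}/"
      then
        echo "Removed!!!" >> "${log}"
        ((d+=1))
      else
        echo "move of ${src} to ${dest} failed!" >> "${log}"
        return 1
      fi
      ;;
    *)
      echo "Skip!" >> "${log}"
      ;;
  esac
}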
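#######################################
# Re-create the symlink ${fn} inside the checked system with the target
# recorded in the package database (${md}).  Called after a modified link
# was deleted/removed, and for links that are missing altogether.
# Globals:   root, log (read); fn (read: link path relative to ${root});
#            md (read: link target as recorded in CONTENTS);
#            r (incremented only when the link was actually created)
# Outputs:   appends a "Recover symlink!" or a failure line to ${log}
# Returns:   0 if the link was created, 1 otherwise
#######################################
recover_sym() {
  # Split with parameter expansion so a top-level entry such as /lib gives
  # dir "" + name "lib".  The old sed regex needed two slashes: for /lib it
  # left name="/lib", and ln then created an absolute /lib on the LiveCD.
  local reldir="${fn%/*}"
  local name="${fn##*/}"
  local linkdir="${root}${reldir}"
  if [[ -z "${root}" || -z "${name}" || -z "${md}" ]]
  then
    echo "${fn} Cannot recover symlink: empty root, name or recorded target!" >> "${log}"
    return 1
  fi
  # Create the link by absolute path instead of cd + relative ln: when the
  # cd failed, ln silently created the link in whatever directory the
  # previous iteration (or the caller) happened to be in.
  if mkdir -p -- "${linkdir}" && ln -s -- "${md}" "${linkdir}/${name}"
  then
    echo "${fn} Recover symlink! :-)" >> "${log}"
    ((r+=1))
  else
    # Usually "File exists": the bad link was skipped rather than removed.
    # The old code logged a recovery and bumped the counter regardless.
    echo "${fn} Recover symlink failed! 8-(" >> "${log}"
    return 1
  fi
}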
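# Confirmation before anything destructive.  A pre-selected DELETE/REMOVE is
# honoured only if the operator types the same word again; any other answer
# (including a bare Enter or EOF on stdin) degrades to SKIP, which only logs.
# A pre-set 'SKIP' bypasses this prompt entirely.
if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]
then
  echo ""
  echo " !!! Atention !!!"
  echo " This script will delete or remove system files!"
  echo ""
  echo "Only 64 bit, no multilib, systems are supported."
  echo ""
  echo "If you don't wont delete any files, just log, type SKIP."
  echo "If you wont remove ?infected? files, type REMOVE."
  echo -n "If you wont delete ?infected? files type DELETE and press 'Enter': "
  # -r keeps the answer literal (no backslash processing).
  read -r check
  case "${check}" in
    DELETE)
      infected_action='DELETE'
      ;;
    REMOVE)
      infected_action='REMOVE'
      # Without the quarantine directory every later mv would fail; stop
      # now instead of running a scan that cannot quarantine anything.
      if ! mkdir -p -- "${infdir}"
      then
        echo "Cannot create quarantine directory '${infdir}'. Aborting." >&2
        exit 1
      fi
      ;;
    *)
      infected_action='SKIP'
      ;;
  esac
fi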
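echo ""
echo -n "Build list of installed system files and links. Please wait... "
# Collect from every CONTENTS file under ${db}:
#   regular files  "obj <path> <md5> <mtime>"                -> ${iffile}
#   symbolic links "sym <path> <target> <mtime>"             -> ${isfile}
#                  (the " -> " of the CONTENTS format is dropped)
# Both lists are sorted and de-duplicated.  Recorded /lib/ and /usr/lib/
# object paths are rewritten to /lib64/ and /usr/lib64/ because on the
# supported 64-bit no-multilib layout /lib is a link to lib64 and find(1)
# reports files by their real path.
# Start from empty scratch files.  The old code cleared only "${iffile}_",
# so a stale "${isfile}_" from an earlier run (possibly of another root) was
# appended to and its links could later be "recovered" into this system.
rm -f -- "${iffile}_" "${isfile}_"
: > "${iffile}_"
: > "${isfile}_"
# NUL-delimited find output: "for f in $(find ...)" word-split and globbed
# every package directory name.
while IFS= read -r -d '' contents
do
  # The old extra "sed -r 's/^(obj) (.+) (.+) (.+)$/\1 \2 \3 \4/'" was an
  # identity rewrite and is gone.
  grep '^obj /' -- "${contents}" \
    | sed -e 's|^obj /lib/|obj /lib64/|' -e 's|^obj /usr/lib/|obj /usr/lib64/|' \
    >> "${iffile}_"
  grep '^sym /' -- "${contents}" \
    | sed -r 's/^(sym) (.+) -> (.+) (.+)$/\1 \2 \3 \4/' \
    >> "${isfile}_"
done < <(find "${db}" -name CONTENTS -type f -print0)
sort -u -- "${iffile}_" > "${iffile}"
sort -u -- "${isfile}_" > "${isfile}"
rm -f -- "${iffile}_" "${isfile}_"
# An empty baseline would make every file on the system look "alien" and,
# with DELETE/REMOVE, wipe /bin, /sbin, /lib* and /usr.  Refuse to go on.
if [[ ! -s "${iffile}" || ! -s "${isfile}" ]]
then
  echo ""
  echo "No package contents found under '${db}'. Is ${root} mounted? Aborting." >&2
  exit 1
fi
echo "OK!"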
echo ""
echo -n "Build list of existing system files and links. Please wait... "
# Directories (relative to ${root}) that are never compared against the
# package database: user data, caches, logs, spools, the portage tree, ...
# Anything below them is neither reported nor touched.  Note that the link
# list skips fewer directories than the file list (e.g. /usr/portage and
# /var/db are still scanned for links).
file_skip=(
  home
  lib64/modules
  media
  mnt
  root
  tmp
  usr/portage
  var/cache
  var/db
  var/lib/clamav
  var/lib/gentoo/news
  var/lib/layman
  var/lib/motioneye
  var/lib/portage
  var/lib/rkhunter/tmp
  var/log
  var/spool
  var/tmp
  var/lib/tor/data
  var/www
)
link_skip=(
  home
  lib64/modules
  media
  mnt
  root
  tmp
  var/tmp
  var/www
)
# Regular files: build the "! -path ${root}/<dir>/*" predicates, then list.
skip_args=()
for dir in "${file_skip[@]}"
do
  skip_args+=('!' -path "${root}/${dir}/*")
done
find "${root}" -type f "${skip_args[@]}" | sort > "${effile}"
# Symbolic links.
skip_args=()
for dir in "${link_skip[@]}"
do
  skip_args+=('!' -path "${root}/${dir}/*")
done
find "${root}" -type l "${skip_args[@]}" | sort > "${esfile}"
echo "OK!"
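echo ""
echo "If you looking for progress run:"
echo "tail -f ${log}"
echo "or filter only infected files run:"
echo "tail -f ${log} |grep -v 'OK! ;-)'"
echo "Full scan can take many hoers."
echo ""
echo -n "Scanning all system symlinks. Please wait... "
# Counters: v = links installed by emerge but now pointing elsewhere,
# n = links not in the package database, d = deleted/removed (bumped by
# delete()/remove()), r = recovered (bumped by recover_sym()).
((v=0)); ((n=0)); ((d=0)); ((r=0))
# Single pass over the existing-link list on fd 3.  The old loop fetched line
# i with a fresh awk run per iteration (O(n^2) over the whole filesystem
# listing); fd 3 leaves stdin alone for the commands run inside the loop.
while IFS= read -r -u3 f
do
  # Path relative to ${root}: a plain prefix strip (awk -F"${root}" split on
  # every occurrence of the root string, not only the leading one).
  fn="/${f#"${root%/}/"}"
  # Target(s) recorded for this path, one per line.  The path is passed via
  # the environment and compared as a whole field: with grep "sym ${fn} "
  # a '[' in the path was a regex error, an empty result, and a deleted
  # "alien" link, and '.' matched any character.
  recorded=$(fn="${fn}" awk '$1 == "sym" && $2 == ENVIRON["fn"] { print $3 }' "${isfile}")
  # recover_sym() re-creates the link from ${md}: use the first record.
  md="${recorded%%$'\n'*}"
  if [[ -z "${md}" ]]
  then
    if [[ "${fn}" == /etc/* ]]
    then
      echo "${fn} Configuration link wasn't installed by emerge!" >> "${log}"
      ((n+=1))
    else
      # NOTE(review): links created by tools other than emerge (eselect,
      # gcc-config, /usr/src/linux, ...) are presumably absent from CONTENTS
      # and land here; review the log before answering DELETE.
      echo -n "${fn} Alien??? Link wasn't installed by emerge! 8-| " >> "${log}"
      ((n+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  else
    # readlink returns the raw target; "ls -l | awk '{print $11}'" broke on
    # targets containing spaces and on locales with a different date layout.
    if ! fm=$(readlink -- "${f}")
    then
      echo "${fn} Cannot read link target! 8-|" >> "${log}"
      continue
    fi
    # The same path may be recorded by more than one package; the on-disk
    # target only has to match one of the recorded ones.
    if grep -qxF -- "${fm}" <<<"${recorded}"
    then
      if [[ "${logclean}" == "YES" ]]
      then
        echo "${fn} OK! ;-)" >> "${log}"
      fi
    elif [[ "${fn}" == /etc/* ]]
    then
      echo "${fn} Configuration link was installed by emerge and are modified!" >> "${log}"
      ((v+=1))
    else
      echo -n "${fn} Virus??? Link was installed by emerge and are modified! 8-( " >> "${log}"
      ((v+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
      # Re-create the link only once the bad one is really gone; for a path
      # delete()/remove() refuse to touch, ln would fail on "File exists"
      # (and the old code logged a recovery anyway).
      if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]] \
        && [[ ! -L "${root}${fn}" && ! -e "${root}${fn}" ]]
      then
        recover_sym
      fi
    fi
  fi
done 3< "${esfile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system links was installed by emerge and modified by another program!!!"
echo " Total: ${n} system links wasn't installed by emerge and was created by another program!!!"
echo " Total: ${d} system links wasn't installed by emerge or was modified by another program are deleted or removed!!!"
echo " Total: ${r} system links wasn installed by emerge and modified by another program or don't exist are recovered!!!"
echo ""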
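echo -n "Scanning all system files. Please wait... "
# Counters: v = files installed by emerge whose content changed, n = files
# not in the package database, d = deleted/removed (bumped by
# delete()/remove()).
((v=0)); ((n=0)); ((d=0));
# Single pass over the existing-file list on fd 3 (the old loop re-ran awk
# per line number: O(n^2) on a whole filesystem).  fd 3 keeps stdin free
# for the commands run inside the loop.
while IFS= read -r -u3 f
do
  # Path relative to ${root}: a plain prefix strip (awk -F"${root}" split on
  # every occurrence of the root string, not only the leading one).
  fn="/${f#"${root%/}/"}"
  # Recorded md5(s) for this path, one per line.  The path is passed via the
  # environment and compared as a whole field: with grep "obj ${fn} " a '['
  # in the path was a regex error, an empty result, and a deleted "alien".
  recorded=$(fn="${fn}" awk '$1 == "obj" && $2 == ENVIRON["fn"] { print $3 }' "${iffile}")
  md="${recorded%%$'\n'*}"
  if [[ -z "${md}" ]]
  then
    if [[ "${fn}" == /etc/* ]]
    then
      echo "${fn} Configuration file wasn't installed by emerge!" >> "${log}"
      ((n+=1))
    else
      echo -n "${fn} Alien??? File wasn't installed by emerge! 8-| " >> "${log}"
      ((n+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  else
    # An unreadable file must not be mistaken for a modified one: an empty
    # checksum never matches and the file would be deleted as a "virus".
    if ! fm=$(md5sum -- "${f}")
    then
      echo "${fn} Cannot read file to verify it! 8-|" >> "${log}"
      continue
    fi
    fm="${fm%% *}"
    # Accept a match against any recorded checksum, since the same path may
    # be recorded by more than one package.  NOTE(review): this is MD5 only
    # because that is what CONTENTS stores; it catches ordinary tampering,
    # not a deliberately crafted collision.
    if grep -qxF -- "${fm}" <<<"${recorded}"
    then
      if [[ "${logclean}" == "YES" ]]
      then
        echo "${fn} OK! ;-)" >> "${log}"
      fi
    elif [[ "${fn}" == /etc/* ]]
    then
      echo "${fn} Configuration file was installed by emerge and are modified!" >> "${log}"
      ((v+=1))
    else
      echo -n "${fn} Virus??? File was installed by emerge and are modified! 8-( " >> "${log}"
      ((v+=1))
      case "${infected_action}" in
        DELETE) delete ;;
        REMOVE) remove ;;
        *) echo "Skip!" >> "${log}" ;;
      esac
    fi
  fi
done 3< "${effile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system files was installed by emerge and modified by another program!!!"
echo " Total: ${n} system files wasn't installed by emerge and was created by another program!!!"
echo " Total: ${d} system files wasn't installed by emerge or was modified by another program are deleted or removed!!!"
echo ""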
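echo -n "Looking for missing system lynks. Please wait... "
# Counters: v = recorded links that are not present as links, r = recovered
# (bumped by recover_sym()).
((v=0)); ((r=0))
# Walk the recorded links ("sym <path> <target> <mtime>") once, on fd 3,
# instead of one awk run per line number.  fn and md are the globals
# recover_sym() reads.
while read -r -u3 _type fn md _rest
do
  [[ -n "${fn}" ]] || continue
  link="${root}${fn}"
  if [[ -L "${link}" ]]
  then
    # The link itself exists.  The old test was "! -s", which follows the
    # link, so a dangling link (or one to an empty file) was reported as
    # missing and the recovery ln -s then failed on "File exists".  Report
    # dangling links as what they are; there is nothing to re-create.
    if [[ ! -e "${link}" ]]
    then
      echo "${fn} Link was installed by emerge but its target is missing (dangling)! 8-(" >> "${log}"
      ((v+=1))
    fi
  elif [[ -e "${link}" ]]
  then
    # A non-link (regular file, directory) sits where the link should be;
    # most likely already reported by the file scan.  Not recoverable
    # without removing it first, so only log it.
    echo "${fn} Link was installed by emerge but a non-link exists in its place! 8-(" >> "${log}"
    ((v+=1))
  else
    echo "${fn} Link was installed by emerge and don't exist! 8-(" >> "${log}"
    ((v+=1))
    if [[ "${infected_action}" == 'DELETE' || "${infected_action}" == 'REMOVE' ]]
    then
      recover_sym
    fi
  fi
done 3< "${isfile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system links was installed by emerge and don't exist!!!"
echo " Total: ${r} system links installed by emerge and don't exist, are recovered!!!"
echo ""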
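echo -n "Looking for missing system files. Please wait... "
# Counter: v = recorded regular files that are not present.
((v=0))
# Walk the recorded files ("obj <path> <md5> <mtime>") once, on fd 3,
# instead of one awk run per line number.
while read -r -u3 _type fn _md _rest
do
  [[ -n "${fn}" ]] || continue
  # -f follows symlinks, so a link to an existing regular file still counts
  # as present, as before.
  if [[ ! -f "${root}${fn}" ]]
  then
    echo "${fn} File was installed by emerge and don't exist! 8-(" >> "${log}"
    ((v+=1))
  fi
done 3< "${iffile}"
echo "OK!"
echo "Sumary:"
echo " Total: ${v} system files was installed by emerge and don't exist!!!"
echo ""
echo " Please look in '${log}' for detail information."
echo " If you looking only for virus run:"
echo " grep -v 'OK! ;-)' ${log} |less"
exit 0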