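#!/bin/bash
# Lionfind - report whether files or directories associated with the Lion
# worm exist on this filesystem. Detection only: nothing is archived or
# removed.
#
# The check is a fixed list of paths tested for existence. Two limits follow
# from that and should shape how a result is read:
#   * A clean result only means none of the listed paths were visible. It
#     says nothing about variants that use other paths.
#   * The file list below includes entries under /dev/.lib/lib/lib/ named
#     ls, ps, find, du, top, netstat, ifconfig and login, which look like
#     replacement system tools. For that reason this script uses shell
#     builtins only (echo, printf, [[ ]]) and calls no external commands.
#     NOTE(review): builtins do not help if the running kernel itself hides
#     paths; checking the disk from trusted boot media is the stronger test.

LIONFINDVERSION="0.1"

# Succeeds when something exists at path $1.
# -e follows symlinks, so a dangling symlink sitting at a listed path would
# be reported as absent; -L covers that case.
path_present() {
  [[ -e "$1" || -L "$1" ]]
}

#Banner.
printf '%s\n' \
  '==== Lionfind ====' \
  "Version $LIONFINDVERSION" \
  'A script to report on the existence of the Lion worm.' \
  'Future versions will optionally' \
  'archive and/or remove the it from the current system.' \
  'Copyright 2001 William Stearns ,' \
  'Released under the GNU General Public License (GPL).' \
  'Updated versions may be found at the' \
  'Institute for Security Technology Studies' \
  '(http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm),' \
  'and SANS (http://www.sans.org/y2k/lion.htm).'
#FIXME - restoreme.
#echo Usage help may be obtained with \"$0 -h\".

# Results are kept in arrays so a matched path containing whitespace or glob
# characters is stored and printed as one item.
OFFENDINGFILES=()
OFFENDINGDIRS=()

# Whitespace-separated list of file indicators. Entries may be glob patterns
# (see the sh* entry), so the list is expanded unquoted in the loop below.
# NOTE(review): the sh* pattern is spelled ".torn" while SUSPICIOUSDIRS lists
# "/usr/info/.t0rn/". Confirm the spelling against a primary write-up of the
# worm; a typo in this list is a silent miss.
SUSPICIOUSFILES="
  /bin/in.telnetd
  /bin/mjy
  /usr/man/man1/man1/lib/.lib/mjy
  /usr/man/man1/man1/lib/.lib/in.telnetd
  /usr/man/man1/man1/lib/.lib/.x
  /dev/.lib/lib/scan/1i0n.sh
  /dev/.lib/lib/scan/hack.sh
  /dev/.lib/lib/scan/bind
  /dev/.lib/lib/scan/randb
  /dev/.lib/lib/scan/scan.sh
  /dev/.lib/lib/scan/pscan
  /dev/.lib/lib/scan/star.sh
  /dev/.lib/lib/scan/bindx.sh
  /dev/.lib/lib/scan/bindname.log
  /dev/.lib/lib/1i0n.sh
  /dev/.lib/lib/lib/netstat
  /dev/.lib/lib/lib/dev/.1addr
  /dev/.lib/lib/lib/dev/.1logz
  /dev/.lib/lib/lib/dev/.1proc
  /dev/.lib/lib/lib/dev/.1file
  /dev/.lib/lib/lib/t0rns
  /dev/.lib/lib/lib/du
  /dev/.lib/lib/lib/ls
  /dev/.lib/lib/lib/t0rnsb
  /dev/.lib/lib/lib/ps
  /dev/.lib/lib/lib/t0rnp
  /dev/.lib/lib/lib/find
  /dev/.lib/lib/lib/ifconfig
  /dev/.lib/lib/lib/pg
  /dev/.lib/lib/lib/ssh.tgz
  /dev/.lib/lib/lib/top
  /dev/.lib/lib/lib/sz
  /dev/.lib/lib/lib/login
  /dev/.lib/lib/lib/in.fingerd
  /dev/.lib/lib/lib/1i0n.sh
  /dev/.lib/lib/lib/pstree
  /dev/.lib/lib/lib/in.telnetd
  /dev/.lib/lib/lib/mjy
  /dev/.lib/lib/lib/sush
  /dev/.lib/lib/lib/tfn
  /dev/.lib/lib/lib/name
  /dev/.lib/lib/lib/getip.sh
  /usr/info/.torn/sh*
  /usr/src/.puta/.1addr
  /usr/src/.puta/.1file
  /usr/src/.puta/.1proc
  /usr/src/.puta/.1logz
"
#FIXME - /usr/sbin/nscd may be legal.

# Whitespace-separated list of directory indicators. The original list named
# /usr/src/.puta/ twice; the repeat is dropped so a hit is reported once.
SUSPICIOUSDIRS="
  /dev/.lib/
  /dev/.lib/lib/
  /dev/.lib/lib/lib/
  /dev/.lib/lib/lib/dev/
  /dev/.lib/lib/scan/
  /usr/src/.puta/
  /usr/man/man1/man1/
  /usr/man/man1/man1/lib/
  /usr/man/man1/man1/lib/.lib/
  /usr/man/man1/man1/lib/.lib/.backup/
  /usr/info/.t0rn/
"

echo 'Locate Lion related files and directories...'

# shellcheck disable=SC2086 # unquoted on purpose: split the list, expand globs
for ONEFILE in $SUSPICIOUSFILES; do
  # An unmatched glob stays as the literal pattern and simply fails the test.
  if path_present "$ONEFILE"; then
    OFFENDINGFILES+=("$ONEFILE")
  fi
done

# shellcheck disable=SC2086 # unquoted on purpose: split the list
for ONEDIR in $SUSPICIOUSDIRS; do
  # -d resolves symlinks; the -L test (trailing slash removed so the link
  # itself is examined) also reports a dangling symlink at a listed path.
  if [[ -d "$ONEDIR" || -L "${ONEDIR%/}" ]]; then
    OFFENDINGDIRS+=("$ONEDIR")
  fi
done

#Report on what was found.
FOUND=("${OFFENDINGFILES[@]}" "${OFFENDINGDIRS[@]}")
if (( ${#FOUND[@]} > 0 )); then
  echo 'The following suspicious files or directories were found:'
  # Same single-line, space-separated layout as before; "${FOUND[*]}" joins
  # the items without re-splitting or re-globbing them.
  printf '%s\n' "${FOUND[*]}"
else
  #No suspicious files or dirs found - good!
  echo 'None of the following suspicious files or directories were found:'
  # shellcheck disable=SC2086 # unquoted on purpose: flatten lists to one line
  echo $SUSPICIOUSFILES $SUSPICIOUSDIRS
  echo 'To the best of my knowledge, the Lion worm is NOT on this filesystem.'
fi #Suspicious files or dirs found?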