Skip to content

Instantly share code, notes, and snippets.

@amigcamel

amigcamel/kill_xorddos.py

Last active December 26, 2016 16:28
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save amigcamel/f05d745bf8413ab15defd65a4e2db046 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save amigcamel/f05d745bf8413ab15defd65a4e2db046 to your computer and use it in GitHub Desktop.
Download ZIP
Python script for killing XorDDos trojan
Raw
kill_xorddos.py
import os
import os.path
import shutil
ans = raw_input('[p]rint/[d]elete ?')
if ans == 'p':
debug = False
elif ans == 'd':
debug = True
else:
raise Exception('Invalid input, aborted!')
log_file = open(os.path.join(os.path.expanduser('~'), 'xorddos.log'), 'w')
print('searching for cron')
log_file.write('-------------------- cron --------------------\n')
cron_hourly = '/etc/cron.hourly'
crons = os.listdir(cron_hourly)
for cron in crons:
cron_path = os.path.join(cron_hourly, cron)
with open(cron_path) as f:
data = f.read()
if 'cp /lib/libgcc' in data or 'cp /lib/udev' in data or 'X11R6' in data or 'do ifconfig' in data:
print('suspicious cron found: %s' % cron_path)
log_file.write(cron_path + '\n')
if debug:
os.remove(cron_path)
tar_dirs = []
etc = '/etc'
for file_ in os.listdir(etc):
path_ = os.path.join(etc, file_)
if os.path.isdir(path_) and path_.startswith('rc.'):
tar_dirs.append(path_)
tar_dirs += [
'/etc/init.d',
'/usr/bin',
'/bin',
]
log_file.write('-------------------- file --------------------\n')
for tar_dir in tar_dirs:
filenames = os.listdir(tar_dir)
for filename in filenames:
file_path = os.path.join(tar_dir, filename)
with open(file_path) as f:
if 'chkconfig: 12345 90 90' in f.read():
print('suspicious bin found: %s' % file_path)
log_file.write(file_path + '\n')
if debug:
os.remove(file_path)
f.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment