This tool is designed to detect potential system compromises, particularly focusing on the perfctl malware family and similar threats. It performs various checks to identify suspicious files, processes, and system configurations that might indicate a compromise.

## Features

- Detects known malicious files and paths
- Identifies suspicious running processes
- Checks for suspicious cron jobs
- Analyzes systemd services
- Monitors Docker containers for crypto mining activity
- Checks for exposed Portainer agent
- Detects potential SSH backdoors
- Identifies LD_PRELOAD hijacking attempts

## Requirements

- Python 3.6+
- Root/sudo access (for some checks)
- Linux operating system

## Installation

- Clone or download the script to your system
- Make the script executable:

```bash
chmod +x linux_compromise_detector.py
```

## Usage

Run the script with root privileges for full functionality:

```bash
sudo python3 linux_compromise_detector.py
```

## Output

The tool will generate a JSON report containing:

- Scan timestamp
- List of findings with severity levels
- Total number of findings

```json
{
  "scan_time": "2024-01-01T12:00:00.000000",
  "findings": [
    {
      "type": "suspicious_file",
      "severity": "HIGH",
      "details": "Found suspicious file: /tmp/.xdiag/",
      "timestamp": "2024-01-01T12:00:00.000000"
    }
  ],
  "total_findings": 1
}
```

## Severity Levels

- HIGH: Immediate attention required, likely indicates compromise
- MEDIUM: Suspicious activity that requires investigation
- LOW: Potential issues or errors in detection
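To show how one of the listed checks (LD_PRELOAD hijacking) can feed findings into the report format above, here is an added example that is not the tool's own code: `check_ld_preload` classifies entries of `/etc/ld.so.preload` and any `LD_PRELOAD` variable in the scanner's environment, and `build_report` wraps the findings in the same `scan_time`/`findings`/`total_findings` schema. The suspicious-directory list, the finding `type` names and the sample preload content are constructed for this example.

```python
import os
from datetime import datetime, timezone

# Directories from which a legitimate preload library is very unlikely to be loaded
# (constructed list for this example; tune it for your environment).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def finding(ftype, severity, details):
    """Build one finding in the report schema the tool emits."""
    return {"type": ftype, "severity": severity, "details": details,
            "timestamp": datetime.now(timezone.utc).isoformat()}


def check_ld_preload(preload_text, environ):
    """Classify /etc/ld.so.preload entries and an LD_PRELOAD environment variable."""
    findings = []
    for raw in preload_text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # ld.so ignores blank lines and '#' comments
        if not entry:
            continue
        hidden = any(part.startswith(".") for part in entry.split("/"))
        if entry.startswith(SUSPICIOUS_DIRS) or hidden:
            findings.append(finding("ld_preload_hijack", "HIGH",
                            f"/etc/ld.so.preload loads library from suspicious path: {entry}"))
        else:  # any preload entry is unusual on a server; flag it for verification
            findings.append(finding("ld_preload_entry", "MEDIUM",
                            f"/etc/ld.so.preload entry present, verify it is expected: {entry}"))
    if environ.get("LD_PRELOAD"):
        findings.append(finding("ld_preload_env", "MEDIUM",
                        f"LD_PRELOAD set in environment: {environ['LD_PRELOAD']}"))
    return findings


def build_report(findings):
    """Wrap findings in the same top-level structure as the tool's JSON report."""
    return {"scan_time": datetime.now(timezone.utc).isoformat(),
            "findings": findings, "total_findings": len(findings)}


def scan_live_system():
    """Read the real /etc/ld.so.preload (if present) and this process's environment."""
    text = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            text = fh.read()
    return build_report(check_ld_preload(text, os.environ))


# Constructed sample input: one hidden-directory entry, one comment, one vendor library.
SAMPLE_PRELOAD = "/tmp/.xdiag/libx.so\n# vendor profiler\n/usr/lib/libprofiler.so\n"

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(check_ld_preload(SAMPLE_PRELOAD, os.environ)), indent=2))
```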

## Best Practices

- Run this tool regularly as part of your security monitoring
- Keep the tool updated with new IOCs (Indicators of Compromise)
- Review all findings, especially those marked as HIGH severity
- Consider running in a cron job for automated monitoring

## Limitations

- Some checks require root privileges
- False positives may occur
- Tool effectiveness depends on known IOCs
- Some malware may actively hide from detection

## Contributing

Feel free to contribute by:
- Adding new detection methods
- Updating IOCs
- Improving detection accuracy
- Adding support for new malware families

## License

MIT License