-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcdorked.c
68 lines (60 loc) · 2.51 KB
/
cdorked.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
// This program dumps the content of a shared memory block
// used by Linux/Cdorked.A into a file named httpd_cdorked_config.bin
// when the machine is infected.
//
// Some of the data is encrypted. If your server is infected and you
// would like to help, please send the httpd_cdorked_config.bin
// and your httpd executable to our lab for analysis. Thanks!
//
// Build with gcc -o dump_cdorked_config dump_cdorked_config.c
//
// Marc-Etienne M.Léveillé <leveille@eset.com>
//
#include <stdio.h>
#include <sys/shm.h>
#define CDORKED_SHM_SIZE (6118512)
#define CDORKED_OUTFILE "httpd_cdorked_config.bin"
int main (int argc, char *argv[]) {
int maxkey, id, shmid, infected = 0;
struct shm_info shm_info;
struct shmid_ds shmds;
void * cdorked_data;
FILE * outfile;
maxkey = shmctl(0, SHM_INFO, (void *) &shm_info);
for(id = 0; id <= maxkey; id++) {
shmid = shmctl(id, SHM_STAT, &shmds);
if (shmid < 0)
continue;
if(shmds.shm_segsz == CDORKED_SHM_SIZE) {
// We have a matching Cdorked memory segment
infected++;
printf("A shared memory matching Cdorked signature was found.\n");
printf("You should check your HTTP server's executable file integrity.\n");
cdorked_data = shmat(shmid, NULL, 0666);
if(cdorked_data != NULL) {
outfile = fopen(CDORKED_OUTFILE, "wb");
if(outfile == NULL) {
printf("Could not open file %s for writing.", CDORKED_OUTFILE);
}
else {
fwrite(cdorked_data, CDORKED_SHM_SIZE, 1, outfile);
fclose(outfile);
printf("The Cdorked configuration was dumped in the %s file.\n\n", CDORKED_OUTFILE);
}
}
}
}
if(infected == 0) {
printf("cdorked: ");
/* printf("No shared memory matching Cdorked signature was found.\n");*/
/* printf("To further verify your server, run \"ipcs -m -p\" and look");*/
/* printf(" for a memory segments created by your http server.\n");*/
}
else {
printf("cdorked: possible infection, check httpd_cdorked_config.bin");
/* printf("If you would like to help us in our research on Cdorked, ");*/
/* printf("please send the httpd_cdorked_config.bin and your httpd executable file ");*/
/* printf("to our lab for analysis at leveille@eset.com. Thanks!\n");*/
}
return infected;
}