2022-09-08 13:53:43 +00:00
|
|
|
-- Inspired by BPFdoor
|
|
|
|
-- https://www.sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
|
2022-09-21 01:56:01 +00:00
|
|
|
SELECT file.path, file.type, file.mtime, file.uid, file.ctime, file.gid, hash.sha256, magic.data
|
2022-09-08 13:53:43 +00:00
|
|
|
FROM file
|
2022-09-21 01:56:01 +00:00
|
|
|
LEFT JOIN hash ON file.path = hash.path
|
|
|
|
LEFT JOIN magic ON file.path = magic.path
|
2022-09-08 13:53:43 +00:00
|
|
|
WHERE (
|
2022-09-21 01:56:01 +00:00
|
|
|
file.path LIKE "/dev/shm/%%"
|
|
|
|
OR file.path LIKE "/dev/shm/.%"
|
|
|
|
OR file.path LIKE "/dev/shm/.%/%"
|
|
|
|
OR file.path LIKE "/dev/%/.%"
|
|
|
|
OR file.path LIKE "/dev/.%"
|
|
|
|
OR file.path LIKE "/dev/.%/%"
|
|
|
|
OR file.path LIKE "/dev/mqueue/%%"
|
|
|
|
OR file.path LIKE "/dev/mqueue/.%/%"
|
|
|
|
OR file.path LIKE "/dev/mqueue/.%"
|
2022-09-08 13:53:43 +00:00
|
|
|
)
|
2022-09-21 01:56:01 +00:00
|
|
|
AND file.path NOT LIKE '/dev/shm/.com.google.%'
|
|
|
|
AND file.path NOT LIKE '/dev/shm/.org.chromium.%'
|
|
|
|
AND file.path NOT LIKE '/dev/shm/wayland.mozilla.%'
|
|
|
|
AND file.path NOT LIKE "/dev/shm/jack_db%"
|
2022-09-21 11:42:51 +00:00
|
|
|
AND file.path NOT LIKE "/dev/shm/flatpak-%"
|
2022-09-22 09:18:03 +00:00
|
|
|
AND file.path NOT LIKE "/dev/shm/libpod_rootless_lock_%"
|
2022-09-21 01:56:01 +00:00
|
|
|
AND file.path NOT LIKE "%/../%"
|
|
|
|
AND file.path NOT LIKE "%/./%"
|
2022-09-09 16:51:52 +00:00
|
|
|
AND filename NOT IN ('..')
|
2022-09-08 21:58:56 +00:00
|
|
|
AND filename NOT LIKE "pulse-shm-%"
|
|
|
|
AND filename NOT LIKE "u1000-Shm%"
|
2022-09-09 16:51:52 +00:00
|
|
|
AND filename NOT LIKE "u1000-Valve%"
|
2022-09-21 01:56:01 +00:00
|
|
|
AND file.path NOT IN ('/dev/.mdadm/')
|