@RWJMurphy
Last active December 14, 2015 00:48
A basic check for the `libkeyutils` sshd rootkit.
#!/bin/bash
# Basic check for the libkeyutils sshd rootkit on CentOS 5/6.
# Looks for the known rogue library name, optionally quarantines it,
# and optionally scans the library directory for files rpm does not own.
me=$0

die() {
    echo "$*"
    usage
    exit 1
}

usage() {
    echo "$me [options]"
    echo "Options:"
    echo "  fix    attempts to quarantine the rootkit, if found"
    echo "  scan   also scans for library files not known to rpm"
}

fix=0
scan=0
while (( $# )); do
    case $1 in
        "fix")
            fix=1
            ;;
        "scan")
            scan=1
            ;;
        *)
            die "Unknown flag '$1'"
            ;;
    esac
    shift
done

# The library names and the rpm-based scan below are only valid on CentOS.
if ! grep -q "CentOS" /etc/redhat-release; then
    die "This script is only safe to run on CentOS boxen."
fi

# Pick the rogue library name that the rootkit uses on this release.
centos_ver=$(sed 's/CentOS release //' /etc/redhat-release)
case $centos_ver in
    5.*)
        rootkit_name="libkeyutils-1.2.so.2"
        ;;
    6.*)
        rootkit_name="libkeyutils.so.1.9"
        ;;
    *)
        die "Unknown CentOS version ${centos_ver}"
        ;;
esac

arch=$(uname -m)
if [ "$arch" = "x86_64" ]; then
    lib_path="/lib64"
else
    lib_path="/lib"
fi

quarantine_path="/root/.quarantine/$(date +'%Y%m%d')"
rootkit="${lib_path}/${rootkit_name}"

if [ -f "${rootkit}" ]; then
    echo "${rootkit_name} found: ${rootkit}"
    if [ "$fix" = "1" ]; then
        echo "Quarantining rootkit ${rootkit}"
        mkdir -p "${quarantine_path}"
        # Clear immutable/undeletable attributes the rootkit may have set,
        # then move the file out of the library path and make it unreadable.
        chattr -iu "${rootkit}"
        chmod 400 "${rootkit}"
        mv "${rootkit}" "${quarantine_path}/${rootkit_name}"
        chmod 000 "${quarantine_path}/${rootkit_name}"
        # Rebuild the linker cache so the removed library is no longer resolved,
        # then restart sshd so a clean copy is loaded.
        echo "Running ldconfig"
        ldconfig
        echo "Restarting sshd"
        service sshd restart
    fi
else
    echo "${rootkit} not found."
fi

if [ "$scan" = "1" ]; then
    # Any regular file in the library directory that no rpm package owns
    # deserves a closer look.
    echo "Scanning for libraries not known to rpm"
    find "${lib_path}" -type f -print0 | xargs -0 rpm -qf | grep -F "is not owned"
fi
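The script's `scan` option applies the rpm-ownership test to files on disk. As an added example (not part of the gist), the same test applied to what is actually mapped into a running sshd, which catches a rogue library even when it was given a name the script does not know. On a real host the two inputs would be `/proc/$(pidof sshd)/maps` and the output of `rpm -qf` over the mapped paths; here both are constructed samples so the script runs offline.

```shell
#!/bin/bash
# Added example: report shared objects mapped into a process that rpm does
# not account for. Inputs are constructed samples, not taken from a real host.

# Print the distinct file-backed mappings from maps-format text on stdin.
mapped_libs() {
    awk '$6 ~ /^\// { print $6 }' | sort -u
}

# Arg 1: a maps dump. Arg 2: the output of `rpm -qf` over the mapped paths.
# Prints every mapped .so that rpm reports as not owned by any package.
unowned_mapped_libs() {
    local maps_file=$1 rpmqf_file=$2
    mapped_libs < "$maps_file" | while IFS= read -r lib; do
        case "$lib" in *.so*) ;; *) continue ;; esac
        if grep -qF "file ${lib} is not owned by any package" "$rpmqf_file"; then
            printf '%s\n' "$lib"
        fi
    done
}

# Constructed sample: a CentOS 6 sshd with the packaged libkeyutils.so.1.3
# loaded alongside a rogue libkeyutils.so.1.9 that no package owns.
SAMPLE_MAPS=$(mktemp)
SAMPLE_RPMQF=$(mktemp)
trap 'rm -f "$SAMPLE_MAPS" "$SAMPLE_RPMQF"' EXIT
cat > "$SAMPLE_MAPS" <<'EOF'
00400000-0047c000 r-xp 00000000 fd:00 131586 /usr/sbin/sshd
3a2d400000-3a2d403000 r-xp 00000000 fd:00 655399 /lib64/libkeyutils.so.1.3
3a2d403000-3a2d602000 ---p 00003000 fd:00 655399 /lib64/libkeyutils.so.1.3
3a2da00000-3a2da0b000 r-xp 00000000 fd:00 655412 /lib64/libkeyutils.so.1.9
3a2de00000-3a2de16000 r-xp 00000000 fd:00 655373 /lib64/libresolv-2.12.so
7fff8b1ff000-7fff8b200000 r-xp 00000000 00:00 0 [vdso]
EOF
# Constructed `rpm -qf` output for the four mapped files (versions are made up).
cat > "$SAMPLE_RPMQF" <<'EOF'
openssh-server-5.3p1-1.el6.x86_64
keyutils-libs-1.4-1.el6.x86_64
file /lib64/libkeyutils.so.1.9 is not owned by any package
glibc-2.12-1.el6.x86_64
EOF

# Prints /lib64/libkeyutils.so.1.9 for the sample above.
unowned_mapped_libs "$SAMPLE_MAPS" "$SAMPLE_RPMQF"
```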