Trojan Scan is a simple shell script that provides a basic but relatively effective check for trojans, rootkits and other malware that may be using your server and network for unwanted (and possibly illegal) purposes. It will not catch everything, but it can help find such programs on shared servers with many users. It works by listing all processes that use the network with the lsof command, using the -Pni flags (-P and -n suppress port and host name lookups, so the output is stable and needs no DNS; -i selects network sockets). This list is transformed into signatures, which are then matched against the allowed processes defined in the configuration. If any running process has a signature that does not match an allowed signature, an email report is sent that includes ps, ls and optionally lsof output for the unknown processes.
Tags: Monitoring, Networking, Systems Administration, Utilities
Operating Systems: POSIX, GNU/Hurd, Linux, Mac OS X, BSD
Implementation: Unix Shell, bash
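The description above outlines the mechanism but not what a signature looks like or how the allowlist comparison is done. The following is an added example written for this page, not the Trojan Scan script itself: it turns constructed `lsof -Pni` output into signatures, compares them with an allowlist and prints the lsof lines behind every unknown signature. The signature format COMMAND:USER:PROTO:LOCALPORT, the sample lsof lines and the function names are assumptions for the demo, not the project's own configuration format.

```shell
#!/bin/sh
# Added example, not the Trojan Scan script itself: the lsof-to-signature
# matching described on this page. The signature format
# COMMAND:USER:PROTO:LOCALPORT and the names below are assumptions for this
# demo, not the project's own configuration format.

# Constructed sample of `lsof -Pni` output (no real host was scanned).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd     1234 root    4u  IPv6  12346      0t0  TCP *:22 (LISTEN)
nginx    2345 www     6u  IPv4  23456      0t0  TCP *:80 (LISTEN)
ntpd     2222 ntp     5u  IPv4  33333      0t0  UDP *:123
perl     9999 bob     3u  IPv4  34567      0t0  TCP 10.0.0.5:51234->203.0.113.9:6667 (ESTABLISHED)'

# Allowed signatures, one per line, as an operator would keep in the config.
ALLOWED='sshd:root:TCP:22
nginx:www:TCP:80
ntpd:ntp:UDP:123'

# awk helper shared by the functions below. It finds the NODE column by
# content (TCP/UDP/ICMP/ICMPV6) rather than by position, because lsof has
# changed its column layout between versions, and keeps only the local
# endpoint's port. PID is left out so a restarted daemon keeps its signature.
SIG_AWK='
function sig(   i, proto, name, n, parts) {
    if ($1 == "COMMAND") return ""                 # header line
    for (i = 1; i <= NF; i++)
        if ($i ~ /^(TCP|UDP|ICMP|ICMPV6)$/) { proto = $i; name = $(i + 1); break }
    if (proto == "") return ""                     # not a network socket line
    sub(/->.*/, "", name)                          # drop the remote endpoint
    n = split(name, parts, ":")                    # port follows the last colon, so [::1]:22 works too
    return $1 ":" $3 ":" proto ":" parts[n]
}
'

# lsof_signatures: lsof -Pni lines on stdin -> unique signatures on stdout.
lsof_signatures() {
    awk "$SIG_AWK"'{ s = sig(); if (s != "") print s }' | sort -u
}

# unknown_signatures: signatures from stdin that are not listed in $ALLOWED.
unknown_signatures() {
    lsof_signatures | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($0 in ok)'
}

# report_unknown: the original lsof lines behind every unknown signature.
# These carry the PIDs a report would then feed to ps, ls and lsof -p.
report_unknown() {
    input=$(cat)
    unknown=$(printf '%s\n' "$input" | unknown_signatures)
    printf '%s\n' "$input" | awk -v unknown="$unknown" "$SIG_AWK"'
        BEGIN { n = split(unknown, u, "\n"); for (i = 1; i <= n; i++) bad[u[i]] = 1 }
        { s = sig(); if (s != "" && s in bad) print }'
}

# Demo run over the constructed sample: only the perl process owned by bob
# with an outbound connection to port 6667 is reported.
printf '%s\n' "$SAMPLE_LSOF" | report_unknown
```

On a real host the sample would be replaced by `lsof -Pni | report_unknown`, and each reported PID would be passed to ps, ls and lsof -p to build the mail. Two caveats apply to any allowlist of this kind. First, a name-based signature is only as strong as its fields: a trojan that names itself after an allowed daemon, runs as the same user and listens on the same port matches the allowlist, so a production signature should also bind the executable path or a hash of the binary. Second, the whole approach trusts lsof: a kernel rootkit can hide sockets from it, and a replaced lsof binary can lie outright; the release notes below mention an MD5 check of lsof, which addresses only the second case.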
Release Notes: This release added a workaround for changed 'lsof' output, slightly improved the README, added 'who' output to the report, improved how the MD5 of 'lsof' is determined, fixed an issue with the generated configuration containing ':X:', added a -f parameter for supplying the configuration file, and made some minor changes to make the script more robust. It has been fixed and tested on Mac OS X 10.8. All debug output is now directed to stderr.
Release Notes: This release adds IPv6 support.
Release Notes: This release renames all references to Trojan Scan. It adds a check of the lsof output format during configuration generation, improves configuration generation by using the detected program paths, and adds a warning message when a required command cannot be found.
Release Notes: Support was added for tail -n. Verbose mode was fixed. lsof output is now included for unknown processes only.
Release Notes: Support for Darwin was added. Support for the ICMPv6 protocol was added.