
My technical corner about Linux, Perl, programming, computer networks and network security


Basics of writing bash scripts, a simple antivirus on a linux router

If you are a network admin, then malware can be your main problem. The typical user in your network runs Windows and either has this problem now or will have it in the future. You cannot teach your users how to use computers, but you can supervise them better. ;-)

In this article, I will show you how to write a really simple automatic antivirus based on a short bash script. To do this you have to be the network administrator, and your main router must be a Linux router (I have not tested other types yet).

You need the following things:

  • A Linux-based router (mine is an ordinary desktop PC).
  • The iptraf program, to log the network traffic which flows through the router
  • A simple httpd server, if you want to redirect infected users to an information page

IPtraf writes log lines like the following (taken from random places in the log file):

Thu Dec  1 13:01:16 2011; UDP; eth1; 40 bytes; from AToulouse-552-1-144-112.w83-203.abo.wanadoo.:51811 to host1:61074
Thu Dec  1 13:01:17 2011; UDP; eth1; 199 bytes; from host3:61074 to ALille-651-1-88-144.w2-5.abo.wanadoo.fr:58248
Wed Sep 19 09:40:49 2012; TCP; eth1; 48 bytes; from host1:lockstep to server:smtp; first packet (SYN)
Wed Sep 19 09:40:49 2012; TCP; eth1; 48 bytes; from server:smtp to host1:lockstep; first packet (SYN)
Wed Sep 19 09:40:50 2012; TCP; eth1; 46 bytes; from host1:lockstep to server:smtp; FIN sent; 397 packets, 591062 bytes, avg flow rate 4728.00 kbits/s

Tue Sep 18 13:12:59 2012; TCP; eth1; 52 bytes; from host1:29070 to 212.77.101.100:http; first packet (SYN) 
Tue Sep 18 13:12:59 2012; TCP; eth1; 40 bytes; from somehost.pl:http to host1:ttntspauto; first packet 
Tue Sep 18 13:12:59 2012; TCP; eth1; 44 bytes; from somehost.pl:http to host1:nppmp; first packet (SYN) 
Tue Sep 18 13:12:59 2012; TCP; eth1; 48 bytes; from 212.77.101.100:http to host1:29070; first packet (SYN) 
Tue Sep 18 13:12:59 2012; TCP; eth1; 52 bytes; from 94.127.76.80:http to dwor:49663; first packet (SYN)
Tue Sep 18 13:12:59 2012; TCP; eth1; 52 bytes; from host1:29071 to 80.237.152.62:http; first packet (SYN) 
Tue Sep 18 13:12:59 2012; TCP; eth1; 40 bytes; from wp.hit.gemius.pl:http to host1:29070; FIN sent; 3 packets, 821 bytes, avg flow rate 6.00 kbits/s 
Tue Sep 18 13:12:59 2012; TCP; eth1; 40 bytes; from wp.hit.gemius.pl:http to host1:29070; FIN sent; 4 packets, 861 bytes, avg flow rate 6.00 kbits/s 
Tue Sep 18 13:12:59 2012; TCP; eth1; 46 bytes; from host1:29070 to wp.hit.gemius.pl:http; FIN acknowleged
Tue Sep 18 13:12:59 2012; TCP; eth1; 46 bytes; from host1:29070 to wp.hit.gemius.pl:http; FIN sent; 6 packets, 1180 bytes, avg flow rate 9.00 kbits/s

IPtraf logs the protocol, the ports (as service names where it knows them), the source host, the destination host and a timestamp. This is enough to build a simple antivirus on, but first I have to define which patterns of traffic I will classify as caused by malware.

How I decide whether traffic may be caused by malware:

  • Too many SMTP connections per host in the same second are classified as malware
  • Too many SMTP connections per host to many different destinations in a short time are probably caused by malware
  • Any connection to the ircd service (port 6667) is treated as malware, unless your users really do use IRC

Because the IPtraf logs carry exactly this information, my script stays simple. I check the SMTP connections with the command below:

grep host_from_our_lan iptraf.log | grep smtp | awk '{print $5 $3 $4}' | tr -d ';|:' | uniq -c | sort -u | pcregrep -o '[0-9][0-9][0-9]*\s+'

And I get something like this:

20 
21 
23 
24 
24 
25 
25 
25 
27

Before the final pcregrep, every line has two columns: the first is the number of times the (grep-selected) log line repeated, the second is a timestamp in the form "YYYYDDHHMMSS", so each count is the number of matching lines within one second. I will explain this glue step by step:

  • grep host_from_our_lan iptraf.log – select the lines of iptraf.log (the file iptraf writes its log to) that mention host_from_our_lan. Beware that this matches the host as source and as destination, and that a plain grep for 10.0.0.1 also matches 10.0.0.10; grep for "from host:" if you only want the connections the host opened
  • grep smtp – keep only the SMTP lines among them
  • awk '{print $5 $3 $4}' – awk with its default separator (whitespace) numbers the fields so that $3 is the day of the month, $4 the time HH:MM:SS and $5 the year; the month ($2) is left out, which is harmless here because the log is chronological and uniq only compares neighbouring lines
  • tr -d ';|:' – remove the ';' and ':' characters, which are not needed
  • uniq -c – count how many times each (adjacent) line repeats
  • sort -u – sort the lines and drop exact duplicates. Note that this sorts the whole line lexically, not numerically by the first column, so 100 sorts before 20; use sort -n if you want the largest counts last
  • pcregrep -o '[0-9][0-9][0-9]*\s+' – print only the number of occurrences. The pattern needs at least two digits, so single-digit counts are silently dropped, which does not matter with a limit of 50

This is the trick: if the number of SMTP log lines FROM host_from_our_lan in one second exceeds some LIMIT, the host may be classified as infected. 20 connections per second over SMTP can be produced by ordinary e-mail clients (with several accounts configured), but 50 or more per second is most probably malware. Malware does not care about any limits; the only goal of such a program is to send as much spam as possible in as short a time as possible. Keep in mind that grep smtp matches every line of a connection (the SYN in each direction and the FIN lines), so one real connection yields several counted lines; calibrate the limit against what a known-clean host produces. Now we can write a simple loop and our bash antivirus is done.

#!/bin/bash
### Our LAN hosts
HOSTS=( 10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5 10.0.0.6 10.0.0.7 10.0.0.8 10.0.0.9 10.0.0.10 )

### Limit for malware detection (SMTP log lines per host and second)
LIMIT_SMTP="50"

### The file iptraf writes its log to
LOG="iptraf.log"

### Checking all the hosts
for host in "${HOSTS[@]}";
do
 ### "from $host:" selects only connections opened by the host, and 10.0.0.1 no longer matches 10.0.0.10
 for count in `grep -F "from $host:" "$LOG" | grep smtp | awk '{print $5 $3 $4}' | tr -d ';|:' | uniq -c | sort -u | pcregrep -o '[0-9][0-9][0-9]*\s+'`;
 do
  if [ "$count" -gt "$LIMIT_SMTP" ];
  then
   echo "Virus detected on $host ($count SMTP lines in one second)."
   ### The router forwards the LAN traffic, so block the host in the FORWARD chain (-P only sets a chain policy and takes no -s)
   iptables -I FORWARD -s "$host" -j DROP
   break
  fi
 done
done

You can add a second condition with grep ircd for the IRC check, and that is all. It is very useful. If you want to redirect infected users to a page with information, add the rule below next to the DROP rule in the loop:

### We assume that our router, with the information page served by httpd, listens on 10.0.0.1
ROUTER="10.0.0.1"
### $host is the LAN host the loop flagged; only web traffic is rewritten, so the host's other traffic is not hijacked
iptables -t nat -A PREROUTING -s "$host" -p tcp --dport 80 -j DNAT --to-destination "$ROUTER:80"
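As an added example (not the article's own script), here is the same detection from the loop above together with the redirect rule, written so that it counts only the client-side SYN per source host and second, since iptraf also logs the server's SYN-ACK and the FIN lines of every connection and a plain grep smtp counts those too. It adds the IRC check, matches hosts exactly (so 10.0.0.1 no longer matches 10.0.0.10), and prints the DROP and DNAT rules instead of applying them unless APPLY=1 is set, so it can be tried without root. The log lines are constructed for this example; the host names, the example.net and example.org servers, the router address 10.0.0.1 taken from above and the lowered limit of 3 are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Needs bash, awk and sort only.

# Outbound SMTP SYNs per (source host, second), read from an iptraf log file.
# iptraf fields are separated by "; ":
#   $1 "Thu Dec  1 13:01:16 2011"  $2 "TCP"  $3 "eth1"  $4 "48 bytes"
#   $5 "from host1:50001 to mx1.example.net:smtp"  $6 "first packet (SYN)"
# Only the client's SYN is counted: the server's SYN-ACK carries ":smtp" on
# the "from" side and the FIN lines have no "first packet", so neither matches.
# Output: "<count> <host> <YYYY-Mon-D> <HH:MM:SS>", one line per host-second.
smtp_bursts() {
  awk -F'; ' '
    $2 == "TCP" && $6 ~ /^first packet \(SYN\)/ && $5 ~ / to [^ ]+:smtp$/ {
      split($1, t, " ")                    # t[2]=Dec t[3]=1 t[4]=13:01:16 t[5]=2011
      split($5, f, " ")                    # f[2]=src:port  f[4]=dst:port
      src = f[2]; sub(/:[^:]*$/, "", src)  # strip the ephemeral source port
      n[src " " t[5] "-" t[2] "-" t[3] " " t[4]]++
    }
    END { for (k in n) print n[k], k }
  ' "$1"
}

# Hosts that opened any IRC connection (port 6667 is "ircd" in /etc/services;
# iptraf prints the number when it has no name for the port).
irc_hosts() {
  awk -F'; ' '
    $2 == "TCP" && $6 ~ /^first packet \(SYN\)/ && $5 ~ / to [^ ]+:(ircd|6667)$/ {
      split($5, f, " "); src = f[2]; sub(/:[^:]*$/, "", src); print src
    }
  ' "$1" | sort -u
}

# detect LOG LIMIT HOST...  ->  "<host> <reason>" lines, LAN hosts only.
# The whole-word membership test (" host1 " inside " host1 host2 ") avoids
# the substring clash of grep 10.0.0.1 also matching 10.0.0.10.
detect() {
  local log=$1 limit=$2; shift 2
  local lan=" $* "
  {
    smtp_bursts "$log" | awk -v lim="$limit" -v lan="$lan" \
      'index(lan, " " $2 " ") && $1 + 0 > lim + 0 { print $2, "smtp-burst" }'
    irc_hosts "$log"   | awk -v lan="$lan" 'index(lan, " " $1 " ") { print $1, "irc" }'
  } | sort -u
}

# Rules for a flagged host. The router forwards LAN traffic, so the block goes
# into FORWARD (not the OUTPUT policy). DNAT'ed packets are delivered locally
# (INPUT), so the info page on the router stays reachable even though FORWARD
# drops everything else from that host; only port 80 is rewritten.
# Commands are printed unless APPLY=1, so this runs without root or netfilter.
block_host() {
  local host=$1 reason=$2 router=${ROUTER:-10.0.0.1}   # 10.0.0.1 as in the article
  local -a cmds=(
    "iptables -I FORWARD -s $host -j DROP"
    "iptables -t nat -I PREROUTING -s $host -p tcp --dport 80 -j DNAT --to-destination $router:80"
  )
  local c
  for c in "${cmds[@]}"; do
    if [ "${APPLY:-0}" = 1 ]; then $c; else echo "# $reason: $c"; fi
  done
}

# Constructed sample log (assumed hosts and servers): host1 opens 4 SMTP
# connections in one second, host2 opens 2, host3 talks to IRC, plus the
# server's SYN-ACK, a FIN line and unrelated DNS/HTTP noise.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Thu Dec  1 13:01:16 2011; TCP; eth1; 48 bytes; from host1:50001 to mx1.example.net:smtp; first packet (SYN)
Thu Dec  1 13:01:16 2011; TCP; eth1; 48 bytes; from mx1.example.net:smtp to host1:50001; first packet (SYN)
Thu Dec  1 13:01:16 2011; TCP; eth1; 48 bytes; from host1:50002 to mx2.example.net:smtp; first packet (SYN)
Thu Dec  1 13:01:16 2011; TCP; eth1; 48 bytes; from host1:50003 to mx3.example.net:smtp; first packet (SYN)
Thu Dec  1 13:01:16 2011; TCP; eth1; 48 bytes; from host1:50004 to mx4.example.net:smtp; first packet (SYN)
Thu Dec  1 13:01:16 2011; TCP; eth1; 46 bytes; from host1:50001 to mx1.example.net:smtp; FIN sent; 12 packets, 3400 bytes, avg flow rate 27.00 kbits/s
Thu Dec  1 13:01:17 2011; TCP; eth1; 48 bytes; from host2:50010 to mx1.example.net:smtp; first packet (SYN)
Thu Dec  1 13:01:17 2011; TCP; eth1; 48 bytes; from host2:50011 to mx1.example.net:smtp; first packet (SYN)
Thu Dec  1 13:01:18 2011; TCP; eth1; 52 bytes; from host3:50020 to irc.example.org:ircd; first packet (SYN)
Thu Dec  1 13:01:18 2011; UDP; eth1; 40 bytes; from host2:61074 to ns.example.net:domain
Thu Dec  1 13:01:19 2011; TCP; eth1; 52 bytes; from host2:50012 to www.example.com:http; first packet (SYN)
EOF

SMTP_LIMIT=3   # lowered for the demo; the article uses 50
detect "$SAMPLE_LOG" "$SMTP_LIMIT" host1 host2 host3 | while read -r host reason; do
  block_host "$host" "$reason"
done
```

With the sample log and a limit of 3 the run flags host1 (four SMTP SYNs in 13:01:16) and host3 (IRC) and prints the two rules for each; host2's two connections and its DNS and HTTP traffic stay below the radar. Point it at the real iptraf log, put the LAN addresses in the host list and set APPLY=1 to have the rules actually installed.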
