April 19, 2025 at 01:05PM

📝 Bash script to find backdoors on Fortinet devices based on public IoCs and symlinks.

#!/bin/bash

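# Report file written in the current directory; truncated on every run so the
# log only holds findings from this check. (Original used typographic quotes,
# which bash treats as literal characters, so the file name was mangled.)
readonly logfile="check.txt"
printf '[*] Backdoor Check Started: %s\n' "$(date)" > "$logfile"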

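#######################################
# Block until the operator presses Enter so each stage can be reviewed.
# Inputs:  reads one line from stdin (discarded, lands in REPLY)
# Outputs: a blank line before and after the prompt on stdout
# Returns: 0 (status of the trailing echo, even on EOF)
#######################################
pause() {
  echo
  # Quote the prompt as one argument; -r keeps read from eating backslashes.
  read -r -p "[Press Enter to continue to next step...]"
  echo
}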

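#######################################
# Announce a stage on the terminal and append a separated banner to the log.
# Globals:   logfile (read) - path of the report file
# Arguments: $1 - stage title
# Outputs:   "==> title" on stdout; "\n==> title" appended to $logfile
#######################################
stage() {
  local title=$1
  printf '==> %s\n' "$title"
  # printf instead of `echo -e`: a title containing backslashes is logged verbatim.
  printf '\n==> %s\n' "$title" >> "$logfile"
}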

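# Stage 1: Check suspicious symlinks
# Any symlink whose target refers to /dev/pts, /tmp or /proc is reported.
# The match is a substring match on purpose (as in the original patterns),
# so relative targets such as ../tmp/x are caught too.
stage "Stage 1: Checking suspicious symlinks..."
search_dirs=("/data/" "/var/" "/etc/" "/root/" "/tmp/")
for dir in "${search_dirs[@]}"; do
  printf '%s\n' "[*] Scanning: $dir" | tee -a "$logfile"
  # -print0 / read -d '' keep link names containing whitespace intact, and
  # readlink yields the raw target instead of parsing `ls -l` output.
  while IFS= read -r -d '' link; do
    target=$(readlink -- "$link") || continue
    if [[ "$target" =~ /dev/pts/[0-9]+ || "$target" == */tmp/* || "$target" == */proc/* ]]; then
      printf '%s\n' "[!] Suspicious symlink: $link -> $target" | tee -a "$logfile"
    fi
  done < <(find "$dir" -type l -print0 2>/dev/null)
done
pause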

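# Stage 2: Check cron jobs
# Tool names are matched only at the start of a word so "sync" or "once"
# are not reported as "nc"; suffixes are still allowed ("python3", "bash -c").
# User crontabs under /var/spool/cron are scanned as well as /etc/cron*;
# a missing directory is silently skipped (stderr discarded).
stage "Stage 2: Checking cron jobs for suspicious entries..."
grep -r -E -- '(^|[^[:alnum:]_])(curl|wget|nc|netcat|bash|python)' /etc/cron* /var/spool/cron 2>/dev/null | tee -a "$logfile"
pause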

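# Stage 3: Hidden files with execution permissions
# /proc and /sys are pruned: they contain no on-disk files and walking them
# makes the scan slow. -executable is a GNU find extension (as in the original).
stage "Stage 3: Checking for hidden executable files..."
find / \( -path /proc -o -path /sys \) -prune -o -name ".*" -type f -executable -print 2>/dev/null | tee -a "$logfile"
pause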

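# Stage 4: Check authorized SSH keys and user shells
# /root/.ssh is readable only as root; the listing and the key contents are
# both recorded, since an unknown key is the finding an analyst needs to see.
stage "Stage 4: Checking SSH authorized_keys and user shells..."
printf '%s\n' "[*] Users with shell access:" | tee -a "$logfile"
grep -- '/bin/bash' /etc/passwd | tee -a "$logfile"

printf '%s\n' "[*] Root's SSH authorized_keys (if exists):" | tee -a "$logfile"
if [[ -f /root/.ssh/authorized_keys ]]; then
  ls -la /root/.ssh/authorized_keys | tee -a "$logfile"
  tee -a "$logfile" < /root/.ssh/authorized_keys
else
  printf '%s\n' "[*] /root/.ssh/authorized_keys not found" | tee -a "$logfile"
fi
pause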

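# Final stage: List all users
# Broader than Stage 4 (which lists /bin/bash only): /bin/sh accounts are
# included here. Pattern is kept unanchored to match the original behaviour.
stage "Final Stage: Listing all users with login shells..."
grep -E -- '/bin/bash|/bin/sh' /etc/passwd | tee -a "$logfile"

printf '\n[*] Backdoor Check Completed. Output saved in: %s\n' "$logfile"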