BPFHound is a lightweight Linux hunting script to detect signs of the stealthy BPFDoor backdoor.
It looks for processes holding raw sockets, inspects kernel stack traces for BPFDoor-specific call patterns, and checks for known BPFDoor artifact files.
- Detects processes with `packet_recvmsg` in their kernel stack
- Checks for BPFDoor-related artifacts such as:
  - `/dev/shm/kdmtmpflush`
- Checks for dropper-related PID files such as:
  - `/var/run/haldrund.pid`
  - `/var/run/hald-smartd.pid`
  - `/var/run/system.pid`
  - `/var/run/hp-health.pid`
  - `/var/run/hald-addon.pid`
- Identifies abnormal processes using raw sockets
- Performs MD5 hash comparisons of suspicious binaries to locate matching files across the system
- Automatically generates a timestamped report
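The checks listed above, re-implemented as an added example (this is not BPFHound's own code and does not reproduce its script): artifact paths taken from the list above, `packet_recvmsg` matched in `/proc/PID/stack`, AF_PACKET sockets from `/proc/net/packet` mapped back to PIDs through `/proc/PID/fd` links, and an MD5 sweep for copies of a suspect binary. The `ROOT` prefix is an assumption of the example so the functions can be pointed at a constructed tree; left empty, they inspect the live host.

```sh
#!/bin/sh
# Added example, not BPFHound's own code: re-implements the README's checks as
# shell functions that read a filesystem under a ROOT prefix. ROOT is an
# assumption of this example so the checks can run against a constructed fake
# tree; leave it empty (the default) to inspect the live host as root.
ROOT=${ROOT:-}

# Known BPFDoor artifact and dropper PID paths, as listed in the README.
ARTIFACTS="/dev/shm/kdmtmpflush
/var/run/haldrund.pid
/var/run/hald-smartd.pid
/var/run/system.pid
/var/run/hp-health.pid
/var/run/hald-addon.pid"

# Print each known artifact path that exists under $ROOT.
check_artifacts() {
  for f in $ARTIFACTS; do
    [ -e "$ROOT$f" ] && echo "artifact $f"
  done
  return 0
}

# Print PIDs whose kernel stack contains packet_recvmsg, i.e. a task blocked
# receiving on an AF_PACKET socket. /proc/PID/stack is readable only by root.
check_stacks() {
  for s in "$ROOT"/proc/[0-9]*/stack; do
    [ -r "$s" ] || continue
    if grep -q 'packet_recvmsg' "$s" 2>/dev/null; then
      pid=${s#"$ROOT"/proc/}; pid=${pid%/stack}
      echo "stack $pid"
    fi
  done
  return 0
}

# Map every AF_PACKET socket inode in /proc/net/packet (last column) to the
# PIDs holding it, via the "socket:[inode]" targets of /proc/PID/fd/* links.
# Raw IP sockets can be handled the same way from /proc/net/raw and raw6.
check_packet_sockets() {
  [ -r "$ROOT/proc/net/packet" ] || return 0
  while read -r _ _ _ _ _ _ _ _ inode _; do
    # Skip the header line, whose inode column is the word "Inode".
    [ "$inode" -eq "$inode" ] 2>/dev/null || continue
    for fd in "$ROOT"/proc/[0-9]*/fd/*; do
      link=$(readlink "$fd" 2>/dev/null) || continue
      if [ "$link" = "socket:[$inode]" ]; then
        pid=${fd#"$ROOT"/proc/}; pid=${pid%%/*}
        echo "packet $pid inode=$inode"
      fi
    done
  done < "$ROOT/proc/net/packet"
  return 0
}

# Given one suspect binary, print every regular file under $ROOT with the same
# MD5; BPFDoor copies itself under innocuous names, so duplicates matter.
find_same_hash() {
  want=$(md5sum "$1" | cut -d' ' -f1)
  find "${ROOT:-/}" -xdev -type f -exec md5sum {} + 2>/dev/null |
    awk -v h="$want" '$1 == h { print $2 }'
}
```

Source the file and call the functions as root (`. ./checks.sh; check_artifacts; check_stacks; check_packet_sockets`); without root, `/proc/PID/stack` is unreadable for other users' processes and `check_stacks` silently reports nothing. A process that merely holds an AF_PACKET socket is not proof of BPFDoor (tcpdump and DHCP clients do the same), so treat `check_packet_sockets` hits as leads to confirm with the stack and hash checks, and note that the artifact list only catches known variants.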
```bash
git clone https://github.com/devjanger/BPFHound.git
cd BPFHound
chmod +x BPFHound.sh
sudo ./BPFHound.sh
```