Did you read the post on CrowdStrike in detail? I suggest you do. Your script will not work because
- rootkit re-adds itself to the /etc/rc.local
- it patches the filesystem functions to hide itself when you read the file, so I am not convinced grep will pick it up anyway
- you do not unload the actual kernel module if it is running, nor destroy the rootkit kernel module
- did you test it by installing the rootkit in a VM, and confirm that your code will detect and remove it? If not, I do not think you should publish such code just to give people a false sense of security when they run it and it says "rootkit not present"
http://blog.crowdstrike.com/2012/11/http-iframe-injecting-li...