We’ve been reading a lot about a Linux exploit targeting webservers and since we manage quite a lot of webservers, we’re keeping a close eye on it. We recently already deployed a check for rogue Apache modules (since we mainly use Apache), but now we’ve also created a check from the code provided by ESET on their security blog describing the Linux/CDorked.A exploit. All it does is check shared memory for a segment of a specific size, but it’s still better than nothing.
As usual, the Icinga check can be found in our GitHub repository and if you’re on Debian, you can find the nagios-plugins-kumina package in our repository. This check needs to be run on the local machine, so you need to setup nrpe or ssh access from Icinga for that.
Let us know if this helps you or if we should improve on it! All kudos to ESET, since they provided the actual script (and research!) for this check.