����JFIF��x�x����'
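#!/bin/bash
# Nagios/Icinga check: scan every OpenVZ container on this host for known
# indicators of a compromised VPS (dropper scripts, a rogue cron entry, an
# nginx config for "test.com", encoded PHP in the web root, a FiercePhish
# checkout under /root, logins from a fixed list of source addresses).
# Container IDs listed in the whitelist file are skipped.
#
# Output:  one "CT <id>: <finding>;" line per match, or "No suspicious VPS found".
# Exit:    0 (OK) when nothing matched, 1 (WARNING) when at least one
#          container matched, 3 (UNKNOWN) when the container list cannot be read.
# Privs:   vzlist, test, find, grep and last are run through sudo.
#
# set -e is deliberately not used: an unexpected failure would exit 1, which the
# monitoring system would read as WARNING rather than as a broken check.

# PCRE matched against the whole nginx.conf (grep -Pz): a server block that
# listens on 80 for test.com with logging disabled.  \s* between the directives
# tolerates newlines and indentation between them.
readonly MATH_NGINX1='listen\s+80;\s*server_name\s+test\.com;\s*access_log\s+off;'
# BRE alternation (grep -x) of login source addresses treated as suspicious.
readonly MATH_IPs='176\.114\.0\.62\|41\.96\.111\.223\|178\.162\.199\.66\|178\.162\.195\.12'
readonly WHITE_LIST_FILE=/etc/icinga2/plinc/suspiciousvps_whitelist

# Whitespace-separated container IDs to skip; empty when the file is absent.
WHITE_LIST=$(test -f "$WHITE_LIST_FILE" && cat "$WHITE_LIST_FILE")
WARN=0      # final exit status: 0 = OK, 1 = WARNING
RETURN=""   # accumulated findings, "CT <id>: <what>;\n" per match

#######################################
# Record a finding for a container.
# Globals:   WARN (written), RETURN (appended)
# Arguments: $1 - container ID
#            $2 - description of the finding
#######################################
report() {
  WARN=1
  RETURN+="CT $1: $2;\n"
}

#######################################
# Check whether a container ID appears in the whitelist.  Tokens are compared
# exactly, so a whitelisted "123" does not also hide container "12".
# Globals:   WHITE_LIST (read)
# Arguments: $1 - container ID
# Returns:   0 if whitelisted, 1 otherwise
#######################################
is_whitelisted() {
  local entry
  # shellcheck disable=SC2086 -- word-splitting the whitelist is intended
  for entry in $WHITE_LIST; do
    [[ "$entry" == "$1" ]] && return 0
  done
  return 1
}

#######################################
# Test whether any regular file directly inside a directory contains a pattern.
# find runs under sudo and execs grep itself, so filenames with whitespace are
# handled and find batches the argument list (no fixed file cap is needed).
# Arguments: $1 - directory to scan (not recursed into)
#            $2 - grep flag: -G (plain BRE) or -i (case-insensitive BRE)
#            $3 - BRE pattern
#            $@ - further find predicates (e.g. -iname '*.php')
# Returns:   0 if at least one file matches, 1 otherwise
#######################################
any_file_matches() {
  local dir=$1 grep_flag=$2 pattern=$3
  shift 3
  sudo find "$dir" -maxdepth 1 -type f "$@" \
    -exec grep -l "$grep_flag" -e "$pattern" {} + 2>/dev/null \
    | grep -q .
}

# A failed vzlist must not look like "no containers / OK".
if ! CTIDs=$(sudo vzlist -H -octid); then
  echo "UNKNOWN: unable to list containers (vzlist failed)"
  exit 3
fi

# vzlist -H prints one numeric ID per line; word-splitting is the intended parse.
for ctid in $CTIDs; do
  is_whitelisted "$ctid" && continue
  ct_root=/vz/root/$ctid

  if sudo test -f "$ct_root/root/installvps.sh"; then
    report "$ctid" "found /root/installvps.sh"
  fi

  if sudo test -f "$ct_root/etc/cron.d/mycron"; then
    report "$ctid" "found /etc/cron.d/mycron"
  fi

  if sudo test -f "$ct_root/etc/nginx/nginx.conf" \
     && sudo grep -q -Pz "$MATH_NGINX1" "$ct_root/etc/nginx/nginx.conf"; then
    report "$ctid" "nginx config matched test.com"
  fi

  # Encoded webshell / spam-kit markers in top-level PHP files of the web root.
  if any_file_matches "$ct_root/var/www/html" -G \
       'gzinflate(base64_decode(str_rot13\|Inbox :: Unlimited' -iname '*.php'; then
    report "$ctid" "found suspicious match in /var/www/html"
  fi

  if sudo test -f "$ct_root/var/log/wtmp"; then
    # last -i prints the source as a numeric address in field 3; head -n -2
    # drops the trailing blank line and the "wtmp begins" footer.  Only
    # dotted-quad values are kept, so tty-only or reboot records are ignored.
    login_ips=$(sudo last -f "$ct_root/var/log/wtmp" -i -n 1000 | head -n -2 \
      | awk '$3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $3}' | sort -u)
    for login_ip in $login_ips; do
      # -x: the whole address must equal one of the listed ones.
      if grep -qx -- "$MATH_IPs" <<<"$login_ip"; then
        report "$ctid" "login attempt from $login_ip"
        break   # one hit per container is enough
      fi
    done
  fi

  if sudo test -f "$ct_root/root/script.sh"; then
    report "$ctid" "found /root/script.sh"
  fi

  # Small files only: the marker is a text string, large binaries are skipped.
  if any_file_matches "$ct_root/root" -i 'fiercephish' -size -3M; then
    report "$ctid" "found FiercePhish framework in /root/"
  fi
done

if (( WARN == 1 )); then
  # %b expands the \n sequences collected in RETURN, without a trailing newline.
  printf '%b' "$RETURN"
else
  echo "No suspicious VPS found"
fi
exit "$WARN"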