����JFIF��x�x����'
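#!/bin/bash
# VERSION 003
#
# Icinga/Nagios check for KVM hypervisors: for every VM the SolusVM custom
# API reports as "suspicious" for this host, mount its LV read-only with
# guestmount and look for
#   1. phishing infrastructure - an /etc/haproxy/haproxy.cfg inside the guest
#   2. CSAM ("CP") naming patterns in the guest's home/web directories,
#      only for VMs built less than MAX_AGE seconds ago
#
# Exit codes follow the plugin convention: 0 OK, 2 CRITICAL (pattern found),
# 3 UNKNOWN (another instance running, credentials or API unavailable).
#
# Inputs:  /root/.solusvm_custom_api  - key=value lines: user, pass, host
#          $WHITELIST                  - one VM name per line to skip
# Side effects: mounts/unmounts guest volumes under $MDIR, holds $LOCK.
#
# NOTE(review): the mounted filesystem is attacker-controlled; keep using
# guestmount (libguestfs) for it rather than a direct host mount of the LV.

rc=0
LOCK='/var/run/lock/check_suspicious_vms'
MDIR='/mnt/kvm_check_suspicious'
WHITELIST='/etc/icinga2/plinc/suspicious_vms_wl'
# VMs older than this (seconds) skip the CP-pattern scan; 5 days.
MAX_AGE=432000
hostname=$(hostname)

## get API credentials (root-only file); they are never placed on a command line
while IFS='=' read -r key value; do
  case "$key" in
    pass) password=$value ;;
    host) host=$value ;;
    user) user=$value ;;
  esac
done < '/root/.solusvm_custom_api'

if [[ -z "$user" || -z "$password" || -z "$host" ]]; then
  echo "UNKNOWN: user/pass/host missing from /root/.solusvm_custom_api"
  exit 3
fi

exec {lock_fd}>"$LOCK" || exit 2
# -n fails immediately if the lock is taken (the old -w timeout was overridden
# by -n anyway). The lock file is deliberately left in place: unlinking it
# while another instance may be opening it would let two instances run.
if ! flock -x -n "$lock_fd"; then
  echo "Another instance of $(basename "$0") is probably running."
  exit 3
fi

# guestmount (FUSE) may take a moment to release the mount; retry briefly.
unmount_guest() {
  local i
  for i in 1 2 3; do
    /bin/umount "$MDIR" && return 0
    sleep "$i"
  done
  return 1
}

# Never leave a guest volume mounted behind us, whatever the exit path.
cleanup() {
  mountpoint -q "$MDIR" && unmount_guest
  [[ -d "$MDIR" ]] && /bin/rmdir "$MDIR" 2>/dev/null
}
trap cleanup EXIT

mountpoint -q "$MDIR" && /bin/umount "$MDIR"
[[ -d "$MDIR" ]] || mkdir "$MDIR"

## fetch the list of suspicious VMs for this hypervisor.
# Credentials are fed to curl through a config on stdin (-K -) instead of the
# URL, so they do not appear in `ps`, shell traces or curl's error output.
# Backslash and double quote have to be escaped inside a quoted config value.
cred="${user}:${password}"
cred=${cred//\\/\\\\}
cred=${cred//\"/\\\"}
if ! vm_json=$(printf 'user = "%s"\n' "$cred" \
    | curl -fsS -K - "https://${host}:5697/vms-list/${hostname}/suspicious"); then
  echo "UNKNOWN: cannot fetch VM list from ${host}"
  exit 3
fi
# An unreachable or broken API must not be reported as OK.
if ! vm_list=$(jq -r '.[]|.[] | "\(.vm) \(.ip) \(.creationdate) \(.lvm)"' <<< "$vm_json"); then
  echo "UNKNOWN: unexpected API response from ${host}"
  exit 3
fi

while read -r vm ip creationdate lvm; do
  [[ -z "$vm" ]] && continue
  # whitelist entries are VM names: match literally and whole-line
  [[ -f "$WHITELIST" ]] && grep -qxF -- "$vm" "$WHITELIST" && continue

  # The LV name comes from the API; restrict it to a plain name so it cannot
  # point outside /dev/vg2 (e.g. "../sda").
  if [[ ! "$lvm" =~ ^[A-Za-z0-9][A-Za-z0-9_.+-]*$ ]]; then
    echo "UNKNOWN: refusing unexpected LV name '$lvm' for $vm/$ip"
    (( rc == 0 )) && rc=3
    continue
  fi

  # VM age; a non-numeric creationdate (e.g. jq's "null") is treated as
  # brand new so the VM still gets scanned instead of breaking the check.
  now=$(date +%s)
  if [[ "$creationdate" =~ ^[0-9]+$ ]]; then
    age=$(( now - creationdate ))
  else
    age=0
  fi

  /bin/guestmount -a "/dev/vg2/${lvm}" -i --ro "$MDIR" 2>/dev/null || continue

  ## check phishing patterns
  # 1. haproxy
  if [[ -f "${MDIR}/etc/haproxy/haproxy.cfg" ]]; then
    rc=2
    echo "$vm/$ip has a file /etc/haproxy/haproxy.cfg"
  fi

  ## check CP patterns
  # skipped when the VM was built more than MAX_AGE seconds ago
  if (( age >= MAX_AGE )); then
    unmount_guest
    continue
  fi

  # Directories that legitimately contain the searched substrings
  # (e.g. the "twentynineteen" WordPress theme). Kept as an array so the
  # globs reach find unexpanded, whatever the current directory holds.
  excludes=(-name bin-tmp -prune -o -name '*[Ee]xtension*' -prune -o
            -name .vscode-server -prune -o -name bitrix -prune -o
            -name twentynineteen -prune)
  scan_dirs=("${MDIR}/home")
  [[ -d "${MDIR}/var/www" ]] && scan_dirs+=("${MDIR}/var/www")

  # Collect results NUL-delimited so paths with spaces or newlines survive.
  cp_dirs=()
  while IFS= read -r -d '' d; do
    cp_dirs+=("$d")
  done < <(timeout 120 find "${scan_dirs[@]}" -maxdepth 6 -type d "${excludes[@]}" \
      -o -type d -name '*teen*' -print0 \
      -o -type d -name '*tens*' -print0 \
      -o -type d -name '*teens*' -print0)
  if (( ${#cp_dirs[@]} )); then
    printf 'Found CP pattern (DIRS) in %s/%s: \n' "$vm" "$ip"
    printf '%s\n' "${cp_dirs[@]}"
    rc=2
  fi

  cp_images=()
  while IFS= read -r -d '' d; do
    cp_images+=("$d")
  done < <(timeout 60 find "${scan_dirs[@]}" -maxdepth 6 -type d "${excludes[@]}" \
      -o -name 'kshared' -print0 \
      -o -name '*jumploads' -print0)
  if (( ${#cp_images[@]} )); then
    printf 'Found CP pattern (IMAGES DIRS) in %s/%s: \n' "$vm" "$ip"
    printf '%s\n' "${cp_images[@]}"
    rc=2
  fi

  # Grep inside every flagged directory (the old loop collapsed all of them
  # onto one line and so only worked for a single hit). Report file names
  # (-l) rather than matching lines, so guest content never lands in the
  # alert text; -Z NUL-terminates them for the same reason as above.
  cp_words=()
  for dir in "${cp_dirs[@]}"; do
    [[ -d "$dir" ]] || continue
    while IFS= read -r -d '' f; do
      cp_words+=("$f")
    done < <(timeout 30 find "$dir" -maxdepth 3 -type f -size -3M \
        -exec grep -lZE '(cute|webcam) teens' -- {} + 2>/dev/null)
  done
  if (( ${#cp_words[@]} )); then
    printf 'Found CP pattern (WORDS) in %s/%s: \n' "$vm" "$ip"
    printf '%s\n' "${cp_words[@]}"
    rc=2
  fi

  unmount_guest
done <<< "$vm_list"

(( rc == 0 )) && echo 'OK'
exit "$rc"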