����JFIF��x�x����'
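#!/bin/bash
#
# Icinga/Nagios check: inspect every OpenVZ container on this host for known
# compromise indicators (dropped scripts in /root, a cron.d entry, an nginx
# config signature, webshell strings under /var/www/html, logins from a fixed
# list of source IPs, and the FiercePhish framework in /root).
#
# Output:  one "CT <ctid>: <finding>;" line per hit, or "No suspicious VPS found".
# Exit:    1 (Nagios WARNING) when anything matched, 0 otherwise.
# Requires: passwordless sudo for vzlist/test/find/grep/last, GNU grep (-P, -z),
#           gawk (--re-interval). Optional whitelist of container IDs (space- or
#           newline-separated) in /etc/icinga2/plinc/suspiciousvps_whitelist.

set -u

# Multi-line nginx signature, applied with grep -Pz (file read as one record).
# NOTE(review): "(.|\n)" allows exactly one character between directives; kept
# verbatim — confirm whether "(.|\n)*" was intended.
readonly MATH_NGINX1='listen\s+80;(.|\n)server_name\s+test.com;(.|\n)access_log\s+off;'
# Source IPs to flag in wtmp, as a GNU basic-regex alternation.
readonly MATH_IPs='176\.114\.0\.62\|41\.96\.111\.223\|178\.162\.199\.66\|178\.162\.195\.12'
readonly WHITELIST_FILE=/etc/icinga2/plinc/suspiciousvps_whitelist

WHITE_LIST=$(test -f "$WHITELIST_FILE" && cat "$WHITELIST_FILE")
WARN=0
RETURN=""

#######################################
# True when $1 is listed in the whitelist as a whole token.
# Exact comparison: a substring match would let CT 12 be skipped because
# CT 120 is whitelisted.
# Globals:   WHITE_LIST (read)
# Arguments: $1 - container id
#######################################
is_whitelisted() {
  local wanted=$1 entry
  [[ -n "$WHITE_LIST" ]] || return 1
  # Word-split on purpose: the file may be one-per-line or space separated.
  for entry in $WHITE_LIST; do
    [[ "$entry" == "$wanted" ]] && return 0
  done
  return 1
}

#######################################
# Record a finding.
# Globals:   WARN, RETURN (written)
# Arguments: $1 - container id; $2 - message
#######################################
report() {
  WARN=1
  RETURN+="CT $1: $2;\n"
}

#######################################
# True when a regular file directly under a directory contains a pattern.
# grep is launched from find (-exec ... +), so file names are never
# word-split and no argument-list limit applies; the old "tail -10000" cap
# is therefore unnecessary. find/grep errors (missing dir, unreadable file)
# are discarded, as before.
# Arguments: $1 - 1 for case-insensitive grep, 0 otherwise
#            $2 - grep (BRE) pattern
#            $3 - directory to scan (maxdepth 1)
#            $@ - extra find predicates (e.g. -iname '*.php', -size -3M)
#######################################
dir_has_match() {
  local ci=$1 pattern=$2 dir=$3
  shift 3
  local -a grep_cmd=(grep -l)
  if (( ci )); then
    grep_cmd+=(-i)
  fi
  local hits
  hits=$(sudo find "$dir" -maxdepth 1 -type f "$@" \
           -exec "${grep_cmd[@]}" -e "$pattern" '{}' + 2>/dev/null)
  [[ -n "$hits" ]]
}

#######################################
# Print the first login source address in the container's wtmp that matches
# MATH_IPs; succeed if one was found.
# Globals:   MATH_IPs (read)
# Arguments: $1 - container id
# Outputs:   the matching address on stdout
# Returns:   0 when a match exists, 1 otherwise
#######################################
bad_login_ip() {
  local ctid=$1 ip
  # last -i prints numeric source addresses; "head -n -2" drops the trailing
  # "wtmp begins ..." lines. NOTE(review): the awk regex /[0-9].?{1,3}/ accepts
  # any field containing a digit; it looks meant as an IPv4 filter — confirm.
  while read -r ip; do
    if grep -q -- "$MATH_IPs" <<<"$ip"; then
      printf '%s\n' "$ip"
      return 0
    fi
  done < <(sudo last -f "/vz/root/$ctid/var/log/wtmp" -i -n 1000 \
             | head -n -2 \
             | awk --re-interval '{if ( $3 ~ /[0-9].?{1,3}/) print $3}' \
             | sort -u)
  return 1
}

#######################################
# Run every indicator check against one container. Findings are appended in
# the same order as before so the report text is stable.
# Globals:   MATH_NGINX1 (read); WARN, RETURN via report()
# Arguments: $1 - container id
#######################################
check_container() {
  local ctid=$1 root="/vz/root/$1" ip

  if sudo test -f "$root/root/installvps.sh"; then
    report "$ctid" "found /root/installvps.sh"
  fi

  if sudo test -f "$root/etc/cron.d/mycron"; then
    report "$ctid" "found /etc/cron.d/mycron"
  fi

  if sudo test -f "$root/etc/nginx/nginx.conf" \
     && sudo grep -q -Pz -- "$MATH_NGINX1" "$root/etc/nginx/nginx.conf"; then
    report "$ctid" "nginx config matched test.com"
  fi

  if dir_has_match 0 'gzinflate(base64_decode(str_rot13\|Inbox :: Unlimited' \
       "$root/var/www/html" -iname '*.php'; then
    report "$ctid" "found suspicious match in /var/www/html"
  fi

  # Report the address that actually matched, not the whole pattern.
  if sudo test -f "$root/var/log/wtmp" && ip=$(bad_login_ip "$ctid"); then
    report "$ctid" "login attempt from $ip"
  fi

  if sudo test -f "$root/root/script.sh"; then
    report "$ctid" "found /root/script.sh"
  fi

  if dir_has_match 1 'fiercephish' "$root/root" -size -3M; then
    report "$ctid" "found FiercePhish framework in /root/"
  fi
}

main() {
  local ctid
  # read -r strips the leading whitespace vzlist -H puts before each id.
  while read -r ctid; do
    [[ -n "$ctid" ]] || continue
    is_whitelisted "$ctid" && continue
    check_container "$ctid"
  done < <(sudo vzlist -H -octid)

  if (( WARN == 1 )); then
    # %b expands the "\n" sequences stored in RETURN, as "echo -n -e" did.
    printf '%b' "$RETURN"
  else
    echo "No suspicious VPS found"
  fi
  exit "$WARN"
}

main "$@"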