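#===============================================================================#
#== Declare User Functions that we want to remain even after jobs are dropped ==#
#===============================================================================#
### This file only defines functions and aliases, so it is meant to be sourced
### into the operator's shell rather than executed. Every function turns alias
### expansion off while it runs and back on just before it returns (the files
### it sources at run time are presumably meant to be read without aliases);
### the leading backslash on "\shopt", "\return" and "\date" keeps those words
### from being alias-expanded themselves.

### Wrap the "malre" command so that the user no longer needs to source files
###
### Usage: malre [--]take|drop|init|exit|<anything else> [ARGS]
### Runs malre.sh; for take, drop and init it also picks the "source '<path>'"
### line out of malre.sh's output and sources that job file here, so the job
### environment lands in the caller's shell. Other sub-commands pass straight
### through to malre.sh.
### Globals read: v_MALWARE_REMEDIATION_IDENT; v_ACCOUNT (set by fn_account
###   from basic.shf during init)
### Returns: malre.sh's status where it is the last thing run, else 0
function userfn_malre {
    \shopt -u expand_aliases
    ### Find malre.sh and the directory it's installed in
    local d_PROGRAM='/usr/local/lp/apps/malre'
    local f_PROGRAM='/usr/local/lp/apps/malre/malre.sh'
    local d_WORKING="$d_PROGRAM"/.malre
    ### Regexes kept in variables so "[[ =~ ]]" sees them unquoted and intact
    local re_IDENT='^[A-Za-z0-9_]{12}-[A-Za-z0-9]{14}'
    local re_TAKE_INIT_DROP='^(--)?(take|init|drop)$'
    local re_TAKE_INIT='^(--)?(take|init)$'
    local re_TAKE='^(--)?take$'
    local re_DROP='^(--)?drop$'
    local re_EXIT='^(--)?exit$'
    local re_INIT='^(--)?init$'
    local f_SOURCE v_JIDENT v_AIDENT
    local v_RC=0
    ### If they're not in the right state for take, drop, or init, just run the regular script - it knows what to do
    if [[ "$v_MALWARE_REMEDIATION_IDENT" =~ $re_IDENT ]]; then
        v_JIDENT="${v_MALWARE_REMEDIATION_IDENT%%-*}"
        v_AIDENT="${v_MALWARE_REMEDIATION_IDENT##*-}"
        if [[ -z "$v_AIDENT" || ! -d "$d_WORKING"/agents/"$v_AIDENT" || ! -f "$d_WORKING"/agents/"$v_AIDENT"/touch ]]; then
            if [[ "$1" =~ $re_TAKE_INIT_DROP ]]; then
                "$f_PROGRAM" "$@"
                v_RC=$?
                \shopt -s expand_aliases
                \return "$v_RC"
            fi
        fi
        if [[ -n "$v_JIDENT" && -d "$d_WORKING"/jobs/"$v_JIDENT" && -f "$d_WORKING"/jobs/"$v_JIDENT"/account ]]; then
            if [[ "$1" =~ $re_TAKE_INIT ]]; then
                "$f_PROGRAM" "$@"
                v_RC=$?
                \shopt -s expand_aliases
                \return "$v_RC"
            fi
        elif [[ "$1" =~ $re_DROP ]]; then
            "$f_PROGRAM" "$@"
            v_RC=$?
            \shopt -s expand_aliases
            \return "$v_RC"
        fi
    fi
    ### wrap malre.sh so we don't have to source files anymore
    if [[ "$1" =~ $re_DROP ]] || [[ "$1" =~ $re_TAKE && -n "$2" ]]; then
        ### For "--take" and "--drop" malre.sh prints a "source '<job file>'" line; pick the path out and source it here.
        ### NOTE(review): that path is trusted because it comes from malre.sh itself - only its existence is checked.
        f_SOURCE="$( "$f_PROGRAM" "$@" | grep -E "source.*/jobs/job_" | cut -d \' -f2 )"
        if [[ -f "$f_SOURCE" ]]; then
            source "$f_SOURCE"
            \shopt -u expand_aliases
        fi
    elif [[ "$1" =~ $re_EXIT ]]; then
        ### drop the job and unset all of the malre functions
        source "$d_PROGRAM"/source_includes/clear "exit"
        \shopt -u expand_aliases
    elif [[ "$1" =~ $re_INIT ]]; then
        ### For "--init" ask the necessary questions, then find the source files
        ### Ask what account the job is being created for
        source "$d_PROGRAM"/source_includes/basic.shf
        fn_account
        source "$d_PROGRAM"/source_includes/basic_close.shf
        ### If there are other recent jobs for this account, let the user know.
        ### A status of 12 from this step aborts the init (what 12 means is defined by malre.sh).
        "$f_PROGRAM" --init --questions "$v_ACCOUNT"
        v_RC=$?
        if [[ "$v_RC" -eq 12 ]]; then
            \shopt -s expand_aliases
            \return "$v_RC"
        fi
        ### Get the ticket number
        source "$d_PROGRAM"/source_includes/jobs.shf
        local v_TICKET
        v_TICKET="$( fn_ask_ticket )"
        source "$d_PROGRAM"/source_includes/jobs_close.shf
        ### Create the source script and then source it (same trust note as above)
        f_SOURCE="$( "$f_PROGRAM" --init --no-questions "$v_ACCOUNT" "$v_TICKET" | grep -E "source.*/jobs/job_" | cut -d \' -f2 )"
        if [[ -f "$f_SOURCE" ]]; then
            source "$f_SOURCE"
            \shopt -u expand_aliases
        fi
        unset v_ACCOUNT v_TICKET
    else
        ### If it's anything else, just let malre.sh do it
        "$f_PROGRAM" "$@"
        v_RC=$?
    fi
    \shopt -s expand_aliases
    \return "$v_RC"
}
alias malre='userfn_malre'

### Automate the process of backing up, documenting, and disabling files
###
### Usage: userfn_backup_disable --dis|--bak|--note|--led [OPTIONS] [--] FILE...
###   --dis   back up and log each file, then disable it (symlink: removed;
###           file: chmod 000, and also reported through checkers unless -n;
###           directory: chmod 000)
###   --bak   back up and log each file before it is edited or changed
###   --note  log each file as needing customer review (and back it up)
###   --led   open each regular file in $EDITOR after backing it up; if its
###           ctime changed, log it and back it up a second time
### Options (everything up to "--" is scanned for these; anything else is a file):
###   -c|--comment TEXT      replace the default log comment
###   --no-comment           log without a comment
###   -n|--no-report         for --dis, chmod only - do not also call checkers
###   -f|--flush             remember the current log length so that the next
###                          --list shows only newer entries; then return
###   -l|--list [-f|-a]      print the log (-a/--all: all of it; -f/--flush:
###                          flush instead); -la/-al and -lf/-fl are shorthands
###   --flushall|--flush-all flush the logs of all four types
###   -h|--help              print the help text
### Requires an active Malre job ($v_MALWARE_REMEDIATION_IDENT) and Stat Watch.
### Globals read: v_MALWARE_REMEDIATION_IDENT, v_MALWARE_REMEDIATION_IP_ADDRESS, EDITOR
### Globals written: none (v_JIDENT, v_AIDENT and d_JOB are locals; bash's
###   dynamic scoping still makes them visible to fn_is_file_in_job and the includes)
function userfn_backup_disable {
    \shopt -u expand_aliases
    local d_PROGRAM='/usr/local/lp/apps/malre'
    local d_WORKING="$d_PROGRAM"/.malre
    local f_STATWATCH='/usr/local/stat_watch/stat_watch_wrap.sh'
    local f_ESCAPE='/usr/local/stat_watch/scripts/escape.pl'
    local re_IDENT='^[A-Za-z0-9_]{12}-[A-Za-z0-9]{14}'
    local v_JIDENT v_AIDENT d_JOB d_AGENT
    ### Make sure that we're in a malre job
    if [[ ! "$v_MALWARE_REMEDIATION_IDENT" =~ $re_IDENT ]]; then
        echo "This command cannot be run outside of a Malre job"
        \shopt -s expand_aliases
        \return
    fi
    v_JIDENT="${v_MALWARE_REMEDIATION_IDENT%%-*}"
    v_AIDENT="${v_MALWARE_REMEDIATION_IDENT##*-}"
    d_JOB="$d_WORKING"/jobs/"$v_JIDENT"
    d_AGENT="$d_WORKING"/agents/"$v_AIDENT"
    if [[ -z "$v_JIDENT" || ! -d "$d_JOB" || ! -f "$d_JOB"/account ]]; then
        echo "This command cannot be run outside of a Malre job"
        \shopt -s expand_aliases
        \return
    elif [[ -z "$v_AIDENT" || ! -d "$d_AGENT" || ! -f "$d_AGENT"/address ]]; then
        ### If they have an agent identification, but there's not a directory for it, it's safe here to create one
        mkdir -p "$d_AGENT"
        printf '%s' "$v_MALWARE_REMEDIATION_IP_ADDRESS" > "$d_AGENT"/address
        printf '%s' "$v_JIDENT" > "$d_AGENT"/job
    fi
    ### Record the activity on both the job and the agent
    local v_NOW
    v_NOW="$( \date +%s )"
    printf '%s' "$v_NOW" > "$d_JOB"/touch
    printf '%s' "$v_NOW" > "$d_JOB"/touch2
    printf '%s' "$v_NOW" > "$d_AGENT"/touch

    ### Pick the log, counter and default comment for the requested action
    local v_TYPE f_LOG f_COUNT v_COMMENT
    case "$1" in
        --dis)
            v_TYPE="dis"
            f_LOG="$d_JOB"/actions/files_disabled.txt
            f_COUNT="$d_JOB"/actions/files_disabled_count.txt
            v_COMMENT="Backed up previous to disabling"
            ;;
        --bak)
            v_TYPE="bak"
            f_LOG="$d_JOB"/actions/files_backedup.txt
            f_COUNT="$d_JOB"/actions/files_backedup_count.txt
            v_COMMENT="Backed up previous to editing or changing"
            ;;
        --note)
            v_TYPE="note"
            f_LOG="$d_JOB"/actions/files_noted.txt
            f_COUNT="$d_JOB"/actions/files_noted_count.txt
            v_COMMENT="Needs customer review"
            ;;
        --led)
            v_TYPE="led"
            f_LOG="$d_JOB"/actions/files_loop_edited.txt
            f_COUNT="$d_JOB"/actions/files_loop_edited_count.txt
            v_COMMENT="Backed up previous to a loop edit"
            ;;
        *)
            \shopt -s expand_aliases
            \return
            ;;
    esac
    shift

    ### First pass over the arguments: flags only. A log action (flush/list/help)
    ### is carried out below and ends the call without touching any file.
    local b_OVERRIDE_COMMENT=false
    local b_REPORT=true
    local a_ARGS=( "$@" )
    local c v_ARG v_NEXT
    local v_ACTION=
    for (( c = 0; c < ${#a_ARGS[@]}; c++ )); do
        v_ARG="${a_ARGS[$c]}"
        v_NEXT="${a_ARGS[$c + 1]}"
        case "$v_ARG" in
            --)
                break
                ;;
            --flush|-f|-lf|-fl)
                v_ACTION=flush
                ;;
            --list|-l|-la|-al)
                if [[ "$v_NEXT" == "-f" || "$v_NEXT" == "--flush" ]]; then
                    v_ACTION=flush
                elif [[ "$v_ARG" == "-la" || "$v_ARG" == "-al" || "$v_NEXT" == "-a" || "$v_NEXT" == "--all" ]]; then
                    v_ACTION=list_all
                else
                    v_ACTION=list_new
                fi
                ;;
            --flushall|--flush-all)
                v_ACTION=flush_all
                ;;
            -h|--help)
                v_ACTION=help
                ;;
            --comment|-c)
                ### The next word is the comment text
                c=$(( c + 1 ))
                v_COMMENT="${a_ARGS[$c]}"
                b_OVERRIDE_COMMENT=true
                ;;
            --no-report|-n)
                b_REPORT=false
                ;;
            --no-comment)
                v_COMMENT=
                b_OVERRIDE_COMMENT=false
                ;;
        esac
        [[ -n "$v_ACTION" ]] && break
    done

    ### The "lines" files hold the log length at the last flush, per agent and per job
    local f_LINES_AGENT="$d_AGENT"/lines_"$v_TYPE"_"$v_JIDENT"
    local f_LINES_JOB="$d_JOB"/actions/lines_"$v_TYPE"
    local v_LINES
    case "$v_ACTION" in
        flush)
            ### Set the current number of lines as the number that should be ignored unless "--all" is used
            if [[ -f "$f_LOG" ]]; then
                v_LINES="$( wc -l < "$f_LOG" )"
                v_LINES="${v_LINES//[[:space:]]/}"
                if [[ "$v_LINES" =~ ^[0-9]+$ ]]; then
                    printf '%s' "$v_LINES" > "$f_LINES_AGENT"
                    printf '%s' "$v_LINES" > "$f_LINES_JOB"
                fi
            fi
            \shopt -s expand_aliases
            \return
            ;;
        list_all)
            ### Output all entries
            if [[ -f "$f_LOG" ]]; then
                cat "$f_LOG" 2> /dev/null
            fi
            \shopt -s expand_aliases
            \return
            ;;
        list_new)
            v_LINES=1
            ### Check both of the lines files to see if either is applicable; the agent's copy wins
            if [[ -f "$f_LINES_AGENT" ]]; then
                v_LINES="$( cat "$f_LINES_AGENT" 2> /dev/null )"
            elif [[ -f "$f_LINES_JOB" ]]; then
                v_LINES="$( cat "$f_LINES_JOB" 2> /dev/null )"
            fi
            ### Make sure that the number we have is logical; the stored value is the last line already seen
            if [[ "$v_LINES" =~ ^[0-9]+$ ]]; then
                v_LINES=$(( v_LINES + 1 ))
            else
                v_LINES=1
            fi
            ### tail the file starting with that line number
            if [[ -f "$f_LOG" ]]; then
                tail -n +"$v_LINES" "$f_LOG" 2> /dev/null
            fi
            \shopt -s expand_aliases
            \return
            ;;
        flush_all)
            ### Flush all of the logs
            local i
            for i in '--dis' '--bak' '--note' '--led'; do
                userfn_backup_disable "$i" "--list" "--flush"
                \shopt -u expand_aliases
            done
            \shopt -s expand_aliases
            \return
            ;;
        help)
            "$d_PROGRAM"/scripts/fold_out.pl "$d_PROGRAM"/texts/help_header.txt "$d_PROGRAM"/texts/help_dis.txt "$d_PROGRAM"/texts/help_feedback.txt
            \shopt -s expand_aliases
            \return
            ;;
    esac

    ### Make sure that we have necessary components
    if [[ ! -x "$f_STATWATCH" ]]; then
        echo "This function relies on Stat Watch, which does not appear to be present. No actions have been taken."
        \shopt -s expand_aliases
        \return
    fi
    if ! grep -E "BACKUP_DIRECTORY" /usr/local/stat_watch/stat_watch.conf | grep -Eq "/"; then
        echo "Please set up a default backup directory in '/usr/local/stat_watch/stat_watch.conf'"
        \shopt -s expand_aliases
        \return
    fi
    ### $EDITOR is expanded unquoted further down so that it may carry its own
    ### options (e.g. "vim -u NONE"). If it is empty, the file being "edited"
    ### would itself become the command - and these are suspected malware - so
    ### refuse up front rather than execute it.
    if [[ "$v_TYPE" == "led" && -z "$EDITOR" ]]; then
        echo "EDITOR is not set, so there is nothing to edit with. No actions have been taken."
        \shopt -s expand_aliases
        \return
    fi
    ### Find the count of files we've run against so far
    local v_COUNT=0
    if [[ -f "$f_COUNT" ]]; then
        v_COUNT="$( head -n1 "$f_COUNT" 2> /dev/null )"
        [[ "$v_COUNT" =~ ^[0-9]+$ ]] || v_COUNT=0
    fi
    source "$d_PROGRAM"/source_includes/basic.shf

    ### Second pass: everything that is not a flag is a file to act on
    local b_ASSUME_FILE=false
    local v_FAIL v_ARG2 v_LOG v_CTIME1 v_CTIME2
    for (( c = 0; c < ${#a_ARGS[@]}; c++ )); do
        v_ARG="${a_ARGS[$c]}"
        ### skip command line flags - we've already interpreted these
        if [[ "$b_ASSUME_FILE" == false ]]; then
            case "$v_ARG" in
                --)
                    b_ASSUME_FILE=true
                    continue
                    ;;
                --comment|-c)
                    ### This indicates that the next one is a comment, so skip it too
                    c=$(( c + 1 ))
                    continue
                    ;;
                --no-comment|--no-report|-n)
                    continue
                    ;;
            esac
        fi
        ### Failure is per file: a failure on one file must not make every later file look failed
        v_FAIL=false
        ### If it ends in a slash, remove that slash
        v_ARG="${v_ARG%/}"
        ### This will give us the full path to the file, so long as it's within the purview of the job
        v_ARG2="$( fn_is_file_in_job "$v_ARG" )"
        if [[ -z "$v_ARG2" ]]; then
            echo "File $( printf '%s' "$v_ARG" | "$f_ESCAPE" ) is not within the purview of the job. Skipping."
            continue
        fi
        if [[ ! -f "$v_ARG2" && ! -d "$v_ARG2" && ! -L "$v_ARG2" ]]; then
            if [[ ! -e "$v_ARG2" ]]; then
                echo "File $( printf '%s' "$v_ARG" | "$f_ESCAPE" ) does not exist."
            else
                echo "$( printf '%s' "$v_ARG" | "$f_ESCAPE" ) is not a file, directory, or symlink."
            fi
            continue
        fi
        ### Note its ctime and perms: 'now' -- 'ctime -- ctime epoch -- mode' -- escaped path.
        ### For --led this line is only written if the edit actually changed the file.
        v_LOG="'$( \date +"%F %T %z" )' -- '$( stat -c "%z' -- '%Z' -- '%A" "$v_ARG2" )' -- $( printf '%s' "$v_ARG2" | "$f_ESCAPE" )"
        if [[ "$v_TYPE" != "led" ]]; then
            if [[ "$b_OVERRIDE_COMMENT" == false ]]; then
                printf '%s\n' "$v_LOG" >> "$f_LOG" || v_FAIL=true
            else
                printf '%s\n - %s\n' "$v_LOG" "$v_COMMENT" >> "$f_LOG" || v_FAIL=true
            fi
            if [[ "$v_FAIL" == true ]]; then
                echo "Failed to log details of $( printf '%s' "$v_ARG" | "$f_ESCAPE" )"
                continue
            fi
            ### Log the count
            v_COUNT=$(( v_COUNT + 1 ))
            printf '%s' "$v_COUNT" > "$f_COUNT"
        fi
        ### If it's a file or symlink, back it up (for --led only regular files, possibly through a symlink)
        if [[ ( "$v_TYPE" != "led" && -L "$v_ARG2" ) || -f "$v_ARG2" ]]; then
            if [[ -n "$v_COMMENT" ]]; then
                "$f_STATWATCH" -a "$v_ARG2" --comment "$v_COMMENT" || v_FAIL=true
            else
                "$f_STATWATCH" -a "$v_ARG2" || v_FAIL=true
            fi
            if [[ "$v_FAIL" == true ]]; then
                echo "Failed to create backup of $( printf '%s' "$v_ARG" | "$f_ESCAPE" )"
                continue
            fi
        fi
        if [[ "$v_TYPE" == "dis" ]]; then
            ### disable the file
            if [[ -L "$v_ARG2" ]]; then
                rm -fv "$v_ARG2" || v_FAIL=true
            elif [[ "$b_REPORT" == true && -f "$v_ARG2" ]]; then
                chmod -v 000 "$v_ARG2" || v_FAIL=true
                ### Unfortunately checkers doesn't have exit codes that show failure, so it's easier to just do both here
                if [[ -e '/usr/bin/checkers' ]]; then
                    ( timeout 15 /usr/bin/checkers disable "$v_ARG2" > /dev/null 2>&1 & disown "$!" 2> /dev/null ) > /dev/null 2>&1
                fi
            else
                chmod -v 000 "$v_ARG2" || v_FAIL=true
            fi
            if [[ "$v_FAIL" == true ]]; then
                echo "Failed to disable $( printf '%s' "$v_ARG" | "$f_ESCAPE" )"
                continue
            fi
        elif [[ "$v_TYPE" == "led" && -f "$v_ARG2" && ! -L "$v_ARG2" ]]; then
            v_CTIME1="$( stat -c %z "$v_ARG2" )"
            ### $EDITOR is a session variable that they can set; deliberately unquoted
            ### so it may carry options, and checked non-empty above
            # shellcheck disable=SC2086
            $EDITOR "$v_ARG2"
            v_CTIME2="$( stat -c %z "$v_ARG2" )"
            if [[ "$v_CTIME1" != "$v_CTIME2" ]]; then
                ### The edit changed the file: count it, log it, and back up the new version
                v_COUNT=$(( v_COUNT + 1 ))
                printf '%s' "$v_COUNT" > "$f_COUNT"
                if [[ "$b_OVERRIDE_COMMENT" == false ]]; then
                    printf '%s\n' "$v_LOG" >> "$f_LOG" || v_FAIL=true
                else
                    printf '%s\n - %s\n' "$v_LOG" "$v_COMMENT" >> "$f_LOG" || v_FAIL=true
                fi
                if [[ "$v_FAIL" == true ]]; then
                    echo "Failed to log details of $( printf '%s' "$v_ARG" | "$f_ESCAPE" ):"
                    printf ' %s\n' "$v_LOG"
                fi
                v_FAIL=false
                "$f_STATWATCH" -a "$v_ARG2" || v_FAIL=true
                if [[ "$v_FAIL" == true ]]; then
                    echo "Failed to create the second backup of $( printf '%s' "$v_ARG" | "$f_ESCAPE" )"
                fi
            fi
        fi
    done
    source "$d_PROGRAM"/source_includes/basic_close.shf
    \shopt -s expand_aliases
}
alias dis='userfn_backup_disable --dis'
alias bak='userfn_backup_disable --bak'
alias note='userfn_backup_disable --note'
alias led='userfn_backup_disable --led'

### Apache has a date format that 'date' doesn't natively understand. Let's try to fix that
###
### Drop-in wrapper for date(1): runs date with the given arguments and, only if
### that fails, looks for a -d/--date/-dSTRING/--date=STRING argument in the
### Apache access-log form "[DD/Mon/YYYY:HH:MM:SS ...]" or the cPanel access-log
### form "[MM/DD/YYYY:HH:MM:SS ...]" (brackets optional), rewrites it into a form
### date accepts, and runs date again. A failing call whose date string is in
### neither form is re-run unchanged so the user sees date's own error.
### Returns: the exit status of date
function userfn_apache_date {
    \shopt -u expand_aliases
    ### "\date" bypasses the alias declared below, so re-sourcing this file
    ### cannot turn this call into a recursive one
    if \date "$@" 2> /dev/null; then
        \shopt -s expand_aliases
        \return 0
    fi
    local a_ARGS=()
    local a_ARGS2=( "$@" )
    local c v_DATE v_DAY v_MON v_YER v_TIM
    local re_APACHE='^[0-9][0-9]/[A-Z][a-z][a-z]/[0-9][0-9][0-9][0-9]:'
    local re_CPANEL='^[0-9][0-9]/[0-9][0-9]/[0-9][0-9][0-9][0-9]:'
    for (( c = 0; c < ${#a_ARGS2[@]}; c++ )); do
        v_DATE=
        ### Identify the date string and the argument that introduces it
        if [[ "${a_ARGS2[$c]}" == "-d" || "${a_ARGS2[$c]}" == "--date" ]]; then
            a_ARGS[$c]="${a_ARGS2[$c]}"
            c=$(( c + 1 ))
            v_DATE="${a_ARGS2[$c]}"
        elif [[ "${a_ARGS2[$c]}" == --date=* ]]; then
            a_ARGS[$c]="--date="
            v_DATE="${a_ARGS2[$c]#--date=}"
        elif [[ "${a_ARGS2[$c]}" == -d* ]]; then
            a_ARGS[$c]="-d"
            v_DATE="${a_ARGS2[$c]:2}"
        else
            a_ARGS[$c]="${a_ARGS2[$c]}"
        fi
        ### If there is a date string, see if it matches one of the log formats
        if [[ -n "$v_DATE" ]]; then
            v_DATE="${v_DATE#\[}"
            v_DATE="${v_DATE%\]}"
            if [[ "$v_DATE" =~ $re_APACHE ]]; then
                ### Apache log form "DD/Mon/YYYY:HH:MM:SS ..." -> "Mon DD YYYY HH:MM:SS ..."
                v_DAY="${v_DATE:0:2}"
                v_MON="${v_DATE:3:3}"
                v_YER="${v_DATE:7:4}"
                v_TIM="${v_DATE:12}"
                a_ARGS[$c]="${a_ARGS[$c]}$v_MON $v_DAY $v_YER $v_TIM"
            elif [[ "$v_DATE" =~ $re_CPANEL ]]; then
                ### cPanel log form "MM/DD/YYYY:HH:MM:SS ..." -> "YYYY-MM-DD HH:MM:SS ..."
                v_MON="${v_DATE:0:2}"
                v_DAY="${v_DATE:3:2}"
                v_YER="${v_DATE:6:4}"
                v_TIM="${v_DATE:11}"
                a_ARGS[$c]="${a_ARGS[$c]}$v_YER-$v_MON-$v_DAY $v_TIM"
            else
                ### A date string we don't recognise: re-run unchanged so the user gets date's own error output
                \shopt -s expand_aliases
                \date "$@"
                \return "$?"
            fi
        fi
    done
    \shopt -s expand_aliases
    \date "${a_ARGS[@]}"
    \return "$?"
}
alias date='userfn_apache_date'
### Section 1

#==============================================#
#== Declare User Functions Specific to malre ==#
#==============================================#

### When exiting, drop the job and end the session
###
### Stands in for the "exit" builtin through the alias below. Outside a GNU
### screen session ($STY unset) the job is dropped first by sourcing the
### "clear" include; inside screen it is left in place. The alias is removed
### before the real builtin runs, and any arguments (an exit status) are
### passed through to it.
function userfn_exit {
    \shopt -u expand_aliases
    ### Find malre.sh and the directory it's installed in
    local d_PROGRAM='/usr/local/lp/apps/malre'
    ### Exit and, if not in a screen, drop the job
    if [[ -z "$STY" ]]; then
        source "$d_PROGRAM"/source_includes/clear "exit"
        \shopt -u expand_aliases
    fi
    unalias exit > /dev/null 2>&1
    \shopt -s expand_aliases
    builtin exit "$@"
}
alias exit='userfn_exit'
### Section 2

#==========================#
#== Unset User Functions ==#
#==========================#
### At this point in time, this section serves no purpose as these are unset elsewhere
### Section 3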