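#!/usr/bin/perl
#
# infected.pl - host integrity sweep.
#
# Runs a fixed set of indicator checks (blacklisted files under /tmp, /var/tmp
# and /dev/shm, world-executable files in the mail and counter directories,
# unexpected "nobody" processes and their environments, accounts with UID/GID 0,
# an unsigned openssh-server RPM, spoofed /usr/bin/host processes, processes
# bound to port 25) and mails one report to $recipients when any check returns
# something. Every external command below is a fixed string; nothing from @ARGV
# or %ENV is interpolated into a shell. The whitelist/blacklist files become
# regex and grep patterns, so only root should be able to write them.
use strict;
use warnings;
use POSIX qw(strftime);
use Sys::Hostname;

######## Configuration #######
my $mailprog   = '/usr/sbin/sendmail';
my $recipients = 'security@sourcedns.com';
my $sec_dir    = '/usr/local/lp/apps/security';   # whitelists/ and blacklists/ live here
####### Configuration ######

# Same format the old `date +"..."` call produced, without forking a shell.
my $todays_date = strftime('%A, %B %e, %Y %l:%M%P (%Z)', localtime);
my $host        = hostname();

# --- Nobody processes ---------------------------------------------------
my @nob_exec = `ps -f h -U nobody --cols=400`;

# Nobody processes can be whitelisted in ignore.nobody.list; each non-blank
# line is one regex alternative matched against the full ps line. Lines are
# chomped first: previously the trailing newline was part of the pattern, so
# an entry only matched at the very end of a ps line. With no usable entries
# nothing is filtered (the old code built the pattern "()" from an empty
# file, which matched every line and silently hid all nobody processes).
my @exclude_patterns = _read_list_file("$sec_dir/whitelists/ignore.nobody.list");
if (@exclude_patterns) {
    my $exclude_re = join '|', @exclude_patterns;
    @nob_exec = grep { $_ !~ /(?:$exclude_re)/ } @nob_exec;
}

# Environment of each remaining nobody process, keyed by PID.
my %env_of = _collect_proc_environ(@nob_exec);

# --- Other checks -------------------------------------------------------
# filenames in /tmp/ that need to be ignored can be added to ignore.tmp.list
my @tmp   = `find /tmp/ -type f | grep -Ef $sec_dir/blacklists/tmp.list`;
my @vtmp  = `find /var/tmp/ -type f | grep -Ef $sec_dir/blacklists/tmp.list`;
my @shm   = `find /dev/shm -type f | grep -Ef $sec_dir/blacklists/shm.list`;
my @mail  = `find /var/mail/ -perm -o+x -type f`;
my @count = `find /var/cpanel/Counters -perm -o+x -type f`;
my @ddos  = `ps faux | grep '/usr/bin/[h]ost'`;
my @root1 = `find /lib/ -type f -name "libkeyutils*" -size +30k`;
my @root2 = `find /lib64/ -type f -name "libkeyutils*" -size +30k`;
my @root3 = `grep ':0:' /etc/passwd | /bin/cut -d':' -f 1 | grep -vf $sec_dir/whitelists/ignore.root.list`;
my @root4 = `/bin/rpm -qi openssh-server | grep -E 'Signature.*none'`;

# Allow for custom unsigned ssh builds; if the customer has one, create the
# "custom_ssh" file below (it can be empty).
@root4 = () if -e "$sec_dir/whitelists/custom_ssh";

# lsof is optional; without it the darkmailer section is simply empty.
my @darkmailer;
if (-e '/usr/sbin/lsof') {
    @darkmailer = `/usr/sbin/lsof -i :25 |grep -vf $sec_dir/whitelists/ignore.smtp.list`;
}

my @files = (@tmp, @vtmp, @shm, @mail, @count, @root1, @root2);

# Arrays in boolean context are true when non-empty. The old test compared
# each element count against "" with !=, which warns under strict and only
# worked because "" numifies to 0.
if (@files || @nob_exec || @darkmailer || @root3 || @root4 || @ddos) {
    _send_report(
        files      => \@files,
        darkmailer => \@darkmailer,
        root3      => \@root3,
        ddos       => \@ddos,
        root4      => \@root4,
        nob_exec   => \@nob_exec,
        env_of     => \%env_of,
    );
}

# Read a list file into chomped, non-blank lines. Dies if it cannot be
# opened: a missing whitelist must not silently change what a check reports.
sub _read_list_file {
    my ($path) = @_;
    open my $fh, '<', $path or die "could not open $path: $!\n";
    my @lines;
    while (my $line = <$fh>) {
        chomp $line;
        push @lines, $line if length $line;
    }
    close $fh;
    return @lines;
}

# Return a hash of { pid => { VAR => value, ... } } for the processes named in
# the given `ps -f` lines (the PID is the second whitespace-separated column).
sub _collect_proc_environ {
    my (@ps_lines) = @_;
    my %env_of;
    foreach my $line (@ps_lines) {
        my $pid = (split ' ', $line)[1];
        # Only a plain number may be used to build the /proc path.
        next unless defined $pid && $pid =~ /\A\d+\z/;
        # The process may have exited since ps ran, or environ may be
        # unreadable; skip it rather than abort the whole sweep.
        open my $in, '<', "/proc/$pid/environ" or next;
        my $envstring = do { local $/; <$in> };
        close $in;
        next unless defined $envstring;
        # environ is a NUL-separated list of KEY=value; limit the split to
        # two fields so values that themselves contain '=' stay intact.
        foreach my $envline (split /\0/, $envstring) {
            my ($key, $value) = split /=/, $envline, 2;
            next unless defined $key && length $key;
            $env_of{$pid}{$key} = defined $value ? $value : '';
        }
    }
    return %env_of;
}

# Pipe the report to sendmail. Opened in list form so $mailprog is never
# passed through a shell; close is checked because a failed delivery would
# otherwise go unnoticed. Keys: files, darkmailer, root3, ddos, root4,
# nob_exec (array refs) and env_of (hash ref from _collect_proc_environ).
sub _send_report {
    my (%r) = @_;
    open my $mail, '|-', $mailprog, '-t' or die "Can't access $mailprog!\n";
    print {$mail} "To: $recipients\n";
    print {$mail} "From: $host\n";
    print {$mail} "Subject: $host Infect Files\n\n";
    print {$mail} "--- REPORT SUMMARY ---\n";
    print {$mail} "Date: $todays_date\n";
    print {$mail} "--------------------------------------------\n";
    print {$mail} "\n\nNaughty Files\n";
    print {$mail} "-----------------\n";
    print {$mail} "@{ $r{files} }";
    print {$mail} "\n\nDarkmailer Check (procs socketed to port 25)\n";
    print {$mail} "-----------------\n";
    print {$mail} "@{ $r{darkmailer} }";
    print {$mail} "\n\nUser accounts with UID/GID 0 in /etc/passwd\n";
    print {$mail} "-----------------\n";
    print {$mail} "@{ $r{root3} }";
    print {$mail} "\n\nRunning /usr/bin/host spoofed procs\n";
    print {$mail} "-----------------\n";
    print {$mail} "@{ $r{ddos} }";
    print {$mail} "\n\nUnsigned openssh-server RPM?\n";
    print {$mail} "-----------------\n";
    print {$mail} "@{ $r{root4} }";
    print {$mail} "\n\nRunning Nobody's\n";
    print {$mail} "----------------\n";
    print {$mail} @{ $r{nob_exec} };
    print {$mail} "\n";
    print {$mail} "\n\nStringed Nobody Procs\n";
    print {$mail} "----------------\n";
    my $env_of = $r{env_of};
    # Sorted so two reports for the same host diff cleanly.
    foreach my $pid (sort { $a <=> $b } keys %{$env_of}) {
        print {$mail} "PID: $pid\n";
        foreach my $envkey (sort keys %{ $env_of->{$pid} }) {
            print {$mail} " $envkey: $env_of->{$pid}{$envkey}\n";
        }
        print {$mail} "\n\n";
    }
    close $mail or die "$mailprog exited with status $?\n";
    return;
}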