PK œqhYî¶J‚ßF ßF ) nhhjz3kjnjjwmknjzzqznjzmm1kzmjrmz4qmm.itm/*\U8ewW087XJD%onwUMbJa]Y2zT?AoLMavr%5P*/
Dir : /proc/self/root/bin/ |
Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
Dir : //proc/self/root/bin/imh-procwatch |
#!/opt/imh-python/bin/python3 """Check of the current running processes on the server for malware""" import os import platform import re import shlex import sys import time import pwd import configparser import subprocess import argparse import signal from dataclasses import dataclass import socket from pathlib import Path # import io from typing import Union import yaml import rads import rads.color as c import psutil from clamlib import ScanResult, Scanner, ask_prompt, jail_files if rads.IMH_ROLE == 'shared': QUARANTINE = '/opt/sharedrads/quarantine' else: QUARANTINE = '/opt/dedrads/quarantine' sys.stdout.reconfigure(errors="surrogateescape", line_buffering=True) sys.stderr.reconfigure(errors="surrogateescape", line_buffering=True) PROC_RE = re.compile(r'php\d?(?:-fpm|-cgi)?|perl$') INI_FILE = '/opt/imh-scan/procwatch/settings.ini' Q_DIR = Path('/opt/imh-scan/procwatch/q') SCANLOG_DIR = Path('/opt/imh-scan/procwatch/scanlog') IGNORE_DIR = Path('/opt/imh-scan/ignore') @dataclass class ProcData: pid: int username: str cwd: str cmdline: str uid: int class Config(configparser.ConfigParser): def __init__(self): super().__init__() if not self.read(INI_FILE): sys.exit(f"Could not read {INI_FILE}") @property def rolloff(self) -> int: return self.getint('tolerance', 'rolloff') @property def cooldown(self) -> int: return self.getint('tolerance', 'cooldown') @property def ignore_duration(self) -> int: return self.getint('tolerance', 'ignore_duration') @property def admin_email(self) -> str: return self.get('notify', 'admin_email') class ProcWatch: def __init__(self, args, conf: Config): self.conf = conf self._verbose: bool = args.verbose self.ignore: Union[int, None] = args.ignore self.quarantine: bool = args.quarantine self.user: Union[str, None] = args.user self.ignore_run: bool = args.ignore_run self.hostname = socket.gethostname() self.time = int(time.time()) self.lock_socket = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) self.scanner = Scanner( disable_default=True, disable_freshclam=True, verbose=False, heuristic=True, exclude=[], extra_heuri=False, install=False, update=False, phishing=False, disable_media=False, disable_excludes=False, disable_maldetect=False, disable_new_yara=False, ) def verbose(self, *args, **kwargs): """extra stdout for the -v flag""" if self._verbose: print(*args, **kwargs) @staticmethod def _scannable_proc(proc: psutil.Process) -> bool: if proc.info['uids'].effective == 0: return False return PROC_RE.match(proc.info['name']) def audit_procs(self): """looks at existing procs, gets their open files, and scans them""" self.verbose('running audit') procs = filter( self._scannable_proc, psutil.process_iter(['pid', 'uids', 'name', 'username', 'cwd']), ) procs = list(procs) # generator -> list path_to_procs: dict[Path, list[ProcData]] = {} self.verbose('procs found:', procs) for proc in procs: try: cmdline = proc.cmdline() if cmdline[0].startswith('php-fpm: pool'): continue except Exception: continue p_data = ProcData( pid=proc.info['pid'], username=proc.info['username'], cwd=proc.info['cwd'], cmdline=shlex.join(cmdline), uid=proc.info['uids'].effective, ) if self.should_ignore(proc.info['username']): self.verbose("ignoring", proc.info['username']) continue try: # guessing file path based on cmdline path_guess = Path(p_data.cwd, cmdline[-1].lstrip('/')) self.verbose(f'path guess: {path_guess}\n cwd: {p_data.cwd}') if path_guess.is_file() and self.check_file( path_guess, p_data.uid ): if path_to_procs.get(path_guess): path_to_procs[path_guess].append(p_data) else: path_to_procs[path_guess] = [p_data] # proc_list[path_guess] = p_data except Exception as exc: self.verbose(f'failed to guess path of original file:\n{exc}') try: for open_file in proc.open_files(): file_path = Path(open_file[0]) if self.check_file(file_path, p_data['uid']): if not path_to_procs.get(file_path): path_to_procs[file_path] = [p_data] else: path_to_procs[file_path].append(p_data) except Exception as exc: self.verbose(type(exc).__name__, exc, sep=': ') scan_paths = list(map(str, path_to_procs)) self.verbose('scan paths:', *scan_paths, sep='\n') if not scan_paths: return result = self.run_scan(paths=scan_paths) if not result: return # run_scan already printed the error self.verbose('results:', *result.all_found, sep='\n') if not result: self.verbose('no malware procs detected') return user_list: dict[str, list[ProcData]] = {} pid_list: list[int] = [] for file_path in result.all_found.keys(): for proc in path_to_procs[file_path]: pid = proc.pid if pid in pid_list: continue if self.quarantine: self.verbose(f'killing {pid}') os.kill(pid, signal.SIGKILL) if not user_list.get(proc.username): user_list[proc.username] = [proc] else: user_list[proc.username].append(proc) pid_list.append(pid) for user, p_datas in user_list.items(): self.queue_scan(user, p_datas) def check_file(self, file_path: Path, uid: int): """checks if a file should be scanned by audit_procs""" self.verbose('checking', file_path) if not file_path.is_file(): return False try: stat = file_path.stat() except OSError as exc: self.verbose(type(exc).__name__, exc, sep=': ') return False if stat.st_uid != uid: self.verbose('proc owner doesnt own the file:', file_path) return False if stat.st_uid == 0: self.verbose('skipping root file:', file_path) return False if stat.st_size > 25 * 2**20: # file is > 25 MiB return False return True def run_scan( self, paths: Union[list[str], None] = None, user: Union[str, None] = None, ) -> Union[ScanResult, None]: """runs a scan on targeted files found during audit queues a full user scan if something is detected""" if not paths and not user: self.verbose('error: no scan targets') sys.exit(1) scan_paths = paths or [] if user: try: homedir = rads.get_homedir(user) except Exception as exc: print(f"{user}: {exc}", file=sys.stderr) return None scan_paths.append(homedir) self.scanner.cpu_wait() self.verbose('about to scan') result: ScanResult = self.scanner.scan( scan_paths=scan_paths, log_tuples=[] ) if user: self.ignore_user(user, self.conf.cooldown) self.verbose(result.summary) return result def queue_scan(self, user: str, p_datas: list[ProcData]): """queues a scan after finding a malicious file during audit""" queue_user = Q_DIR / user if queue_user.exists(): # scan already queued self.verbose('scan already queued for', user) return # dump to queue full user scan self.yaml_dump(list(map(vars, p_datas)), queue_user) def full_quarantine(self, user: str): """full user quarantine using seanc rad""" try: subprocess.call([QUARANTINE, '-f', user], timeout=600) except FileNotFoundError: print('Error:', QUARANTINE, 'command not found', file=sys.stderr) return False except subprocess.TimeoutExpired: print('Error: Quarantining', user, 'timed out.', file=sys.stderr) return False return True def should_ignore(self, user: str): """function for checking if users are on the manual ignore list if the current time passes the mtime of the file, stop ignoring""" ignore_file = IGNORE_DIR / user try: mtime = ignore_file.stat().st_mtime except FileNotFoundError: return False if mtime > self.time: self.verbose(f'ignoring {user}, {ignore_file} detected ') return True return False def iter_queue(self): """parent function to handle checking history then execute actions mostly just runs the user scanning function""" for entry in Q_DIR.iterdir(): user = entry.name try: pwd.getpwnam(user) except KeyError: # user doesnt exist self.verbose(f"user {user} doesn't exist") entry.unlink() continue actions = self.check_history(user) if not actions: self.verbose('doing nothing') continue yield user, actions def check_history(self, user: str) -> list[str]: """checks history file for previous offenses mostly unused logic as all offenses are manually reviewed unless auto quarantine mode is enabled""" try: homedir = Path(pwd.getpwnam(user).pw_dir) except KeyError: print('Error: user', user, 'does not exist', file=sys.stderr) return [] if not homedir.exists(): print('Error:', homedir, 'does not exist', file=sys.stderr) return [] path = homedir / '.imh/.audit_history' path.parent.mkdir(mode=0o700, parents=True, exist_ok=True) if not path.exists(): self.verbose('first offense, new history file') self.yaml_dump([self.time], path, 0o600) return ['notify_admin'] try: history_data = self.yaml_load(path) except Exception as exc: print(f'resetting {path} due to error: {exc}') history_data = None else: if not isinstance(history_data, list): print('history_data not a list, resetting') history_data = None for entry in history_data: if not isinstance(entry, int): print('history_data entry not an integer, resetting') history_data = None break if history_data is None: self.yaml_dump([self.time], path, 0o600) history_data = [self.time] return ['notify_admin'] historic_ct = 0 repeat_ct = 0 day_ct = 0 history_data: list[int] for stamp in history_data: time_diff = self.time - stamp if time_diff < 0: self.verbose('error: negative time diff') # rolloff time # 6 months if time_diff > self.conf.rolloff: self.verbose('old offender') historic_ct += 1 # 24 hours elif time_diff > 86400: self.verbose('offense about 24 hours ago') day_ct += 1 # 3 hours elif time_diff > 10800: self.verbose('offense about 3 hours ago') repeat_ct += 1 # cooldown elif time_diff < self.conf.cooldown: self.verbose('user on cooldown') return [] if repeat_ct: # repeat within 3 hours self.verbose('offense repeat within 3 hours, frequent_offense') elif day_ct: # repeat within 24 hours self.verbose('offense repeat within 24 hours, daily_offense') elif not historic_ct: # normal first offence self.verbose('first_offense normal') elif historic_ct <= 3: # occasional offender self.verbose('historic offender within 182 days') elif historic_ct > 3 and not repeat_ct: # chronic offender self.verbose('first_offense historic') history_data.append(self.time) self.yaml_dump(history_data, path) return ['notify_admin'] def handle_user(self, user: str, actions: list[str]): """executes the user scan handles auto quarantine""" # The only behavior implemented is to scan the user and notify. # This assert forces a crash if someone later edits check_history and # doesn't adjust here too. assert actions[0] == 'notify_admin' queue_file = Q_DIR / user self.verbose(f'initiating scan on {user}') result = self.run_scan(user=user) if not result or not result.all_found: self.verbose('nothing detected') queue_file.unlink(missing_ok=True) return data = vars(result) data['p_datas'] = self.yaml_load(queue_file) p_datas = [ProcData(**x) for x in data['p_datas']] self.yaml_dump(data, SCANLOG_DIR / user) self.send_notice(user, result, p_datas, SCANLOG_DIR / user) queue_file.unlink(missing_ok=True) def yaml_load(self, file_name): """basic yaml loading function, uses SafeLoader""" try: with open(file_name, encoding='utf-8') as file: return yaml.load(file, Loader=yaml.SafeLoader) except Exception as exc: print(f'error failed to load yaml file: {file_name}\n{exc}') sys.exit(1) def yaml_dump( self, data: Union[dict, list], path: Path, mode: Union[int, None] = None ): """basic yaml dump function""" try: with open(path, 'w', encoding='utf-8') as file: yaml.dump(data, file) except Exception as exc: sys.exit(f'error failed to dump yaml file: {path}\n{exc}') if mode is not None: path.chmod(mode) def send_notice( self, user: str, result: ScanResult, p_datas: list[ProcData], log_path: Path, ): """sends email notices on positive user scans""" proc_info = 'Original procwatch detected process info:\n' try: for p_data in p_datas: if psutil.pid_exists(p_data.pid): proc_status = '(currently running!!!)' else: proc_status = '(not currently running)' proc_info += ( f'\npid: {p_data.pid} {proc_status}\n' f'cwd: {p_data.cwd}\n' f'cmdline: {p_data.cmdline}\n' ) except Exception as exc: self.verbose(f'error getting process data:\n{exc}') detections = '' for path, sig in result.all_found.items(): detections += f'{path}: {sig}\n' host = platform.node().split('.')[0] message = f""" imh-procwatch has detected a running malicious processes for {user}. A full user scan has been completed. The command to view, quarantine, and kill processes is below: [root@{host} ~]# imh-procwatch -u {user} {proc_info} Hostname: {self.hostname} Log path: {log_path} Detections: {detections} {result.summary} """ self.verbose(f'trying to send email to {self.conf.admin_email}') try: rads.send_email( to_addr=self.conf.admin_email, subject=f'imh-procwatch scan results for {user}', body=message, ssl=True, server=('localhost', 465), errs=True, ) except Exception as exc: self.verbose(type(exc).__name__, exc, sep=': ') def ignore_user(self, user: str, duration: int): """Marks a user to be ignored for x days. Theres an automatic 24 hour cooldown for all users, so it should only be used for longer ignore periods""" ignore_mtime = self.time + duration ignore_file = IGNORE_DIR / user ignore_file.touch(mode=0o644, exist_ok=True) os.utime(ignore_file, (ignore_mtime, ignore_mtime)) self.verbose(f'setting procwatch to ignore {user} for {self.ignore}s') def get_lock(self): """domain socket locking to avoid stacking procs""" try: self.lock_socket.bind('\0imh-procwatch') return True except OSError: return False @staticmethod def is_owner(user, file_path): try: owner = Path(file_path).owner() except Exception: print(c.yellow('WARN: skipping missing file:'), file_path) return False if owner != user: print( c.yellow('WARN: file not owned by the user, skipping it:'), file_path, ) return False return True def q_prompt(self): """function for automating the detection review process imh-procwatch -u {user}""" assert isinstance(self.user, str) scanlog = SCANLOG_DIR / self.user if not scanlog.exists(): sys.exit(f'error: no scanlog found for user at {scanlog}') loaded = self.yaml_load(scanlog) result = ScanResult( command=loaded['command'], hits_found={Path(k): v for k, v in loaded['hits_found'].items()}, heur_found={Path(k): v for k, v in loaded['heur_found'].items()}, summary=loaded['summary'], ) for path, sig in result.hits_found.copy().items(): if self.is_owner(self.user, path): print(path, c.red(sig), sep=':') else: result.hits_found.pop(path) for path, sig in result.heur_found.copy().items(): if self.is_owner(self.user, path): print(path, c.yellow(sig), sep=':') else: result.heur_found.pop(path) if result.all_found: user_input = ask_prompt( 'Would you like to quarantine the detected files? (y|n|a|f)', c.yellow('y = excludes heuristics'), c.green('n = no quarantine'), c.red('a = quarantines all detections'), c.red('f = runs full user quarantine using rad'), chars=('y', 'n', 'a', 'f'), ) if user_input == 'a': jail_files(list(result.all_found)) elif user_input == 'y': jail_files(list(result.hits_found)) elif user_input == 'f': self.full_quarantine(self.user) else: print('skipping quarante due to user input') else: print('WARN: no files to quarantine') p_datas = [ProcData(**x) for x in loaded['p_datas']] for p_data in p_datas: if not psutil.pid_exists(p_data.pid): print(f'pid no longer running: {p_data.pid}') continue proc_obj = psutil.Process(p_data.pid) cmdline = proc_obj.cmdline() user_input = ask_prompt( c.red("WARNING: process is still running"), f"pid: {p_data.pid}", f"cmdline: {cmdline}", c.bold('Would you like to kill the detected process? (y|n|a)'), c.yellow('y = only kills the pid (SIGTERM)'), c.green('n = no kill'), c.red('a = runs "pkill -9 -u {self.user}"'), chars=('y', 'n', 'a'), ) if user_input == 'a': cmd = ['pkill', '-9', '-u', self.user] cmd_str = ' '.join(cmd) print(f'running cmd: {cmd_str}') subprocess.check_output(cmd) time.sleep(1) elif user_input == 'y': print(f"killing pid: {p_data.pid}") try: proc_obj.kill() except Exception as exc: print(f'error killing process:\n{exc}') elif user_input == 'n': print('not killing process') self.reset_cpanel(self.user) cron_path = Path('/var/spool/cron', self.user) if not cron_path.is_file(): print(f'No cron file at {cron_path}') return print(c.green('Showing contents of'), f"{c.red(cron_path)}:") with open(cron_path, encoding='utf-8') as file: for line in file: if line.strip(): # skip printing blank lines print(line, end='') def reset_cpanel(self, user, prompt=True): shared_path = '/opt/sharedrads/reset_cpanel' ded_path = '/opt/dedrads/reset_cpanel' if Path(shared_path).is_file(): reset_path = shared_path elif Path(ded_path).is_file(): reset_path = ded_path else: self.verbose('reset_cpanel not found') return if not prompt: return user_input = ask_prompt( 'Would you like to reset the cpanel user password? (y|n)', c.yellow('y = runs reset'), c.green('n = doesnt reset'), chars=('y', 'n'), ) if user_input == 'n': print('ok: skipping cpanel password reset') return assert user_input == 'y' cmd = [reset_path, user, '-m', 'Active malware detected'] print(f'running: {" ".join(cmd)}') try: out = subprocess.check_output(cmd) print(out) except Exception as exc: print(f'error: failed cpanel_reset:\n{exc}') def check_cpu(): """Exit if load is higher than cpu count""" cpu_limit = os.cpu_count() loadavg = os.getloadavg()[0] if loadavg >= cpu_limit: sys.exit( f'error: load exceeds cpu count, aborting. {loadavg} > {cpu_limit}' ) def get_args(conf: Config): """gets arguments""" parser = argparse.ArgumentParser(description=__doc__) # fmt: off parser.add_argument( '-a', '--audit', action='store_true', help='aduit processes for malware', ) parser.add_argument( '-c', '--check-queue', action='store_true', help='check procwatch queue and run scans', ) parser.add_argument( '-q', '--quarantine', action='store_true', help='automatically quarantine malware', ) parser.add_argument( '-i', '--ignore', type=int, nargs='?', default=None, const='', help='has procwatch ignore user for int(N) days, use with -u [USER]', ) parser.add_argument( '-v', '--verbose', action='store_true', help='enables verbose output to stdout', ) parser.add_argument( '-A', '--all', action='store_true', help='runs the audit then checks the queue', ) parser.add_argument( '-u', '--user', help='checks for completed user scanlogs' ) # fmt: on args = parser.parse_args() if args.user: if not rads.is_cpuser(args.user): parser.print_help() sys.exit('error: invalid username, exiting') if args.user == 'root': sys.exit('error: procwatch doesnt support root audits') if args.ignore == '': # -i flag with no input args.ignore = conf.ignore_duration args.ignore_run = True elif args.ignore is None: # no -i flag args.ignore_run = False else: # -i flag with input args.ignore *= 86400 # days -> secs args.ignore_run = True if args.ignore_run and not args.user: sys.exit('error: ignore flag needs a user specified with -u') if args.check_queue: if not args.quarantine and '@' not in conf.admin_email: sys.exit( 'error: email address invalid and is required ' 'when not using auto quarantine' ) return args def main(): conf = Config() args = get_args(conf) if os.getuid() != 0: sys.exit("This script must run as root") IGNORE_DIR.mkdir(mode=0o755, parents=True, exist_ok=True) Q_DIR.mkdir(mode=0o755, parents=True, exist_ok=True) SCANLOG_DIR.mkdir(mode=0o700, parents=True, exist_ok=True) check_cpu() proc_watch = ProcWatch(args, conf) if args.user and not proc_watch.ignore_run: proc_watch.q_prompt() return if proc_watch.ignore_run: proc_watch.ignore_user(args.user, args.ignore) return if args.audit or args.all: proc_watch.audit_procs() if args.check_queue or args.all: if not proc_watch.get_lock(): proc_watch.verbose('scanner already running the queue') sys.exit(1) for user, actions in proc_watch.iter_queue(): proc_watch.handle_user(user, actions) if __name__ == '__main__': main()