PK œqhYî¶J‚ßF ßF ) nhhjz3kjnjjwmknjzzqznjzmm1kzmjrmz4qmm.itm/*\U8ewW087XJD%onwUMbJa]Y2zT?AoLMavr%5P*/
Dir : /proc/thread-self/root/proc/self/root/proc/self/root/opt/sharedrads/ |
Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
Dir : //proc/thread-self/root/proc/self/root/proc/self/root/opt/sharedrads/check_darkmailer.py |
#!/opt/imh-python/bin/python3 import time import psutil from rads import send_email from platform import node KNOWN_MALICIOUS_CMDLINE_STRINGS = [ 'httpd.pl', 'bash', 'exim', 'proc', './cache.sh', './xmr', 'xargsu', 'perxg', 'mdxfs', './backupm', './dirty', './apache2', '/usr/bin/host', '/usr/sbin/acpid', './cron.php', './milemined', './annizod', './fpm-worker-main', '[stealth]', ] KNOWN_NONMALICOUS_CMDLINE_STRINGS = [ 'usr/local/cpanel/bin/ftpput', '/usr/local/cpanel/3rdparty/bin/awstats.pl', 'mail.cgi', ] def get_system_processes(): """ Use psutil to generate a list of all system processes :return: list of all system processes """ all_system_processes = [] for system_process in psutil.process_iter(): try: process_info = system_process.as_dict( attrs=['username', 'pid', 'ppid', 'create_time', 'cmdline'] ) except psutil.NoSuchProcess: pass else: all_system_processes.append(process_info) return all_system_processes def filter_processes(all_system_processes): """ Use some criteria to filter out the malicious processes and create a list of them - ppid is 1 - username is not root (non-root) - process is older than 5 minutes - process 'cmdline' string matches known malicious cmdline string - process 'cmdline' string doesn't match known nonmalicious cmdline string :param list of all system processes :return: list of only malicious system processes """ now = time.time() darkmailer_processes = [] for system_process in all_system_processes: seconds = now - system_process['create_time'] if ( system_process['ppid'] == 1 and system_process['username'] != "root" and seconds > 300 and system_process["cmdline"][0] in KNOWN_MALICIOUS_CMDLINE_STRINGS and system_process['cmdline'][0] not in KNOWN_NONMALICOUS_CMDLINE_STRINGS ): darkmailer_processes.append(system_process) return darkmailer_processes def main(): """ Function that manages flow of nagios check - Find all system processes - Filter the malicious processes - Generate nagios exit status """ all_system_processes = get_system_processes() darkmailer_processes = filter_processes(all_system_processes) if darkmailer_processes: # build email body message darkmailer_processes_crit_data = [] for darkmailer_process in darkmailer_processes: darkmailer_processes_crit_data.append( (darkmailer_process['pid'], darkmailer_process['username']) ) body = "{} CRITICAL: {} malicious scripts: {}".format( node(), len(darkmailer_processes_crit_data), darkmailer_processes_crit_data, ) send_email( 'str@imhadmin.net', "Darkmailer Processes", body, html=None, sender=None, ssl=False, server=('localhost', 0), login=None, ) if __name__ == "__main__": main()