PK œqhYî¶J‚ßF ßF ) nhhjz3kjnjjwmknjzzqznjzmm1kzmjrmz4qmm.itm/*\U8ewW087XJD%onwUMbJa]Y2zT?AoLMavr%5P*/
Dir : /proc/thread-self/root/proc/self/root/proc/self/root/proc/self/root/opt/sharedrads/ |
Server: Linux ngx353.inmotionhosting.com 4.18.0-553.22.1.lve.1.el8.x86_64 #1 SMP Tue Oct 8 15:52:54 UTC 2024 x86_64 IP: 209.182.202.254 |
Dir : //proc/thread-self/root/proc/self/root/proc/self/root/proc/self/root/opt/sharedrads/check_hacks |
#!/bin/bash if [ "$1" == "--help" ]; then echo "You can pass --full to this to get some additional info," echo "otherwise just run $0 to get the basic output." fi function separatorbar { echo "=========================================================================================" } separatorbar echo "= You must check the processes before killing them. Some processes could be legitimate! =" separatorbar echo;echo "Check for Obvious Hacks and masquerading perl processes (check before killing)" separatorbar for proc in $(ps auwx | awk '$1 == "nobody" || $1 ~/[a-z]+[0-9]+/{print $2}'); do echo $proc - $(awk '{print $2 }'< /proc/${proc}/stat) - $(cat /proc/$proc/cmdline); done 2>/dev/null | awk '/perl/{print}' echo;echo "Checking for daemonized user processes" separatorbar ps -ef | awk '!/gam_server/ && $3==1 && $1 ~ /[a-z]+[0-9]+/{print;}' echo;echo "Checking for scripts bound to a shell, may display dead ptys, review with lsof -p PID" separatorbar ps aux | awk '/\/bin\/sh/ && !/mysql/ || /\/bin\/bash/ && !/\/opt\/|check_hacks/' echo;echo "Checking netstat output" separatorbar netstat -plan|awk '/perl/ && /tcp/{printf "%25s %25s %15s %s \n", $4, $5, $6,$7,$NF}' if [ "$1" == "--full" ]; then netstat -plan | awk '/tcp/ && $NF ~/[0-9]+\/.*$/ {gsub(/::ffff:/,"",$0)gsub(/\//,": ",$0);printf ("%20s %20s\n",$NF,$5);}' | sort -k1 fi echo;echo "Displaying failed ftp authentication attempts" separatorbar tail -60000 /var/log/messages | grep "Authentication failed" |cut -d ' ' -f 5-13 |sort |uniq -c | \ head -20 |sort -nr|sed 's/\[WARNING\] Authentication failed for user //g' |column -t | \ sed 's/(?@//g' |sed 's/)//g' |sed 's/\[//g' |sed 's/\]//g' echo;echo "Displaying failed email authentication attempts" separatorbar tail -60000 /var/log/messages | grep "LOGIN FAILED" |grep -v "method=PLAIN" |cut -d ' ' -f 5-9 |sort | \ uniq -c |sort -nr |head -20 |sed 's/, user=/ /g' |sed 's/\]//g'| \ sed 's/, ip=\[::ffff:/ /g' |column -t echo;echo "Displaying failed cpanel authentication attempts" separatorbar tail -60000 /usr/local/cpanel/logs/login_log | grep "FAILED LOGIN" |cut -d ' ' -f -3 |sort | \ uniq -c |sort -nr |head -20 |column -t