1 개월 전 · 8cbb861bbb
--- a/hunter.sh
+++ b/hunter.sh
@@ -0,0 +1,109 @@
 
				+#!/bin/bash
			
 
				+#########################################################################
			
 
				+#                       Script for hunting malware                      #
			
 
				+#                           Created by PM-DoIT                          #
			
 
				+#                                 ver 0.1                               #
			
 
				+#########################################################################
			
 
				+
			
 
				+#------------------------------- VARIABLE ------------------------------#
			
 
				+clear
			
 
				+score=0
			
 
				+IGNORE="apache|apparmor|chrony|cron|mariadb|networking|fpm|postfix|snmpd|ssh|certbot|logrotate|rsyslog|clamav|php|redis|supervisor|getty|apt-daily|chkrootkit|monit|qemu-guest|systemd-journald|maldet"
			
 
				+echo -e "\e[1;37m-------------------------------------\e[0m"
			
 
				+echo -e "\e[1;33mSTARTED host COMPROMISE assessment:\e[0m"
			
 
				+echo -e "\e[1;37m-------------------------------------\e[0m"
			
 
				+
			
 
				+#------------------------- Suspicious UID 0 users ----------------------#
			
 
				+echo -e "- \e[1;32mChecking suspicious UID 0 users\e[0m"
			
 
				+uid0=$(awk -F: '$3 == 0 { print $1 }' /etc/passwd | grep -v root)
			
 
				+if [ -n "$uid0" ]; then
			
 
				+  echo -e "\e[1;31m- ! UID 0 non-root users: $uid0\e[0m"
			
 
				+  score=$((score+30))
			
 
				+fi
			
 
				+
			
 
				+#------------------------- SSH keys in root/home -----------------------#
			
 
				+echo -e "- \e[1;32mChecking keys in root/home\e[0m"
			
 
				+keys=$(find /root /home -name authorized_keys 2>/dev/null | wc -l)
			
 
				+if [ "$keys" -gt 5 ]; then
			
 
				+  echo -e "\e[1;31m- ! Excess SSH keys detected: $keys\e[0m"
			
 
				+  score=$((score+15))
			
 
				+fi
			
 
				+
			
 
				+#---------------------- Suspicious listening ports ---------------------#
			
 
				+echo -e "- \e[1;32mChecking suspicious listening ports\e[0m"
			
 
				+listeners=$(ss -tulpn | grep -E 'bash|sh|python|nc|perl' | wc -l)
			
 
				+if [ "$listeners" -gt 0 ]; then
			
 
				+  echo -e "\e[1;31m- ! Suspicious listeners detected\e[0m"
			
 
				+  ss -tulpn | grep -E 'bash|sh|python|nc|perl'
			
 
				+  score=$((score+25))
			
 
				+fi
			
 
				+
			
 
				+#--------------------------- Cron persistence --------------------------#
			
 
				+echo -e "- \e[1;32mChecking cron persistence\e[0m"
			
 
				+cron_count=$(find /etc/cron* /var/spool/cron -type f 2>/dev/null | wc -l)
			
 
				+if [ "$cron_count" -gt 10 ]; then
			
 
				+  echo -e "\e[1;31m- ! High number of cron jobs: [$cron_count]\e[0m"
			
 
				+  find /etc/cron* /var/spool/cron -type f
			
 
				+  score=$((score+10))
			
 
				+fi
			
 
				+
			
 
				+#--------------------------- Executable TMP ----------------------------#
			
 
				+exec_count=$(find /tmp /var/tmp /dev/shm -type f -executable -ls | wc -l)
			
 
				+if [ "$cron_count" -ge 1 ]; then
			
 
				+  echo -e "\e[1;31m- ! High number of executable temporary detected: [$exec_count]\e[0m"
			
 
				+  find /tmp /var/tmp /dev/shm -type f -executable -ls | awk '{print $NF}'
			
 
				+  score=$((score+10))
			
 
				+fi
			
 
				+
			
 
				+#--------------------- SUID binaries outside baseline ------------------#
			
 
				+echo -e "- \e[1;32mChecking SUID binaries outside baseline\e[0m"
			
 
				+suid=$(find / -perm -4000 -type f 2>/dev/null | wc -l)
			
 
				+if [ "$suid" -gt 100 ]; then
			
 
				+  echo -e "\e[1;31m- ! High SUID count: $suid\e[0m"
			
 
				+  score=$((score+10))
			
 
				+fi
			
 
				+
			
 
				+#------------------------ Suspicious processes -------------------------#
			
 
				+echo -e "- \e[1;32mChecking suspicious processes\e[0m"
			
 
				+proc=$(ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter" | wc -l)
			
 
				+if [ "$proc" -gt 0 ]; then
			
 
				+  echo -e "\e[1;31m- ! Suspicious processes detected\e[0m"
			
 
				+  ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter"
			
 
				+  score=$((score+30))
			
 
				+fi
			
 
				+
			
 
				+#--------------------- Recent auth failures spike ----------------------#
			
 
				+echo -e "- \e[1;32mChecking recent auth failures spike\e[0m"
			
 
				+auth_fail=$(grep -i "Failed password" /var/log/auth.log 2>/dev/null | wc -l)
			
 
				+if [ "$auth_fail" -gt 50 ]; then
			
 
				+  echo -e "\e[1;31m- ! High auth failure rate: $auth_fail\e[0m"
			
 
				+  score=$((score+10))
			
 
				+fi
			
 
				+
			
 
				+#------------------------------ Last logs ------------------------------#
			
 
				+echo -e "- \e[1;32mChecking last logs\e[0m"
			
 
				+last -a | head -10
			
 
				+lastb -a | head -10
			
 
				+
			
 
				+#---------------------- Suspicious connections -------------------------#
			
 
				+echo -e "- \e[1;32mChecking suspicious connections\e[0m"
			
 
				+lsof -i -P -n | egrep -v "80|443|161|2812|323|LISTEN"
			
 
				+
			
 
				+#----------------------- Suspicious services ---------------------------#
			
 
				+echo -e "- \e[1;32mChecking suspicious services\e[0m"
			
 
				+systemctl list-unit-files --state=enabled | egrep -v "$IGNORE"
			
 
				+systemctl list-units --type=service --state=running | egrep -v "$IGNORE"
			
 
				+
			
 
				+#---------------------- Final score normalization ----------------------#
			
 
				+if [ "$score" -gt 100 ]; then score=100; fi
			
 
				+echo -e "\e[1;37m-------------------------------------\e[0m"
			
 
				+echo -e "\e[1;33mCOMPROMISE SCORE:\e[0m \e[1;36m$score / 100\e[0m"
			
 
				+echo -e "\e[1;37m-------------------------------------\e[0m"
			
 
				+if [ "$score" -lt 20 ]; then
			
 
				+        echo -e "- Status: \e[1;32mLOW RISK\e[0m"
			
 
				+elif [ "$score" -lt 50 ]; then
			
 
				+        echo -e "- Status: \e[1;35mMEDIUM RISK\e[0m"
			
 
				+else
			
 
				+        echo -e "- Status: \e[1;31mHIGH RISK\e[0m"
			
 
				+fi
			
 
				+echo -e "\e[1;37m-------------------------------------\e[0m"