#!/bin/bash ######################################################################### # Script for hunting malware # # Created by PM-DoIT # # ver 0.2 # ######################################################################### #------------------------------- VARIABLE ------------------------------# clear score=0 IGNORE="apache|apparmor|chrony|cron|mariadb|networking|fpm|postfix|snmpd|ssh|certbot|logrotate|rsyslog|clamav|php|redis|supervisor|getty|apt-daily|chkrootkit|monit|qemu-guest|systemd-journald|maldet|wazuh|filebea" echo -e "\e[1;37m-------------------------------------\e[0m" echo -e "\e[1;33mSTARTED host COMPROMISE assessment:\e[0m" echo -e "\e[1;37m-------------------------------------\e[0m" #------------------------- Suspicious UID 0 users ----------------------# echo -e "- \e[1;32mChecking suspicious UID 0 users\e[0m" uid0=$(awk -F: '$3 == 0 { print $1 }' /etc/passwd | grep -v root) if [ -n "$uid0" ]; then echo -e "\e[1;31m- ! UID 0 non-root users: $uid0\e[0m" score=$((score+30)) fi #------------------------- SSH keys in root/home -----------------------# echo -e "- \e[1;32mChecking keys in root/home\e[0m" keys=$(find /root /home -name authorized_keys 2>/dev/null | wc -l) if [ "$keys" -gt 5 ]; then echo -e "\e[1;31m- ! Excess SSH keys detected: $keys\e[0m" score=$((score+15)) fi #---------------------- Suspicious listening ports ---------------------# echo -e "- \e[1;32mChecking suspicious listening ports\e[0m" listeners=$(ss -tulpn | grep -E 'bash|sh|python|nc|perl' | grep -v "ssh" | wc -l) if [ "$listeners" -gt 0 ]; then echo -e "\e[1;31m- ! Suspicious listeners detected\e[0m" ss -tulpn | grep -E 'bash|sh|python|nc|perl' | grep -v "ssh" score=$((score+15)) fi #--------------------------- Cron persistence --------------------------# echo -e "- \e[1;32mChecking cron persistence\e[0m" cron_count=$(find /etc/cron* /var/spool/cron -type f 2>/dev/null | wc -l) if [ "$cron_count" -gt 20 ]; then echo -e "\e[1;31m- ! High number of cron jobs: [$cron_count]\e[0m" find /etc/cron* /var/spool/cron -type f score=$((score+5)) fi #--------------------------- Executable TMP ----------------------------# exec_count=$(find /tmp /var/tmp /dev/shm -type f -executable -ls | grep -v "hunter.sh" | wc -l) if [ "$exec_count" -ge 1 ]; then echo -e "\e[1;31m- ! High number of executable temporary detected: [$exec_count]\e[0m" find /tmp /var/tmp /dev/shm -type f -executable -ls | awk '{print $NF}' | grep -v "hunter.sh" score=$((score+10)) fi #--------------------- SUID binaries outside baseline ------------------# echo -e "- \e[1;32mChecking SUID binaries outside baseline\e[0m" suid=$(find / -perm -4000 -type f 2>/dev/null | wc -l) if [ "$suid" -gt 100 ]; then echo -e "\e[1;31m- ! High SUID count: $suid\e[0m" score=$((score+10)) fi #------------------------ Suspicious processes -------------------------# echo -e "- \e[1;32mChecking suspicious processes\e[0m" proc=$(ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter|wazuh" | wc -l) if [ "$proc" -gt 0 ]; then echo -e "\e[1;31m- ! Suspicious processes detected\e[0m" ps aux | grep -iE '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter|wazuh" score=$((score+30)) fi #--------------------- Recent auth failures spike ----------------------# echo -e "- \e[1;32mChecking recent auth failures spike\e[0m" auth_fail=$(grep -i "Failed password" /var/log/auth.log 2>/dev/null | wc -l) if [ "$auth_fail" -gt 50 ]; then echo -e "\e[1;31m- ! High auth failure rate: $auth_fail\e[0m" score=$((score+10)) fi #------------------------------ Last logs ------------------------------# echo -e "- \e[1;32mChecking last logs\e[0m" last -a | head -10 lastb -a | head -10 #---------------------- Suspicious connections -------------------------# echo -e "- \e[1;32mChecking suspicious connections\e[0m" lsof -i -P -n | egrep -v "80|443|161|2812|323|3306|9200|6379|LISTEN" #----------------------- Suspicious services ---------------------------# echo -e "- \e[1;32mChecking suspicious services\e[0m" systemctl list-unit-files --state=enabled | egrep -v "$IGNORE" systemctl list-units --type=service --state=running | egrep -v "$IGNORE" #---------------------- Final score normalization ----------------------# if [ "$score" -gt 100 ]; then score=100; fi echo -e "\e[1;37m-------------------------------------\e[0m" echo -e "\e[1;33mCOMPROMISE SCORE:\e[0m \e[1;36m$score / 100\e[0m" echo -e "\e[1;37m-------------------------------------\e[0m" if [ "$score" -lt 30 ]; then echo -e "- Status: \e[1;32mLOW RISK\e[0m" elif [ "$score" -lt 60 ]; then echo -e "- Status: \e[1;35mMEDIUM RISK\e[0m" else echo -e "- Status: \e[1;31mHIGH RISK\e[0m" fi echo -e "\e[1;37m-------------------------------------\e[0m"