pmacko
/
UNI


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
							#!/bin/bash
#########################################################################
#                       Script for hunting malware                      #
#                           Created by PM-DoIT                          #
#                                 ver 0.2                               #
#########################################################################

#------------------------------- VARIABLE ------------------------------#
clear
score=0
IGNORE="apache|apparmor|chrony|cron|mariadb|networking|fpm|postfix|snmpd|ssh|certbot|logrotate|rsyslog|clamav|php|redis|supervisor|getty|apt-daily|chkrootkit|monit|qemu-guest|systemd-journald|maldet|wazuh|filebea"
echo -e "\e[1;37m-------------------------------------\e[0m"
echo -e "\e[1;33mSTARTED host COMPROMISE assessment:\e[0m"
echo -e "\e[1;37m-------------------------------------\e[0m"

#------------------------- Suspicious UID 0 users ----------------------#
echo -e "- \e[1;32mChecking suspicious UID 0 users\e[0m"
uid0=$(awk -F: '$3 == 0 { print $1 }' /etc/passwd | grep -v root)
if [ -n "$uid0" ]; then
  echo -e "\e[1;31m- ! UID 0 non-root users: $uid0\e[0m"
  score=$((score+30))
fi

#------------------------- SSH keys in root/home -----------------------#
echo -e "- \e[1;32mChecking keys in root/home\e[0m"
keys=$(find /root /home -name authorized_keys 2>/dev/null | wc -l)
if [ "$keys" -gt 5 ]; then
  echo -e "\e[1;31m- ! Excess SSH keys detected: $keys\e[0m"
  score=$((score+15))
fi

#---------------------- Suspicious listening ports ---------------------#
echo -e "- \e[1;32mChecking suspicious listening ports\e[0m"
listeners=$(ss -tulpn | grep -E 'bash|sh|python|nc|perl' | grep -v "ssh" | wc -l)
if [ "$listeners" -gt 0 ]; then
  echo -e "\e[1;31m- ! Suspicious listeners detected\e[0m"
  ss -tulpn | grep -E 'bash|sh|python|nc|perl' | grep -v "ssh"
  score=$((score+15))
fi

#--------------------------- Cron persistence --------------------------#
echo -e "- \e[1;32mChecking cron persistence\e[0m"
cron_count=$(find /etc/cron* /var/spool/cron -type f 2>/dev/null | wc -l)
if [ "$cron_count" -gt 20 ]; then
  echo -e "\e[1;31m- ! High number of cron jobs: [$cron_count]\e[0m"
  find /etc/cron* /var/spool/cron -type f
  score=$((score+5))
fi

#--------------------------- Executable TMP ----------------------------#
exec_count=$(find /tmp /var/tmp /dev/shm -type f -executable -ls | grep -v "hunter.sh" | wc -l)
if [ "$exec_count" -ge 1 ]; then
  echo -e "\e[1;31m- ! High number of executable temporary detected: [$exec_count]\e[0m"
  find /tmp /var/tmp /dev/shm -type f -executable -ls | awk '{print $NF}' | grep -v "hunter.sh"
  score=$((score+10))
fi

#--------------------- SUID binaries outside baseline ------------------#
echo -e "- \e[1;32mChecking SUID binaries outside baseline\e[0m"
suid=$(find / -perm -4000 -type f 2>/dev/null | wc -l)
if [ "$suid" -gt 100 ]; then
  echo -e "\e[1;31m- ! High SUID count: $suid\e[0m"
  score=$((score+10))
fi

#------------------------ Suspicious processes -------------------------#
echo -e "- \e[1;32mChecking suspicious processes\e[0m"
proc=$(ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter|wazuh" | wc -l)
if [ "$proc" -gt 0 ]; then
  echo -e "\e[1;31m- ! Suspicious processes detected\e[0m"
  ps aux | grep -iE '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter|wazuh"
  score=$((score+30))
fi

#--------------------- Recent auth failures spike ----------------------#
echo -e "- \e[1;32mChecking recent auth failures spike\e[0m"
auth_fail=$(grep -i "Failed password" /var/log/auth.log 2>/dev/null | wc -l)
if [ "$auth_fail" -gt 50 ]; then
  echo -e "\e[1;31m- ! High auth failure rate: $auth_fail\e[0m"
  score=$((score+10))
fi

#------------------------------ Last logs ------------------------------#
echo -e "- \e[1;32mChecking last logs\e[0m"
last -a | head -10
lastb -a | head -10

#---------------------- Suspicious connections -------------------------#
echo -e "- \e[1;32mChecking suspicious connections\e[0m"
lsof -i -P -n | egrep -v "80|443|161|2812|323|3306|9200|6379|LISTEN"

#----------------------- Suspicious services ---------------------------#
echo -e "- \e[1;32mChecking suspicious services\e[0m"
systemctl list-unit-files --state=enabled | egrep -v "$IGNORE"
systemctl list-units --type=service --state=running | egrep -v "$IGNORE"

#---------------------- Final score normalization ----------------------#
if [ "$score" -gt 100 ]; then score=100; fi
echo -e "\e[1;37m-------------------------------------\e[0m"
echo -e "\e[1;33mCOMPROMISE SCORE:\e[0m \e[1;36m$score / 100\e[0m"
echo -e "\e[1;37m-------------------------------------\e[0m"
if [ "$score" -lt 30 ]; then
        echo -e "- Status: \e[1;32mLOW RISK\e[0m"
elif [ "$score" -lt 60 ]; then
        echo -e "- Status: \e[1;35mMEDIUM RISK\e[0m"
else
        echo -e "- Status: \e[1;31mHIGH RISK\e[0m"
fi
echo -e "\e[1;37m-------------------------------------\e[0m"