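#!/bin/bash
#
# Scans the process table for lines that contain the name of a known
# DoS / scanner / brute-force tool and reports every hit through logger
# (tag "abused"). logger -s also writes the message to stderr, which is
# appended to /var/log/abusers.log.
#
# vzps is used when it is installed so that each hit carries its container
# ID (CTID); otherwise plain ps is used and the CTID is reported as "NaN".
#
# NOTE(review): the log message says "killed!", but nothing in this script
# sends a signal -- KILL_BIN is resolved and never used. Read the log lines
# as detections, not as proof that the process is gone.
#
# NOTE(review): matching is a plain substring search over the whole ps line
# (user, arguments and all), so short names such as "stream", "alpha" or
# "brute" can hit unrelated processes, and a renamed binary is not seen.
# Confirm a hit before acting on it.

#Binaries
LOGGER_BIN=$(command -v logger)
LOGGER_ARGS=(-s -t abused)
PS_BIN=$(command -v ps)
VZPS=0
if VZPS_BIN=$(command -v vzps); then
  VZPS=1
fi
# Resolved but not used anywhere below (see the header note).
KILL_BIN=$(command -v kill)
PS_ARGS=(aux)
VZPS_ARGS=(-E)

# Without logger there is nowhere to report to; without ps (when vzps is
# absent) the original would have tried to run a command named "aux".
if [[ -z "$LOGGER_BIN" ]]; then
  printf '%s\n' "abused: logger not found in PATH" >&2
  exit 1
fi
if ((VZPS == 0)) && [[ -z "$PS_BIN" ]]; then
  printf '%s\n' "abused: neither vzps nor ps found in PATH" >&2
  exit 1
fi

#Processes to kill
PROCS='dos2.pl stealth kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo lool slap.pl brute pscan2 SpyEyeCollector trinity shaft vadimII vadimii vadim2 vadimI xdestroy xshock udp.pl trash trash2 synsend synk synk7 synhose stream stream2 smurf5 smurf6 smack slice2 slice3 sl2 sl3 rc8 overdrop nestea juno da.sh bloop alpha udp2.pl fiberlamp'

#If possible, we use vzps. We fall back to standard `ps` in cases where vzps is not available (not all our servers have it)
PSOUT=""
if ((VZPS == 1)); then
  PSOUT=$("$VZPS_BIN" "${PS_ARGS[@]}" "${VZPS_ARGS[@]}")
else
  PSOUT=$("$PS_BIN" "${PS_ARGS[@]}")
fi

# One fixed-string pattern per name. grep -F keeps the "." in names such as
# "dos2.pl" literal instead of "any character", and passing each name with
# -e means a stray double space in PROCS cannot create an empty pattern
# that matches every line.
read -r -a proc_names <<<"$PROCS"
grep_args=(-F)
for name in "${proc_names[@]}"; do
  grep_args+=(-e "$name")
done

# Everything up to and including the last "<x>:<y>:<digits> " run is treated
# as the ps column prefix; what follows is reported as the command line.
# Same expression the original applied with perl.
prefix_re='.*:.*:[0-9]+ '

# Read hits line by line. Process command lines are chosen by whoever started
# the process, so they are never expanded unquoted: the original for-loop and
# logger call let the shell glob-expand and re-split them.
while IFS= read -r proc; do
  [[ -n "$proc" ]] || continue

  CTID="NaN"
  PID=""
  if ((VZPS == 1)); then
    # vzps -E output: CTID is field 1, PID is field 3.
    read -r CTID _ PID _ <<<"$proc"
  else
    # ps aux output: PID is field 2.
    read -r _ PID _ <<<"$proc"
  fi

  CMDLINE=$proc
  if [[ "$proc" =~ $prefix_re ]]; then
    CMDLINE=${proc#"${BASH_REMATCH[0]}"}
  fi

  if [[ "$CTID" != "0" ]]; then
    "$LOGGER_BIN" "${LOGGER_ARGS[@]}" -- "Potentially abusive process <${CMDLINE}>/${PID} in CT ${CTID} killed!" 2>>/var/log/abusers.log
  else
    "$LOGGER_BIN" "${LOGGER_ARGS[@]}" -- "Found odd process running under CT 0: <${CMDLINE}>/${PID}" 2>>/var/log/abusers.log
  fi
done < <(grep "${grep_args[@]}" <<<"$PSOUT")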