scripts/abused


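#!/bin/bash
# abused - scan the process table for well-known abuse/DoS tool names and log
# every hit, once per matching process.
#
# On OpenVZ/Virtuozzo hosts `vzps -E` is used so the owning container (CTID)
# can be reported; on every other host plain `ps aux` is used and the CTID is
# reported as "NaN".
#
# NOTE(review): despite the script's name, no process is ever signalled:
# KILL_BIN is resolved but never invoked. Matches are only logged, and the
# log text below says so. Any enforcement belongs in a separate, explicit step
# that first deals with the substring false positives described at the grep.
#
# Logging: `logger -s` sends each line to syslog and echoes it to stderr;
# stderr is appended to /var/log/abusers.log so a local copy of every hit is
# kept even if syslog is unavailable.

#Binaries
LOGGER_BIN=$(command -v logger)
LOGGER_ARGS="-s -t abused"
VZPS=0
PS_BIN=$(command -v ps)
# `command -v` exits non-zero when vzps is not installed; that failure is the
# signal to fall back to plain ps (VZPS stays 0, VZPS_BIN stays empty).
if VZPS_BIN=$(command -v vzps); then VZPS=1; fi
# shellcheck disable=SC2034  # resolved but intentionally unused, see header
KILL_BIN=$(command -v kill)
PS_ARGS="aux"
VZPS_ARGS="-E"
#Processes to kill
PROCS='dos2.pl stealth kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo lool slap.pl brute pscan2 SpyEyeCollector trinity shaft vadimII vadimii vadim2 vadimI xdestroy xshock udp.pl trash trash2 synsend synk synk7 synhose stream stream2 smurf5 smurf6 smack slice2 slice3 sl2 sl3 rc8 overdrop nestea juno da.sh bloop alpha udp2.pl fiberlamp'

#If possible, we use vzps. We fall back to standard `ps` in cases where vzps is not available (not all our servers have it)
# PS_ARGS / VZPS_ARGS are deliberately unquoted so they word-split into options.
PSOUT=""
if [ "$VZPS" -eq 1 ]; then
  # shellcheck disable=SC2086
  PSOUT=$("$VZPS_BIN" $PS_ARGS $VZPS_ARGS)
else
  # shellcheck disable=SC2086
  PSOUT=$("$PS_BIN" $PS_ARGS)
fi

# One fixed-string pattern per name (-F). The previous egrep alternation let the
# '.' in names such as dos2.pl act as a regex wildcard; -F matches the names
# literally. Matching is still substring-based, exactly as before, so a short
# name like "stream" or "alpha" also hits any unrelated command containing it —
# treat each hit as a lead to verify, not as proof.
# `tr -s` squeezes repeated blanks so the pattern file never contains an empty
# line (an empty -F pattern would match every process).
OUT=$(printf '%s\n' "$PSOUT" | grep -F -f <(tr -s ' ' '\n' <<<"$PROCS"))

# Walk the hits one line at a time. `read -r` neither globs nor interprets
# backslashes, unlike word-splitting "$OUT" on a newline IFS.
while IFS= read -r proc; do
  # A here-string always yields at least one (possibly empty) line.
  [ -n "$proc" ] || continue
  CTID="NaN"
  PID=""
  CMDLINE=""
  if [ "$VZPS" -eq 1 ]; then
    # vzps -E prepends the CTID column, shifting every `ps aux` column right by
    # one: CTID USER PID ... so COMMAND starts after 11 fields.
    # TODO(review): confirm the 11-field prefix on a vzps host.
    CTID=$(printf '%s\n' "$proc" | awk '{print $1}')
    PID=$(printf '%s\n' "$proc" | awk '{print $3}')
    CMDLINE=$(printf '%s\n' "$proc" | sed -E 's/^[[:space:]]*([^[:space:]]+[[:space:]]+){11}//')
  else
    # `ps aux`: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME, then COMMAND.
    # Stripping a fixed number of fields replaces the old "find two colons"
    # regex, which depended on START being a clock time (HH:MM) and therefore
    # returned the whole line for processes started on a previous day.
    PID=$(printf '%s\n' "$proc" | awk '{print $2}')
    CMDLINE=$(printf '%s\n' "$proc" | sed -E 's/^[[:space:]]*([^[:space:]]+[[:space:]]+){10}//')
  fi
  # Message is passed as a single quoted argument so the command line is logged
  # verbatim (no glob expansion, no whitespace collapsing).
  # The former wording "killed!" was inaccurate: nothing is killed here.
  # shellcheck disable=SC2086
  if [ "$CTID" != "0" ]; then
    "$LOGGER_BIN" $LOGGER_ARGS -- "Potentially abusive process <$CMDLINE>/$PID in CT $CTID detected (no action taken)" 2>>/var/log/abusers.log
  else
    "$LOGGER_BIN" $LOGGER_ARGS -- "Found odd process running under CT 0: <$CMDLINE>/$PID" 2>>/var/log/abusers.log
  fi
done <<<"$OUT"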