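#!/bin/bash
#
# abused — scan the process table of a (OpenVZ) host for command lines that
# look like well-known DoS / scanner / exploit tools and report each hit via
# logger(1) (and, because of -s, to stderr, which is appended to LOG_FILE).
#
# Uses vzps when present so the owning container (CTID) can be reported;
# falls back to plain `ps aux` on hosts without it.
#
# Required binaries: ps (or vzps), logger.
# Writes:            /var/log/abusers.log (stderr of logger -s).
#
# NOTE(review): KILL_BIN is resolved but never used, and the log line says
# "killed!" although no signal is ever sent. Confirm whether the kill step
# was dropped on purpose (report-only mode) — if so the wording of the log
# message misleads whoever reads the audit trail.
set -u -o pipefail

# Binaries
LOGGER_BIN=$(command -v logger)
LOGGER_ARGS=(-s -t abused)
VZPS=0
PS_BIN=$(command -v ps)
VZPS_BIN=""
if VZPS_BIN=$(command -v vzps); then
  VZPS=1
fi
# shellcheck disable=SC2034  # resolved but unused, see NOTE(review) above
KILL_BIN=$(command -v kill)
PS_ARGS=(aux)
VZPS_ARGS=(-E)
readonly LOG_FILE=/var/log/abusers.log

# Processes to report. Each token is matched as a plain substring of the
# full ps line (dots are escaped), so short tokens such as 'alpha', 'brute',
# 'stream' or 'trash' will also hit unrelated commands containing them —
# review hits before acting on them.
readonly PROCS='dos2.pl stealth kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo lool slap.pl brute pscan2 SpyEyeCollector trinity shaft vadimII vadimii vadim2 vadimI xdestroy xshock udp.pl trash trash2 synsend synk synk7 synhose stream stream2 smurf5 smurf6 smack slice2 slice3 sl2 sl3 rc8 overdrop nestea juno da.sh bloop alpha udp2.pl fiberlamp'

#######################################
# Turn the space-separated PROCS list into an extended regex alternation.
# Arguments: $1 - space-separated list of names
# Outputs:   the ERE (names joined by '|', literal dots escaped) on stdout
#######################################
build_pattern() {
  local list=$1
  local esc='\.'
  # '.' would otherwise match any character (dos.pl ~ dos-pl).
  list=${list//./"$esc"}
  printf '%s' "${list// /|}"
}

#######################################
# Split one ps/vzps line into CTID, PID and command line.
# Assumes the `ps aux` column layout (COMMAND is the 11th column) and that
# vzps -E prepends a CTID column in front of it (the original script read
# CTID from column 1 and PID from column 3, which implies exactly that).
# Arguments: $1 - 1 if the line came from vzps (has a CTID column), else 0
#            $2 - the ps line
# Outputs:   "<ctid>\t<pid>\t<cmdline>" on stdout; ctid is "NaN" without vzps
#######################################
parse_ps_line() {
  local have_ct=$1 line=$2
  local ctid="NaN" pid="" cmdline=""
  # read(1) keeps everything after the fixed columns in the last variable,
  # so a command line containing ':' or spaces is preserved verbatim.
  if [[ "$have_ct" -eq 1 ]]; then
    read -r ctid _ pid _ _ _ _ _ _ _ _ cmdline <<<"$line"
  else
    read -r _ pid _ _ _ _ _ _ _ _ cmdline <<<"$line"
  fi
  printf '%s\t%s\t%s\n' "$ctid" "$pid" "$cmdline"
}

#######################################
# Capture the process table, grep it for PROCS and log every hit.
# Globals:   PS_BIN, VZPS_BIN, VZPS, PS_ARGS, VZPS_ARGS, LOGGER_BIN,
#            LOGGER_ARGS, PROCS, LOG_FILE (all read)
# Returns:   1 when ps or logger is missing, 0 otherwise
#######################################
main() {
  local psout pattern matches line ctid pid cmdline

  if [[ -z "$PS_BIN" && -z "$VZPS_BIN" ]]; then
    printf 'abused: neither ps nor vzps found\n' >&2
    return 1
  fi
  if [[ -z "$LOGGER_BIN" ]]; then
    printf 'abused: logger not found\n' >&2
    return 1
  fi

  # Snapshot the table once so the grep below cannot match itself.
  if (( VZPS == 1 )); then
    psout=$("$VZPS_BIN" "${PS_ARGS[@]}" "${VZPS_ARGS[@]}")
  else
    psout=$("$PS_BIN" "${PS_ARGS[@]}")
  fi

  pattern=$(build_pattern "$PROCS")
  # grep exits 1 on no match; that is the normal "nothing found" case.
  matches=$(grep -E -- "$pattern" <<<"$psout") || matches=""

  while IFS= read -r line; do
    # A here-string always yields at least one (possibly empty) line.
    [[ -n "$line" ]] || continue
    IFS=$'\t' read -r ctid pid cmdline <<<"$(parse_ps_line "$VZPS" "$line")"

    # The message is passed as ONE quoted argument: the command line comes
    # from an untrusted process and must not be word-split or globbed.
    if [[ "$ctid" != "0" ]]; then
      "$LOGGER_BIN" "${LOGGER_ARGS[@]}" -- \
        "Potentially abusive process <$cmdline>/$pid in CT $ctid killed!" \
        2>>"$LOG_FILE"
    else
      "$LOGGER_BIN" "${LOGGER_ARGS[@]}" -- \
        "Found odd process running under CT 0: <$cmdline>/$pid" \
        2>>"$LOG_FILE"
    fi
  done <<<"$matches"
}

main "$@"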