#!/bin/bash
#########################################################################
# #
# Plugin name: check_slash_tmp_php_proc #
# Description: Plugin to check for rogue processes either running #
# in /tmp, executed with "./", or with a masked name. #
# Author: William Overko #
# Version: 20190801 #
# #
#########################################################################
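set -euo pipefail

# Pattern matched against each non-root line of `ps auwx`: the TIME column
# ("M:SS") followed by a command that starts with "./", lives in /tmp or
# /var/tmp, is "perl /tmp...", is "sh -c ./name", starts with "bash" or
# "proc", or is literally "[stealth]".  Kept verbatim from the original so
# detection behaviour is unchanged.
# NOTE(review): the unanchored "bash" alternative also matches ordinary
# non-login shells, so it is a known source of false positives.
readonly ROGUE_PROC_RE='[0-9]{1,4}:[0-9]{1,2}\ (\.\/|\/tmp|\/var\/tmp|perl \/tmp|(sh\ \-c){0,1}\ \.\/[a-zA-Z0-9]*|(bash|proc)|\[stealth\])'

#######################################
# Print the USER column of every process matching ROGUE_PROC_RE, one per
# line, de-duplicated.  Root-owned processes are excluded (grep -v '^root'),
# exactly as in the original check, so a rogue process running as root is
# not reported by this plugin.
# Globals:  ROGUE_PROC_RE (read)
# Outputs:  usernames on stdout; nothing when no process matches
#######################################
find_rogue_proc_users() {
  ps auwx \
    | grep -vE '^root' \
    | grep -E -- "$ROGUE_PROC_RE" \
    | awk '{print $1}' \
    | sort -u
}

#######################################
# Map a USER token from ps output to a login name.  ps prints a numeric
# UID, or a truncated "name+" form, when the name does not fit its column;
# getent resolves the numeric case.  When getent knows nothing about the
# token (e.g. the truncated form) the raw token is kept, so that no user is
# silently dropped from the alert (the original printed an empty name).
# Arguments: $1 - USER column value from ps
# Outputs:   login name (or the raw token) on stdout
#######################################
resolve_user_name() {
  local token=$1
  local entry
  if entry=$(getent passwd "$token") && [[ -n "$entry" ]]; then
    printf '%s\n' "${entry%%:*}"
  else
    printf '%s\n' "$token"
  fi
}

#######################################
# Entry point.  Takes ONE ps snapshot (the original ran ps twice, once for
# the list and once for the count, so the two could disagree) and reports
# in Nagios/Zabbix style.
# Outputs:  "OK: ..." or "CRITICAL: ..." on stdout
# Returns:  exits 0 when nothing matched, 2 otherwise
#######################################
main() {
  local -a raw_users=()
  local -a names=()
  local token

  mapfile -t raw_users < <(find_rogue_proc_users)

  if (( ${#raw_users[@]} == 0 )); then
    printf 'OK: No processes found.\n'
    exit 0
  fi

  for token in "${raw_users[@]}"; do
    names+=("$(resolve_user_name "$token")")
  done

  # Message kept byte-compatible with the original plugin output
  # (including the double space after the colon); names are joined with
  # a single space instead of the stray newlines the original produced.
  printf 'CRITICAL: Processes running under the following usernames:  %s.\n' "${names[*]}"
  exit 2
}

main "$@"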