Mini Shell

Direktori : /proc/self/root/opt/sharedrads/extras/
Upload File :
Current File : //proc/self/root/opt/sharedrads/extras/defacement_scan

#!/bin/bash

#load functions + banners
if [ -f /opt/sharedrads/radsfunctions.sh ]; then
    source /opt/sharedrads/radsfunctions.sh
else
    source /opt/dedrads/radsfunctions.sh
fi

if [ "$RADSCOLORS" == "off" ]; then
    radsbanner-nocolor
    echo "WARNING: THIS TOOL IS NOT TO BE USED WITHOUT THE APPROVAL OF A TIER III ADMIN"
else
    radsbanner
    echo "WARNING: THIS TOOL IS NOT TO BE USED WITHOUT THE APPROVAL OF A TIER III ADMIN"
fi

function usage {
    echo
    echo "This script will scan a partition for infected/defaced pages and compile a list."
    echo "Usage: defacement_scan.sh [TARGET] <options>"
    echo
    echo " TARGET:  partition to scan for infected/defaced pages (this is typically /home)"
    echo
    echo "options:"
    echo "    --quick \"pattern\"       performs a quick scan of ~/public_html/index.* files"
    echo "    --docroots \"pattern\"    performs scan in ALL document roots as found in httpd.conf"
    echo "    --wget \"pattern\"     performs a wget on all domains found in /etc/userdomains"
    echo "     --size \"bytes\"      scans the target partition for all indexes by exact size"
    echo
}

test -z $1 && usage && echo "ERROR: You must supply a target partition or any scan options." && echo && exit

TARGET=$1
IFS=$'\n';

SESSIONID=`date +%s`

function pleasewait {
echo -n 'Scanning in progress...'
sleep 1
echo -ne '....'
sleep 1
echo -ne '....'
sleep 1
echo -ne '...\n'
}

if [ "$2" == "--quick" ]; then
    # we have a scan method, lets setup the session log
    echo > /var/log/defacement.log.$SESSIONID
    echo
    echo " *** View the log for this session here: /var/log/defacement.log.$SESSIONID ***"
    echo

    # confirm our actions
    PATTERN="$3"

    if [ -z "$PATTERN" ]; then
    echo
    echo "ERROR:  Did not receive a valid PATTERN to scan for.  This scan method requires you to"
    echo "        find a common but unique string in the hacked content to scan for.  Try again."
    exit 0
fi


    # start scan
    pleasewait &
    for i in `ls -A /home` ; do grep -H "$PATTERN" /home/$i/public_html/index.* 2>/dev/null ; done >> /var/log/defacement.log.$SESSIONID

    # display results and log location
    INFECTEDCOUNT1=`wc -l /var/log/defacement.log.$SESSIONID | awk '{print $1}'`
    INFECTEDCOUNT2=`expr $INFECTEDCOUNT1 - 1`
    echo
    echo "                   **************** SCAN COMPLETE ****************  "
    echo
    echo " Found $INFECTEDCOUNT2 infected index files. Saved results in /var/log/defacement.log.$SESSIONID "
    echo
    exit 0
fi

if [ "$2" == "--docroots" ]; then
    # we have a scan method, lets setup the session log
    echo > /var/log/defacement.log.$SESSIONID
    echo
    echo " *** View the log for this session here: /var/log/defacement.log.$SESSIONID ***"
    echo

    # generate list of doc roots
    echo -n "Please wait.... Generating list of document root paths from httpd.conf... "
    if [ -f /etc/cpanel/ea4/is_ea4 ]; then
        grep DocumentRoot /etc/apache2/conf/httpd.conf | awk '{print $2}' > /tmp/.docrootscan.$SESSIONID
    else
        grep DocumentRoot /usr/local/apache/conf/httpd.conf | awk '{print $2}' > /tmp/.docrootscan.$SESSIONID
    fi
    sleep 1
    echo -n "Done!"
    echo ; echo

    # confirm our actions
    PATTERN="$3"

    if [ -z "$PATTERN" ]; then
        echo
        echo "ERROR:  Did not receive a valid PATTERN to scan for.  This scan method requires you to"
        echo "        find a common but unique string in the hacked content to scan for.  Try again."
        exit 0
    fi

    # start scan
    pleasewait &
    for docroot in `cat /tmp/.docrootscan.$SESSIONID` ; do grep -H "$PATTERN" $docroot/index* 2> /dev/null ; done >> /var/log/defacement.log.$SESSIONID
    rm -f /tmp/.docrootscan.$SESSIONID

    # display results and log location
    INFECTEDCOUNT1=`wc -l /var/log/defacement.log.$SESSIONID | awk '{print $1}'`
    INFECTEDCOUNT2=`expr $INFECTEDCOUNT1 - 1`
    echo
    echo "                   **************** SCAN COMPLETE ****************  "
    echo
    echo "Found $INFECTEDCOUNT2 infected index files. Saved results in /var/log/defacement.log.$SESSIONID "
    echo
    exit 0
fi

if [ "$2" == "--wget" ]; then

    # we have a scan method, lets setup the session log
    echo > /var/log/defacement.log.$SESSIONID
    echo
    echo " *** View or tail the log for this session here: /var/log/defacement.log.$SESSIONID ***"
    echo

    # confirm actions
    PATTERN="$3"

    if [ -z "$PATTERN" ]; then
        echo
        echo "ERROR:  Did not receive a valid PATTERN to scan for.  This scan method requires you to"
        echo "        find a common but unique string in the hacked content to scan for.  Try again."
        exit 0
    fi
    echo "WARNING: this is a thorough \"wget\" scan and will take awhile to complete..."
    echo

    # start scan notification
    pleasewait &

    # start wgets
    mkdir -p report.$(date --iso)
    for dom in $(cat /etc/userdomains|sed -e 's/://g'|awk '{print $1}'); do
        wget --tries 2 -O report.$(date --iso)/$dom http://$dom
    done

    egrep -Hci "$PATTERN" report.$(date --iso)/ >> /var/log/defacement.log.$SESSIONID

    # display results and log location
    INFECTEDCOUNT1=`wc -l /var/log/defacement.log.$SESSIONID | awk '{print $1}'`
    INFECTEDCOUNT2=`expr $INFECTEDCOUNT1 - 1`
    echo
    echo "                   **************** SCAN COMPLETE ****************  "
    echo
    echo "Found $INFECTEDCOUNT2 infected index files. Saved results in /var/log/defacement.log.$SESSIONID "
    echo
    exit 0

fi

if [ "$2" == "--size" ]; then

    # we have a scan method, lets setup the session log
    echo > /var/log/defacement.log.$SESSIONID
    echo
    echo " *** View or tail the log for this session here: /var/log/defacement.log.$SESSIONID ***"
    echo

    # confirm our actions
    BYTES="$3"

    if [ -z "$BYTES" ]; then
        echo
        echo "ERROR:  Did not receive a valid bytesize to scan for.  This scan method requires you to"
        echo "        find a common but unique byte size for the hacked content to scan for. Try again."
        exit 0
    fi
    echo 'WARNING: this is a thorough "find" scan and will take awhile to complete...'
    echo

    # start scan
    pleasewait &

    find $TARGET -name 'index*' -size $BYTES\c >> /var/log/defacement.log.$SESSIONID

    # display results and log location
    INFECTEDCOUNT1=`wc -l /var/log/defacement.log.$SESSIONID | awk '{print $1}'`
    INFECTEDCOUNT2=`expr $INFECTEDCOUNT1 - 1`
    echo
    echo "                   **************** SCAN COMPLETE ****************  "
    echo
    echo "Found $INFECTEDCOUNT2 infected index files. Saved results in /var/log/defacement.log.$SESSIONID "
    echo
    exit 0
fi

# no options were met, erroring out
usage
echo
echo "ERROR: You must supply a target partition and scan options."
echo
exit

Zerion Mini Shell 1.0