#!/bin/bash
# Load the shared RADS helper functions (banner printers etc.); the shared copy takes
# precedence over the dedicated-server copy when both exist.
if [[ -f /opt/sharedrads/radsfunctions.sh ]]; then
  source /opt/sharedrads/radsfunctions.sh
else
  source /opt/dedrads/radsfunctions.sh
fi
# Honour the operator's colour preference for the banner, then print the usage warning.
if [[ "$RADSCOLORS" == "off" ]]; then
  radsbanner-nocolor
else
  radsbanner
fi
echo "WARNING: THIS TOOL IS NOT TO BE USED WITHOUT THE APPROVAL OF A TIER III ADMIN"
# Print the command-line help text (leading and trailing blank line included) to stdout.
usage() {
  cat <<'EOF'

This script will scan a partition for infected/defaced pages and compile a list.
Usage: defacement_scan.sh [TARGET] <options>

 TARGET: partition to scan for infected/defaced pages (this is typically /home)

options:
 --quick "pattern" performs a quick scan of ~/public_html/index.* files
 --docroots "pattern" performs scan in ALL document roots as found in httpd.conf
 --wget "pattern" performs a wget on all domains found in /etc/userdomains
 --size "bytes" scans the target partition for all indexes by exact size

EOF
}
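# A first argument (the target partition) is mandatory. The check is quoted so a value
# containing spaces is not word-split, and the error path exits non-zero so a caller can
# tell a usage error from a completed scan (previously this exited 0).
if [[ -z "$1" ]]; then
  usage
  echo "ERROR: You must supply a target partition or any scan options."
  echo
  exit 1
fi
TARGET=$1
# Split only on newlines: the scan modes below iterate over command output one line at a time.
IFS=$'\n'
# Per-run identifier used to name the session log (/var/log/defacement.log.<epoch seconds>).
SESSIONID=$(date +%s)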
# Print a slow "Scanning in progress" indicator: the prefix, then three bursts of dots one
# second apart, then a newline. Meant to be started in the background while a scan runs.
pleasewait() {
  local burst
  printf 'Scanning in progress...'
  for burst in '....' '....' '...'; do
    sleep 1
    printf '%s' "$burst"
  done
  printf '\n'
}
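#######################################
# "Quick" scan: grep the per-account index files under one base directory.
# Arguments: $1 - directory holding the account home directories (e.g. /home)
#            $2 - grep pattern (basic regex) that identifies the defaced content
# Outputs:   matching lines as "path:line" on stdout, one per hit
#######################################
scan_home_indexes() {
  local base=$1 pattern=$2 homedir
  # Glob instead of parsing `ls -A`: the two dot patterns cover hidden entries, and a pattern
  # that matches nothing stays literal and is dropped by the -d test.
  for homedir in "$base"/* "$base"/.[!.]* "$base"/..?*; do
    [[ -d "$homedir" ]] || continue
    # -e keeps a PATTERN beginning with '-' from being parsed as a grep option. Accounts with
    # no (or unreadable) index files are skipped silently, as before.
    # NOTE(review): grep follows symlinks, so a user-planted symlink under public_html makes
    # this process read the link target; keep the session log unreadable to regular users.
    grep -H -e "$pattern" "$homedir"/public_html/index.* 2>/dev/null
  done
}

if [[ "$2" == "--quick" ]]; then
  LOGFILE="/var/log/defacement.log.$SESSIONID"
  # The log starts with one blank line; the hit count below subtracts it.
  echo > "$LOGFILE"
  echo
  echo " *** View the log for this session here: $LOGFILE ***"
  echo
  PATTERN="$3"
  if [[ -z "$PATTERN" ]]; then
    echo
    echo "ERROR: Did not receive a valid PATTERN to scan for. This scan method requires you to"
    echo " find a common but unique string in the hacked content to scan for. Try again."
    exit 1
  fi
  pleasewait &
  # NOTE: this mode always scans /home regardless of TARGET (unchanged from the original).
  scan_home_indexes /home "$PATTERN" >> "$LOGFILE"
  # Counts matching lines, so a file with several hits contributes more than one.
  INFECTEDCOUNT=$(( $(wc -l < "$LOGFILE") - 1 ))
  echo
  echo " **************** SCAN COMPLETE **************** "
  echo
  echo " Found $INFECTEDCOUNT infected index files. Saved results in $LOGFILE "
  echo
  exit 0
fi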
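#######################################
# Grep the index files in every DocumentRoot declared in an Apache config.
# Arguments: $1 - path to httpd.conf
#            $2 - grep pattern (basic regex) that identifies the defaced content
# Outputs:   matching lines as "path:line" on stdout, one per hit
#######################################
scan_docroot_indexes() {
  local conf=$1 pattern=$2 docroot
  # The list is streamed straight from the config: the old predictable /tmp/.docrootscan.<epoch>
  # file was written by root on a shared host, so any local user could pre-create it (or a
  # symlink) and either redirect the write or inject paths into the scan.
  # Only real DocumentRoot directives count (first field), not commented-out lines; surrounding
  # quotes are stripped, and duplicates (the same root on :80 and :443) are collapsed so a hit
  # is not logged and counted twice.
  while IFS= read -r docroot; do
    [[ -n "$docroot" ]] || continue
    grep -H -e "$pattern" "$docroot"/index* 2>/dev/null
  done < <(awk '$1 == "DocumentRoot" { gsub(/^"|"$/, "", $2); print $2 }' "$conf" | LC_ALL=C sort -u)
}

if [[ "$2" == "--docroots" ]]; then
  LOGFILE="/var/log/defacement.log.$SESSIONID"
  # The log starts with one blank line; the hit count below subtracts it.
  echo > "$LOGFILE"
  echo
  echo " *** View the log for this session here: $LOGFILE ***"
  echo
  PATTERN="$3"
  if [[ -z "$PATTERN" ]]; then
    echo
    echo "ERROR: Did not receive a valid PATTERN to scan for. This scan method requires you to"
    echo " find a common but unique string in the hacked content to scan for. Try again."
    exit 1
  fi
  # EasyApache 4 installs keep httpd.conf in a different location.
  if [[ -f /etc/cpanel/ea4/is_ea4 ]]; then
    HTTPDCONF=/etc/apache2/conf/httpd.conf
  else
    HTTPDCONF=/usr/local/apache/conf/httpd.conf
  fi
  if [[ ! -r "$HTTPDCONF" ]]; then
    echo "ERROR: cannot read $HTTPDCONF to build the list of document roots."
    exit 1
  fi
  echo "Scanning index files in every DocumentRoot listed in $HTTPDCONF ..."
  echo
  pleasewait &
  scan_docroot_indexes "$HTTPDCONF" "$PATTERN" >> "$LOGFILE"
  # Counts matching lines, so a file with several hits contributes more than one.
  INFECTEDCOUNT=$(( $(wc -l < "$LOGFILE") - 1 ))
  echo
  echo " **************** SCAN COMPLETE **************** "
  echo
  echo "Found $INFECTEDCOUNT infected index files. Saved results in $LOGFILE "
  echo
  exit 0
fi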
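#######################################
# List the domains from a cPanel-style userdomains file ("domain: user" per line).
# Arguments: $1 - path to the userdomains file
# Outputs:   one domain per line on stdout
#######################################
list_user_domains() {
  local file=$1 dom
  while IFS= read -r dom; do
    dom=${dom%%:*}
    dom=${dom//[[:space:]]/}
    # Keep only plausible hostnames. This drops the "*" catch-all entry (which an unquoted loop
    # would glob-expand into file names in the cwd) and anything that could escape the report
    # directory or look like a wget option once used as "report/<dom>".
    [[ "$dom" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] && printf '%s\n' "$dom"
  done < "$file"
}

#######################################
# Count case-insensitive pattern hits per fetched page in a report directory.
# Arguments: $1 - directory of pages written by wget, one file per domain
#            $2 - extended regex (case-insensitive) that identifies the defaced content
# Outputs:   "path:count" for every file with at least one hit; zero-hit files are omitted
#######################################
count_report_hits() {
  local dir=$1 pattern=$2
  # The old `egrep -Hci PATTERN dir/` ran grep on the directory itself without -r, which only
  # printed "Is a directory" and never found anything; grep the regular files inside instead.
  find "$dir" -maxdepth 1 -type f -exec grep -EHci -e "$pattern" -- {} + 2>/dev/null | grep -v ':0$'
}

if [[ "$2" == "--wget" ]]; then
  LOGFILE="/var/log/defacement.log.$SESSIONID"
  # The log starts with one blank line; the hit count below subtracts it.
  echo > "$LOGFILE"
  echo
  echo " *** View or tail the log for this session here: $LOGFILE ***"
  echo
  PATTERN="$3"
  if [[ -z "$PATTERN" ]]; then
    echo
    echo "ERROR: Did not receive a valid PATTERN to scan for. This scan method requires you to"
    echo " find a common but unique string in the hacked content to scan for. Try again."
    exit 1
  fi
  echo "WARNING: this is a thorough \"wget\" scan and will take awhile to complete..."
  echo
  pleasewait &
  # One report directory per calendar day, created in the current working directory (as before).
  REPORTDIR="report.$(date --iso)"
  mkdir -p "$REPORTDIR"
  while IFS= read -r dom; do
    # --timeout bounds how long one unresponsive site can stall the whole scan; stdin is
    # detached so wget cannot consume the domain list.
    wget --tries=2 --timeout=30 -O "$REPORTDIR/$dom" "http://$dom" </dev/null
  done < <(list_user_domains /etc/userdomains)
  count_report_hits "$REPORTDIR" "$PATTERN" >> "$LOGFILE"
  # One log line per page with at least one hit.
  INFECTEDCOUNT=$(( $(wc -l < "$LOGFILE") - 1 ))
  echo
  echo " **************** SCAN COMPLETE **************** "
  echo
  echo "Found $INFECTEDCOUNT infected index files. Saved results in $LOGFILE "
  echo
  exit 0
fi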
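#######################################
# Find regular files named index* whose size matches a find(1) -size byte spec.
# Arguments: $1 - directory/partition to walk
#            $2 - size in bytes, optionally prefixed with + or - as find understands it
#                 (validated by the caller)
# Outputs:   one matching path per line
#######################################
find_indexes_by_size() {
  local target=$1 bytes=$2
  # -type f: directories and symlinks named index* have sizes that mean nothing here.
  find "$target" -type f -name 'index*' -size "${bytes}c"
}

if [[ "$2" == "--size" ]]; then
  LOGFILE="/var/log/defacement.log.$SESSIONID"
  # The log starts with one blank line; the hit count below subtracts it.
  echo > "$LOGFILE"
  echo
  echo " *** View or tail the log for this session here: $LOGFILE ***"
  echo
  BYTES="$3"
  # Digits only (an optional +/- prefix is still accepted because find itself allows it);
  # anything else would previously have been handed to find verbatim.
  if [[ ! "$BYTES" =~ ^[+-]?[0-9]+$ ]]; then
    echo
    echo "ERROR: Did not receive a valid bytesize to scan for. This scan method requires you to"
    echo " find a common but unique byte size for the hacked content to scan for. Try again."
    exit 1
  fi
  if [[ ! -d "$TARGET" ]]; then
    echo
    echo "ERROR: target partition '$TARGET' is not a directory."
    exit 1
  fi
  echo 'WARNING: this is a thorough "find" scan and will take awhile to complete...'
  echo
  pleasewait &
  find_indexes_by_size "$TARGET" "$BYTES" >> "$LOGFILE"
  INFECTEDCOUNT=$(( $(wc -l < "$LOGFILE") - 1 ))
  echo
  echo " **************** SCAN COMPLETE **************** "
  echo
  echo "Found $INFECTEDCOUNT infected index files. Saved results in $LOGFILE "
  echo
  exit 0
fi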
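# No recognised scan option followed TARGET: print usage and fail with a non-zero status so a
# caller can tell this apart from a completed scan (previously a bare `exit` returned 0).
usage
echo
echo "ERROR: You must supply a target partition and scan options."
echo
exit 1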