One Hat Cyber Team

Your IP : 13.59.69.96

Server IP : 192.145.235.60

Server : Linux ngx365.inmotionhosting.com 5.14.0-427.33.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Aug 30 09:45:56 EDT 2024 x86_64

Server Software : Apache

PHP Version : 8.2.27

Buat File | Buat Folder

Dir : ~/opt/sharedrads/

Edit File: check_hacks

#!/usr/bin/bash

if [ "$1" == "--help" ]; then
    echo "You can pass --full to this to get some additional info,"
    echo "otherwise just run $0 to get the basic output."

fi

function separatorbar {
	echo "========================================================================================="
}

separatorbar
echo "= You must check the processes before killing them. Some processes could be legitimate! ="
separatorbar

echo;echo "Check for Obvious Hacks and masquerading perl processes (check before killing)"
separatorbar

for proc in $(ps auwx | awk '$1 == "nobody" || $1 ~/[a-z]+[0-9]+/{print $2}');
do
     echo $proc -  $(awk '{print $2 }'< /proc/${proc}/stat) - $(cat /proc/$proc/cmdline);
done 2>/dev/null |        awk '/perl/{print}'

echo;echo "Checking for daemonized user processes"
separatorbar
ps -ef | awk '!/gam_server/ && $3==1 && $1 ~ /[a-z]+[0-9]+/{print;}'

echo;echo "Checking for scripts bound to a shell, may display dead ptys, review with lsof -p PID"
separatorbar
ps aux | awk '/\/bin\/sh/ && !/mysql/ || /\/bin\/bash/ && !/\/opt\/|check_hacks/'

echo;echo "Checking netstat output"
separatorbar
netstat -plan|awk '/perl/ && /tcp/{printf "%25s %25s %15s %s \n", $4, $5, $6,$7,$NF}'

if [ "$1" == "--full" ]; then
	netstat -plan |
	awk '/tcp/ && $NF ~/[0-9]+\/.*$/ {gsub(/::ffff:/,"",$0)gsub(/\//,": ",$0);printf ("%20s %20s\n",$NF,$5);}' |
        sort -k1

fi