@andrewelkins
Created November 10, 2015 18:57
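#!/usr/bin/env bash
# Find running processes named like "crond<digits>" and, for each one,
# interactively offer to disable its executable, delete it, and kill the process.
shopt -s nocasematch  # make the y/n comparisons in [[ ]] case-insensitive

# PIDs of every process whose ps line matches "crond" followed by digits
procs=$(ps aux | grep -E '(crond[0-9]+)' | awk '{print $2}')
for pid in $procs; do
    # Resolve the executable behind the PID. The kernel appends " (deleted)"
    # to the link target when the file has been unlinked, so strip that suffix.
    path=$(readlink "/proc/$pid/exe")
    path=${path% (deleted)}
    if [ "$path" ]; then
        echo "Process $pid is running the suspected file $path:"
        if [ -f "$path" ]; then
            echo "$path is still present on the filesystem..."
            read -r -p "Would you like to prevent future execution of this file? (Y/n):" -e
            if [[ $REPLY != "n" ]]; then
                # Remove all permission bits so the file can no longer be executed
                chmod 000 -- "$path"
                echo "[ permissions changed: execution disabled ]"
            fi
            read -r -p "Would you like to delete $path? (y/N):" -e
            if [[ $REPLY = "y" ]]; then
                rm -f -- "$path"
                echo "[ deleted suspected file: $path ]"
            fi
        fi
        read -r -p "Would you like to kill this process? (y/N):" -e
        if [[ $REPLY = "y" ]]; then
            kill -9 "$pid"
            echo "[ suspected process $pid was killed ]"
        fi
    fi
done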