#!/bin/bash | |
# Author: Igor Andrade = [] | |
# Author: Thiago Dantas = [] | |
# | |
###### | |
# Date: 22/01/2021 - TechOps LatAm | |
# Version 0.1 - abusefinder | |
# | |
# Deep analysis of the main ports used by cPanel.
# Filters and analyses requests that may be an attack (xmlrpc, form abuse, and a high number of GET/POST requests).
# Checks the processes of a domain/account and shows the last seven days of statistics about processes that ran with high usage.
# For the full help, run 'abusefinder help'.
####################################################################### | |
# Usage text printed by the 'help' arm below. It is emitted through 'echo -e',
# so the \t escapes are expanded at print time; the ASCII banner is kept as-is.
HELPERRR="
___ _ ______ _ _
/ _ .| | | ___(_) | |
/ /_. . |__ _ _ ___ ___| |_ _ _ __ __| | ___ _ __
| _ | '_ '| | | / __|/ _ ' _| | | ._ ' / _' '/ _ ' .__|
| | | | |_) | |_| '__ ' __/ | | | | | | (_| | __/ |
\_| |_/_.__/ '__,_|___/'___'_| |_|_| |_|'__,_|'___|_|
#######################################################################################
<options>
abusefinder | \t\t\t\t\tnull parameter means that script will collect GET/POST requests
abusefinder | ipstatistic\t\t\twill show an statistic with the ips that are connected, mail queue and mysql statistics
abusefinder | help\t\t\t\tshows this menu
abusefinder | version\t\t\t\t0.1b01
"
# ANSI colour codes stored as literal backslash sequences. They only become
# escape characters when printed with 'echo -e' (as every use below does);
# printing them with plain echo or printf '%s' would show the backslashes.
DEFAULTCOLOR="\033[0m"   # reset attributes
GREEN="\033[1;32m"       # bold green: section headings of the report
RED="\033[1;31m"         # bold red: warnings and quoted command hints
YELLOW="\033[1;33m"      # bold yellow: progress messages
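# Day stamp in Apache common-log format (e.g. 06/Jan/2022); every per-account
# request counter below only looks at today's lines.
TODAY=$(date '+%d/%b/%Y')

count_by_account() {
  # Count today's access-log lines per cPanel account and print the ten
  # busiest as "<count> /home/<user>/". Optional $1 and $2 are fixed
  # substrings every counted line must contain (e.g. "xmlrpc.php", "POST");
  # an empty argument means "no filter".
  #   - grep -H forces the file-name prefix even when xargs hands grep a
  #     single file; without it the "/home/<user>/" extraction found nothing
  #     for accounts with only one log file.
  #   - the ^ anchor counts the path prefix only; the original unanchored
  #     grep -o also emitted any "/home/..." that appeared inside a request URL.
  #   - -print0/-0 keep unusual file names intact; -F treats filters literally.
  local filter1=${1-} filter2=${2-}
  find /home/*/access-logs/ -type f ! -path '*ftp*' -print0 \
    | xargs -0 -r grep -H -F -- "$TODAY" \
    | awk -v f1="$filter1" -v f2="$filter2" \
        '(f1 == "" || index($0, f1)) && (f2 == "" || index($0, f2))' \
    | grep -Eo '^/home/[[:alnum:]_]+/' \
    | sort | uniq -c | sort -n | tail -10
}

top_usage() {
  # Top-5 accounts by CPU and by memory from the current dcpumonview page.
  # dcpumonview emits HTML table rows; after the tags are stripped, account
  # rows have exactly five fields (account, domain, CPU, memory, MySQL -- the
  # same column order the seven-day sed rewrite below assumes), and each is
  # prefixed with the account's OWNER read from /var/cpanel/users/<account>.
  local rows owner field
  rows=$(/usr/local/cpanel/bin/dcpumonview | grep -v Top | sed -e 's#<[^>]*># #g' \
    | while read -r -a field; do
        if (( ${#field[@]} == 5 )); then
          owner=$(grep -e "^OWNER=" "/var/cpanel/users/${field[0]}" | cut -d= -f2)
          echo "$owner ${field[*]}"
        fi
      done)
  # With the owner prefixed, column 4 is CPU and column 5 is memory.
  { echo "USER CPU"; sort -nrk4 <<<"$rows" | awk '{print $2,$4}' | head -5; } | column -t
  echo
  { echo "USER MEMORY"; sort -nrk5 <<<"$rows" | awk '{print $2,$5}' | head -5; } | column -t
}

port_top5() {
  # Print the five remote IPs with the most connections to local port $1
  # (labelled $2) from the netstat snapshot in $3. The port is matched
  # exactly on the local-address column, so ":21" no longer also counts
  # ":2121" or a matching port on the remote side, as the old "grep :21" did.
  local port=$1 label=$2 snapshot=$3
  printf '\n%s (%s):\n' "$label" "$port"
  awk -v port="$port" '$4 ~ (":" port "$") { split($5, a, ":"); print a[1] }' <<<"$snapshot" \
    | sort | uniq -c | sort -n | tail -n 5
}

section() {
  # Print a green heading ($1) and a dash-framed body ($2). The body is
  # printed verbatim (no escape processing), the heading through echo -e so
  # the colour codes are expanded.
  echo -e "${GREEN}\n$1${DEFAULTCOLOR}"
  echo -e "-------------------------------------"
  printf '%s\n' "$2"
  echo -e "-------------------------------------"
}

ataque() {
  # Server-wide abuse overview: per-account hit counters for today's access
  # logs plus the current dcpumonview top consumers.
  echo -e "${YELLOW}[*] Analysing the logs of accounts, please wait...${DEFAULTCOLOR}"
  echo -e "${YELLOW}[*] Hint: You can obtain details of executions of one account using ${RED}'abusefinder domain.com'${YELLOW} :)${DEFAULTCOLOR}"
  # The colour reset was missing on this line, so the rest of the terminal
  # output stayed red.
  echo -e "${YELLOW}[*] Hint: You can get too an analysis of connections, ports on the server and how many connections are active by this IP ${RED}'abusefinder ipstatistic'.${DEFAULTCOLOR}"
  echo -e "${YELLOW}[*] For see more details, type ${RED}'abusefinder help'${DEFAULTCOLOR}"
  sleep 1
  local cpuusage
  cpuusage=$(top_usage)
  section "xmlrpc.php requests(High value means something strange)." "$(count_by_account "xmlrpc.php")"
  section "System register on websites requests(High value means something strange)." "$(count_by_account "regist" "POST")"
  section "Contact forms without captcha?(High value means something strange)" "$(count_by_account "contato" "POST")"
  section "POST requests filtered and counted by account." "$(count_by_account "POST")"
  section "GET requests filtered and counted by account." "$(count_by_account "GET")"
  section "All requests GET/POST filtered and counted by account." "$(count_by_account)"
  section "Top 5 CPU Usage and Memory from now dcpumonview." "$cpuusage"
}

case "${1-}" in
  ipstatistic)
    # One netstat snapshot, kept in memory (the original wrote it to a
    # predictably named file in $HOME and deleted it afterwards), with
    # loopback, IPv6 and wildcard listeners dropped as before.
    snapshot=$(netstat -plan \
      | grep -v "127.0.0.1" | grep -v ":::" | grep -v "0.0.0.0" \
      | grep -E "[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}")
    port_top5 21  FTP   "$snapshot"
    port_top5 25  SMTP  "$snapshot"
    port_top5 26  SMTP  "$snapshot"
    port_top5 80  HTTP  "$snapshot"
    port_top5 110 POP3  "$snapshot"
    port_top5 143 IMAP  "$snapshot"
    port_top5 443 HTTPS "$snapshot"
    # NOTE(review): kept from the original; SMTPS is conventionally 465 -- confirm 965 is intended.
    port_top5 965 SMTPS "$snapshot"
    port_top5 995 POP3S "$snapshot"
    port_top5 993 IMAPS "$snapshot"
    echo -e "\n###Fila de E-mail###"; exim -bpc
    echo -e "\n###QUERYS e ESTATÍSTICAS###"; mysqladmin proc stat
    ;;
  help)
    clear
    echo -e "$HELPERRR"
    ;;
  *)
    if [[ -z "${1-}" ]]; then
      echo -e "${RED}\n[*] No accounts was choiced for an analysis of last executions on 7 days from an filter of dcpumonview, passing for next step.${DEFAULTCOLOR}\n\n\n"
      ataque
    else
      # Same shape as the original check (label[.-]label...tld) but with '-'
      # actually allowed: inside a bracket expression a backslash is literal,
      # so the original "[[:alnum:]\-\.]" made "\-\" a one-character range and
      # rejected hyphenated domains. $1 is later handed to grep and printed,
      # so this allow-list check is what keeps user input out of patterns.
      domain_re='^[[:alnum:]]+[[:alnum:].-]+[[:alnum:]]+\.[[:alpha:]]+$'
      if [[ "$1" =~ $domain_re ]]; then
        domain=$1
        echo -e "You entered a valid domain: $domain proceeding..."
        sleep 1
        # Seven one-day windows, today first: start = now - (k-1) days,
        # end = start + 1 day. dcpumonview takes epoch seconds directly, so
        # the original's "date -d @$s +%s" round-trip is unnecessary.
        now=$(date +%s)
        for k in {1..7}; do
          win_start=$(( now - (k - 1) * 86400 ))
          win_end=$(( win_start + 86400 ))
          date -Idate -d "@$win_start"
          /usr/local/cpanel/bin/dcpumonview "$win_start" "$win_end" \
            | sed -r -e 's@^<tr bgcolor=#[[:xdigit:]]+><td>(.*)</td><td>(.*)</td><td>(.*)</td><td>(.*)</td><td>(.*)</td></tr>$@Account: \1\tDomain: \2\tCPU: \3\tMem: \4\tMySQL: \5@' -e 's@^<tr><td>Top Process</td><td>(.*)</td><td colspan=3>(.*)</td></tr>$@\1 - \2@' \
            | grep -F -A3 -- "$domain"
        done
      else
        echo -e "This is not a valid domain, sorry, please run the script again without errors" >&2
        exit 1
      fi
    fi
    ;;
esac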