#!/bin/bash
# Author: Igor Andrade = []
# Author: Thiago Dantas = []
#
######
# Date: 22/01/2021 - TechOps LatAm
# Version 0.1 - abusefinder
#
# Deep analysis on the main ports that are used by cPanel
# Filter and analysis of requests that can be an attack (xmlrpc, form attack, and high number of requests GET/POST)
# Verify the processes of a domain/account and show, for the last seven days, statistics about processes that were running with high usage
# To see the full help, type 'abusefinder help'
#######################################################################
# Banner plus option summary printed by 'abusefinder help'.
# It is emitted with `echo -e`, so the \t sequences inside become tabs; the
# ASCII-art banner therefore has to avoid backslash sequences that echo -e
# would interpret (the glyphs below are what the authors settled on).
HELPERRR="
___ _ ______ _ _
/ _ .| | | ___(_) | |
/ /_. . |__ _ _ ___ ___| |_ _ _ __ __| | ___ _ __
| _ | '_ '| | | / __|/ _ ' _| | | ._ ' / _' '/ _ ' .__|
| | | | |_) | |_| '__ ' __/ | | | | | | (_| | __/ |
\_| |_/_.__/ '__,_|___/'___'_| |_|_| |_|'__,_|'___|_|
#######################################################################################
<options>
abusefinder | \t\t\t\t\tnull parameter means that script will collect GET/POST requests
abusefinder | ipstatistic\t\t\twill show an statistic with the ips that are connected, mail queue and mysql statistics
abusefinder | help\t\t\t\tshows this menu
abusefinder | version\t\t\t\t0.1b01
"
# ANSI SGR escape sequences used to colour console output (reset, bold
# green/red/yellow). They are only meaningful when expanded by `echo -e`.
DEFAULTCOLOR="\033[0m"
GREEN="\033[1;32m"
RED="\033[1;31m"
YELLOW="\033[1;33m"
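# Dispatch on the first argument:
#   ipstatistic  -> connection / mail-queue / MySQL snapshot
#   help         -> usage banner
#   <empty>      -> today's per-account request counters + dcpumonview top-5
#   <domain>     -> seven daily dcpumonview windows for that domain
#
# The script reads every account's access logs, /var/cpanel/users/* and the
# process table with -p, so it only gives complete results as root.
# No `set -e`/pipefail: most pipelines end in grep/tail, which legitimately
# return non-zero when a filter matches nothing.
case "${1:-}" in
ipstatistic)
  # Socket-table snapshot written once to an unpredictable temp file. The
  # original used ~/$(date +%s): a guessable name in $HOME that was never
  # removed when the script was interrupted between creation and rm.
  snapshot=$(mktemp) || { echo "abusefinder: could not create a temp file" >&2; exit 1; }
  trap 'rm -f -- "$snapshot"' EXIT
  # Same exclusions as before: loopback, IPv6 wildcard and IPv4 wildcard
  # sockets are dropped and only lines carrying a dotted-quad address stay.
  netstat -plan \
    | grep -v "127.0.0.1" | grep -v ":::" | grep -v "0.0.0.0" \
    | grep -E "[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}" \
    > "$snapshot"

  # top_remote_ips PORT LABEL
  # Prints the five remote IPs holding the most sockets whose LOCAL port is
  # PORT. Matching netstat's local-address column (field 4) anchored at
  # ':PORT$' replaces the old `grep :21`, which also counted :210, :2121 and
  # any remote port that merely ended in "21".
  # The remote address (field 5) is cut at its first ':' exactly as before,
  # so an IPv4-mapped '::ffff:a.b.c.d' peer still yields an empty IP.
  top_remote_ips() {
    local port="$1" label="$2"
    printf '\n%s (%s):\n' "$label" "$port"
    awk -v want=":${port}\$" '$4 ~ want { split($5, peer, ":"); print peer[1] }' "$snapshot" \
      | sort | uniq -c | sort -n | tail -n 5
  }

  top_remote_ips 21 FTP
  top_remote_ips 25 SMTP
  top_remote_ips 26 SMTP
  top_remote_ips 80 HTTP
  top_remote_ips 110 POP3
  top_remote_ips 143 IMAP
  top_remote_ips 443 HTTPS
  # NOTE(review): 965 is kept as the original had it; the conventional SMTPS
  # port is 465 — confirm which one this platform actually listens on.
  top_remote_ips 965 SMTPS
  top_remote_ips 995 POP3S
  top_remote_ips 993 IMAPS
  echo -e "\n###Fila de E-mail###"
  exim -bpc
  echo -e "\n###QUERYS e ESTATÍSTICAS###"
  # mysqladmin takes its credentials from root's ~/.my.cnf; nothing is passed
  # on the command line, so no password is visible in `ps`.
  mysqladmin proc stat
  ;;
help)
  clear
  echo -e "$HELPERRR"
  ;;
*)
  # Log-date token as it appears in Apache access logs, e.g. "06/Jan/2022".
  today=$(date '+%d/%b/%Y')

  # count_by_account NEEDLE1 [NEEDLE2]
  # Prints "<hits> /home/<account>/" for the ten accounts with the most
  # access-log lines dated today that contain NEEDLE1 (and NEEDLE2 when
  # given) as fixed substrings, in ascending order.
  # Fixes versus the original pipeline:
  #  - find -print0 | xargs -0 survives file names with whitespace;
  #  - xargs -r never runs grep with zero files (which made grep read stdin);
  #  - grep -H keeps the file-name prefix even when only one file is passed,
  #    otherwise the account extraction below silently yields nothing;
  #  - the account is taken from the anchored file-name prefix only, not
  #    from a "/home/x/" that may appear inside the request URL.
  count_by_account() {
    local needle1="$1" needle2="${2:-}"
    find /home/*/access-logs/ -type f ! -path '*ftp*' -print0 \
      | xargs -0 -r grep -H -F -- "$today" \
      | awk -v a="$needle1" -v b="$needle2" \
          '(a == "" || index($0, a)) && (b == "" || index($0, b))' \
      | grep -E -o '^/home/[[:alnum:]_]+/' \
      | sort | uniq -c | sort -n | tail -n 10
  }

  # cpu_usage
  # Top-5 CPU and memory consumers from cPanel's dcpumonview for the current
  # window. After the HTML tags are stripped, the rows this script keeps are
  # the ones with exactly five fields (account, domain, CPU, memory, MySQL —
  # the same five cells the seven-day report below labels); the account's
  # OWNER= value from /var/cpanel/users is prepended before sorting.
  cpu_usage() {
    local rows row acct owner
    rows=$(/usr/local/cpanel/bin/dcpumonview | grep -v Top | sed -e 's#<[^>]*># #g' \
      | while read -r row; do
          [[ $(awk '{print NF}' <<<"$row") == 5 ]] || continue
          acct=$(awk '{print $1}' <<<"$row")
          # The account name comes from dcpumonview output and is used to
          # build a path; a cPanel username never contains '/', so skip
          # anything that would escape /var/cpanel/users/.
          [[ $acct == */* ]] && continue
          owner=$(grep -e "^OWNER=" "/var/cpanel/users/$acct" | cut -d= -f2)
          echo "$owner $row"
        done)
    { echo "USER CPU"; echo "$rows" | sort -nrk4 | awk '{print $2,$4}' | head -5; } | column -t
    echo
    { echo "USER MEMORY"; echo "$rows" | sort -nrk5 | awk '{print $2,$5}' | head -5; } | column -t
  }

  # print_section TITLE BODY — TITLE is echo -e'd (it carries colour codes),
  # BODY is log-derived data and is printed literally.
  print_section() {
    echo -e "$1"
    echo -e "-------------------------------------"
    printf '%s\n' "$2"
    echo -e "-------------------------------------"
  }

  # ataque
  # Full server-wide pass: today's request counters per account plus the
  # current dcpumonview top-5. Takes no arguments; writes to stdout.
  ataque() {
    echo -e "${YELLOW}[*] Analysing the logs of accounts, please wait...${DEFAULTCOLOR}"
    echo -e "${YELLOW}[*] Hint: You can obtain details of executions of one account using ${RED}'abusefinder domain.com'${YELLOW} :)${DEFAULTCOLOR}"
    echo -e "${YELLOW}[*] Hint: You can get too an analysis of connections, ports on the server and how many connections are active by this IP ${RED}'abusefinder ipstatistic'."
    echo -e "${YELLOW}[*] For see more details, type ${RED}'abusefinder help'${DEFAULTCOLOR}"
    sleep 1
    local cpu xmlrpc register register2 post get req
    cpu=$(cpu_usage)
    xmlrpc=$(count_by_account "xmlrpc.php")
    register=$(count_by_account "regist" "POST")
    register2=$(count_by_account "contato" "POST")
    post=$(count_by_account "POST")
    get=$(count_by_account "GET")
    req=$(count_by_account "")
    print_section "${GREEN}\nxmlrpc.php requests(High value means something strange).${DEFAULTCOLOR}" "$xmlrpc"
    print_section "${GREEN}\n System register on websites requests(High value means something strange).${DEFAULTCOLOR}" "$register"
    print_section "${GREEN}\nContact forms without captcha?(High value means something strange)${DEFAULTCOLOR}" "$register2"
    print_section "${GREEN}\nPOST requests filtered and counted by account.${DEFAULTCOLOR}" "$post"
    print_section "${GREEN}\nGET requests filtered and counted by account.${DEFAULTCOLOR}" "$get"
    print_section "${GREEN}\nAll requests GET/POST filtered and counted by account.${DEFAULTCOLOR}" "$req"
    print_section "${GREEN}\nTop 5 CPU Usage and Memory from now dcpumonview.${DEFAULTCOLOR}" "$cpu"
  }

  # Accepted domain shape: label chars, dots and hyphens, ending in an
  # alphabetic TLD. This is the only guard between argv and the grep below,
  # so it must stay restrictive. The original bracket expression
  # "[[:alnum:]\-\.]" is read by POSIX grep with a literal backslash (not an
  # escaped hyphen), so hyphenated domains such as my-site.com were rejected
  # while a backslash was let through; the hyphen is now accepted explicitly.
  domain_re='^[[:alnum:]]+[[:alnum:].-]+[[:alnum:]]+\.[[:alpha:]]+$'
  if [[ -z "${1:-}" ]]; then
    echo -e "${RED}\n[*] No accounts was choiced for an analysis of last executions on 7 days from an filter of dcpumonview, passing for next step.${DEFAULTCOLOR}\n\n\n"
    ataque
  elif [[ "$1" =~ $domain_re ]]; then
    echo -e "You entered a valid domain: $1 procceding..."
    sleep 1
    domain="$1"
    now=$(date +%s)
    # Seven daily dcpumonview windows, newest first. The boundaries are the
    # ones the original computed: for k=1 the window runs from now to
    # now+1 day, for k=2 from now-1 day to now, and so on.
    # NOTE(review): whether dcpumonview expects the first window to reach
    # into the future is not visible here — confirm against its docs.
    for ((k = 1; k <= 7; k++)); do
      start=$(( now - (k - 1) * 86400 ))
      end=$(( now - (k - 2) * 86400 ))
      date -Idate -d "@$start"
      # The domain is matched as a fixed string: with a regex match the
      # dots in it would act as wildcards and could pull in other accounts.
      /usr/local/cpanel/bin/dcpumonview "$start" "$end" \
        | sed -r -e 's@^<tr bgcolor=#[[:xdigit:]]+><td>(.*)</td><td>(.*)</td><td>(.*)</td><td>(.*)</td><td>(.*)</td></tr>$@Account: \1\tDomain: \2\tCPU: \3\tMem: \4\tMySQL: \5@' \
                 -e 's@^<tr><td>Top Process</td><td>(.*)</td><td colspan=3>(.*)</td></tr>$@\1 - \2@' \
        | grep -F -A3 -- "$domain"
    done
  else
    echo -e "This is not a valid domain, sorry, please run the script again without errors"
    exit 1
  fi
  ;;
esac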