Initial level DDG hack detection test
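#!/bin/bash
# Initial-level compromise check for a Linux account (DDG-style indicators).
#
# Usage: ./check.sh [username]
#   $1 - account to inspect; defaults to the invoking user (`id -un`).
#
# For the given user and for root, looks for the indicators this script
# already tracks: a `.systemd-login` file in the home directory, crontab
# entries that reference `/i.sh`, and an `/etc/cron.d/systemd` job. It then
# offers to quarantine `~/.ssh/authorized_keys` and reports the number of
# failed logins recorded in btmp. Findings are printed for the operator to
# forward to IT Support; nothing is sent anywhere automatically.
#
# Requires: bash, getent, and sudo (only for `lastb`, which reads
# /var/log/btmp).
set -uo pipefail

# Indicator strings kept in one place so they are easy to extend.
readonly DROPPER_FILE='.systemd-login'
readonly CRON_PATTERN='/i.sh'
readonly CRON_D_FILE='/etc/cron.d/systemd'
readonly BRUTE_THRESHOLD=10
readonly PAUSE_SECS=2

#######################################
# Pause so the previous section can be read, then print a separator.
#######################################
separator() {
  sleep "$PAUSE_SECS"
  echo "======================"
}

#######################################
# Resolve a user's home directory from the passwd database.
# Arguments: $1 - username
# Outputs:   home directory on stdout. Falls back to /root for root and
#            /home/<user> otherwise when the account cannot be resolved,
#            which matches the paths the original script hard-coded.
#######################################
home_of() {
  local user=$1 home
  home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
  if [[ -z "$home" ]]; then
    if [[ "$user" == "root" ]]; then
      home=/root
    else
      home="/home/$user"
    fi
  fi
  printf '%s\n' "$home"
}

#######################################
# Check a single crontab/cron file for the cron indicator.
# Arguments: $1 - file to inspect
# Outputs:   matching lines and a request to forward them, or the
#            "nothing found" message, on stdout
#######################################
check_cron_file() {
  local file=$1
  if [[ ! -f "$file" ]]; then
    echo "Good! Nothing Found"
    return 0
  fi
  # Only ask for a screenshot when the indicator is actually present;
  # previously the request was printed for any existing crontab, even a
  # clean one.
  if grep -F -- "$CRON_PATTERN" "$file"; then
    echo "Please send the screenshot of IP's to IT Support"
  else
    echo "Good! Nothing Found"
  fi
}

#######################################
# Run the dropper-file and crontab checks for one account.
# Arguments: $1 - username
#            $2 - that user's home directory
#######################################
check_user() {
  local user=$1 home=$2
  local dropper="$home/$DROPPER_FILE"

  echo "Verify logged in $user is compromised or not?"
  echo "Check for $dropper file"
  if [[ -f "$dropper" ]]; then
    echo "Found a malicious file systemd-login"
    echo "Run this command cat $dropper send screenshot to IT Support"
  else
    echo "Good! Nothing Found"
  fi
  separator

  echo "Verifying Cron Entry in Cron folder"
  check_cron_file "/var/spool/cron/$user"
  separator

  echo "Verifying Cron Entry in Crontabs folder"
  check_cron_file "/var/spool/cron/crontabs/$user"
  separator
}

#######################################
# Take ~/.ssh/authorized_keys out of service after operator confirmation.
# Arguments: $1 - home directory
# Inputs:    reads one line from stdin ("yes" confirms)
# Notes:     the file is moved aside rather than deleted so that any
#            attacker-added key stays available as evidence; sshd only
#            reads the configured authorized_keys name, not the copy.
#######################################
quarantine_authorized_keys() {
  local home=$1 input backup
  local keys="$home/.ssh/authorized_keys"
  echo "Removing $keys if present"
  echo "If you dont type yes than please cleanup the file manually"
  read -r input || input=""
  if [[ "$input" != "yes" ]]; then
    echo "Please clean the file asap"
    return 0
  fi
  if [[ -f "$keys" ]]; then
    backup="${keys}.quarantined.$(date +%s)"
    if mv -f -- "$keys" "$backup"; then
      echo "Moved $keys to $backup for IT Support review"
    fi
  fi
}

#######################################
# Count failed-login records in btmp.
# Outputs:   integer count on stdout (0 if lastb is unavailable)
# Notes:     `lastb` ends its output with a blank line and a
#            "btmp begins ..." footer; counting with plain `wc -l`
#            inflated the total by those lines, so they are filtered.
#            Reading /var/log/btmp needs root, hence sudo.
#######################################
count_failed_logins() {
  local count
  count=$(sudo lastb 2>/dev/null | grep -c -v -e '^$' -e '^btmp begins')
  printf '%s\n' "${count:-0}"
}

#######################################
# Entry point: run all checks for the given user, then for root, then
# report brute-force login volume.
# Arguments: $1 - username (optional, defaults to the invoking user)
#######################################
main() {
  local current_user=${1:-$(id -un)}
  local user_home root_home count
  user_home=$(home_of "$current_user")
  root_home=$(home_of root)

  check_user "$current_user" "$user_home"

  echo "Verifying Cron Entry in cron.d folder"
  check_cron_file "$CRON_D_FILE"
  separator

  quarantine_authorized_keys "$user_home"
  separator

  echo "Doing the same things for root user"
  check_user root "$root_home"
  quarantine_authorized_keys "$root_home"
  separator

  echo "Verifying Brute Login attempt"
  count=$(count_failed_logins)
  if (( count > BRUTE_THRESHOLD )); then
    echo "There were $count Brute Login attempts"
    echo "Please reset your password immediately with a strong password sense"
  else
    echo "Good! Nothing Found"
  fi
  echo "Done"
}

main "$@"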