Initial level DDG hack detection test
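#!/bin/bash
# Initial-level DDG compromise check for one login user and for root.
#
# Usage: check-ddg.sh [username]
#   $1 - user to check. The original contract was "pass `whoami`"; when the
#        argument is omitted the invoking user (`id -un`) is used instead of
#        silently probing "/home//.systemd-login".
#
# Indicators checked (all taken from the original script):
#   - a ~/.systemd-login marker file in the user's home
#   - cron entries fetching "/i.sh" in the per-user spool files and in
#     /etc/cron.d/systemd
#   - an unusually high number of failed logins recorded in btmp
# The only action taken is on ~/.ssh/authorized_keys, and only after the
# operator types "yes"; the file is moved aside (not deleted) so IT Support
# can still review which keys were planted.
#
# Environment (optional):
#   BRUTE_THRESHOLD - failed-login count that triggers a warning (default 10)
#   PAUSE_SECS      - seconds to pause between sections (default 2; 0 for
#                     non-interactive runs)

readonly SEPARATOR="======================"
readonly MARKER_FILE=".systemd-login"            # IoC: marker dropped in $HOME
readonly CRON_IOC="/i.sh"                        # IoC: stager pulled by cron
readonly BRUTE_THRESHOLD=${BRUTE_THRESHOLD:-10}
readonly PAUSE_SECS=${PAUSE_SECS:-2}

#######################################
# Print a line to stdout without echo's option/backslash surprises.
# Arguments: message words
#######################################
say() {
  printf '%s\n' "$*"
}

#######################################
# Pause so the operator can read a section, then print the separator.
# Globals:   PAUSE_SECS, SEPARATOR (read)
#######################################
section_break() {
  sleep "$PAUSE_SECS"
  say "$SEPARATOR"
}

#######################################
# Resolve a user's home directory from the passwd database.
# Arguments: $1 - username
# Outputs:   home directory on stdout. Falls back to the layout the original
#            script hard-coded (/root, /home/<user>) when the lookup fails
#            or getent is unavailable.
#######################################
home_of() {
  local user=$1 home
  home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
  if [[ -z "$home" ]]; then
    if [[ "$user" == root ]]; then
      home=/root
    else
      home="/home/$user"
    fi
  fi
  printf '%s\n' "$home"
}

#######################################
# Check one user's home for the .systemd-login marker file.
# Arguments: $1 - username, $2 - home directory
# Outputs:   verdict on stdout
#######################################
check_marker() {
  local user=$1 home=$2
  local marker="$home/$MARKER_FILE"
  say "Verify logged in $user is compromised or not?"
  say "Check for $marker file"
  if [[ -f "$marker" ]]; then
    say "Found a malicious file systemd-login"
    say "Run this command cat $marker send screenshot to IT Support"
  else
    say "Good! Nothing Found"
  fi
}

#######################################
# Grep one cron file for the /i.sh indicator.
# Arguments: $1 - section label, $2 - cron file path
# Outputs:   matching lines (if any) and a verdict on stdout
# Returns:   0 when nothing was found, 1 when a match was printed
#######################################
check_cron_file() {
  local label=$1 cron_file=$2
  say "Verifying Cron Entry in $label"
  if [[ ! -f "$cron_file" ]]; then
    say "Good! Nothing Found"
    return 0
  fi
  if [[ ! -r "$cron_file" ]]; then
    # Per-user spool files are root-only; say so instead of letting grep
    # fail quietly and reporting a false "nothing found".
    say "Cannot read $cron_file - re-run as root to verify it" >&2
    return 0
  fi
  # The original piped cat into grep and asked for a screenshot even when
  # nothing matched; the verdict now follows the actual grep result.
  if grep -F -- "$CRON_IOC" "$cron_file"; then
    say "Please send the screenshot of IP's to IT Support"
    return 1
  fi
  say "Good! Nothing Found"
  return 0
}

#######################################
# Offer to neutralise a user's authorized_keys file.
# Arguments: $1 - home directory
# Reads:     one line from stdin; only the exact answer "yes" acts
# Note:      the original `rm -f` destroyed the evidence. The file is now
#            renamed with a timestamp and set to mode 600 so sshd no longer
#            honours it but the planted keys can still be reviewed.
#######################################
quarantine_authorized_keys() {
  local home=$1
  local keys="$home/.ssh/authorized_keys" input quarantined
  say "Removing $keys if present"
  say "If you dont type yes than please cleanup the file manually"
  IFS= read -r input || input=""
  if [[ "$input" == "yes" ]]; then
    if [[ -f "$keys" ]]; then
      quarantined="$keys.quarantined.$(date +%Y%m%d%H%M%S)"
      if mv -- "$keys" "$quarantined" && chmod 600 "$quarantined"; then
        say "Moved $keys to $quarantined for IT Support review"
      else
        say "Failed to move $keys - please clean the file manually" >&2
      fi
    fi
  else
    say "Please clean the file asap"
  fi
}

#######################################
# Run every per-user check for one account.
# Arguments: $1 - username
#######################################
check_user() {
  local user=$1 home
  home=$(home_of "$user")
  check_marker "$user" "$home"
  section_break
  check_cron_file "Cron folder" "/var/spool/cron/$user"
  section_break
  check_cron_file "Crontabs folder" "/var/spool/cron/crontabs/$user"
  section_break
  quarantine_authorized_keys "$home"
  section_break
}

#######################################
# Count failed logins recorded in btmp (root-only, hence sudo).
# Globals:   BRUTE_THRESHOLD (read)
# Outputs:   verdict on stdout; a warning on stderr if btmp is unreadable
#######################################
check_failed_logins() {
  local raw count
  say "Verifying Brute Login attempt"
  if ! raw=$(sudo lastb); then
    say "Could not read btmp (sudo lastb failed) - skipping this check" >&2
    return 0
  fi
  # lastb ends with a blank line and a "btmp begins ..." footer; the original
  # `wc -l` counted both as attempts. Count only the actual records.
  count=$(printf '%s\n' "$raw" | grep -c -v -e '^$' -e '^btmp begins')
  if (( count > BRUTE_THRESHOLD )); then
    say "There were $count Brute Login attempts"
    say "Please reset your password immediately with a strong password sense"
  else
    say "Good! Nothing Found"
  fi
}

#######################################
# Entry point.
# Arguments: $1 - username (optional, see header)
# Returns:   exit 2 on bad input, 0 otherwise
#######################################
main() {
  local user=${1:-}
  if [[ -z "$user" ]]; then
    user=$(id -un)
  fi
  # The name is spliced into filesystem paths; refuse anything that could
  # escape them or be taken as an option by the tools below.
  if [[ "$user" == */* || "$user" == -* || "$user" == .* ]]; then
    printf 'Invalid username: %s\n' "$user" >&2
    exit 2
  fi
  if [[ ! "$BRUTE_THRESHOLD" =~ ^[0-9]+$ ]]; then
    printf 'BRUTE_THRESHOLD must be a non-negative integer, got: %s\n' \
      "$BRUTE_THRESHOLD" >&2
    exit 2
  fi

  check_user "$user"
  # /etc/cron.d is system-wide, so it is checked once rather than per user.
  check_cron_file "cron.d folder" "/etc/cron.d/systemd"
  section_break
  say "Doing the same things for root user"
  check_user root
  check_failed_logins
  say "Done"
}

main "$@"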