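#!/bin/bash
# sweeper.sh - searches the paths in DEFAULT_DIRS (or the TARGET arguments) for
# unwanted files, selected by an extension blacklist and/or a size threshold, and
# optionally deletes them. Whitelists of extensions and paths remove hits from the
# delete list before anything is touched.
#
# SECURITY NOTE: the script removes files, so it is normally run with enough
# privilege to delete other users' data. Check every variable below before the
# first run with -d; a dry run (-f/-s without -d) only lists and logs the hits.
#################
### VARIABLES ###
#################
######## YOU SHOULD CHANGE THE FOLLOWING VARIABLES SUITING YOUR NEEDS !!! ######
# Log files directory (must be writable by the user running the script).
# /tmp is world-writable: any local user can pre-create or symlink the log name,
# so a directory only the operator can write to (e.g. /var/log) is preferable.
# LOGDIR=/var/log
LOGDIR=/tmp
# Directory for the work files. The list of files to delete is written here, so
# the same world-writable caveat as for LOGDIR applies.
TMPDIR=/tmp
# Directories searched by default, if none are passed on the command line.
DEFAULT_DIRS=( /home /profiles )
# Extensions considered unwanted (blacklist); matching files go to the delete list.
DEFAULT_BLACKLIST_EXT=( exe zip rar avi mp3 mpg mpeg )
# Extensions that are never deleted (whitelist), even when a file matches by size.
WHITELIST_EXT=( doc pdf ppt odf cpp pas )
# Paths that are left out of the delete list.
# WHITELIST_PATH=( /home/lehrerA /home/lehrerB )
WHITELIST_PATH=( /profiles/prof1 /home/ordner2 )
######## YOU SHOULD __NOT__ HAVE TO CHANGE ANYTHING BEYOND THIS POINT !!! ######
# FLAGS (set from the command line options)
DELETE=0            # -d: really remove the files found
FILETYPE=0          # -f: search by blacklisted extension
INTERACTIVE=0       # -i: verbose output and a pause before the search
SIZE=0              # -s: size threshold in KB, 0 disables the size search
UNIQE_BLACKLIST=0   # -e: a custom blacklist replaces DEFAULT_BLACKLIST_EXT
# DEFAULTS (REMEMBER NOT TO TOUCH THESE, UNLESS YOU REALLY KNOW, WHAT YOU DO!)
# Copy the default search paths as an array; joining them into one string would
# make a path containing whitespace fall apart when it is expanded later.
TARGET=( "${DEFAULT_DIRS[@]}" )
BLACKLIST_EXT=
# Evaluate the date once so the three file names agree even across midnight.
RUN_DATE=$(date +%Y%m%d)
SW_TMP_FILE="$TMPDIR/$RUN_DATE.sweeper.tmp"   # work dump file (list of hits)
SW_TMP2_FILE="$TMPDIR/$RUN_DATE.sweeper.tmp2" # scratch file for the filters
SW_LOG_FILE="$LOGDIR/$RUN_DATE.sweeper.log"   # log file, appended to on every run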
### FUNCTIONS ###
# Print the usage text
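# Print the usage text to stdout.
# Reads: DEFAULT_DIRS, DEFAULT_BLACKLIST_EXT, WHITELIST_EXT (shown as the defaults).
# The synopsis now also lists -e/--extension, which the option parser accepts but
# the old text left out.
fn_print_help ()
{
    cat <<EOF
NAME
  sweeper.sh - search and delete unwanted files

SYNOPSIS
  sweeper [-d|--delete] [--help] [-s SIZE|--size=SIZE] [-e EXT|--extension=EXT]...
          [-f|--filetype] [-i|--interactive] [TARGET...]

DESCRIPTION
  This script searches for suspicious files in the paths
  ${DEFAULT_DIRS[@]} or in TARGET.
  Default suspicious files are: ${DEFAULT_BLACKLIST_EXT[@]}
  Default unsuspicious (trusted) files are: ${WHITELIST_EXT[@]}
  Nothing is deleted unless -d is given; without it the script only lists
  (and logs) the files it would delete.

OPTIONS
  -d --delete
      execute cleaning operation (delete suspicious files)
  -s --size=[SIZE IN KB]
      set a suspicious file size limit (files bigger than SIZE KB are hits)
  -f --filetype
      search for files with a blacklisted extension
  -e --extension=EXT
      add EXT to a custom blacklist (replaces the default list; repeatable)
  -i --interactive
      verbose output and a pause before the search starts
  --help
      display this help

EXAMPLES
  sweeper -fi
      search and list suspicious files in the ${DEFAULT_DIRS[@]}
      directory tree

  sweeper --size=4096 --filetype -i
      search for suspicious files in the ${DEFAULT_DIRS[@]} dirs.
      tree, including files bigger than 4MB

  sweeper -dfs 4096 /tmp
      search for suspicious and big files in /tmp, and delete them
      all

  sweeper -if -e bak -e jar
      replace the default blacklist file extensions and list the
      search results.
EOF
}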
# Print an error message to stderr and the log file, then exit with status 1
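# Print an error message to stderr, append it to the log file and abort.
# Arguments: $1 - the message.
# Reads:     SW_LOG_FILE.
# Exits:     always with status 1.
fn_print_error ()
{
    # printf with a quoted argument prints the message verbatim; the previous
    # unquoted `echo $1` word-split it and glob-expanded any '*' or '?' in it,
    # which matters because messages embed file names.
    printf '%s\n' "$1" | tee -a -- "$SW_LOG_FILE" >&2
    exit 1
}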
# Print a message only when the interactive flag (-i) is set
# Conditional output: print $1 on stdout when INTERACTIVE is "1", otherwise
# stay silent. Returns 0 in both cases.
# Arguments: $1 - the message.
# Reads:     INTERACTIVE.
fn_intact ()
{
    case "$INTERACTIVE" in
        1) echo "$1" ;;
    esac
}
# Add an extension to the custom (-e) blacklist and switch off the default list
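# Add one extension to the custom blacklist and mark the default list as replaced.
# Arguments: $1 - extension without the leading dot (e.g. "bak").
# Writes:    UNIQE_BLACKLIST=1; BLACKLIST_EXT as a space-separated string, which
#            is the form the search loop expands.
fn_add_blacklist ()
{
    UNIQE_BLACKLIST=1
    # Plain string append. The previous array round-trip re-expanded every
    # entry unquoted (so an extension like '*' was glob-expanded against the
    # current directory) and leaked a BLACKLIST_EXT2 global.
    if [[ -n "$1" ]]; then
        BLACKLIST_EXT="${BLACKLIST_EXT:+$BLACKLIST_EXT }$1"
    fi
}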
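# Show the help text and fail when the script is called without any argument.
if [[ $# -eq 0 ]]; then
    fn_print_help; exit 1
fi
# Normalise the command line with getopt. Its exit status is checked here,
# before `eval set --` discards it: an unknown option or a missing option
# argument used to be silently half-parsed and end in "Internal error!".
PHRASE_PARM=$(getopt -o dfe:s:i --long delete,filetype,extension:,size:,interactive,help -n "$0" -- "$@") \
    || { fn_print_help; exit 1; }
# Re-set the positional parameters to getopt's canonical form.
eval set -- "$PHRASE_PARM"
# Read the options into flags and variables; `--` marks the start of the targets.
while true; do
    case "$1" in
        -d|--delete)      DELETE=1; shift ;;
        -f|--filetype)    FILETYPE=1; shift ;;
        -e|--extension)   fn_add_blacklist "$2"; shift 2 ;;
        -s|--size)        SIZE=$2; shift 2 ;;
        -i|--interactive) INTERACTIVE=1; shift ;;
        --help)           fn_print_help; exit 0 ;;
        --)               shift; break ;;
        *)                echo "Internal error!" 1>&2; exit 1 ;;
    esac
done
# SIZE is interpolated into `find -size +${SIZE}k` and used in arithmetic, so
# reject anything that is not a non-negative integer instead of passing it on.
if [[ ! "$SIZE" =~ ^[0-9]+$ ]]; then
    fn_print_error "Size must be a non-negative integer in KB, got: $SIZE"
fi
# Quit, if neither the filetype nor the size search was requested.
if (( SIZE + FILETYPE == 0 )); then
    fn_print_help; exit 1
fi
# Remaining arguments replace the default search paths. Kept as an array so a
# path containing whitespace survives; the search loops still expand TARGET
# unquoted to stay compatible with the string form of the default.
if [[ $# -gt 0 ]]; then
    TARGET=( "$@" )
fi
# Use the default blacklist unless -e supplied a custom one. The unconditional
# echo of the default list that used to sit here was a debug leftover; the
# effective list is reported by fn_intact further down.
if [[ "$UNIQE_BLACKLIST" = "0" ]]; then
    BLACKLIST_EXT="${DEFAULT_BLACKLIST_EXT[*]}"
fi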
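# Report the effective working parameters (only visible with -i).
fn_intact "Delete Flag: $DELETE"
fn_intact "Filetype Flag: $FILETYPE"
fn_intact "Size: $SIZE KBytes (0 means no size-check)"
fn_intact "Interactive: $INTERACTIVE"
fn_intact "Target for sweeping: ${TARGET[@]}"
fn_intact "Costume Blacklist flag: $UNIQE_BLACKLIST"
fn_intact "Current Blacklist: ${BLACKLIST_EXT[@]}"
# With -i, pause so the operator can check the parameters before anything runs.
if [[ "$INTERACTIVE" = "1" ]]; then
    echo "Starting prasing of the command file, press Enter to continue.."
    read -r
fi
# Work files. The list written here is later fed to `rm -f`, and TMPDIR is
# usually world-writable, so a predictable date-based name (the previous
# scheme) lets another local user pre-create or symlink it and inject paths
# into the delete list. mktemp creates a fresh, mode-0600 file atomically.
SW_TMP_FILE=$(mktemp "$TMPDIR/sweeper.XXXXXX") \
    || fn_print_error "Could not create a temp file in $TMPDIR!"
SW_TMP2_FILE=$(mktemp "$TMPDIR/sweeper.XXXXXX") \
    || fn_print_error "Could not create a temp file in $TMPDIR!"
# Remove the work files on every exit path, including the error exits in
# fn_print_error that used to leave them behind.
trap 'rm -f -- "$SW_TMP_FILE" "$SW_TMP2_FILE"' EXIT
fn_intact "Creating files: $SW_TMP_FILE, $SW_TMP2_FILE and $SW_LOG_FILE"
# The log file is appended to across runs.
if [[ -f "$SW_LOG_FILE" ]]; then
    fn_intact "Seems, this is not the first run today, right? Will append to log file on this run."
fi
# NOTE(review): the log name is still predictable; with LOGDIR in a shared
# directory a symlink planted there would redirect the appends. Point LOGDIR at
# an operator-only directory.
touch -- "$SW_LOG_FILE" || fn_print_error "Could not create/access $SW_LOG_FILE file!"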
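# Extension search: one find per (extension, target) pair, hits appended to the
# work file one path per line.
# BLACKLIST_EXT and TARGET are expanded unquoted on purpose: both may be a
# space-separated string rather than an array (see the defaults and -e
# handling above). Paths containing whitespace or newlines are therefore not
# supported by the line-oriented work file.
if [[ "$FILETYPE" = "1" ]]; then
    for ARG_EXT in ${BLACKLIST_EXT[@]}; do
        for ARG_PATH in ${TARGET[@]}; do
            # `! -type d`: a directory named like a blacklisted file (e.g. a
            # folder "music.mp3") cannot be removed by rm -f and used to abort
            # the whole delete run when it was reached.
            find "$ARG_PATH" ! -type d -iname "*.$ARG_EXT" -print >> "$SW_TMP_FILE"
        done
    done
fi
# Size search: everything bigger than SIZE KB, regardless of extension
# (SIZE=0 disables it). find never prints empty lines, so the old
# `echo "$(find ...)" | grep -v "^$"` detour is not needed.
if [[ "$SIZE" != "0" ]]; then
    for ARG_PATH in ${TARGET[@]}; do
        find "$ARG_PATH" ! -type d -size +"${SIZE}"k -print >> "$SW_TMP_FILE"
    done
fi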
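# Filter the whitelists out of the hit list, drop empty lines and duplicates
# (a file can be hit by both the extension and the size search).
fn_intact "Filtering whitelist.."
: > "$SW_TMP2_FILE"
# IFS= read -r keeps leading blanks and backslashes in file names intact.
while IFS= read -r LINE; do
    [[ -n "$LINE" ]] || continue
    KEEP=1
    # A whitelisted path protects the path itself and everything below it.
    # The previous `grep -v "$ENTRY"` matched the entry as an unanchored regex
    # anywhere in the path, so /home/ordner2 also protected /home/ordner22/...
    # and any file whose name merely contained the string.
    for ENTRY in "${WHITELIST_PATH[@]}"; do
        if [[ "$LINE" == "${ENTRY%/}" || "$LINE" == "${ENTRY%/}"/* ]]; then
            KEEP=0; break
        fi
    done
    if [[ "$KEEP" = "1" ]]; then
        # Only a real trailing extension counts, compared case-insensitively
        # like the `find -iname` search. The previous `grep -v ".$ENTRY"` had
        # an unescaped '.' and no anchor, so "doc" also whitelisted
        # /home/docs/evil.exe and "cpp" whitelisted foo.cpp.exe, while a
        # size hit named REPORT.PDF was not whitelisted at all.
        shopt -s nocasematch
        for ENTRY in "${WHITELIST_EXT[@]}"; do
            if [[ "$LINE" == *."$ENTRY" ]]; then
                KEEP=0; break
            fi
        done
        shopt -u nocasematch
    fi
    if [[ "$KEEP" = "1" ]]; then
        printf '%s\n' "$LINE" >> "$SW_TMP2_FILE"
    fi
done < "$SW_TMP_FILE"
# Delete double occurrences and write the final list back to the work file.
sort -u -- "$SW_TMP2_FILE" > "$SW_TMP_FILE"
: > "$SW_TMP2_FILE"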
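fn_intact ""
fn_intact ""
# The delete flag effect: remove every remaining entry, or just report them.
if [[ "$DELETE" = "1" ]]; then
    fn_intact "Starting delete process:"
    # IFS= read -r keeps leading blanks and backslashes in file names intact;
    # the old bare `read` mangled such names and made rm fail on them.
    while IFS= read -r ARG_DEL; do
        [[ -n "$ARG_DEL" ]] || continue
        # Defence in depth: the work file lives in a shared temp directory, so
        # only act on entries that lie under one of the sweep targets. find
        # prints hits prefixed with the target exactly as given.
        IN_TARGET=0
        for ARG_PATH in ${TARGET[@]}; do
            if [[ "$ARG_DEL" == "${ARG_PATH%/}" || "$ARG_DEL" == "${ARG_PATH%/}"/* ]]; then
                IN_TARGET=1; break
            fi
        done
        if [[ "$IN_TARGET" = "0" ]]; then
            echo "Skipped (outside sweep targets): ${ARG_DEL}" | tee -a -- "$SW_LOG_FILE" >&2
            continue
        fi
        # rm -f cannot remove a directory; log and continue instead of aborting
        # the whole run on the first one (a symlink to a directory is still a
        # plain unlink and goes through).
        if [[ -d "$ARG_DEL" && ! -L "$ARG_DEL" ]]; then
            echo "Skipped (is a directory): ${ARG_DEL}" | tee -a -- "$SW_LOG_FILE" >&2
            continue
        fi
        fn_intact "Deleting: ${ARG_DEL}"
        FILETMP=$(ls -lh -- "${ARG_DEL}")
        # `--` so a name starting with '-' is never taken as an rm option.
        rm -f -- "${ARG_DEL}" || fn_print_error "Was not able to delete file ${ARG_DEL}!"
        echo "Deleted: ${FILETMP}" >> "$SW_LOG_FILE"
    done < "$SW_TMP_FILE"
else
    fn_intact "These are the evil files I found and would delete, if you specify the delete option:"
    if [[ "$INTERACTIVE" = "1" ]]; then
        cat -- "$SW_TMP_FILE"
    fi
    {
        echo "------------"
        echo "Search only done on $(date)"
        echo "Here are the results (evil files, that would be deleted:"
        cat -- "$SW_TMP_FILE"
    } >> "$SW_LOG_FILE"
fi
fn_intact "Clearing temp file.."
rm -f -- "$SW_TMP_FILE" "$SW_TMP2_FILE" || fn_print_error "Could not delete a temp file!"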