HEX
Server: LiteSpeed
System: Linux s17246.sgp1.stableserver.net 5.14.0-611.45.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Apr 1 05:56:53 EDT 2026 x86_64
User: mykopera (1210)
PHP: 8.2.31
Disabled: NONE
Upload Files
File: //opt/sp_scripts/xmrig-autosuspend.sh
#!/bin/bash

TS=$(date)
LOG="/var/log/xmrigsuspend.log"

export PATH=$PATH:/usr/sbin
imunify360agent=$(which imunify360-agent)
os_version=$(cat /etc/redhat-release | grep -oP '\d+' | head -1)
os_id=$(grep '^ID=' /etc/os-release | cut -d '"' -f2)
malfiles='1.mcm.x86_64|xmrig|jun-socks.out'
inprocs='curl.*start.php'
vzlist=$(which vzlist)

if [ -z "$vzlist" ];then

    if [ "$os_version" -eq 6 ]; then

        cpuserspaths=`for i in $(ps -eo user,pid,etime,args --sort=start_time | awk '$3 ~ /^[0-9]+-[0-9]+:/ && $2 >= 7200 {print}'ok| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n |awk '{print $9}' | grep -E ''$malfiles'';done | sort | uniq`

        cpuserspaths2=`ps -eo user:20,pid,etime,args --sort=start_time | awk '$3 ~ /^[0-9]+-[0-9]+:/'ok | grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' | grep -E ''$inprocs'' | sort | uniq`

        cpusers=`echo "$cpuserspaths" | cut -d '/' -f3 | uniq`

        cpusers2=`echo "$cpuserspaths2" | awk '{print $1}' | uniq`

        cpusers="$cpusers"$'\n'"$cpusers2"

        if [[ ! -z $cpusers ]];then

            for cpuser in $cpusers; do
                cpdir=`echo "$cpuserspaths" | echo "$cpuserspaths2" | grep $cpuser` 
                /scripts/suspendacct $cpuser "xmrig detected in $cpdir"
                echo "======================================" >> $LOG
                echo "Suspended account for suspicious processes:" >> $LOG
                echo "$TS : Files: $(echo $cpdir)" >> $LOG

                if [ ! -z "$imunify360agent" ];then
                cpuserdir=$(grep $cpuser /etc/passwd | cut -d: -f6)
                imunify360-agent malware on-demand start --path $cpuserdir
                echo "Imunify360 detected on the server. Started scan in path $cpuserdir" >> $LOG
                fi

            done

        fi


    else

        cpuserspaths=`for i in $(ps -e -o user,pid,etimes,command --no-headers | awk '{if($3>7200) print $0}'| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n |awk '{print $9}' | grep -E ''$malfiles'';done | sort | uniq`

        cpuserspaths2=`ps -e -o user:20,pid,etimes,command --no-headers | grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' | grep -E ''$inprocs'' | sort | uniq`

        cpusers=`echo "$cpuserspaths" | cut -d '/' -f3 | uniq`

        cpusers2=`echo "$cpuserspaths2" | awk '{print $1}' | uniq`

        cpusers="$cpusers"$'\n'"$cpusers2"

        if [[ ! -z "$cpusers" ]];then

            for cpuser in $cpusers; do
                cpdir=`echo "$cpuserspaths" | echo "$cpuserspaths2" | grep $cpuser` 
                /scripts/suspendacct $cpuser "xmrig detected in $cpdir"
                echo "======================================" >> $LOG
                echo "Suspended account for suspicious processes:" >> $LOG
                echo "$TS : Files: $(echo $cpdir)" >> $LOG

                if [ ! -z "$imunify360agent" ];then
                cpuserdir=$(grep $cpuser /etc/passwd | cut -d: -f6)
                imunify360-agent malware on-demand start --path $cpuserdir
                echo "Imunify360 detected on the server. Started scan in path $cpuserdir" >> $LOG
                fi

            done

        fi

    fi
else
IFS=$'\n' 
    if [ "$os_version" -eq 6 ]; then

        vzpids=`for i in $(ps -eo user,pid,etime,args --sort=start_time | awk '$3 ~ /^[0-9]+-[0-9]+:/ && $2 >= 7200 {print}'ok| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n | grep -E ''$malfiles'' ;done | sort | uniq`

        if [ ! -z "$vzpids" ];then
            for vzpida in "$vzpids"; do
                if [[ ! -z $(ps -p $(echo $vzpida| awk '{print $2}')) ]];then
                    ctid=`vzpid $vzpida | awk '{print $2}'| tail -1` 
                    isrunning=`vzlist -a | grep $ctid | grep -o running`
                    isdisabled=`grep DISABLED /etc/vz/conf/$ctid.conf`
                    if [[ ! -z "$isrunning" ]] && [[ ! -z "$isdisabled" ]];then
                        vzctl stop "$ctid"
                        echo "DISABLED=\"yes\"" >> /etc/vz/conf/$ctid.conf
                        echo "======================================" >> $LOG
                        echo "TEST: Suspended account for suspicious processes:" >> $LOG
                        echo "$TS : CTID: $(echo $ctid) Files: $(echo $vzpida)" >> $LOG
                    fi
                fi
            done
        fi

    else

        vzpids=`for i in $(ps -e -o user,pid,etimes,command --no-headers | awk '{if($3>7200) print $0}'| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n | grep -E ''$malfiles'' ;done | sort | uniq`

        if [ ! -z "$vzpids" ];then
            for vzpida in "$vzpids"; do
                if [[ ! -z $(ps -p $(echo $vzpida| awk '{print $2}')) ]];then
                    ctid=`vzpid $vzpida | awk '{print $2}'| tail -1` 
                    isrunning=`vzlist -a | grep $ctid | grep -o running`
                    isdisabled=`grep DISABLED /etc/vz/conf/$ctid.conf`
                    if [[ ! -z "$isrunning" ]] && [[ ! -z "$isdisabled" ]];then
                        vzctl stop "$ctid"
                        echo "DISABLED=\"yes\"" >> /etc/vz/conf/$ctid.conf
                        echo "======================================" >> $LOG
                        echo "TEST: Suspended account for suspicious processes:" >> $LOG
                        echo "$TS : CTID: $(echo $ctid) Files: $(echo $vzpida)" >> $LOG
                    fi
                fi
            done
        fi

    fi
fi