File: //opt/sp_scripts/xmrig-autosuspend.sh
#!/bin/bash
TS=$(date)
LOG="/var/log/xmrigsuspend.log"
export PATH=$PATH:/usr/sbin
imunify360agent=$(which imunify360-agent)
os_version=$(cat /etc/redhat-release | grep -oP '\d+' | head -1)
os_id=$(grep '^ID=' /etc/os-release | cut -d '"' -f2)
malfiles='1.mcm.x86_64|xmrig|jun-socks.out'
inprocs='curl.*start.php'
vzlist=$(which vzlist)
if [ -z "$vzlist" ];then
if [ "$os_version" -eq 6 ]; then
cpuserspaths=`for i in $(ps -eo user,pid,etime,args --sort=start_time | awk '$3 ~ /^[0-9]+-[0-9]+:/ && $2 >= 7200 {print}'ok| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n |awk '{print $9}' | grep -E ''$malfiles'';done | sort | uniq`
cpuserspaths2=`ps -eo user:20,pid,etime,args --sort=start_time | awk '$3 ~ /^[0-9]+-[0-9]+:/'ok | grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' | grep -E ''$inprocs'' | sort | uniq`
cpusers=`echo "$cpuserspaths" | cut -d '/' -f3 | uniq`
cpusers2=`echo "$cpuserspaths2" | awk '{print $1}' | uniq`
cpusers="$cpusers"$'\n'"$cpusers2"
if [[ ! -z $cpusers ]];then
for cpuser in $cpusers; do
cpdir=`echo "$cpuserspaths" | echo "$cpuserspaths2" | grep $cpuser`
/scripts/suspendacct $cpuser "xmrig detected in $cpdir"
echo "======================================" >> $LOG
echo "Suspended account for suspicious processes:" >> $LOG
echo "$TS : Files: $(echo $cpdir)" >> $LOG
if [ ! -z "$imunify360agent" ];then
cpuserdir=$(grep $cpuser /etc/passwd | cut -d: -f6)
imunify360-agent malware on-demand start --path $cpuserdir
echo "Imunify360 detected on the server. Started scan in path $cpuserdir" >> $LOG
fi
done
fi
else
cpuserspaths=`for i in $(ps -e -o user,pid,etimes,command --no-headers | awk '{if($3>7200) print $0}'| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n |awk '{print $9}' | grep -E ''$malfiles'';done | sort | uniq`
cpuserspaths2=`ps -e -o user:20,pid,etimes,command --no-headers | grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' | grep -E ''$inprocs'' | sort | uniq`
cpusers=`echo "$cpuserspaths" | cut -d '/' -f3 | uniq`
cpusers2=`echo "$cpuserspaths2" | awk '{print $1}' | uniq`
cpusers="$cpusers"$'\n'"$cpusers2"
if [[ ! -z "$cpusers" ]];then
for cpuser in $cpusers; do
cpdir=`echo "$cpuserspaths" | echo "$cpuserspaths2" | grep $cpuser`
/scripts/suspendacct $cpuser "xmrig detected in $cpdir"
echo "======================================" >> $LOG
echo "Suspended account for suspicious processes:" >> $LOG
echo "$TS : Files: $(echo $cpdir)" >> $LOG
if [ ! -z "$imunify360agent" ];then
cpuserdir=$(grep $cpuser /etc/passwd | cut -d: -f6)
imunify360-agent malware on-demand start --path $cpuserdir
echo "Imunify360 detected on the server. Started scan in path $cpuserdir" >> $LOG
fi
done
fi
fi
else
IFS=$'\n'
if [ "$os_version" -eq 6 ]; then
vzpids=`for i in $(ps -eo user,pid,etime,args --sort=start_time | awk '$3 ~ /^[0-9]+-[0-9]+:/ && $2 >= 7200 {print}'ok| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n | grep -E ''$malfiles'' ;done | sort | uniq`
if [ ! -z "$vzpids" ];then
for vzpida in "$vzpids"; do
if [[ ! -z $(ps -p $(echo $vzpida| awk '{print $2}')) ]];then
ctid=`vzpid $vzpida | awk '{print $2}'| tail -1`
isrunning=`vzlist -a | grep $ctid | grep -o running`
isdisabled=`grep DISABLED /etc/vz/conf/$ctid.conf`
if [[ ! -z "$isrunning" ]] && [[ ! -z "$isdisabled" ]];then
vzctl stop "$ctid"
echo "DISABLED=\"yes\"" >> /etc/vz/conf/$ctid.conf
echo "======================================" >> $LOG
echo "TEST: Suspended account for suspicious processes:" >> $LOG
echo "$TS : CTID: $(echo $ctid) Files: $(echo $vzpida)" >> $LOG
fi
fi
done
fi
else
vzpids=`for i in $(ps -e -o user,pid,etimes,command --no-headers | awk '{if($3>7200) print $0}'| grep -vE '^root|grep|dovecot|gpg-agent|memcached|lsnode|pure-ftpd|newrelic|mongod|^dbus|^rpc|postgres|^mailman|^named|^icinga|wp-toolkit|^ossec|^polkitd|^mysql|^systemd|^chrony|cpanelsolr|^nscd|cpanelconnecttrack|redis-server|lsphp|exim|clamav|python3|caldav|CalendarServer|sftp-server|im360|sshd|sd-pam|/usr/lib/systemd/systemd|bash|wget|cpsrvd|zabbix|nagios|/usr/sbin/httpd|/usr/sbin/apache2|/usr/sbin/named|/lib/systemd/systemd|/usr/sbin/nscd|/usr/sbin/mysqld|/usr/bin/dbus-daemon|openvpn-openssl|/usr/sbin/rsyslogd|/usr/sbin/openvpn|nginx: worker process' |awk '{print $2}');do lsof -w -p $i -n | grep -E ''$malfiles'' ;done | sort | uniq`
if [ ! -z "$vzpids" ];then
for vzpida in "$vzpids"; do
if [[ ! -z $(ps -p $(echo $vzpida| awk '{print $2}')) ]];then
ctid=`vzpid $vzpida | awk '{print $2}'| tail -1`
isrunning=`vzlist -a | grep $ctid | grep -o running`
isdisabled=`grep DISABLED /etc/vz/conf/$ctid.conf`
if [[ ! -z "$isrunning" ]] && [[ ! -z "$isdisabled" ]];then
vzctl stop "$ctid"
echo "DISABLED=\"yes\"" >> /etc/vz/conf/$ctid.conf
echo "======================================" >> $LOG
echo "TEST: Suspended account for suspicious processes:" >> $LOG
echo "$TS : CTID: $(echo $ctid) Files: $(echo $vzpida)" >> $LOG
fi
fi
done
fi
fi
fi