#!/bin/bash
# Developed by Brian Laskowski
# laskowski-tech.com
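#create color vars
yell='\e[33m'
gre='\e[32m'
whi='\e[0m'
#create log dir and log vars
logdir="/usr/local/minerchk"
mkdir -p -- "$logdir"
# One timestamp for both logs so a run's miner/coinhive logs always pair up
# (two separate `date` calls could straddle a minute boundary).
stamp=$(date +%y%m%d-%H%M)
log="${logdir}/miner.${stamp}.log"
log1="${logdir}/coinhive.${stamp}.log"
# The mail report is built in the root-owned log dir, not at a fixed /tmp name:
# this script runs as root, and a predictable path in world-writable /tmp lets
# any local user (e.g. the web account a miner already owns) plant a symlink
# that a root `>` redirect follows and truncates.
log2="${logdir}/minerchk.report"
#remote logging via sendmail
# The address the report (menu option 6) is mailed to is fetched from the
# project repository on first run and cached in $logdir/remotelog.
# NOTE(review): whoever controls that repository -- or the TLS path to it --
# decides where this host's hostname, process list and flagged files are sent;
# inspect $logdir/remotelog before using option 6.
# Fetch into a temp name and rename: `wget -O FILE` truncates FILE before the
# transfer starts, so a failed fetch used to leave an empty cache file that
# suppressed the retry on every later run.
if [[ ! -f "${logdir}/remotelog" ]]; then
  if wget -q -O "${logdir}/remotelog.tmp" https://raw.githubusercontent.com/Hestat/minerchk/master/remotelog; then
    mv -f -- "${logdir}/remotelog.tmp" "${logdir}/remotelog"
  else
    rm -f -- "${logdir}/remotelog.tmp"
  fi
fi
remotelog=
# $(<file) is the builtin equivalent of $(cat file); empty when the fetch failed
[[ -f "${logdir}/remotelog" ]] && remotelog=$(<"${logdir}/remotelog")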
#create formatting
div(){
  # Print $1 '=' characters with no trailing newline; used to build the
  # banner rules.  A non-numeric or negative count prints nothing, as before.
  local count=$1 rule=
  while (( ${#rule} < count )); do
    rule+='='
  done
  printf '%s' "$rule"
}
header(){
  # Section separator used both on screen and in the log files:
  # a blank line, a 40-character '=' rule, then another blank line.
  printf '\n%s\n\n' "$(div 40)"
}
# Short rule for inline sub-headings, and the green "Scanning ::" banner
# (leading newline kept; the trailing one is dropped by $(...) as before).
header2=$(div 3)
scanhead=$(printf '\n%b Scanning ::' "$gre")
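#check yara signatures
# The three freshness checks below compare the MD5 of each local copy with what
# the project repository serves right now.  This detects drift, not tampering:
# there is no signature to verify against, so the TLS connection to
# raw.githubusercontent.com is the only trust anchor for every file this script
# fetches and then trusts (yara rules, pool IP list, and -- via menu option 5 --
# the script itself, which runs as root).
mc_raw="https://raw.githubusercontent.com/Hestat/minerchk/master"

# remote_md5 URL : md5 of the body served at URL; prints nothing and fails when
# the fetch fails.  -f turns HTTP errors into failures so an error page is never
# hashed and mistaken for new content.  The body is hashed byte-for-byte through
# the pipe (no $(...) newline stripping) so it stays comparable with md5sum of
# the file on disk.
remote_md5() {
  local out
  out=$(set -o pipefail; curl -fsS "$1" 2>/dev/null | md5sum) || return 1
  printf '%s\n' "${out%% *}"
}

# local_md5 FILE : md5 of FILE, or nothing when it does not exist yet (first run).
local_md5() {
  [[ -f "$1" ]] || return 1
  md5sum -- "$1" | awk '{print $1}'
}

# fetch_file URL DEST : download to DEST.tmp.PID and rename into place.
# `wget -O DEST` truncates DEST before the transfer starts, so a network failure
# mid-update used to leave an empty rule set behind; the rename keeps the old
# copy until the new one is complete.
fetch_file() {
  local tmp="$2.tmp.$$"
  if wget -q -O "$tmp" "$1"; then
    mv -f -- "$tmp" "$2"
  else
    rm -f -- "$tmp"
    echo -e "$yell Download of $1 failed; keeping the existing $2 $whi" >&2
    return 1
  fi
}

remotesig1=$(remote_md5 "$mc_raw/miners.yar")
localsig1=$(local_md5 /usr/local/minerchk/miners.yar)
if [[ -z "$remotesig1" ]]; then
  echo -e "$yell Could not reach the signature repository; using local Yara Signatures $whi"
elif [[ "$remotesig1" = "$localsig1" ]]; then
  echo -e "$gre Local Yara Signatures up to date $whi"
else
  echo -e "$gre Updating signatures $whi"
  fetch_file "$mc_raw/miners.yar" /usr/local/minerchk/miners.yar
  sleep 1
fi
#check IP signatures
remotesig2=$(remote_md5 "$mc_raw/ip-only.txt")
localsig2=$(local_md5 /usr/local/minerchk/ip-only.txt)
if [[ -z "$remotesig2" ]]; then
  echo -e "$yell Could not reach the signature repository; using local IP list $whi"
elif [[ "$remotesig2" = "$localsig2" ]]; then
  echo -e "$gre Local IP list up to date $whi"
  sleep 1
else
  echo -e "$gre Updating IP list $whi"
  fetch_file "$mc_raw/ip-only.txt" /usr/local/minerchk/ip-only.txt
  sleep 1
fi
#check if minerchk is up to date
# $remoteprogsig is reused by menu option 5 to confirm the self-update download;
# it is empty when the fetch failed, and option 5 must refuse to update then.
remoteprogsig=$(remote_md5 "$mc_raw/minerchk.sh")
localprogsig=$(local_md5 /usr/local/minerchk/minerchk)
if [[ -z "$remoteprogsig" ]]; then
  echo -e "$yell Could not check for a newer Minerchk version $whi"
elif [[ "$remoteprogsig" = "$localprogsig" ]]; then
  echo -e "$gre Minerchk is up to date $whi"
  sleep 1
else
  echo -e "$yell Newer version of Minerchk available, please use option 5 to update $whi"
  sleep 10
fi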
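####### Flags for other options ######
# -d DIR   : scan DIR for miners (yara rules via clamscan when it is installed,
#            otherwise a grep for the stratum pool URL scheme) and exit.
#            Hits are appended to $log.
# no flags : fall through to the interactive menu below.
# Exit status: 0 after a scan, 2 on a usage error (the original returned 0 for
# an unknown flag, which hid the mistake from callers).
while getopts ":d:" opt; do
  case "$opt" in
    d)
      direct=$OPTARG
      if [[ ! -d "$direct" ]]; then
        echo "minerchk: not a directory: $direct" >&2
        exit 2
      fi
      printf '%s\n' "$scanhead"
      # command -v replaces `[[ -x $(which clamscan) 2>/dev/null ]]`: a
      # redirection is not valid inside [[ ]] (bash reports a syntax error for
      # it), so the original line could not be parsed, and `which` is the
      # non-portable probe anyway.
      if command -v clamscan >/dev/null 2>&1; then #use clamav and yara
        echo -e "$gre ClamAV installed using clamscan for scanning \n"
        clamscan -ir --no-summary -l "$log" -d /usr/local/minerchk/miners.yar "$direct"
      else
        # -r, not -R: do not follow symlinks inside a tree an attacker may control
        # (a link loop or a link to a device would hang the scan).
        grep -r -- 'stratum+tcp' "$direct" >>"$log" 2>/dev/null
      fi
      exit 0
      ;;
    :)
      echo "Option -$OPTARG requires a directory argument" >&2
      echo "Usage: -d scan a directory for miners, otherwise use without flags to bring up the main menu" >&2
      exit 2
      ;;
    \?)
      echo "Usage: -d scan a directory for miners, otherwise use without flags to bring up the main menu" >&2
      exit 2
      ;;
  esac
done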
#drop environment data into logs for easier identification
# Both scan logs open with a banner and the hostname, so a report mailed
# off-box can be tied back to the machine it came from; the report file
# itself starts with the mail subject line that option 6 sends.
{ header; hostname; header; } > "$log"
{ header; hostname; header; } > "$log1"
echo "Subject: [ALERT] Cryptominer report" > "$log2"
#start menu
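# ---- Menu actions ----------------------------------------------------------
# Each action reads the globals set up earlier in this file: the colour codes
# ($yell/$gre/$whi), the banner helpers (header, $header2, $scanhead), the log
# paths ($log, $log1, $log2), the report recipient ($remotelog) and the
# upstream script hash captured at start-up ($remoteprogsig).
mc_raw="https://raw.githubusercontent.com/Hestat/minerchk/master"
mc_yara="/usr/local/minerchk/miners.yar"
mc_iplist="/usr/local/minerchk/ip-only.txt"

# scan_tree DIR... : yara scan via clamscan when it is installed, otherwise a
# grep for the stratum pool URL scheme that miner configs and binaries carry.
# Hits are appended to $log (clamscan also prints them to the terminal).
scan_tree() {
  printf '%s\n' "$scanhead"
  if command -v clamscan >/dev/null 2>&1; then
    echo -e "$gre ClamAV installed using clamscan for scanning \n"
    clamscan -ir --no-summary -l "$log" -d "$mc_yara" "$@"
  else
    # -r, not -R: the trees scanned here (/tmp, web roots) are writable by the
    # account a miner already owns, and following symlinks there means a link
    # loop or a link to /dev/zero can hang the scan.  With -r GNU grep also
    # skips FIFOs and devices met during recursion.
    grep -ri -- 'stratum+tcp' "$@" >>"$log" 2>/dev/null
  fi
}

# for_each_docroot PATTERN FUNC : call FUNC once per existing directory matched
# by the glob PATTERN (e.g. "/home*/*/public_html/").  PATTERN is expanded
# here on purpose; a pattern with no matches or a missing directory is skipped.
for_each_docroot() {
  local pattern=$1 fn=$2 account
  # shellcheck disable=SC2086  # glob expansion of $pattern is the point
  for account in $pattern; do
    [[ -d "$account" ]] || continue
    "$fn" "$account"
  done
  echo
}

# scan_docroots FUNC : run FUNC on every site document root for the detected
# control panel (cPanel, Plesk), or on the Apache/Nginx defaults otherwise.
scan_docroots() {
  if command -v whmapi1 >/dev/null 2>&1; then #cPanel
    printf "%b" "cPanel detected\n"
    for_each_docroot "/home*/*/public_html/" "$1"
  elif command -v plesk >/dev/null 2>&1; then #Plesk
    printf "%b" "Plesk detected\n"
    for_each_docroot "/var/www/vhosts/*/httpdocs/" "$1"
  else #Core-Managed
    printf "%b" "Unknown control panel, assuming Apache and Nginx defaults\n"
    for_each_docroot "/var/www/html/" "$1"
    for_each_docroot "/usr/share/nginx/" "$1"
  fi
}

# Option 1: temp directories, running processes (connections to known pool IPs
# and known miner process names) and sockets on common pool ports.
quick_check() {
  local runmin ports port sockets
  echo -e "$yell $header2 Checking for miners in /tmp $header2"
  scan_tree /tmp /dev/shm /var/tmp
  header >>"$log"

  echo -e "$yell $header2 Checking for miners in running processes $header2"
  echo
  printf '%s\n' "$scanhead"
  echo
  # mktemp instead of the fixed /tmp/runmin: this runs as root, and a
  # predictable name in /tmp can be pre-created as a symlink by any local user.
  runmin=$(mktemp) || return 1
  : >"$runmin"
  if [[ -s "$mc_iplist" ]]; then
    # One lsof pass matched against the whole list as fixed strings -- an IP is
    # not a regex ('.' would match any byte).  The original re-ran lsof once per
    # IP and overwrote the result file each time, so only the last IP's matches
    # survived.  Blank/comment lines are dropped from the pattern set because an
    # empty pattern would match every open socket.
    lsof -nP 2>/dev/null \
      | grep -F -f <(grep -Ev '^[[:space:]]*(#|$)' "$mc_iplist") >"$runmin"
  fi
  # [m]inerd / [x]mr: the bracket keeps the grep process itself out of the
  # match, replacing the three `grep X | grep -v 'grep X'` pipelines.
  ps fauwx | grep -E -- '[m]inerd|[x]mr' >>"$runmin"
  cat "$runmin" >>"$log"
  cat "$runmin"
  rm -f -- "$runmin"
  echo

  echo -e "$yell $header2 Checking for common miner ports $header2"
  echo
  printf '%s\n' "$scanhead"
  ports=$(curl -fsS "$mc_raw/portlist.txt") || ports=
  if [[ -z "$ports" ]]; then
    echo -e "$yell Could not fetch the port list; skipping the port check $whi"
  else
    if command -v netstat >/dev/null 2>&1; then
      sockets=$(netstat -tpn 2>/dev/null)
    else
      sockets=$(ss -tpn 2>/dev/null)
    fi
    for port in $ports; do
      # The list is remote content: only pure digits are allowed into the
      # regex, and the match is anchored to ":PORT" so a PID or byte counter of
      # the same value in another column does not produce a false hit.
      [[ "$port" =~ ^[0-9]+$ ]] || continue
      grep -E -- ":${port}([^0-9]|$)" <<<"$sockets" >>"$log"
    done
  fi
  header >>"$log"
  echo -e "$yell $header2 Current Scan Results logged in the following file $header2 $gre"
  echo "$log"
  echo -e "$yell $header2 Hits in the Scan $header2 $gre"
  cat "$log"
}

# Option 2: deep scan of files under /home and of every site document root.
# Adapted from Mark Cunningham's module.
deep_scan() {
  printf "%b" "$yell=== Checking for miners in site files ==="
  printf "%b" "$gre"
  echo
  # Files directly under /home and one level below it (what `find /home/*
  # -maxdepth 1 -type f` covered), NUL-safe and with the filename always shown.
  find /home -mindepth 1 -maxdepth 2 -type f -exec grep -H -- 'stratum+tcp' {} + >>"$log" 2>/dev/null
  scan_docroots scan_tree
  echo -e "$yell $header2 Current Scan Results logged in the following file $header2 $gre"
  echo "$log"
  echo -e "$yell $header2 Hits in the Scan $header2 $gre"
  cat "$log"
}

# scan_site_coinhive DIR : option-3 per-site check for injected Coinhive
# loaders.  Uses $coin_re, the upstream coinhive.txt pattern set, which the
# caller has already checked is non-empty.
scan_site_coinhive() {
  local account=$1
  echo "Scanning :: $account"
  find "$account" -type f -name '*.php' -exec grep -EHw -- "$coin_re" {} + >>"$log1" 2>/dev/null
  # Search for any actual .js files
  find "$account" -name coinhive.min.js >>"$log1" 2>/dev/null
  grep -wri -- 'miner.start' "$account" >>"$log1" 2>/dev/null
}

# Option 3: Coinhive / crypto-jacking injection scan of site files.
# coinhive module
# Author: Mark David Scott Cunningham  | M | D | S | C |
#                                      +----+----+----+----+
# Created: 2017-12-24  Updated: 2017-12-24
# Purpose: To scan for files injected with coinhive content and coinhive .js files
# Based on work by Brian Laskowski, intended to assist Brian.
cryptojack_scan() {
  echo -e "$yell $header2 Checking for Crypto-jacking injections $header2 $gre\n"
  echo "This make take some time if you have many sites."
  echo
  touch "$log1"
  coin_re=$(curl -fsS "$mc_raw/coinhive.txt") || coin_re=
  # An empty pattern would make `grep -Ew` match every line of every .php
  # file and flood $log1 with false hits, so stop instead of scanning with it.
  if [[ -z "$coin_re" ]]; then
    echo -e "$yell Could not fetch the coinhive pattern list; skipping the injection scan $whi"
    return 1
  fi
  scan_docroots scan_site_coinhive
  echo -e "$yell $header2 Current Scan Results logged in the following file $header2 $gre"
  echo "$log1"
  echo -e "$yell $header2 Hits in the Scan $header2 $gre"
  cat "$log1"
}

# Option 4: block known pool endpoints -- via a CSF blocklist entry when CSF is
# installed, otherwise by pointing the pool hostnames at 127.0.0.1 in /etc/hosts.
inoculate() {
  local hostlist domain
  local host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
  if command -v csf >/dev/null 2>&1; then #CSF
    echo -e "$gre" "Config Server Firewall Detected\n"
    # Add the entry once; the original appended a duplicate on every run.
    if grep -q '^Minerchk|' /etc/csf/csf.blocklists 2>/dev/null; then
      echo "Minerchk blocklist already configured in /etc/csf/csf.blocklists"
    else
      {
        echo " "
        echo "#Minerchk"
        echo "#list to block known Monero miner pools"
        echo "Minerchk|86400|0|$mc_raw/ip-only.txt"
      } >>/etc/csf/csf.blocklists
      service csf restart
      service lfd restart
    fi
  else #Not CSF
    echo -e "$yell $header2 Mining domains will be added to hosts file to prevent DNS lookup $header2 $gre\n"
    hostlist=$(curl -fsS "$mc_raw/hostslist.txt") || hostlist=
    if [[ -z "$hostlist" ]]; then
      echo -e "$yell Could not fetch the hosts list; /etc/hosts left unchanged $whi"
      return 1
    fi
    # NOTE(review): this writes remote-controlled names into /etc/hosts as root,
    # so a tampered list could black-hole arbitrary hostnames (package mirrors,
    # your own sites).  Only syntactically valid hostnames are accepted and
    # each is added once, tagged so the entries can be found and removed.
    for domain in $hostlist; do
      [[ "$domain" =~ $host_re ]] || continue
      grep -qFw -- "$domain" /etc/hosts && continue
      echo "Blocking $domain in /etc/hosts.."
      echo "127.0.0.1 $domain #minerchk" >> /etc/hosts
    done
  fi
}

# Option 5: self-update.  Downloads to a temp file and only replaces the
# installed script when the download's MD5 matches the upstream hash captured
# at start-up, so a truncated or failed transfer never overwrites a working
# install (the original wrote straight over it with `wget -O`).
# NOTE(review): that hash came over the same channel minutes earlier, so this
# guards against transfer corruption, not against a tampered repository.
self_update() {
  local dest=/usr/local/minerchk/minerchk tmp newsig
  echo
  echo -e "$yell $header2 Updating Minerchk $header2 $gre"
  if [[ -z "$remoteprogsig" ]]; then
    echo -e "$yell Upstream hash unavailable (start-up fetch failed); not updating $whi"
    return 1
  fi
  tmp=$(mktemp "${dest}.XXXXXX") || return 1
  newsig=
  if wget -q -O "$tmp" "$mc_raw/minerchk.sh"; then
    newsig=$(md5sum -- "$tmp" | awk '{print $1}')
  fi
  if [[ -n "$newsig" && "$newsig" = "$remoteprogsig" ]]; then
    chmod 755 -- "$tmp"
    mv -f -- "$tmp" "$dest"
    ln -s "$dest" /usr/local/bin/minerchk 2> /dev/null
    echo
    echo -e "$header2 Update Successful! $header2"
    echo -e " Please restart Minerchk now $whi"
  else
    rm -f -- "$tmp"
    echo
    echo -e "$yell $header2 Something went wrong, try a manual reinstall $header2 $whi"
  fi
}

# Option 6: mail the scan logs to the configured recipient.
# NOTE(review): the report carries the hostname, matched process/socket lines
# and the full contents of every file clamscan flagged as a miner config --
# confirm $remotelog is the address you intend before sending.
send_report() {
  local cfgs f
  local addr_re='^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+$'
  echo -e "$yell $header2 Sending Log Data $header2"
  # Collect the flagged config paths first, then append their contents:
  # appending to $log while grep is still reading it could feed the new lines
  # back into the loop.
  cfgs=$(grep 'crypto_miner_config_file' "$log" | cut -d : -f1)
  while IFS= read -r f; do
    [[ -n "$f" && -f "$f" ]] && cat -- "$f" >>"$log"
  done <<<"$cfgs"
  cat "$log" >>"$log2"
  header >>"$log2"
  cat "$log1" >>"$log2"
  # Reject anything that is not one bare address: sendmail would treat a
  # leading '-' as an option and whitespace as several recipients.
  if [[ ! "$remotelog" =~ $addr_re ]]; then
    echo -e "$yell Report recipient '$remotelog' is missing or malformed; report kept in $log2, not sent $whi"
    return 1
  fi
  sendmail "$remotelog" <"$log2"
  echo "Reports sents, have any other information you would like to report? Send to $remotelog"
}

# ---- Interactive menu ------------------------------------------------------
while true
do
  clear
  printf "%b" "\n\e[0m"
  echo
  echo
  header
  echo " -- Miner Check beta v1.40 --"
  header
  echo "Enter 1 to run quick miner checks on server (Active mining on server and in /tmp)"
  echo
  echo "Enter 2 to run deep miner checks through site files"
  echo
  echo "Enter 3 to run checks for miners embeded in websites (Crypto-jacking)"
  echo
  echo "Enter 4 to innoculate server (Blocks domains and IP's used to mine)"
  echo
  echo "Enter 5 to run updates"
  echo
  echo "Enter 6 to report logs"
  echo
  echo "Enter 7 to quit"
  read -r answer
  case "$answer" in
    1) quick_check ;;
    2) deep_scan ;;
    3) cryptojack_scan ;;
    4) inoculate ;;
    5) self_update ;;
    6) send_report ;;
    7) rm -f -- "$log2"
       exit ;;
    *) echo "Unknown option: $answer" ;;
  esac
  echo
  echo
  printf "%b" "$whi Enter to return to the menu \c"
  read -r _
done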