Back
Current Directory
/opt/sharedrads
Type Name Operations
__pycache__ Open
account_review Open
autosuspend Open
check_software_mods Open
cms_tools Open
domainchecker Open
etc Open
extras Open
failsuspend Open
guds_modules Open
mailers Open
mitigatord Open
mysql Open
nlp_scripts Open
oldrads Open
ops Open
perl Open
python Open
suspended Open
temporary Open
README
Edit Get
account-review
Edit Get
alp.py
Edit Get
autossl_runner.sh
Edit Get
autosusprunner.sh
Edit Get
backup_scan.sh
Edit Get
blockip
Edit Get
check_apache
Edit Get
check_autossl
Edit Get
check_bandwidth
Edit Get
check_boxtrapper
Edit Get
check_cpu
Edit Get
check_crons
Edit Get
check_darkmailer.py
Edit Get
check_dcpumon
Edit Get
check_dns
Edit Get
check_domcount.sh
Edit Get
check_exim
Edit Get
check_hacks
Edit Get
check_imap
Edit Get
check_io
Edit Get
check_lve
Edit Get
check_mailchannels_dns
Edit Get
check_max_children
Edit Get
check_mem
Edit Get
check_misc
Edit Get
check_mysql
Edit Get
check_pacct
Edit Get
check_pop3
Edit Get
check_raid
Edit Get
check_server
Edit Get
check_size
Edit Get
check_software
Edit Get
check_spamd
Edit Get
check_traffic
Edit Get
check_user
Edit Get
check_zoneh
Edit Get
clean_exim.py
Edit Get
clean_moveuser
Edit Get
cms_counter.py
Edit Get
cms_creds
Edit Get
cms_dumpdb
Edit Get
cms_pw
Edit Get
cmspass.py
Edit Get
cpanel-api
Edit Get
cpumon
Edit Get
ctrl_alt_del
Edit Get
dcpumon.pl
Edit Get
disk_cleanup.py
Edit Get
dns-sync
Edit Get
docroot.py
Edit Get
du-tree
Edit Get
envinfo.py
Edit Get
exclude_rbl.py
Edit Get
exclude_sender
Edit Get
extract-vhost
Edit Get
find_warez
Edit Get
findbadscripts
Edit Get
fixwpcron.py
Edit Get
forensic.py
Edit Get
fraudhunter.py
Edit Get
generate_cpmove_tix
Edit Get
hostsfilemods
Edit Get
imap_io
Edit Get
killall911
Edit Get
lastcommcache.sh
Edit Get
legal_lock_down.sh
Edit Get
lil-cpanel
Edit Get
limit_bots
Edit Get
listacct
Edit Get
mail_sources.py
Edit Get
mailscan
Edit Get
mass_arp_fixer.py
Edit Get
mass_mysql_recover.py
Edit Get
megaclisas-status
Edit Get
modify-account
Edit Get
modsec_disable.py
Edit Get
move_generator.py
Edit Get
msp.pl
Edit Get
mysql_dstat
Edit Get
nlp
Edit Get
packandgo
Edit Get
pastebin
Edit Get
postmortem
Edit Get
procscrape
Edit Get
quarantine
Edit Get
quick_post
Edit Get
radsfunctions.sh
Edit Get
reap_fpm_orphans.sh
Edit Get
recent-cp
Edit Get
reclaim_suspensions
Edit Get
remote_dump
Edit Get
rescp.sh
Edit Get
reset_cpanel
Edit Get
reset_email
Edit Get
rotate_ip_addresses.py
Edit Get
rrdtooldisable.sh
Edit Get
rrdtoolenable.sh
Edit Get
sadatarunner.sh
Edit Get
send_customer_str
Edit Get
send_pp_email
Edit Get
server-load
Edit Get
setmaxemails
Edit Get
show-conns
Edit Get
software_report.py
Edit Get
sqltop
Edit Get
strmailer
Edit Get
suspend_domain
Edit Get
suspend_user
Edit Get
temp_apache_fix
Edit Get
unsuspend_user
Edit Get
unsusprunner.sh
Edit Get
update_spf
Edit Get
upgrade-check
Edit Get
vhost_data.py
Edit Get

File Transfer

Upload files to current directory

File Editor: check_darkmailer.py

#!/usr/lib/rads/venv/bin/python3 from argparse import ArgumentParser from dataclasses import dataclass from fnmatch import fnmatch from pathlib import Path import shlex import sys import time import platform from collections.abc import Generator import pwd import psutil import rads BAD_CMDS = [ 'httpd.pl', 'bash', 'exim', 'proc', './cache.sh', './xmr', 'xargsu', 'perxg', 'mdxfs', './backupm', './dirty', './apache2', '/usr/bin/host', '/usr/sbin/acpid', './cron.php', './milemined', './annizod', './fpm-worker-main', '[stealth]', ] OKAY_CMDS = [ 'usr/local/cpanel/bin/ftpput', '/usr/local/cpanel/3rdparty/bin/awstats.pl', 'mail.cgi', ] @dataclass class Proc: cmdline: list[str] pid: int create_time: float age_secs: float username: str ppid: int cmd_str: str def iter_procs() -> Generator[Proc]: """Iterate all system processes which match check_proc, as Proc objects""" now = time.time() for psutil_proc in psutil.process_iter(): try: proc_dict = psutil_proc.as_dict( attrs=['username', 'pid', 'ppid', 'create_time', 'cmdline'] ) except psutil.NoSuchProcess: continue if not proc_dict['cmdline']: continue yield Proc( age_secs=now - proc_dict['create_time'], cmd_str=shlex.join(proc_dict['cmdline']), **proc_dict, ) def check_proc(proc: Proc) -> bool: """Use some criteria to filter to only malicious processes""" if proc.ppid == 1 or proc.username == 'root' or proc.age_secs < 300: return False if proc.cmdline[0] not in BAD_CMDS or proc.cmdline[0] in OKAY_CMDS: return False try: home = Path(pwd.getpwnam(proc.username).pw_dir) except KeyError: return True ignore_file = home / ".imh" / ".check_darkmailer.ignore" try: for line in ignore_file.read_text().splitlines(): glob = line.strip() if glob and fnmatch(proc.cmd_str, glob): return False except OSError: pass return True def main(): """Locates possible running malicious scripts""" parser = ArgumentParser() parser.add_argument( "--make-ticket", action="store_true", help="This is used by the cron; it creates an STR ticket if any " "potentially malicious scripts are found", ) make_ticket: bool = parser.parse_args().make_ticket bad_procs = filter(check_proc, iter_procs()) if not bad_procs: return 0 proc_info = [] for proc in bad_procs: proc_info.append(f"{proc.pid} {proc.username} {proc.cmd_str}") print(*proc_info, sep='\n') if not make_ticket: return 2 body = f""" {platform.node()} found {len(bad_procs)} potentially malicious scripts. {__file__} found these processes by filtering to any non-root processes older than 5 minutes and not with a parent PID of 1, then checking their names for anything that looks like it might be malicious. If there's any false positives, you can mark them in the user's home dir in ~/.imh/.check_darkmailer.ignore - each line in the file is a glob. You can test that your glob works by running {__file__} again without --make-ticket and seeing if it still lists the process. Processes: {'\n'.join(proc_info)} """ try: rads.make_ticket( dest='str@imhadmin.net', subject="Darkmailer Processes", body=body, ) except rads.TicketError as exc: print(f"Failed to create STR ticket - {exc}", file=sys.stderr) return 3 return 2 if __name__ == "__main__": sys.exit(main())