0x1949 Team - FAZEMRX - MANAGER
Edit File: imunify-doctor.sh
#!/bin/bash LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8 DEST=/root/cl-report UPLOAD_URL=https://doctor.cloudlinux.com/doctor/upload CAT=`command -v cat` UNAME=`command -v uname` CP="Unknown" SERVER_ID= main_ip='NA' scriptname="imunify-doctor" IMUNIFY360_PIDFILE=/var/run/imunify360.pid # custom tmp dir from imunify360.spec for symlink attack prevention tmpdir=/var/imunify360/tmp sqlite_path=/opt/alt/sqlite/usr/bin/sqlite3 IMUNIFY360_DB=/var/imunify360/imunify360.db db_command="$sqlite_path $IMUNIFY360_DB" cleanup() { rm -f $DEST $DEST.wget } test_curl() { command -v curl >/dev/null 2>&1 return $? } test_wget() { command -v wget >/dev/null 2>&1 if [ 0 -eq $? ]; then if [ -x `command -v wget` ]; then return 0 fi fi return 1 } curl_upload() { curl -s -H "serverid: $SERVER_ID" -F reportfile=@"$DEST" $UPLOAD_URL } wget_upload() { echo -e "--FILEUPLOAD\r\n" > $DEST.wget echo -e "--FILEUPLOAD\r\n" > $DEST.wget echo -e "Content-Disposition: form-data; name=\"reportfile\"; filename=\"$DEST\"\r\n" >> $DEST.wget echo -e "Content-Type: application/octet-stream\r\n" >> $DEST.wget echo -e "Media Type: application/octet-stream\r\n\r\n" >> $DEST.wget cat $DEST >> $DEST.wget echo -e "--FILEUPLOAD--\r\n" >> $DEST.wget wget -O - -qq -t 1 --header="serverid: $SERVER_ID" --header="Content-type: multipart/form-data; boundary=FILEUPLOAD" --post-file $DEST.wget $UPLOAD_URL } get_server_id() { SERVER_ID=$(/opt/imunify360/venv/bin/python -c 'import json; import sys; print(json.load(sys.stdin)["id"])' < /var/imunify360/license.json) if [[ -z "$SERVER_ID" ]]; then SERVER_ID="${main_ip//./_}" fi } init_main_ip() { if test_curl then main_ip=`curl -s -L http://cloudlinux.com/showip.php` 2>/dev/null else main_ip=`wget -qq -O - http://cloudlinux.com/showip.php` 2>/dev/null fi } get_main_ip() { sep "Main IP" echo "$main_ip" >> $DEST echo >>$DEST } upload() { if test_curl then curl_upload else wget_upload fi } report_error_and_exit() { echo "$1" exit 1 } mecho(){ echo $1 >> $DEST } start(){ if ! test_wget; then if ! test_curl; then echo "Cannot find wget or curl" fi #echo "Using curl" fi echo "------ CL INFO ---" > $DEST } time_stamp(){ echo "" >> $DEST echo "TS: $(date)" >> $DEST } sep(){ echo "------ $1 ---" >> $DEST } run(){ sep "$1" sh -c "$1" >> $DEST 2>&1 time_stamp } run_cb(){ sep "$1" $1 >> $DEST 2>&1 result=$? time_stamp return $result } dump() { sep "cat $1" $CAT $1 >> $DEST 2>&1 echo >> $DEST 2>&1 time_stamp } detect_cp() { CP_VERSION="Unknown" SOFTACULOUS=0 if [ -d "/usr/local/psa/admin/" ]; then CP="Plesk" CP_VERSION=`cat /usr/local/psa/version` if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/cpanel/whostmgr/docroot/" ]; then CP="cPanel" CP_VERSION=`/usr/local/cpanel/cpanel -V` if [ -e "/usr/local/cpanel/whostmgr/cgi/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/interworx/" ]; then CP="InterWorx" CP_VERSION=`cat /usr/local/interworx/iworx.ini|grep version` if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/ispmgr/" ]; then CP="ISPmanager" CP_VERSION=`/usr/local/ispmgr/bin/ispmgr -v` if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/directadmin/plugins/" ]; then CP="DirectAdmin" CP_VERSION=`/usr/local/directadmin/custombuild/build versions|sed -n 2p|cut -d":" -f2` if [ -e "/usr/local/directadmin/plugins/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/hostingcontroller/" ]; then CP="Hosting Controller" if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/hsphere/shared" ]; then CP="H-Sphere" fi sep "Control Panel" mecho "CP: $CP" mecho "VERSION: $CP_VERSION" mecho "SOFTACULOUS: $SOFTACULOUS" } detect_httpd() { PERL_BIN=$(which perl 2>>/dev/null) echo echo "HTTP Server Running Processes: " echo IFS=$(echo -en "\n\b") for proc in $(ps -eo pid,user,group,cmd 2>>/dev/null | egrep "\b(httpd|apache2|litespeed|lshttpd)\b" | grep -v "egrep"); do echo "[$proc]" proc_pid=$(echo "$proc" | awk '{print$1}') echo "Bin:" $(readlink "/proc/${proc_pid}/exe" 2>>/dev/null) echo "Environment:" cat "/proc/${proc_pid}/environ" 2>>/dev/null | tr '\0' '\n' | head -30 echo done unset IFS echo http_bins=$(ps -eo pid,comm 2>>/dev/null | egrep "\b(httpd|apache2)\b" | awk '{print "/proc/"$1"/exe"}' | xargs -n 1 readlink | uniq | egrep "\b(httpd|apache2)\b") for http_bin in "$http_bins"; do if [ -z "$http_bin" ]; then continue fi echo "HTTP Binary Info: " echo -e "$http_bin\n" $http_bin -V 2>&1 echo $http_bin -M 2>&1 echo if [ -z "$PERL_BIN" ]; then continue fi httpd_root=$($http_bin -V | grep HTTPD_ROOT | cut -d= -f2 | tr -d '"' ) httpd_config=$($http_bin -V | grep SERVER_CONFIG_FILE | cut -d= -f2 | tr -d '"' ) if [ -z "$httpd_config" ]; then continue fi if [ ! ${httpd_config:0:1} = "/" ]; then httpd_config="$httpd_root/$httpd_config" fi pl_script_path="$(dirname $(readlink -e "$0"))/mk_apache_conf_digest.pl" if [ -e "$pl_script_path" ]; then echo "Server Configs:" $PERL_BIN "$pl_script_path" "$httpd_config" "$httpd_root" 2>>/dev/null fi done } http_server_info() { detect_httpd 2>>/dev/null | head -5000 } backup_systems_info() { if [ ! -f /var/restore_infected/acronis_api_token.json ]; then echo "/var/restore_infected/acronis_api_token.json: no such file." else echo "/var/restore_infected/acronis_api_token.json: " # "username": "AB-99658-51" /opt/imunify360/venv/bin/python -m json.tool < /var/restore_infected/acronis_api_token.json fi echo echo "imunify360-agent backup-systems extended-status: " imunify360-agent backup-systems extended-status -v --json | tee $tmpdir/backup_systems_info.$$ /opt/imunify360/evnv/bin/python >$tmpdir/backup_systems_info.$$.current <<ENDPY import json print(json.load(open("$tmpdir/backup_systems_info.$$"))["items"]["backup_system"]) ENDPY rm $tmpdir/backup_systems_info.$$ rm $tmpdir/backup_systems_info.$$.current } webshield_selfcheck() { /usr/share/imunify360-webshield/self_check.py } pam_db_size() { mod_db_path=$(awk -F= '$1 == "mod_db_path" {print $2}' /etc/pam_imunify/i360.ini) du --human-readable --summarize "$mod_db_path" } trap cleanup EXIT start init_main_ip get_main_ip get_server_id detect_cp run "date" run "$CAT /proc/cpuinfo" run "$UNAME -a" run "$UNAME -r" run "$UNAME -m" run "$UNAME -p" run "$UNAME -o" dump "/etc/redhat-release" dump "/etc/os-release" dump "/var/imunify360/license.json" dump "/etc/sysconfig/imunify360/imunify360.config" dump "/etc/sysconfig/imunify360/imunify360-merged.config" run "tail -n +1 /etc/sysconfig/imunify360/imunify360.config.d/*" dump "/etc/sysconfig/imunify360/cpanel/imunify360.conf" run "tail -n3000 /var/log/imunify360/console.log" run "tail -n3000 /var/log/imunify360/debug.log" run "tail -n3000 /var/log/imunify360/network.log" run "tail -n3000 /var/log/imunify360/acronis-installer.log" run "tail -n3000 /var/log/imunify360/error.log" run "tail -n3000 /var/log/imunify360-webshield/access.log" run "tail -n3000 /var/log/imunify360-webshield/error.log" run "tail -n3000 /var/ossec/logs/alerts/alerts.log" run "tail -n3000 /usr/local/directadmin/custombuild/custombuild.log" dump "/etc/issue" dump "/etc/sysconfig/kernel" dump "/etc/sysconfig/kcare/systemid" dump "/proc/uptime" dump "/proc/loadavg" dump "/proc/vmstat" dump "/proc/devices" dump "/proc/diskstats" dump "/proc/cmdline" dump "/proc/mdstat" dump "/proc/meminfo" dump "/proc/swaps" dump "/proc/filesystems" dump "/proc/mounts" dump "/proc/interrupts" dump "/boot/grub/grub.conf" dump "/proc/version" dump "/etc/passwd" run "ls -la /etc/yum.repos.d/" run "tail -n 50 /etc/yum.repos.d/{*imunify360*,*sensor*}" run "grep DEFAULT /etc/default/grub" run "grep vmlinuz /boot/grub2/grub.cfg| sed 's/root=.*//'" dump "/boot/grub2/grub.cfg" dump "/proc/zoneinfo" run "ls /etc/grub.conf /boot/grub/grub.conf /boot/grub/menu.lst" run "ls -l /boot" run "grep Port /etc/ssh/sshd_config" run "dmidecode" run "systemd-detect-virt" run "virt-what" run "ipcs -m|sed -e s/-/=/g" run "sysctl -a" dump "/etc/sysctl.conf" run 'rpm -q -a --queryformat="%{N}|%{V}-%{R}|%{arch}\n"' packages=$(rpm -qa imunify* 2>>/dev/null) for package in $packages; do run "rpm -V $package" done run "dpkg -l" run "tail -n10000 /var/log/messages" run "ls -lR /var/cache/kcare/" dump "/etc/sysconfig/kcare/kcare.conf" dump "/etc/kdump.conf" run "/opt/imunify360/venv/bin/python -m pip freeze" [[ -f "$IMUNIFY360_PIDFILE" ]] && run "ls -l /proc/$(cat ${IMUNIFY360_PIDFILE})/fd" run "df -h" dump "/etc/userdomains" run "ps aux --sort=-%mem | head -20" run "ps aux --sort=-%cpu | head -20" run "ps aux | grep -i imunify" run "crontab -l" run "service imunify360 status" run "service imunify-antivirus status" run "service imunify360-webshield status" run "service wsshdict status" run "service firewalld status" run "service ossec-hids status" run "service fail2ban status" run "service httpd status" run "service lshttpd status" run_cb "webshield_selfcheck" run_cb "pam_db_size" run "imunify360-pam status --yaml" run "ls -la /etc/pam.d/" run "cat /etc/pam_imunify/i360.ini" if [ -e "/usr/sbin/csf" ]; then run "csf --status" run "lfd --status ; echo $?" run "service lfd status" run "service csf status" run "csf -V" dump "/etc/csf/csf.conf" dump "/etc/csf/csf.deny" dump "/etc/csf/csf.allow" dump "/etc/csf/csf.ignore" run "tail -n3000 /var/log/lfd.log" fi run "cxs --version" if [ -e "/usr/bin/firewall-cmd" ]; then run "timeout 5 firewall-cmd -V" run "timeout 5 firewall-cmd --state" run "tail -n3000 /var/log/firewalld" fi run "service cpanel status" dump "/var/cpanel/dnsonly" run "service mysql status" run "ps aux | grep -i cphulk" run "ipset -V" run "ipset save | head -n3000" run "ipset list -t | head -n3000" run "iptables -V" run "iptables-save | head -n3000" run "ifconfig" run "echo .tables | $db_command" run "echo \"select count(*) from incident;\" | $db_command" run "echo \"select count(*) from iplist;\" | $db_command" run "echo \"select * from iplist order by ctime desc limit 1000;\" | $db_command" run "echo \"select * from incident order by timestamp desc limit 1000;\" | $db_command" run "echo \"select * from country limit 1000;\" | $db_command" run "echo \"select * from country_list order by ctime desc limit 1000;\" | $db_command" run "echo \"select * from last_synclist limit 1000;\" | $db_command" run "echo \"select * from migratehistory limit 1000;\" | $db_command" run "echo \"select * from malware_hits limit 1000;\" | $db_command" run "echo \"select * from malware_ignore_path limit 1000;\" | $db_command" run "echo \"select * from malware_scans limit 1000;\" | $db_command" run "du --human-readable /var/imunify360/imunify360.db" run "imunify360-agent blacklist country list --json --limit 2000" run "imunify360-agent blacklist ip list --json --limit 2000" run "imunify360-agent graylist ip list --json --limit 2000" run "imunify360-agent whitelist country list --json --limit 2000" run "imunify360-agent whitelist ip list --json --limit 2000" run "imunify360-agent rstatus" run "imunify360-agent version" run "imunify360-agent 3rdparty conflicts --json | /opt/imunify360/venv/bin/python -m json.tool" run "imunify360-agent config show --json -v" run "grep License /var/log/imunify360/console.log | tail -n 1000" run "grep 'Server is offline' /var/log/imunify360/console.log | tail -n 1000" run "grep 'SensorAlert' /var/log/imunify360/console.log | tail -n 3000" run "grep 'modsec' /var/log/imunify360/console.log | tail -n 3000" run "ls -la /etc/sysconfig/imunify360/" run_cb "backup_systems_info" run "tail -n3000 /var/log/i360deploy.log" run "tail -n3000 /var/log/imav-deploy.log" run "tail -n3000 /var/ossec/logs/active-responses.log" run "tail -n3000 /var/ossec/logs/alerts/alerts.log" run "tail -n3000 /var/log/yum.log" run "tail -n3000 /var/log/minidaemon.log" run "tail -3000 /usr/local/apache/logs/error_log" run "tail -3000 /usr/local/apache/logs/access_log" run "tail -3000 /usr/local/apache/logs/modsec_audit.log" run "tail -3000 /var/log/trueimage-setup.log" run "/usr/local/cpanel/scripts/modsec_vendor list" run "whmapi1 modsec_get_configs" run "whmapi1 modsec_get_settings" run "cat /etc/apache2/conf.d/modsec2.imunify.conf" run "cat /usr/local/apache/conf/includes/modsec2.imunify.conf" run "ls /var/cpanel/cwaf" # prepend each particular log with ==> logfilename <== string run "tail --lines +0 /var/log/imunify360/register_unregister_post_error_*.log" # prepend each particular log with ==> logfilename <== string run "tail --lines +0 /var/log/imunify360/*hardenedphp.log.*" run "tail --lines +0 /var/log/imunify360/*kernelcare.log*" run "tail --lines +0 /var/log/imunify360/*ea_php.log*" run "ls /opt/alt/php*/usr/bin/php" run "ls /opt/cpanel/ea-php*/root/usr/bin/php" run 'rpm -qa --queryformat "%{NAME} %{RELEASE}\n" "ea-php*"' run "getenforce" run "sestatus" run "ss -u -a" run "ss -x -a | grep defence360agent" run "nc -v -w 5 -i 1 imunify360.cloudlinux.com 443" run "nc -v -w 5 -i 1 148.251.142.83 443" dump "/usr/local/cpanel/version" run "ls /etc/rc.d/init.d/" run "systemctl list-units --all" run "systemctl status aibolit-resident.socket" run "curl ipinfo.io" run "netstat -tulpan | tail -n 3000" run "netstat -tulpan | wc -l" # only tcp listening sockets & program run "netstat -tlpn" run "lsmod | grep ip_set" dump "/etc/cagefs/cagefs.mp" for f in /var/log/imunify360/native_da.hook_log.* do dump $f done ### PLESK run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules" run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules --enabled" run "/usr/local/psa/bin/server_pref --show-web-app-firewall" run_cb "http_server_info" # collect info on how huge /var/cpanel/secdatadir/ip.pag is run "ls -lh /var/cpanel/secdatadir/*" run "printenv" run "/usr/libexec/run-with-intensity show" # colect webshield info run "tail -3000 /var/log/wsshdict/wsshdict.log" if [ -e "/etc/kdump.conf" ]; then KDUMP_PATH=`grep ^path /etc/kdump.conf|cut -d' ' -f2` if [ -z "$KDUMP_PATH" ] ; then run "ls -lR /var/crash" else run "ls -lR $KDUMP_PATH" fi fi run dmesg run "ls -la /var/ossec/etc/VERSIONS/" run "ls --lcontext /var/ossec" run "ls --lcontext /var/ossec/bin" run "ls --lcontext /var/ossec/logs" run "ls -la /etc/httpd/conf/modsecurity.d/rules/" run "ls -la /etc/apache2/conf.d/modsec_vendor_configs/" run "cat /etc/httpd/conf/modsecurity.d/rules/custom/VERSION" run "cat /usr/local/directadmin/custombuild/custom/modsecurity/conf/VERSION" run "cat /etc/apache2/conf.d/modsec_vendor_configs/imunify*/VERSION;echo" run "cat /var/cpanel/modsec_cpanel_conf_datastore" run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq | wc -l" run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq" run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq" run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq | wc -l" run "plesk db \"SELECT COUNT(DISTINCT cl_id) FROM domains\"" run "httpd -t" upload && echo || report_error_and_exit "Report file upload failed. Please try again."