Update kinsing_cleanup.sh

kinsing_cleanup.sh

@@ -106,6 +106,60 @@ cleanup_kinsing() {
 }
 
 # Main execution
+# Function to check for suspicious users
+check_suspicious_users() {
+    log "Checking for suspicious system users"
+    
+    # Create a report file
+    SUSPICIOUS_USERS_REPORT="/root/suspicious_users_report.txt"
+    > "$SUSPICIOUS_USERS_REPORT"
+
+    # Check for users with UID 0 (root privileges) other than root
+    echo "Users with UID 0 (excluding root):" >> "$SUSPICIOUS_USERS_REPORT"
+    awk -F: '($3 == 0 && $1 != "root") {print $1}' /etc/passwd >> "$SUSPICIOUS_USERS_REPORT"
+
+    # Check for users with sudo access
+    echo -e "\nUsers with sudo access:" >> "$SUSPICIOUS_USERS_REPORT"
+    getent group sudo | cut -d: -f4 | tr ',' '\n' >> "$SUSPICIOUS_USERS_REPORT"
+
+    # Check for users with unusual shell access
+    echo -e "\nUsers with non-standard shells:" >> "$SUSPICIOUS_USERS_REPORT"
+    awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/bin/sync") {print $1 " - " $7}' /etc/passwd >> "$SUSPICIOUS_USERS_REPORT"
+
+    # Check for recently added users
+    echo -e "\nUsers added in the last 30 days:" >> "$SUSPICIOUS_USERS_REPORT"
+    for user in $(cut -d: -f1 /etc/passwd); do
+        created=$(grep "^$user:" /etc/shadow | cut -d: -f3)
+        if [[ -n "$created" ]]; then
+            days_since_creation=$(($(date +%s) / 86400 - created))
+            if [[ $days_since_creation -le 30 ]]; then
+                echo "$user (created $days_since_creation days ago)" >> "$SUSPICIOUS_USERS_REPORT"
+            fi
+        fi
+    done
+
+    # Check SSH authorized_keys files for all users
+    echo -e "\nUnauthorized SSH keys:" >> "$SUSPICIOUS_USERS_REPORT"
+    for home in /home/*; do
+        if [[ -d "$home/.ssh" ]]; then
+            user=$(basename "$home")
+            if [[ -f "$home/.ssh/authorized_keys" ]]; then
+                echo "Checking SSH keys for user $user:" >> "$SUSPICIOUS_USERS_REPORT"
+                cat "$home/.ssh/authorized_keys" >> "$SUSPICIOUS_USERS_REPORT"
+            fi
+        fi
+    done
+
+    # Check root's SSH directory
+    if [[ -f "/root/.ssh/authorized_keys" ]]; then
+        echo -e "\nRoot SSH authorized_keys:" >> "$SUSPICIOUS_USERS_REPORT"
+        cat "/root/.ssh/authorized_keys" >> "$SUSPICIOUS_USERS_REPORT"
+    fi
+
+    # Log the report
+    log "Suspicious users report generated at $SUSPICIOUS_USERS_REPORT"
+}
+
 main() {
     log "Starting Kinsing Malware Cleanup Process"
     
@@ -113,7 +167,14 @@ main() {
     read -p "WARNING: This script will make significant system changes. Are you sure you want to continue? (y/N) " response
     if [[ "$response" =~ ^[Yy]$ ]]; then
         cleanup_kinsing
-        log "Cleanup process completed. Please review the log and recent files list."
+        
+        # Additional user and security checks
+        check_suspicious_users
+        
+        log "Cleanup process completed. Please review the following reports:"
+        log "1. /var/log/kinsing_cleanup.log"
+        log "2. /root/kinsing_recent_files.txt"
+        log "3. /root/suspicious_users_report.txt"
     else
         log "Cleanup process aborted by user"
         exit 1