I've created a comprehensive Bash script to help clean up a CyberPanel server infected with Kinsing malware. Let me break down the key features of this script:

### Script Features

1. **Root Privilege Check**: Ensures the script is run with root permissions
2. **Logging**: Logs all actions to `/var/log/kinsing_cleanup.log`
3. **Backup**: Creates a backup of critical system files before cleanup
4. **Systematic Cleanup**: Follows the steps you outlined in your guide
5. **Process Termination**: Kills suspicious processes
6. **Service Removal**: Stops and disables suspicious services
7. **Security Scanning**: Installs and runs `chkrootkit` and `rkhunter`
8. **File Tracking**: Creates a list of recently modified files

I'll update the script to include checks for suspicious system users, especially those with sudo access. I'll add a function to scan and report on potentially malicious user accounts.

I've added a comprehensive `check_suspicious_users()` function that does several important checks:

### Suspicious User Checks

1. **UID 0 Users**:
   - Identifies any users with root-level privileges other than the default root user
   - These could be backdoor accounts created by attackers
2. **Sudo Access Scan**:
   - Lists all users with sudo privileges
   - Helps identify any unauthorized users with elevated system access
3. **Non-Standard Shell Access**:
   - Finds users with non-standard shells
   - Unusual shells can be a sign of malicious user creation
4. **Recently Added Users**:
   - Identifies users created within the last 30 days
   - Helps spot recently added potentially malicious accounts
5. **SSH Key Inspection**:
   - Checks SSH authorized_keys for all users and root
   - Reveals any unauthorized SSH access methods

### Output

The function generates a detailed report at `/root/suspicious_users_report.txt` that includes:

- UID 0 users
- Users with sudo access
- Users with non-standard shells
- Recently added users
- SSH authorized keys for all users

### Recommended Next Steps

After running the script:

1. Carefully review the `/root/suspicious_users_report.txt`
2. Investigate any suspicious users or SSH keys
3. Remove or lock any unauthorized accounts
4. Regenerate SSH keys for legitimate users
5. Audit sudo access and remove unnecessary privileges

### Security Recommendations

- Regularly audit user accounts
- Use strong password policies
- Implement two-factor authentication
- Use tools like `fail2ban` to prevent brute-force attacks
- Keep your system updated with the latest security patches

### Usage Instructions

1. Save the script to a file (e.g., `kinsing_cleanup.sh`)
2. Make it executable: `chmod +x kinsing_cleanup.sh`
3. Run with sudo: `sudo ./kinsing_cleanup.sh`

### Precautions

- **Always review the script before running**
- **Understand each step**
- **Have a backup of your critical data**
- **Test in a staging environment first if possible**

### Additional Recommendations

1. After running the script, thoroughly review:
   - `/var/log/kinsing_cleanup.log`
   - `/root/kinsing_recent_files.txt`
   - Results of the `rkhunter` scan
2. Consider changing all passwords
3. Review network logs and access patterns
4. If possible, restore from a known clean backup

### Disclaimer

This script is provided as-is. While it aims to help clean up the Kinsing malware, every infection is unique. Professional security consultation is recommended for complex scenarios.
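The script itself is not reproduced above, so here is an added example (my own code, not the assistant's script) showing how the five checks attributed to `check_suspicious_users()` can be written as small functions that take their input files as arguments. That lets them run against a constructed passwd/group/home layout (built by `build_sample_env`, a hypothetical helper) for offline testing, and against `/etc/passwd`, `/etc/group` and `/home` on a live host. The function names, the shell allow-list, the "home directory modified in the last 30 days" heuristic for recently added users, and the sample account names are all assumptions, not values from the page.

```shell
#!/usr/bin/env bash
# Added example, not the script described in the chat above. Each check takes
# its input path explicitly so the same code works on a constructed sample
# layout (see build_sample_env) and on a real host (/etc/passwd, /etc/group, /home).
set -u

# Check 1: any UID 0 account other than root is a classic backdoor indicator.
find_uid0_users() {          # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Check 2: members of the sudo/wheel groups (sudoers drop-in files are not parsed here).
find_sudo_users() {          # $1 = group file
    awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
                 n = split($4, u, ","); for (i = 1; i <= n; i++) print u[i] }' "$1" | sort -u
}

# Check 3: login shells outside a short allow-list of interactive and no-login shells.
find_nonstandard_shells() {  # $1 = passwd file
    awk -F: 'BEGIN { split("/bin/bash /bin/sh /usr/bin/bash /bin/zsh /usr/bin/zsh /usr/sbin/nologin /sbin/nologin /bin/false /usr/bin/false", a, " ")
                     for (i in a) ok[a[i]] = 1 }
             !($7 in ok) { print $1 ":" $7 }' "$1"
}

# Check 4 (heuristic): home directories modified within the last N days, default 30.
find_recent_homes() {        # $1 = parent of home directories, $2 = days
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime "-${2:-30}" -exec basename {} \; | sort
}

# Check 5: every authorized_keys entry under the given home root as "user key-type comment".
# Pass "/" as well on a real host to cover /root/.ssh/authorized_keys.
list_authorized_keys() {     # $1 = parent of home directories
    for keyfile in "$1"/*/.ssh/authorized_keys; do
        [ -f "$keyfile" ] || continue
        user=$(basename "$(dirname "$(dirname "$keyfile")")")
        # Skip comments/blank lines; print the key type and its comment (the blob is omitted).
        awk -v u="$user" '/^[[:space:]]*#/ || NF < 2 { next }
             { for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-)/) {
                   print u, $i, (i + 2 <= NF ? $(i + 2) : "(no comment)"); break } }' "$keyfile"
    done
}

# Constructed sample layout (hypothetical account names) for the demo and test; prints its path.
build_sample_env() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm2:x:0:0::/home/sysadm2:/bin/bash
ftpuser:x:1001:1001::/home/ftpuser:/tmp/.x/sh
EOF
    cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:alice,sysadm2
wheel:x:10:
EOF
    mkdir -p "$d/home/alice/.ssh" "$d/home/sysadm2/.ssh" "$d/home/ftpuser"
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAlice alice@laptop" > "$d/home/alice/.ssh/authorized_keys"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABConstructedKeyUnknown" > "$d/home/sysadm2/.ssh/authorized_keys"
    echo "$d"
}

# Writes the five sections to a report file, mirroring the layout the chat describes.
write_report() {             # $1 = layout root, $2 = report file
    {
        echo "== UID 0 users other than root ==";     find_uid0_users "$1/passwd"
        echo "== sudo/wheel members ==";              find_sudo_users "$1/group"
        echo "== non-standard shells ==";             find_nonstandard_shells "$1/passwd"
        echo "== homes modified in last 30 days =="; find_recent_homes "$1/home"
        echo "== authorized_keys entries ==";         list_authorized_keys "$1/home"
    } > "$2"
}

SAMPLE=$(build_sample_env)
write_report "$SAMPLE" "$SAMPLE/suspicious_users_report.txt"
cat "$SAMPLE/suspicious_users_report.txt"
```

On the constructed layout the report flags `sysadm2` (UID 0 and a sudo member with an uncommented key) and `ftpuser` (shell under `/tmp`), while `alice` appears only as an expected sudo member with a commented key. Group membership alone misses `sudoers.d` drop-ins, and directory mtime is only an approximation of account creation time; on a real host, cross-check with `/var/log/auth.log` or `journalctl` entries for `useradd`.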