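#!/bin/bash
# Kinsing Malware Cleanup Script
# WARNING: Use with caution and understand each step before running
# Recommended to review and modify as per your specific server configuration
#
# Every step is deliberately best-effort: a file may already be gone or a unit
# may not exist, and that must not abort the rest of the cleanup. `set -e` is
# therefore intentionally NOT enabled; only unset-variable checking is on.
#
# Outputs:
#   /var/log/kinsing_cleanup.log      - timestamped record of every action
#   /root/kinsing_backup/             - copies of crontabs / ld.so.preload
#   /root/kinsing_recent_files.txt    - files modified in the last 2 days

set -u

readonly LOG_FILE=/var/log/kinsing_cleanup.log
readonly BACKUP_DIR=/root/kinsing_backup
readonly RECENT_FILES_LIST=/root/kinsing_recent_files.txt
readonly PRELOAD_FILE=/etc/ld.so.preload

# Ensure script is run with root privileges
if [[ $EUID -ne 0 ]]; then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi

#######################################
# Append a timestamped line to the cleanup log and echo it to stdout.
# Globals:   LOG_FILE (appended)
# Arguments: $* - message text
#######################################
log() {
  printf '[%s] %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE"
}

#######################################
# SIGKILL one process, unless it is this script or the script's parent
# (e.g. the sudo/ssh session that launched it). Needed because the match
# patterns below (e.g. 'kinsing') can also match this script's own command
# line when the script file is named after the malware.
# Arguments: $1 - PID (empty values are ignored)
#######################################
kill_pid() {
  local pid=$1
  [[ -z "$pid" || "$pid" == "$$" || "$pid" == "$PPID" ]] && return 0
  kill -9 "$pid" 2>/dev/null
}

#######################################
# SIGKILL every process whose full command line matches an extended regex.
# Uses pgrep -f instead of `ps aux | grep`, so the grep itself is never
# matched and killed.
# Arguments: $1 - extended regex (pgrep -f syntax)
#######################################
kill_matching() {
  local pattern=$1 pid
  while IFS= read -r pid; do
    [[ -n "$pid" ]] || continue
    log "Killing PID $pid (command line matches '$pattern')"
    kill_pid "$pid"
  done < <(pgrep -f -- "$pattern")
}

#######################################
# Step 0: Neutralize /etc/ld.so.preload.
# A library loaded through ld.so.preload is injected into every process this
# script starts, so it is handled before anything else is inspected or
# removed. Each listed library is recorded, processes still using it are
# killed, then the preload file is unlocked and deleted.
# Globals:   PRELOAD_FILE (read, deleted), BACKUP_DIR (written)
#######################################
remove_preload() {
  local lib pid
  [[ -f "$PRELOAD_FILE" ]] || return 0
  log "Removing preloaded libraries listed in $PRELOAD_FILE"
  mkdir -p -- "$BACKUP_DIR"
  # Keep a copy of the file for later analysis
  cp -- "$PRELOAD_FILE" "$BACKUP_DIR/ld.so.preload" 2>/dev/null
  # `|| [[ -n "$lib" ]]` still processes a last line with no trailing newline
  while IFS= read -r lib || [[ -n "$lib" ]]; do
    [[ -n "$lib" ]] || continue
    log "Preload entry: $lib"
    # Only absolute paths can be looked up; the file contents are untrusted,
    # so never let an entry be interpreted as an option.
    [[ "$lib" == /* ]] || continue
    # Kill processes using the library
    for pid in $(lsof -t -- "$lib" 2>/dev/null); do
      kill_pid "$pid"
    done
  done < "$PRELOAD_FILE"
  # The file is commonly made immutable; clear the flag or rm silently fails
  chattr -ia "$PRELOAD_FILE" 2>/dev/null
  rm -f -- "$PRELOAD_FILE"
  [[ -e "$PRELOAD_FILE" ]] && log "Warning: could not remove $PRELOAD_FILE"
}

#######################################
# Step 1: Back up critical files before they are modified.
# Both the Debian-family and RHEL-family root crontab spool paths are tried.
# Globals:   BACKUP_DIR (written)
#######################################
backup_critical_files() {
  local crontab_file
  log "Creating backup of critical files before cleanup"
  mkdir -p -- "$BACKUP_DIR"
  cp -- /etc/crontab "$BACKUP_DIR/" 2>/dev/null \
    || log "Warning: could not back up /etc/crontab"
  for crontab_file in /var/spool/cron/crontabs/root /var/spool/cron/root; do
    [[ -f "$crontab_file" ]] || continue
    cp -- "$crontab_file" "$BACKUP_DIR/root_crontab" 2>/dev/null \
      || log "Warning: could not back up $crontab_file"
  done
}

#######################################
# Step 2: Stop cron so no cron-driven re-launch happens mid-cleanup.
# The unit is 'cron' on Debian-family and 'crond' on RHEL-family systems;
# stopping both is harmless when one of them does not exist.
#######################################
stop_cron() {
  log "Stopping cron service"
  systemctl stop cron.service crond.service 2>/dev/null
}

#######################################
# Step 3: Delete known Kinsing malware files.
# Entries may contain globs (e.g. xmrig-*tar.gz); with nullglob an unmatched
# glob expands to nothing instead of a literal pattern, while plain paths
# pass through unchanged. Immutable/append-only flags are cleared recursively
# first, otherwise rm fails silently on locked files.
#######################################
remove_malware_files() {
  local pattern target
  local -a rm_files=(
    "/etc/data/kinsing"
    "/etc/kinsing"
    "/tmp/kdevtmpfsi"
    "/usr/lib/secure"
    "/usr/lib/secure/udiskssd"
    "/usr/bin/network-setup.sh"
    "/usr/.sshd-network-service.sh"
    "/usr/.network-setup"
    "/usr/.network-setup/config.json"
    "/usr/.network-setup/xmrig-*tar.gz"
    "/usr/.network-watchdog.sh"
    "/dev/shm/kdevtmpfsi"
    "/etc/data/libsystem.so"
  )
  log "Removing known Kinsing malware files"
  shopt -s nullglob
  for pattern in "${rm_files[@]}"; do
    # Unquoted on purpose: expand the glob entries
    for target in $pattern; do
      [[ -e "$target" || -L "$target" ]] || continue
      log "Removing $target"
      chattr -R -ia "$target" 2>/dev/null
      rm -rf -- "$target" 2>/dev/null
      [[ -e "$target" ]] && log "Warning: could not remove $target"
    done
  done
  shopt -u nullglob
}

#######################################
# Step 4: Stop, disable and delete suspicious systemd units, then reload
# systemd so the removed units are forgotten.
#######################################
remove_suspicious_services() {
  local service unit
  local -a suspicious_services=(
    "bot.service"
    "systemd_s.service"
    "sshd-network-service.service"
    "network-monitor.service"
  )
  for service in "${suspicious_services[@]}"; do
    log "Stopping and disabling $service"
    systemctl stop "$service" 2>/dev/null
    systemctl disable "$service" 2>/dev/null
    for unit in "/lib/systemd/system/$service" "/etc/systemd/system/$service"; do
      [[ -e "$unit" ]] || continue
      chattr -ia "$unit" 2>/dev/null
      rm -f -- "$unit" 2>/dev/null
    done
  done
  # Reload systemd to recognize changes
  systemctl daemon-reload
}

#######################################
# Step 5: Kill processes whose command line matches known Kinsing names.
# The dot in .network-setup is escaped so it is not a regex wildcard.
#######################################
kill_suspicious_processes() {
  log "Killing suspicious processes"
  kill_matching 'kinsing|udiskssd|kdevtmpfsi|bash2|\.network-setup|syshd|atdb'
}

#######################################
# Step 6: Remove 'atdb' entries from root's crontab.
# The crontab is only rewritten when the current one could be read, so a
# transient `crontab -l` failure cannot wipe legitimate jobs.
#######################################
clean_cron_jobs() {
  local current
  log "Cleaning suspicious cron jobs"
  # Remove immutable/append-only attributes so the crontab can be rewritten
  chattr -ia /var/spool/cron/crontabs/root 2>/dev/null
  chattr -ia /var/spool/cron/root 2>/dev/null
  if current=$(crontab -l 2>/dev/null); then
    printf '%s\n' "$current" | grep -v "atdb" | crontab - 2>/dev/null
  fi
}

#######################################
# Additional Security Steps: install and run rootkit scanners.
# Installation uses apt-get and is skipped on non-Debian systems; the scan
# runs whenever rkhunter is available.
#######################################
run_security_scan() {
  if command -v apt-get >/dev/null 2>&1; then
    log "Installing security scanning tools"
    apt-get update
    apt-get install -y chkrootkit rkhunter
  else
    log "apt-get not found; install chkrootkit/rkhunter manually"
  fi
  if command -v rkhunter >/dev/null 2>&1; then
    log "Running rkhunter security scan"
    rkhunter --check --sk
  else
    log "rkhunter not available; skipping scan"
  fi
}

#######################################
# List files modified in the last 2 days for manual review.
# /proc and /sys are virtual filesystems and are pruned as noise.
# Globals:   RECENT_FILES_LIST (written)
#######################################
find_recent_files() {
  log "Finding recently modified files (last 2 days) -> $RECENT_FILES_LIST"
  find / \( -path /proc -o -path /sys \) -prune -o -mtime -2 -print 2>/dev/null \
    > "$RECENT_FILES_LIST"
}

#######################################
# Cleanup Function: run every step in order.
# Cron is intentionally left stopped at the end: only root's crontab is
# cleaned here, so /etc/cron.d and /etc/cron.* should be reviewed before
# cron is started again.
#######################################
cleanup_kinsing() {
  remove_preload
  backup_critical_files
  stop_cron
  remove_malware_files
  remove_suspicious_services
  kill_suspicious_processes
  clean_cron_jobs
  run_security_scan
  find_recent_files
  log "cron was left stopped; review /etc/cron.d and /etc/cron.* before running 'systemctl start cron'"
}

#######################################
# Main execution: confirm with the operator, then run the cleanup.
# Returns: exits 1 when the operator declines.
#######################################
main() {
  local response
  log "Starting Kinsing Malware Cleanup Process"
  # Confirm before proceeding (-r keeps backslashes literal)
  read -r -p "WARNING: This script will make significant system changes. Are you sure you want to continue? (y/N) " response
  if [[ "$response" =~ ^[Yy]$ ]]; then
    cleanup_kinsing
    log "Cleanup process completed. Please review the log and recent files list."
  else
    log "Cleanup process aborted by user"
    exit 1
  fi
}

# Run the main function
main "$@"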