hhf/KinsingMalwareCleanupScriptforCyberPanelServers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KinsingMalwareCleanupScript.../README.md
hhf 7ed1361f0e Update README.md
2024-11-26 12:42:13 +05:30

83 lines
3.4 KiB
Markdown
Raw Permalink Blame History

I've created a comprehensive Bash script to help clean up a CyberPanel server infected with Kinsing malware. Let me break down the key features of this script:
### Script Features
1. **Root Privilege Check**: Ensures the script is run with root permissions
2. **Logging**: Logs all actions to `/var/log/kinsing_cleanup.log`
3. **Backup**: Creates a backup of critical system files before cleanup
4. **Systematic Cleanup**: Follows the steps you outlined in your guide
5. **Process Termination**: Kills suspicious processes
6. **Service Removal**: Stops and disables suspicious services
7. **Security Scanning**: Installs and runs `chkrootkit` and `rkhunter`
8. **File Tracking**: Creates a list of recently modified files
## I'll update the script to include checks for suspicious system users, especially those with sudo access. I'll add a function to scan and report on potentially malicious user accounts.
I've added a comprehensive `check_suspicious_users()` function that does several important checks:
### Suspicious User Checks
1. **UID 0 Users**:
- Identifies any users with root-level privileges other than the default root user
- These could be backdoor accounts created by attackers
2. **Sudo Access Scan**:
- Lists all users with sudo privileges
- Helps identify any unauthorized users with elevated system access
3. **Non-Standard Shell Access**:
- Finds users with non-standard shells
- Unusual shells can be a sign of malicious user creation
4. **Recently Added Users**:
- Identifies users created within the last 30 days
- Helps spot recently added potentially malicious accounts
5. **SSH Key Inspection**:
- Checks SSH authorized_keys for all users and root
- Reveals any unauthorized SSH access methods
### Output
The function generates a detailed report at `/root/suspicious_users_report.txt` that includes:
- UID 0 users
- Users with sudo access
- Users with non-standard shells
- Recently added users
- SSH authorized keys for all users
### Recommended Next Steps
After running the script:
1. Carefully review the `/root/suspicious_users_report.txt`
2. Investigate any suspicious users or SSH keys
3. Remove or lock any unauthorized accounts
4. Regenerate SSH keys for legitimate users
5. Audit sudo access and remove unnecessary privileges
### Security Recommendations
- Regularly audit user accounts
- Use strong password policies
- Implement two-factor authentication
- Use tools like `fail2ban` to prevent brute-force attacks
- Keep your system updated with the latest security patches
### Usage Instructions
1. Save the script to a file (e.g., `kinsing_cleanup.sh`)
2. Make it executable: `chmod +x kinsing_cleanup.sh`
3. Run with sudo: `sudo ./kinsing_cleanup.sh`
### Precautions
- **Always review the script before running**
- **Understand each step**
- **Have a backup of your critical data**
- **Test in a staging environment first if possible**
### Additional Recommendations
1. After running the script, thoroughly review:
- `/var/log/kinsing_cleanup.log`
- `/root/kinsing_recent_files.txt`
- Results of the `rkhunter` scan
2. Consider changing all passwords
3. Review network logs and access patterns
4. If possible, restore from a known clean backup
### Disclaimer
This script is provided as-is. While it aims to help clean up the Kinsing malware, every infection is unique. Professional security consultation is recommended for complex scenarios.
Reference in a new issue View git blame Copy permalink