hhf/KinsingMalwareCleanupScriptforCyberPanelServers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KinsingMalwareCleanupScript.../kinsing_cleanup.sh
hhf e3b351cf76 Update kinsing_cleanup.sh
2024-11-26 12:40:51 +05:30

185 lines
No EOL
6.2 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
# Kinsing Malware Cleanup Script
# WARNING: Use with caution and understand each step before running
# Recommended to review and modify as per your specific server configuration
# Ensure script is run with root privileges
if [[ $EUID -ne 0 ]]; then
echo "This script must be run as root"
exit 1
fi
# Function to log actions
log() {
echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" | tee -a /var/log/kinsing_cleanup.log
}
# Cleanup Function
cleanup_kinsing() {
# Step 0: Backup critical system files before cleanup
log "Creating backup of critical files before cleanup"
mkdir -p /root/kinsing_backup
cp /etc/crontab /root/kinsing_backup/
cp /var/spool/cron/crontabs/root /root/kinsing_backup/root_crontab
# Step 1: Disable Cron
log "Stopping cron service"
systemctl stop cron
# Step 2: Delete Malware Files
log "Removing known Kinsing malware files"
rm_files=(
"/etc/data/kinsing"
"/etc/kinsing"
"/tmp/kdevtmpfsi"
"/usr/lib/secure"
"/usr/lib/secure/udiskssd"
"/usr/bin/network-setup.sh"
"/usr/.sshd-network-service.sh"
"/usr/.network-setup"
"/usr/.network-setup/config.json"
"/usr/.network-setup/xmrig-*tar.gz"
"/usr/.network-watchdog.sh"
"/dev/shm/kdevtmpfsi"
"/etc/data/libsystem.so"
)
for file in "${rm_files[@]}"; do
# Remove immutable flag if present
chattr -i "$file" 2>/dev/null
rm -rf "$file" 2>/dev/null
done
# Step 3: Remove Suspicious Services
suspicious_services=(
"bot.service"
"systemd_s.service"
"sshd-network-service.service"
"network-monitor.service"
)
for service in "${suspicious_services[@]}"; do
log "Stopping and disabling $service"
systemctl stop "$service" 2>/dev/null
systemctl disable "$service" 2>/dev/null
rm "/lib/systemd/system/$service" 2>/dev/null
rm "/etc/systemd/system/$service" 2>/dev/null
done
# Reload systemd to recognize changes
systemctl daemon-reload
# Step 4: Kill Suspicious Processes
log "Killing suspicious processes"
ps aux | grep -E 'kinsing|udiskssd|kdevtmpfsi|bash2|.network-setup|syshd|atdb' | awk '{print $2}' | xargs kill -9 2>/dev/null
# Step 5: Remove Preloaded Libraries
log "Removing preloaded libraries"
if [ -f "/etc/ld.so.preload" ]; then
# Kill processes using the library
lsof | grep libsystem.so | awk '{print $2}' | xargs kill -9 2>/dev/null
rm /etc/ld.so.preload
fi
# Step 6: Clean Suspicious Cron Jobs
log "Cleaning suspicious cron jobs"
# Remove immutable attribute from crontab
chattr -ia /var/spool/cron/crontabs/root 2>/dev/null
chattr -ia /var/spool/cron/root 2>/dev/null
# Clean root user crontab
(crontab -l 2>/dev/null | grep -v "atdb") | crontab - 2>/dev/null
# Additional Security Steps
log "Installing security scanning tools"
apt-get update
apt-get install -y chkrootkit rkhunter
# Run rootkit hunter
log "Running rkhunter security scan"
rkhunter --check --sk
# Find recently modified files (last 2 days)
log "Finding recently modified files"
find / -mtime -2 2>/dev/null > /root/kinsing_recent_files.txt
}
# Main execution
# Function to check for suspicious users
check_suspicious_users() {
log "Checking for suspicious system users"
# Create a report file
SUSPICIOUS_USERS_REPORT="/root/suspicious_users_report.txt"
> "$SUSPICIOUS_USERS_REPORT"
# Check for users with UID 0 (root privileges) other than root
echo "Users with UID 0 (excluding root):" >> "$SUSPICIOUS_USERS_REPORT"
awk -F: '($3 == 0 && $1 != "root") {print $1}' /etc/passwd >> "$SUSPICIOUS_USERS_REPORT"
# Check for users with sudo access
echo -e "\nUsers with sudo access:" >> "$SUSPICIOUS_USERS_REPORT"
getent group sudo | cut -d: -f4 | tr ',' '\n' >> "$SUSPICIOUS_USERS_REPORT"
# Check for users with unusual shell access
echo -e "\nUsers with non-standard shells:" >> "$SUSPICIOUS_USERS_REPORT"
awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/bin/false" && $7 != "/bin/sync") {print $1 " - " $7}' /etc/passwd >> "$SUSPICIOUS_USERS_REPORT"
# Check for recently added users
echo -e "\nUsers added in the last 30 days:" >> "$SUSPICIOUS_USERS_REPORT"
for user in $(cut -d: -f1 /etc/passwd); do
created=$(grep "^$user:" /etc/shadow | cut -d: -f3)
if [[ -n "$created" ]]; then
days_since_creation=$(($(date +%s) / 86400 - created))
if [[ $days_since_creation -le 30 ]]; then
echo "$user (created $days_since_creation days ago)" >> "$SUSPICIOUS_USERS_REPORT"
fi
fi
done
# Check SSH authorized_keys files for all users
echo -e "\nUnauthorized SSH keys:" >> "$SUSPICIOUS_USERS_REPORT"
for home in /home/*; do
if [[ -d "$home/.ssh" ]]; then
user=$(basename "$home")
if [[ -f "$home/.ssh/authorized_keys" ]]; then
echo "Checking SSH keys for user $user:" >> "$SUSPICIOUS_USERS_REPORT"
cat "$home/.ssh/authorized_keys" >> "$SUSPICIOUS_USERS_REPORT"
fi
fi
done
# Check root's SSH directory
if [[ -f "/root/.ssh/authorized_keys" ]]; then
echo -e "\nRoot SSH authorized_keys:" >> "$SUSPICIOUS_USERS_REPORT"
cat "/root/.ssh/authorized_keys" >> "$SUSPICIOUS_USERS_REPORT"
fi
# Log the report
log "Suspicious users report generated at $SUSPICIOUS_USERS_REPORT"
}
main() {
log "Starting Kinsing Malware Cleanup Process"
# Confirm before proceeding
read -p "WARNING: This script will make significant system changes. Are you sure you want to continue? (y/N) " response
if [[ "$response" =~ ^[Yy]$ ]]; then
cleanup_kinsing
# Additional user and security checks
check_suspicious_users
log "Cleanup process completed. Please review the following reports:"
log "1. /var/log/kinsing_cleanup.log"
log "2. /root/kinsing_recent_files.txt"
log "3. /root/suspicious_users_report.txt"
else
log "Cleanup process aborted by user"
exit 1
fi
}
# Run the main function
main
Reference in a new issue View git blame Copy permalink