kinsing_cleanup.sh Update kinsing_cleanup.sh 2024-11-26 12:40:51 +05:30
README.md Update README.md 2024-11-26 12:42:13 +05:30

I've created a comprehensive Bash script to help clean up a CyberPanel server infected with Kinsing malware. Let me break down the key features of this script:

Script Features

  1. Root Privilege Check: Ensures the script is run with root permissions
  2. Logging: Logs all actions to /var/log/kinsing_cleanup.log
  3. Backup: Creates a backup of critical system files before cleanup
  4. Systematic Cleanup: Follows the steps you outlined in your guide
  5. Process Termination: Kills suspicious processes
  6. Service Removal: Stops and disables suspicious services
  7. Security Scanning: Installs and runs chkrootkit and rkhunter
  8. File Tracking: Creates a list of recently modified files

I'll update the script to include checks for suspicious system users, especially those with sudo access. I'll add a function to scan and report on potentially malicious user accounts.

I've added a comprehensive check_suspicious_users() function that does several important checks:

Suspicious User Checks

  1. UID 0 Users:
    • Identifies any account with UID 0 other than the default root user
    • Such accounts could be backdoors created by an attacker
  2. Sudo Access Scan:
    • Lists all users with sudo privileges
    • Helps identify any unauthorized users with elevated system access
  3. Non-Standard Shell Access:
    • Finds users whose login shell is not one of the standard shells
    • An unusual shell can be a sign of an attacker-created account
  4. Recently Added Users:
    • Identifies users created within the last 30 days
    • Helps spot recently added, potentially malicious accounts
  5. SSH Key Inspection:
    • Checks the SSH authorized_keys file of every user, including root
    • Reveals any unauthorized SSH access methods
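
The UID 0, non-standard-shell and sudo-group checks described above, as an added example that is not the repository's kinsing_cleanup.sh: it runs the same logic over constructed passwd and group text (the STANDARD_SHELLS list and the sample accounts are assumptions) so it can be tried offline before being pointed at /etc/passwd and /etc/group.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own script: three of the
# check_suspicious_users() checks, exercised on constructed input.

# Shells this example treats as normal (assumption); anything else is reported.
STANDARD_SHELLS='/bin/bash /bin/sh /usr/bin/bash /usr/bin/sh /bin/zsh /usr/bin/zsh /usr/sbin/nologin /sbin/nologin /bin/false'

# Constructed sample data (not from a real host): "sysadm" has UID 0,
# "updater" has an odd shell and is in the sudo group.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
sysadm:x:0:0::/home/sysadm:/bin/bash
updater:x:1001:1001::/tmp/.x:/tmp/.x/sh'
SAMPLE_GROUP='sudo:x:27:deploy,updater
wheel:x:10:'

# Print users whose UID is 0 but whose name is not "root".
uid0_users() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print user:shell for every account whose shell is not in STANDARD_SHELLS.
nonstandard_shell_users() {
  printf '%s\n' "$1" | awk -F: -v list="$STANDARD_SHELLS" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($7 in ok) { print $1 ":" $7 }'
}

# Print the members of the sudo and wheel groups, one per line.
sudo_group_members() {
  printf '%s\n' "$1" | awk -F: '($1 == "sudo" || $1 == "wheel") && $4 != "" {
    n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Combine the checks into one report; on a live host pass the contents
# of /etc/passwd and /etc/group instead of the sample strings.
suspicious_users_report() {
  echo "== UID 0 users other than root =="; uid0_users "$1"
  echo "== Users with non-standard shells =="; nonstandard_shell_users "$1"
  echo "== Members of sudo/wheel =="; sudo_group_members "$2"
}

suspicious_users_report "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```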

Output

The function generates a detailed report at /root/suspicious_users_report.txt that includes:

  • UID 0 users
  • Users with sudo access
  • Users with non-standard shells
  • Recently added users
  • SSH authorized keys for all users

After running the script:

  1. Carefully review /root/suspicious_users_report.txt
  2. Investigate any suspicious users or SSH keys
  3. Remove or lock any unauthorized accounts
  4. Regenerate SSH keys for legitimate users
  5. Audit sudo access and remove unnecessary privileges

Security Recommendations

  • Regularly audit user accounts
  • Use strong password policies
  • Implement two-factor authentication
  • Use tools like fail2ban to prevent brute-force attacks
  • Keep your system updated with the latest security patches

Usage Instructions

  1. Save the script to a file (e.g., kinsing_cleanup.sh)
  2. Make it executable: chmod +x kinsing_cleanup.sh
  3. Run with sudo: sudo ./kinsing_cleanup.sh

Precautions

  • Always review the script before running
  • Understand each step
  • Have a backup of your critical data
  • Test in a staging environment first if possible

Additional Recommendations

  1. After running the script, thoroughly review:
    • /var/log/kinsing_cleanup.log
    • /root/kinsing_recent_files.txt
    • Results of the rkhunter scan
  2. Consider changing all passwords
  3. Review network logs and access patterns
  4. If possible, restore from a known clean backup

Disclaimer

This script is provided as-is. While it aims to help clean up the Kinsing malware, every infection is unique. Professional security consultation is recommended for complex scenarios.