GIF89a; Mini Shell

Mini Shell

Direktori : /opt/imunify360/venv/share/imunify360/scripts/
Upload File :
Current File : //opt/imunify360/venv/share/imunify360/scripts/imunify-doctor.sh

#!/bin/bash

LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
DEST=/root/cl-report
UPLOAD_URL=https://doctor.cloudlinux.com/doctor/upload
CAT=`command -v cat`
UNAME=`command -v uname`
CP="Unknown"
SERVER_ID=
main_ip='NA'
scriptname="imunify-doctor"
IMUNIFY360_PIDFILE=/var/run/imunify360.pid
# custom tmp dir from imunify360.spec for symlink attack prevention
tmpdir=/var/imunify360/tmp
sqlite_path=/opt/alt/sqlite/usr/bin/sqlite3
IMUNIFY360_DB=/var/imunify360/imunify360.db
db_command="$sqlite_path $IMUNIFY360_DB"

cleanup() {
  rm -f $DEST $DEST.wget
}

test_curl() {
    command -v curl >/dev/null 2>&1
    return $?
}

test_wget() {
  command -v wget >/dev/null 2>&1
  if [ 0 -eq $? ]; then
    if [ -x `command -v wget` ]; then
	return 0
    fi
  fi
  return 1
}

curl_upload() {
 curl -s -H "serverid: $SERVER_ID" -F reportfile=@"$DEST" $UPLOAD_URL
}

wget_upload() {

    echo -e "--FILEUPLOAD\r\n" > $DEST.wget
    echo -e "--FILEUPLOAD\r\n" > $DEST.wget
    echo -e "Content-Disposition: form-data; name=\"reportfile\"; filename=\"$DEST\"\r\n" >> $DEST.wget
    echo -e "Content-Type: application/octet-stream\r\n" >> $DEST.wget
    echo -e "Media Type: application/octet-stream\r\n\r\n" >> $DEST.wget
    cat $DEST >> $DEST.wget
    echo -e "--FILEUPLOAD--\r\n" >> $DEST.wget
    wget -O - -qq -t 1 --header="serverid: $SERVER_ID" --header="Content-type: multipart/form-data; boundary=FILEUPLOAD" --post-file $DEST.wget $UPLOAD_URL
}

get_server_id() {
  SERVER_ID=$(/opt/alt/python38/bin/python3 -c 'import json; import sys; print(json.load(sys.stdin)["id"])' < /var/imunify360/license.json)
  if [[ -z "$SERVER_ID" ]]; then
    SERVER_ID="${main_ip//./_}"
  fi
}

init_main_ip() {
 if test_curl
 then
    main_ip=`curl -s -L http://cloudlinux.com/showip.php` 2>/dev/null
 else
    main_ip=`wget -qq -O - http://cloudlinux.com/showip.php` 2>/dev/null
 fi
}

get_main_ip() {
  sep "Main IP"
  echo "$main_ip" >> $DEST
  echo >>$DEST
}


upload() {
 if test_curl
 then
     curl_upload
 else
     wget_upload
 fi
}

report_error_and_exit() {
 echo "$1"
 exit 1
}

mecho(){
 echo $1 >> $DEST
}
start(){
 if ! test_wget; then
     if ! test_curl; then
	 echo "Cannot find wget or curl"
     fi
     #echo "Using curl"
 fi
 echo "------ CL INFO ---" > $DEST
}

time_stamp(){
 echo "" >> $DEST
 echo "TS: $(date)" >> $DEST
}

sep(){
 echo "------ $1 ---" >> $DEST
}


run(){
 sep "$1"
 sh -c "$1" >> $DEST 2>&1
 time_stamp
}

run_cb(){
 sep "$1"
 $1 >> $DEST 2>&1
 result=$?
 time_stamp
 return $result
}

dump() {
 sep "cat $1"
 $CAT $1  >> $DEST 2>&1
 echo >> $DEST 2>&1
 time_stamp
}


detect_cp() {
    CP_VERSION="Unknown"
    SOFTACULOUS=0
    if [ -d "/usr/local/psa/admin/" ]; then
	    CP="Plesk"
        CP_VERSION=`cat /usr/local/psa/version`
	    if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
    fi
    if [ -d "/usr/local/cpanel/whostmgr/docroot/" ]; then
	    CP="cPanel"
        CP_VERSION=`/usr/local/cpanel/cpanel -V`
	    if [ -e "/usr/local/cpanel/whostmgr/cgi/softaculous" ]; then SOFTACULOUS=1; fi
    fi
    if [ -d "/usr/local/interworx/" ]; then
	    CP="InterWorx"
        CP_VERSION=`cat /usr/local/interworx/iworx.ini|grep version`
	    if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
    fi
    if [ -d "/usr/local/ispmgr/" ]; then
	    CP="ISPmanager"
        CP_VERSION=`/usr/local/ispmgr/bin/ispmgr -v`
	    if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
    fi
    if [ -d "/usr/local/directadmin/plugins/" ]; then
	    CP="DirectAdmin"
        CP_VERSION=`/usr/local/directadmin/custombuild/build versions|sed -n 2p|cut -d":" -f2`
	    if [ -e "/usr/local/directadmin/plugins/softaculous" ]; then SOFTACULOUS=1; fi
    fi
    if [ -d "/usr/local/hostingcontroller/" ]; then
	    CP="Hosting Controller"
	    if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
    fi
    if [ -d "/hsphere/shared" ]; then
        CP="H-Sphere"
    fi
    sep "Control Panel"
    mecho "CP: $CP"
    mecho "VERSION: $CP_VERSION"
    mecho "SOFTACULOUS: $SOFTACULOUS"
}

detect_httpd() {

    PERL_BIN=$(which perl 2>>/dev/null)

    echo
    echo "HTTP Server Running Processes: "
    echo

    IFS=$(echo -en "\n\b")
    for proc in $(ps -eo pid,user,group,cmd 2>>/dev/null | egrep "\b(httpd|apache2|litespeed|lshttpd)\b" | grep -v "egrep"); do
        echo "[$proc]"
        proc_pid=$(echo "$proc" | awk '{print$1}')
        echo "Bin:" $(readlink "/proc/${proc_pid}/exe" 2>>/dev/null)
        echo "Environment:"
        cat "/proc/${proc_pid}/environ"  2>>/dev/null | tr '\0' '\n' | head -30
        echo
    done
    unset IFS
    echo

    http_bins=$(ps -eo pid,comm 2>>/dev/null | egrep "\b(httpd|apache2)\b" | awk '{print "/proc/"$1"/exe"}' | xargs -n 1 readlink | uniq | egrep "\b(httpd|apache2)\b")

    for http_bin in "$http_bins"; do

        if [ -z "$http_bin" ]; then
            continue
        fi

        echo "HTTP Binary Info: "
        echo -e "$http_bin\n"
        $http_bin -V 2>&1
        echo
        $http_bin -M 2>&1
        echo

        if [ -z "$PERL_BIN" ]; then
            continue
        fi

        httpd_root=$($http_bin -V | grep HTTPD_ROOT | cut -d= -f2 | tr -d '"' )
        httpd_config=$($http_bin -V | grep SERVER_CONFIG_FILE | cut -d= -f2 | tr -d '"' )

        if [ -z "$httpd_config" ]; then
            continue
        fi

        if [ ! ${httpd_config:0:1} = "/" ]; then
            httpd_config="$httpd_root/$httpd_config"
        fi

        pl_script_path="$(dirname $(readlink -e "$0"))/mk_apache_conf_digest.pl"
        if [ -e "$pl_script_path" ]; then
            echo "Server Configs:"
            $PERL_BIN "$pl_script_path" "$httpd_config" "$httpd_root" 2>>/dev/null
        fi

    done

}


http_server_info() {
    detect_httpd 2>>/dev/null | head -5000
}


backup_systems_info() {
    if [ ! -f /var/restore_infected/acronis_api_token.json ]; then
        echo "/var/restore_infected/acronis_api_token.json: no such file."
    else
        echo "/var/restore_infected/acronis_api_token.json: "
        # "username": "AB-99658-51"
        /opt/alt/python38/bin/python3 -m json.tool < /var/restore_infected/acronis_api_token.json
    fi

    echo
    echo "imunify360-agent backup-systems extended-status: "
    imunify360-agent backup-systems extended-status -v --json | tee $tmpdir/backup_systems_info.$$
    /opt/alt/python38/bin/python3 >$tmpdir/backup_systems_info.$$.current <<ENDPY
import json
print(json.load(open("$tmpdir/backup_systems_info.$$"))["items"]["backup_system"])
ENDPY

    rm $tmpdir/backup_systems_info.$$
    rm $tmpdir/backup_systems_info.$$.current
}


webshield_selfcheck() {
    /usr/share/imunify360-webshield/self_check.py
}


pam_db_size() {
    mod_db_path=$(awk -F= '$1 == "mod_db_path" {print $2}' /etc/pam_imunify/i360.ini)
    du --human-readable --summarize "$mod_db_path"
}

trap cleanup EXIT

start
init_main_ip
get_main_ip
get_server_id
detect_cp
run "date"
run "$CAT /proc/cpuinfo"
run "$UNAME -a"
run "$UNAME -r"
run "$UNAME -m"
run "$UNAME -p"
run "$UNAME -o"
dump "/etc/redhat-release"
dump "/etc/os-release"
dump "/var/imunify360/license.json"
dump "/etc/sysconfig/imunify360/imunify360.config"
dump "/etc/sysconfig/imunify360/imunify360-merged.config"
run "tail -n +1 /etc/sysconfig/imunify360/imunify360.config.d/*"
dump "/etc/sysconfig/imunify360/cpanel/imunify360.conf"
run "tail -n3000 /var/log/imunify360/console.log"
run "tail -n3000 /var/log/imunify360/debug.log"
run "tail -n3000 /var/log/imunify360/network.log"
run "tail -n3000 /var/log/imunify360/acronis-installer.log"
run "tail -n3000 /var/log/imunify360/error.log"
run "tail -n3000 /var/log/imunify360-webshield/access.log"
run "tail -n3000 /var/log/imunify360-webshield/error.log"
run "tail -n3000 /var/ossec/logs/alerts/alerts.log"
run "tail -n3000 /usr/local/directadmin/custombuild/custombuild.log"
dump "/etc/issue"
dump "/etc/sysconfig/kernel"
dump "/etc/sysconfig/kcare/systemid"
dump "/proc/uptime"
dump "/proc/loadavg"
dump "/proc/vmstat"
dump "/proc/devices"
dump "/proc/diskstats"
dump "/proc/cmdline"
dump "/proc/mdstat"
dump "/proc/meminfo"
dump "/proc/swaps"
dump "/proc/filesystems"
dump "/proc/mounts"
dump "/proc/interrupts"
dump "/boot/grub/grub.conf"
dump "/proc/version"
dump "/etc/passwd"
run "ls -la /etc/yum.repos.d/"
run "tail -n 50 /etc/yum.repos.d/{*imunify360*,*sensor*}"
run "grep DEFAULT /etc/default/grub"
run "grep vmlinuz /boot/grub2/grub.cfg| sed 's/root=.*//'"
dump "/boot/grub2/grub.cfg"
dump "/proc/zoneinfo"
run "ls /etc/grub.conf /boot/grub/grub.conf /boot/grub/menu.lst"
run "ls -l /boot"
run "grep Port /etc/ssh/sshd_config"
run "dmidecode"
run "systemd-detect-virt"
run "virt-what"
run "ipcs -m|sed -e s/-/=/g"
run "sysctl -a"
dump "/etc/sysctl.conf"
run 'rpm -q -a --queryformat="%{N}|%{V}-%{R}|%{arch}\n"'
packages=$(rpm -qa imunify* 2>>/dev/null)
for package in $packages; do
    run "rpm -V $package"
done

run "dpkg -l"
run "tail -n10000 /var/log/messages"
run "ls -lR /var/cache/kcare/"
dump "/etc/sysconfig/kcare/kcare.conf"
dump "/etc/kdump.conf"
run "/opt/alt/python38/bin/pip freeze"
[[ -f "$IMUNIFY360_PIDFILE" ]] && run "ls -l /proc/$(cat ${IMUNIFY360_PIDFILE})/fd"

run "df -h"
dump "/etc/userdomains"

run "ps aux --sort=-%mem | head -20"
run "ps aux --sort=-%cpu | head -20"
run "ps aux | grep -i imunify"

run "crontab -l"
run "service imunify360 status"
run "service imunify-antivirus status"
run "service imunify360-webshield status"
run "service wsshdict status"
run "service firewalld status"
run "service ossec-hids status"
run "service fail2ban status"
run "service httpd status"
run "service lshttpd status"

run_cb "webshield_selfcheck"

run_cb "pam_db_size"
run "imunify360-pam status --yaml"
run "ls -la /etc/pam.d/"
run "cat /etc/pam_imunify/i360.ini"

if [ -e "/usr/sbin/csf" ]; then
  run "csf --status"
  run "lfd --status ; echo $?"
  run "service lfd status"
  run "service csf status"
  run "csf -V"
  dump "/etc/csf/csf.conf"
  dump "/etc/csf/csf.deny"
  dump "/etc/csf/csf.allow"
  dump "/etc/csf/csf.ignore"
  run "tail -n3000 /var/log/lfd.log"
fi
run "cxs --version"

if [ -e "/usr/bin/firewall-cmd" ]; then
    run "timeout 5 firewall-cmd -V"
    run "timeout 5 firewall-cmd --state"
    run "tail -n3000 /var/log/firewalld"
fi

run "service cpanel status"
dump "/var/cpanel/dnsonly"
run "service mysql status"
run "ps aux | grep -i cphulk"

run "ipset -V"
run "ipset save | head -n3000"
run "ipset list -t | head -n3000"
run "iptables -V"
run "iptables-save | head -n3000"

run "ifconfig"
run "echo .tables | $db_command"
run "echo \"select count(*) from incident;\" | $db_command"
run "echo \"select count(*) from iplist;\" | $db_command"
run "echo \"select * from iplist order by ctime desc limit 1000;\" | $db_command"
run "echo \"select * from incident order by timestamp desc limit 1000;\" | $db_command"
run "echo \"select * from country limit 1000;\" | $db_command"
run "echo \"select * from country_list order by ctime desc limit 1000;\" | $db_command"
run "echo \"select * from last_synclist limit 1000;\" | $db_command"
run "echo \"select * from migratehistory limit 1000;\" | $db_command"
run "echo \"select * from malware_hits limit 1000;\" | $db_command"
run "echo \"select * from malware_ignore_path limit 1000;\" | $db_command"
run "echo \"select * from malware_scans limit 1000;\" | $db_command"
run "du --human-readable /var/imunify360/imunify360.db"
run "imunify360-agent blacklist country list --json --limit 2000"
run "imunify360-agent blacklist ip list --json --limit 2000"
run "imunify360-agent graylist ip list --json --limit 2000"
run "imunify360-agent whitelist country list --json --limit 2000"
run "imunify360-agent whitelist ip list --json --limit 2000"

run "imunify360-agent rstatus"
run "imunify360-agent version"
run "imunify360-agent 3rdparty conflicts --json | python -m json.tool"
run "imunify360-agent config show --json -v"
run "grep License /var/log/imunify360/console.log | tail -n 1000"
run "grep 'Server is offline' /var/log/imunify360/console.log | tail -n 1000"
run "grep 'SensorAlert' /var/log/imunify360/console.log | tail -n 3000"
run "grep 'modsec' /var/log/imunify360/console.log | tail -n 3000"
run "ls -la /etc/sysconfig/imunify360/"
run_cb "backup_systems_info"

run "tail -n3000 /var/log/i360deploy.log"
run "tail -n3000 /var/log/imav-deploy.log"
run "tail -n3000 /var/ossec/logs/active-responses.log"
run "tail -n3000 /var/ossec/logs/alerts/alerts.log"
run "tail -n3000 /var/log/yum.log"
run "tail -n3000 /var/log/minidaemon.log"

run "tail -3000 /usr/local/apache/logs/error_log"
run "tail -3000 /usr/local/apache/logs/access_log"
run "tail -3000 /usr/local/apache/logs/modsec_audit.log"

run "tail -3000 /var/log/trueimage-setup.log"

run "/usr/local/cpanel/scripts/modsec_vendor list"
run "whmapi1 modsec_get_configs"
run "whmapi1 modsec_get_settings"
run "cat /etc/apache2/conf.d/modsec2.imunify.conf"
run "cat /usr/local/apache/conf/includes/modsec2.imunify.conf"
run "ls /var/cpanel/cwaf"

# prepend each particular log with ==> logfilename <== string
run "tail --lines +0 /var/log/imunify360/register_unregister_post_error_*.log"

# prepend each particular log with ==> logfilename <== string
run "tail --lines +0 /var/log/imunify360/*hardenedphp.log.*"
run "tail --lines +0 /var/log/imunify360/*kernelcare.log*"
run "tail --lines +0 /var/log/imunify360/*ea_php.log*"
run "ls /opt/alt/php*/usr/bin/php"
run "ls /opt/cpanel/ea-php*/root/usr/bin/php"
run 'rpm -qa --queryformat "%{NAME} %{RELEASE}\n" "ea-php*"'

run "getenforce"
run "sestatus"
run "ss -u -a"
run "ss -x -a | grep defence360agent"
run "nc -v -w 5 -i 1 imunify360.cloudlinux.com 443"
run "nc -v -w 5 -i 1 148.251.142.83 443"
dump "/usr/local/cpanel/version"
run "ls /etc/rc.d/init.d/"
run "systemctl list-units --all"
run "systemctl status aibolit-resident.socket"
run "curl ipinfo.io"
run "netstat -tulpan | tail -n 3000"
run "netstat -tulpan | wc -l"
# only tcp listening sockets & program
run "netstat -tlpn"
run "lsmod | grep ip_set"
dump "/etc/cagefs/cagefs.mp"
for f in /var/log/imunify360/native_da.hook_log.*
do dump $f
done

### PLESK
run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules"
run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules --enabled"
run "/usr/local/psa/bin/server_pref --show-web-app-firewall"

run_cb "http_server_info"
# collect info on how huge /var/cpanel/secdatadir/ip.pag is
run "ls -lh /var/cpanel/secdatadir/*"
run "printenv"

run "/usr/libexec/run-with-intensity show"

# colect webshield  info
run "tail -3000 /var/log/wsshdict/wsshdict.log"

if [ -e "/etc/kdump.conf" ]; then
  KDUMP_PATH=`grep ^path /etc/kdump.conf|cut -d' ' -f2`
  if [ -z "$KDUMP_PATH" ] ; then
    run "ls -lR /var/crash"
  else
    run "ls -lR $KDUMP_PATH"
  fi
fi
run dmesg

run "ls -la /var/ossec/etc/VERSIONS/"
run "ls --lcontext /var/ossec"
run "ls --lcontext /var/ossec/bin"
run "ls --lcontext /var/ossec/logs"

run "ls -la /etc/httpd/conf/modsecurity.d/rules/"
run "ls -la /etc/apache2/conf.d/modsec_vendor_configs/"

run "cat /etc/httpd/conf/modsecurity.d/rules/custom/VERSION"
run "cat /usr/local/directadmin/custombuild/custom/modsecurity/conf/VERSION"
run "cat /etc/apache2/conf.d/modsec_vendor_configs/imunify*/VERSION;echo"
run "cat /var/cpanel/modsec_cpanel_conf_datastore"

run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq | wc -l"
run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq"
run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq"
run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq | wc -l"
run "plesk db \"SELECT COUNT(DISTINCT cl_id) FROM domains\""
run "httpd  -t"

upload && echo || report_error_and_exit "Report file upload failed. Please try again."

./BlackJoker Mini Shell 1.0