diff --git a/modules/security/suspicious-login-monitor.sh b/modules/security/suspicious-login-monitor.sh index 23a7552..f4c2ea5 100755 --- a/modules/security/suspicious-login-monitor.sh +++ b/modules/security/suspicious-login-monitor.sh @@ -1059,10 +1059,21 @@ check_system_file_tampering() { risk=$((risk + 25)) fi - # Check for suspicious entries in /etc/passwd - local backdoor_shells=$(awk -F: '$7 !~ /\/(bash|sh|nologin|false)$/ && $7 != "" {print $1":"$7}' /etc/passwd) + # Check for suspicious entries in /etc/passwd (exclude system accounts) + # Look for non-standard shells on user accounts (UID >= 1000) + local backdoor_shells=$(awk -F: '$3 >= 1000 && $7 != "" { + shell = $7 + # Standard shells + if (shell ~ /\/bash$/ || shell ~ /\/sh$/ || shell ~ /nologin$/ || shell ~ /false$/ || shell ~ /true$/) next + # System accounts + if ($1 == "sync" || $1 == "shutdown" || $1 == "halt" || $1 == "operator") next + # cPanel shells + if (shell ~ /\/noshell$/) next + # If we get here, shell is suspicious + print $1":"shell + }' /etc/passwd 2>/dev/null) if [ -n "$backdoor_shells" ]; then - findings="${findings}Suspicious-Login-Shells " + findings="${findings}Suspicious-Login-Shells:$backdoor_shells " risk=$((risk + 30)) fi @@ -1128,8 +1139,8 @@ check_backdoor_cron_jobs() { risk=$((risk + 45)) fi - # Check /etc/cron.d for suspicious entries - local suspicious_cron_d=$(grep -r "wget\|curl\|nc \|bash -i" /etc/cron.d/ 2>/dev/null | grep -v "^#") + # Check /etc/cron.d for suspicious entries (exclude false positives) + local suspicious_cron_d=$(grep -rE "wget.*\||curl.*\||bash -i|/dev/tcp" /etc/cron.d/ 2>/dev/null | grep -v "^#" | grep -v "cpanel\|license_sync") if [ -n "$suspicious_cron_d" ]; then findings="${findings}Suspicious-Cron.d-Entries " risk=$((risk + 45)) @@ -1152,8 +1163,8 @@ check_bash_history_malicious_commands() { local risk=0 if [ -f /root/.bash_history ]; then - # Check for common attack commands - local malicious_cmds=$(grep -E "wget.*\/tmp\/|curl.*bash|nc -l|bash -i|chmod \+s|chattr \+i" /root/.bash_history 2>/dev/null) + # Check for common attack commands (exclude legitimate installers) + local malicious_cmds=$(grep -E "wget.*\/tmp\/.*sh|curl.*(base64|eval)|nc -l|bash -i.*\/dev\/tcp|chmod \+s \/|chattr \+i" /root/.bash_history 2>/dev/null | grep -v "claude.ai\|github.com\|githubusercontent") if [ -n "$malicious_cmds" ]; then findings="${findings}Malicious-Commands-In-History " risk=$((risk + 40)) @@ -1236,10 +1247,10 @@ check_rootkit_indicators() { risk=$((risk + 50)) fi - # Check for modified binaries (ls, ps, netstat) + # Check for modified binaries (ls, ps, netstat) - look for backdoor/rootkit strings only for cmd in /bin/ls /bin/ps /bin/netstat; do if [ -f "$cmd" ]; then - local strings_check=$(strings "$cmd" 2>/dev/null | grep -i "backdoor\|rootkit\|hide") + local strings_check=$(strings "$cmd" 2>/dev/null | grep -iE "backdoor|rootkit|\bhidden\b.*process|\bhide\b.*file") if [ -n "$strings_check" ]; then findings="${findings}Modified-Binary:$cmd " risk=$((risk + 50)) @@ -1673,6 +1684,73 @@ main() { echo "" echo "Report saved to: $REPORT_FILE" + + # ALWAYS run system-wide compromise detection (regardless of login activity) + echo "" + echo -e "${CYAN}═══════════════════════════════════════════════════════════════${NC}" + echo -e "${CYAN} SYSTEM COMPROMISE DETECTION - Integrity Check${NC}" + echo -e "${CYAN}═══════════════════════════════════════════════════════════════${NC}" + echo "" + + local compromise_result=$(perform_compromise_detection "system-wide") + local compromise_risk=$(echo "$compromise_result" | cut -d'|' -f1) + local compromise_findings=$(echo "$compromise_result" | cut -d'|' -f2-) + + if [ "$compromise_risk" -ge 100 ]; then + echo -e "${RED}🚨 CRITICAL: Server shows strong indicators of compromise${NC}" + echo -e "${RED} Risk Score: $compromise_risk/100${NC}" + echo "" + echo "Indicators found:" + for finding in $(echo "$compromise_findings" | tr ' ' '\n'); do + echo -e " ${RED}•${NC} $(echo $finding | tr '-' ' ')" + done + echo "" + echo -e "${RED}RECOMMENDED ACTIONS:${NC}" + echo " 1. Investigate all findings immediately" + echo " 2. Run full rootkit scan: rkhunter --check" + if [ "$panel" = "cpanel" ]; then + echo " 3. Run cPanel CSI: perl csi.pl --full" + fi + echo " 4. Consider full system reinstall if compromised" + elif [ "$compromise_risk" -ge 50 ]; then + echo -e "${RED}⚠️ WARNING: Suspicious indicators detected${NC}" + echo -e "${YELLOW} Risk Score: $compromise_risk/100${NC}" + echo "" + echo "Indicators found:" + for finding in $(echo "$compromise_findings" | tr ' ' '\n'); do + echo -e " ${YELLOW}•${NC} $(echo $finding | tr '-' ' ')" + done + echo "" + echo -e "${YELLOW}RECOMMENDED ACTIONS:${NC}" + echo " 1. Review all findings carefully" + echo " 2. Run rootkit scan: rkhunter --check" + echo " 3. Investigate recent account/file changes" + elif [ "$compromise_risk" -gt 0 ]; then + echo -e "${BLUE}ℹ️ NOTICE: Minor security concerns detected${NC}" + echo -e "${BLUE} Risk Score: $compromise_risk/100${NC}" + echo "" + echo "Issues found:" + for finding in $(echo "$compromise_findings" | tr ' ' '\n'); do + echo -e " ${BLUE}•${NC} $(echo $finding | tr '-' ' ')" + done + echo "" + echo "Review these items when convenient." + else + echo -e "${GREEN}✓ No compromise indicators detected${NC}" + echo "" + echo "System integrity checks:" + echo " ✓ No unauthorized UID 0 accounts" + echo " ✓ No suspicious SSH keys" + echo " ✓ No system file tampering detected" + echo " ✓ No suspicious processes found" + echo " ✓ No backdoor cron jobs" + echo " ✓ No malicious commands in bash history" + echo " ✓ No web shells detected" + echo " ✓ No rootkit indicators" + echo " ✓ No suspicious network activity" + fi + + echo -e "${CYAN}═══════════════════════════════════════════════════════════════${NC}" } # Run main function