feb9ee5f5c
User feedback: "the script seems more about checking for login attempts than confirm if a server has been rooted or not"

Problem: Script detected suspicious login patterns but couldn't confirm actual system compromise.

Solution: Added 9 comprehensive compromise detection checks that run for CRITICAL risk alerts (≥85 risk score):

NEW COMPROMISE DETECTION CHECKS:
1. check_backdoor_accounts - Unauthorized UID 0, no-password accounts, recently added users, suspicious usernames
2. check_unauthorized_ssh_keys - Excessive keys, suspicious comments, wrong permissions, unusual locations
3. check_system_file_tampering - Recent /etc/passwd|shadow mods, backdoor shells, suspicious sudoers
4. check_suspicious_processes - Reverse shells, hidden processes, /tmp execution, excessive connections
5. check_backdoor_cron_jobs - Malicious cron commands, unusual cron locations
6. check_bash_history_malicious_commands - Attack commands, history tampering, password manipulation
7. check_web_shells - PHP backdoors in web directories, PHP in /tmp
8. check_rootkit_indicators - Common rootkit files, suspicious kernel modules, modified binaries, hidden directories
9. check_suspicious_network_activity - Connections to reverse shell ports (4444,5555,1337), IRC connections, excessive outbound traffic

Report Enhancement:
- Added "COMPROMISE DETECTION - System Integrity Check" section
- Shows detailed findings for each indicator
- Risk levels:
  * ≥50: "COMPROMISE CONFIRMED - Server likely rooted"
  * 1-49: "Suspicious indicators found"
  * 0: "No compromise indicators detected"

Impact:
- Script now confirms actual compromise, not just suspicious behavior
- Transforms from "login monitor" to "comprehensive compromise detector"
- Addresses user concern about detecting actual root compromise

Performance:
- Compromise detection: 10-30 seconds
- Only runs for CRITICAL alerts (risk ≥85)
- Optimized: limited file scans, efficient grep patterns

Code Changes:
- Added 9 new functions (+420 lines)
- Enhanced report generation with compromise results
- Total: 1,252 → 1,672 lines

Validation:
- Syntax check: PASS
- QA check: PASS (0 critical issues)
- Live test: PASS (executes successfully)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
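As an added illustration of three of the checks the commit message lists (unauthorized UID 0 accounts and no-password accounts from check_backdoor_accounts, and connections to the reverse shell ports 4444/5555/1337 from check_suspicious_network_activity), here are standalone bash functions written for this page. They are not the script's own code; the function names scan_passwd_for_uid0, scan_shadow_for_empty_pw, scan_conns_for_revshell_ports and compromise_indicator_count are hypothetical, and the /etc/passwd, /etc/shadow and `ss -ntp`-style inputs are constructed samples so the block runs offline without root. On a live host the same functions would be fed `/etc/passwd`, `sudo cat /etc/shadow` and `ss -ntp`.

```bash
#!/usr/bin/env bash
# Added example, not code from the script described in the commit message.
# Function names and sample data below are constructed for illustration.

# Constructed sample /etc/passwd: 'sysupdate' is a second UID 0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
sysupdate:x:0:0::/tmp:/bin/bash'

# Constructed sample /etc/shadow: 'backup2' has an empty password field,
# which lets anyone log in as that user with no password at all.
SAMPLE_SHADOW='root:$6$abc$hash:19000:0:99999:7:::
alice:$6$def$hash:19000:0:99999:7:::
backup2::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

# Constructed sample of `ss -ntp` output (State Recv-Q Send-Q Local Peer Process).
SAMPLE_CONNS='ESTAB 0 0 10.0.0.5:43210 203.0.113.7:4444 users:(("bash",pid=2311,fd=3))
ESTAB 0 0 10.0.0.5:51022 198.51.100.2:443 users:(("curl",pid=2400,fd=5))
ESTAB 0 0 10.0.0.5:39901 203.0.113.9:1337 users:(("sh",pid=2500,fd=3))'

# Print the name of every passwd entry with UID 0 that is not root.
# Reads the file(s) given as arguments, or stdin when none are given.
scan_passwd_for_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$@"
}

# Print every shadow entry whose password hash field is empty.
# '*' and '!' mean "locked", not "empty", so they are deliberately not reported.
scan_shadow_for_empty_pw() {
  awk -F: '$2 == "" { print $1 }' "$@"
}

# Print "<peer> <process>" for established connections whose peer port is one of
# the reverse-shell ports named in the commit message. This is a heuristic only:
# an attacker can pick any port, so a clean result here proves nothing by itself.
scan_conns_for_revshell_ports() {
  awk '$1 == "ESTAB" {
         port = $5; sub(/.*:/, "", port)
         if (port == "4444" || port == "5555" || port == "1337") print $5, $6
       }' "$@"
}

# Count findings across the three checks over the sample data, the same kind of
# number the commit message maps onto its ">=50 / 1-49 / 0" report bands.
compromise_indicator_count() {
  local n=0
  n=$(( n + $(printf '%s\n' "$SAMPLE_PASSWD" | scan_passwd_for_uid0 | wc -l) ))
  n=$(( n + $(printf '%s\n' "$SAMPLE_SHADOW" | scan_shadow_for_empty_pw | wc -l) ))
  n=$(( n + $(printf '%s\n' "$SAMPLE_CONNS" | scan_conns_for_revshell_ports | wc -l) ))
  echo "$n"
}

# Usage on the constructed samples (prints sysupdate, backup2, the two suspicious peers, then 4):
printf '%s\n' "$SAMPLE_PASSWD" | scan_passwd_for_uid0
printf '%s\n' "$SAMPLE_SHADOW" | scan_shadow_for_empty_pw
printf '%s\n' "$SAMPLE_CONNS"  | scan_conns_for_revshell_ports
compromise_indicator_count
```

Two points worth keeping in mind when running checks like these for real: the shadow check needs root to read /etc/shadow, and an empty hash field is distinct from a locked account (`*` or `!`), so the awk test is on the field being empty rather than on it looking unusual; and the port list is a convention, not a property of reverse shells, so it should be combined with the process name (a `bash` or `sh` holding an outbound socket is the stronger signal) rather than used on its own.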