about summary refs log tree commit diff stats
path: root/bin
diff options
context:
space:
mode:
authoradmins <admins@tilde.institute>2020-07-26 14:58:36 -0400
committeradmins <admins@tilde.institute>2020-07-26 14:58:36 -0400
commit0721da9d3655de05b0fb50cae54b2913c61bc71e (patch)
treed401577d77ee16f9fcecfcba285d4aa5728010c6 /bin
parentbb4c065491015f70660cd24679c7dce61389b456 (diff)
downloadadmin-0721da9d3655de05b0fb50cae54b2913c61bc71e.tar.gz
added python script that checks for potentially malicious procs
runs every 5 minutes, emails admins if anything is found.
Diffstat (limited to 'bin')
-rwxr-xr-xbin/badprocs.py60
1 files changed, 60 insertions, 0 deletions
diff --git a/bin/badprocs.py b/bin/badprocs.py
new file mode 100755
index 0000000..a77ec54
--- /dev/null
+++ b/bin/badprocs.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+
+# Checks the process list for anything that could be potentially worrisome.
+# If something is found, emails the admins@tilde.institute account.
+# gbmor <ben@gbmor.dev>
+
+from shlex import quote
+import subprocess
+import time
+
+
+def getBadProcs(procsList):
+    procsFound = []
+    procsRunning = list(
+        subprocess.check_output("/bin/ps aux", stderr=subprocess.STDOUT, shell=True)
+        .decode()
+        .split("\n")
+    )
+
+    for proc in procsRunning:
+        for badproc in procsList:
+            if badproc in proc.lower():
+                procsFound.append("Found {0} :: {1}".format(badproc, proc))
+
+    return procsFound
+
+
+def mailAdmins(procsFound):
+    msg = "WARNING: Check the following processes manually\n\n"
+    msg += "\n".join(procsFound)
+    msg += "\noutput from badprocs.py\n"
+
+    cmd = "echo {0} | mail -s 'WARNING: Found potential bad processes' admins@tilde.institute".format(
+        quote(msg)
+    )
+
+    subprocess.run(cmd, shell=True)
+
+
+if __name__ == "__main__":
+    procsList = [
+        "crowdserv",  # sauerbraten
+        "eggdrop",
+        "miner",  # lots of btc miners have this in the name
+        "nmap",
+        "regen2",  # sauerbraten
+        "sauer",  # sauerbraten
+        "torrent",
+        "transmission",
+        "tshark",
+        "xmr",  # lots of monero miners have this in the name
+    ]
+
+    while True:
+        procsFound = getBadProcs(procsList)
+
+        if len(procsFound) > 0:
+            mailAdmins(procsFound)
+
+        time.sleep(300)