From 0721da9d3655de05b0fb50cae54b2913c61bc71e Mon Sep 17 00:00:00 2001
From: admins
Date: Sun, 26 Jul 2020 14:58:36 -0400
Subject: added python script that checks for potentially malicious procs runs every 5 minutes, emails admins if anything is found.
---
 bin/badprocs.py | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100755 bin/badprocs.py
(limited to 'bin')
diff --git a/bin/badprocs.py b/bin/badprocs.py
new file mode 100755
index 0000000..a77ec54
--- /dev/null
+++ b/bin/badprocs.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python3
+
+# Checks the process list for anything that could be potentially worrisome.
+# If something is found, emails the admins@tilde.institute account.
+# gbmor
+
+from shlex import quote
+import subprocess
+import time
+
+
+def getBadProcs(procsList):
+    procsFound = []
+    procsRunning = list(
+        subprocess.check_output("/bin/ps aux", stderr=subprocess.STDOUT, shell=True)
+        .decode()
+        .split("\n")
+    )
+
+    for proc in procsRunning:
+        for badproc in procsList:
+            if badproc in proc.lower():
+                procsFound.append("Found {0} :: {1}".format(badproc, proc))
+
+    return procsFound
+
+
+def mailAdmins(procsFound):
+    msg = "WARNING: Check the following processes manually\n\n"
+    msg += "\n".join(procsFound)
+    msg += "\noutput from badprocs.py\n"
+
+    cmd = "echo {0} | mail -s 'WARNING: Found potential bad processes' admins@tilde.institute".format(
+        quote(msg)
+    )
+
+    subprocess.run(cmd, shell=True)
+
+
+if __name__ == "__main__":
+    procsList = [
+        "crowdserv",  # sauerbraten
+        "eggdrop",
+        "miner",  # lots of btc miners have this in the name
+        "nmap",
+        "regen2",  # sauerbraten
+        "sauer",  # sauerbraten
+        "torrent",
+        "transmission",
+        "tshark",
+        "xmr",  # lots of monero miners have this in the name
+    ]
+
+    while True:
+        procsFound = getBadProcs(procsList)
+
+        if len(procsFound) > 0:
+            mailAdmins(procsFound)
+
+        time.sleep(300)
--
cgit 1.4.1-2-gfad0
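Review bot: `subprocess.run(cmd, shell=True)` in `mailAdmins` pushes the report through `echo` and a shell even though the message body is assembled from `ps aux` lines that every local user shapes with their own command-line arguments; `shlex.quote` does neutralise that text, but no shell is needed in the first place, and `subprocess.run(["mail", "-s", "WARNING: Found potential bad processes", "admins@tilde.institute"], input=msg.encode())` delivers the same message over stdin with nothing left to quote. The same applies to the `ps` call in `getBadProcs`, which can be `subprocess.check_output(["/bin/ps", "aux"], stderr=subprocess.STDOUT)`. Separately, the `while True` loop keeps no record of what it has already reported, so one matching process produces a fresh mail every 300 s until it exits; remembering the set of lines already sent and mailing only new ones would keep the admin mailbox usable and is cheap to add. A `CalledProcessError` from `ps` is also uncaught and would terminate the loop rather than be retried on the next tick, which deserves either a try/except around the call or a comment stating that exiting is intended.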