#!/usr/local/bin/python3

# Checks the process list for anything that could be potentially worrisome.
# If something is found, emails the admins@tilde.institute account.
# gbmor <ben@gbmor.dev>

from shlex import quote
import subprocess
import time


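def getBadProcs(procsList, *, psOutput=None):
    """Scan the process table for lines containing any watched substring.

    Args:
        procsList: substrings to look for in each ``ps aux`` line. Matching
            is case-insensitive (both the pattern and the line are lowered).
        psOutput: optional pre-captured ``ps aux`` text (``str`` or
            ``bytes``). When ``None`` (the default), ``/bin/ps aux`` is run.
            Mainly useful for testing without a live process table.

    Returns:
        list[str]: one ``"Found <pattern> :: <ps line>"`` entry per
        (pattern, line) match, in ``ps`` output order; a line matching
        several patterns produces several entries. Empty when nothing matches.

    Raises:
        subprocess.CalledProcessError: if ``/bin/ps`` exits non-zero.
    """
    if psOutput is None:
        # Fixed argument list rather than shell=True: no shell is needed for
        # a constant command, and it keeps one interpreter out of the path
        # of process names, which are text chosen by other users.
        psOutput = subprocess.check_output(
            ["/bin/ps", "aux"], stderr=subprocess.STDOUT
        )
    if isinstance(psOutput, bytes):
        # errors="replace": an argv that is not valid UTF-8 must not abort
        # the whole scan with UnicodeDecodeError, which would hide every
        # other match in the listing.
        psOutput = psOutput.decode("utf-8", errors="replace")

    # Pre-lower the patterns once so a mixed-case entry in procsList still
    # matches; the reported name keeps the caller's spelling.
    patterns = [(badproc, badproc.lower()) for badproc in procsList]

    procsFound = []
    for proc in psOutput.splitlines():
        lilproc = proc.lower()
        for badproc, needle in patterns:
            if needle in lilproc:
                procsFound.append("Found {0} :: {1}".format(badproc, proc))

    return procsFound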


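def mailAdmins(procsFound):
    """Email the list of suspicious process lines to admins@tilde.institute.

    Args:
        procsFound: the ``"Found <pattern> :: <ps line>"`` strings returned
            by getBadProcs(); each becomes one line of the mail body.

    Raises:
        FileNotFoundError: if no ``mail`` binary is found on PATH. (The
            previous ``shell=True`` form hid this as a silent exit status.)
    """
    msg = "WARNING: Check the following processes manually\n\n"
    msg += "\n".join(procsFound)
    msg += "\noutput from badprocs.py\n"

    # The body is handed to mail on stdin instead of ``echo <quoted> | mail``:
    # the ps lines are text chosen by other users, and sh's builtin echo
    # interprets backslash escape sequences in its argument, so a crafted
    # argv could truncate or reshape the report. No shell also means no
    # quoting to get wrong and no ARG_MAX limit on a long listing.
    subprocess.run(
        [
            "mail",
            "-s",
            "WARNING: Found potential bad processes",
            "admins@tilde.institute",
        ],
        input=msg.encode(),
        shell=False,
    )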


if __name__ == "__main__":
    # Substrings looked for in every `ps aux` line. They must be lower-case,
    # because each ps line is lower-cased before the comparison.
    procsList = [
        "eggdrop",
        "miner",  # lots of btc miners have this in the name
        "nmap",
        "torrent",
        "transmission",
        "tshark",
        "xmr",  # lots of monero miners have this in the name
    ]

    procsFound = getBadProcs(procsList)

    # Only bother the admins when there is something to report.
    if procsFound:
        mailAdmins(procsFound)