Skip to content

Instantly share code, notes, and snippets.

@rushipkar90

rushipkar90/maliciousmail-mod.sh

Created September 25, 2015 16:13
Show Gist options
  • Save rushipkar90/6d8071667f36fe277fb5 to your computer and use it in GitHub Desktop.
Save rushipkar90/6d8071667f36fe277fb5 to your computer and use it in GitHub Desktop.
Download ZIP
maliciousmail-mod.sh
Raw
maliciousmail-mod.sh
#/bin/bash
echo > /usr/local/src/temp_eximlog
echo > /usr/local/src/maliciousresults
echo > /usr/local/src/maliciousfiles
a=`date --date="5 hours ago" +%Y-%m-%d\ %H`
b=`date +%Y-%m-%d\ %H`
awk -v s="$a" -v e="$b" '$0~s,$0~e' /var/log/exim_mainlog >> /usr/local/src/temp_eximlog
cat /usr/local/src/temp_eximlog | awk '{print $3}' | grep /home | sort | uniq -c | sort -nr > scanmaillogdir.txt
for i in `cat /usr/local/src/scanmaillogdir.txt | cut -d= -f2` ; do
find $i -type f -name '*.php' -exec egrep -q 'yMxbgVDJ96|wUu2jGoB|$xYEzDu6r3EZT|$ZR2%tuMpYFr|$knmui74|x47LOBA|EWnBCG-hUfK|vC82XHO|rOqYibX4WA|ALaEJ!Pw|vHHEE8M|v08X2QH|vO5CQ7A' {} \; -print >> /usr/local/src/maliciousfiles
find $i -type f -name "*.php" -exec grep -lr "eval(v" {} \; >> /usr/local/src/maliciousfiles
done
for j in `cat /usr/local/src/scanmaillogdir.txt | cut -d= -f2 | cut -d/ -f3 | uniq`; do
maldet -a /home/$j/public_html >> /usr/local/src/maliciousresults
done
hostsa=`hostname`
cat /usr/local/src/maliciousfiles | mail -s "Mail stats for $hostsa" [email protected]
cat /usr/local/src/maliciousresults | mail -s "Maldet scan for $hostsa" [email protected]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment