
audit tracing.sh ubuntu 20.04
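#!/bin/bash
# Point-in-time host audit for Ubuntu 20.04: collects authentication logs,
# syslog errors, processes, sockets, user accounts, recently modified files,
# cron/timer persistence and network configuration into one timestamped
# report file in the current directory.
#
# Usage: bash tracing.sh
# Most collectors run under sudo, so you may be prompted for a password.
# Each section is collected independently: a collector that fails (tool not
# installed, file absent, grep with no match) leaves a status note in the
# report instead of stopping the audit.

set -u

# The report aggregates sensitive host state (auth logs, /etc/passwd, listening
# sockets with owning PIDs, cron contents), so create it owner-readable only.
umask 077

REPORT_FILE="hack_report_$(date +%Y%m%d_%H%M%S).txt"
readonly REPORT_FILE

#######################################
# Append one line of text (heading or note) to the report.
# Globals:   REPORT_FILE (read)
# Arguments: $1 - text, written verbatim
#######################################
emit() {
  printf '%s\n' "$1" >> "$REPORT_FILE"
}

#######################################
# Run a collector and append its stdout to the report. A non-zero exit is
# recorded as a note so the reader can tell "nothing found / tool missing"
# from "ran and produced no output".
# Globals:   REPORT_FILE (read)
# Arguments: the command and its arguments as separate words
#######################################
collect() {
  local rc=0
  "$@" >> "$REPORT_FILE" || rc=$?
  if (( rc != 0 )); then
    emit "[collector '$*' exited with status $rc]"
  fi
}

# Pipelines cannot be passed to collect() as words, so wrap them in functions.
sshd_accepted_logins() { sudo journalctl -b --no-pager -u sshd | grep "Accepted password"; }
established_connections() { sudo lsof -i -n | grep ESTABLISHED; }

# Truncate (or create) the report up front so an unwritable directory fails
# before any sudo prompt.
: > "$REPORT_FILE" || { printf 'cannot write %s\n' "$REPORT_FILE" >&2; exit 1; }
emit "--- Start of Hack Report ---"
collect date
emit ""

emit "--- Authentication Logs ---"
collect sshd_accepted_logins
collect sudo grep "Failed password" /var/log/auth.log
collect sudo grep "Accepted password" /var/log/auth.log
emit "----- last -a -----"
collect sudo last -a
emit "----- lastlog -----"
collect sudo lastlog
emit ""

emit "--- System Logs (Errors, Fails, Denied) ---"
collect sudo grep "error" /var/log/syslog
collect sudo grep "fail" /var/log/syslog
collect sudo grep "denied" /var/log/syslog
emit ""

emit "--- Running Processes ---"
collect ps auxf
emit "----- netstat -tulnp -----"
# net-tools is not installed by default on 20.04; ss below is the replacement.
if command -v netstat >/dev/null; then
  collect sudo netstat -tulnp
else
  emit "[netstat not installed; see ss output]"
fi
emit "----- ss -tulnp -----"
# -p only shows the owning process for other users' sockets when run as root.
collect sudo ss -tulnp
emit "----- Established Network Connections -----"
collect established_connections
emit ""

emit "--- User Accounts and Activity ---"
emit "----- /etc/passwd -----"
collect cat /etc/passwd
emit "----- User Additions -----"
collect sudo grep "useradd" /var/log/auth.log
emit "----- User Modifications -----"
collect sudo grep "usermod" /var/log/auth.log
emit "----- who -a -----"
collect who -a
emit "----- w -----"
collect w
emit ""

emit "--- Recently Modified Files (Last 24 Hours) ---"
# Prune pseudo-filesystems: they are not persistent storage and their virtual
# files would otherwise dominate the listing (/proc also changes while find runs).
collect sudo find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
  -o -type f -mmin -1440 -ls
emit ""

emit "--- Cron Jobs ---"
emit "----- crontab -l (current user) -----"
collect crontab -l
emit "----- crontab -l (root) -----"
collect sudo crontab -l -u root
emit "----- /etc/crontab -----"
collect sudo cat /etc/crontab
emit "----- /etc/cron.d/ -----"
collect ls -l /etc/cron.d/
emit "----- /etc/cron.d/* contents -----"
# tail -n +1 prints a "==> file <==" header before each file's full content.
collect sudo tail -n +1 /etc/cron.d/*
emit "----- systemd timers -----"
collect systemctl list-timers --all --no-pager
emit ""

emit "--- Network Configuration ---"
emit "----- ip a -----"
collect ip a
emit "----- ip route -----"
collect ip route
emit "----- /etc/network/interfaces -----"
# 20.04 configures networking through netplan; the ifupdown file is optional.
if [[ -r /etc/network/interfaces ]]; then
  collect cat /etc/network/interfaces
else
  emit "[/etc/network/interfaces not present]"
fi
emit "----- /etc/netplan/ -----"
if [[ -d /etc/netplan ]]; then
  collect sudo tail -n +1 /etc/netplan/*
else
  emit "[/etc/netplan not present]"
fi
emit "----- /etc/resolv.conf -----"
collect cat /etc/resolv.conf
emit "----- iptables -L -n -v -----"
collect sudo iptables -L -n -v
emit "----- iptables -t nat -L -n -v -----"
collect sudo iptables -t nat -L -n -v
emit ""
emit "--- End of Hack Report ---"
printf 'Report saved to: %s\n' "$REPORT_FILE"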