wlk.sh 4.38 KB
Newer Older
UltimateByte's avatar
UltimateByte committed
1
2
3
4
5
6
7
8
#!/bin/bash
# Name: Wrong Listener Killer
# Description: Makes sure that the wrong apps don't listen to the ports you want
# Help: Default settings are to make sure that what listens to port :80 is httpd and started as root
# Developer: Robin Labadie
# Version: 2017-05-24

## Settings
UltimateByte's avatar
UltimateByte committed
9
portcheck=":80" # Which port to check
UltimateByte's avatar
UltimateByte committed
10
11
12
13
14
15
16
17
18
19
20
21
allowedname="httpd" # Which process should we get on speccified port
allowedpath="/usr/sbin/httpd" # Which is the correct path to run it
allowedusers="root;" # Which is the correct user to run it (separate with ; )

logdir="/root" # Log directory (don't end with /)
maillog="root@localhost" # Mail to send an alert to if a threat is detected

## Misc vars
selfname="wlk" # Name of the script and log
log="${logdir}/${selfname}.log" # Define log name
maillogsize="10" # Define the amount of log to send by mail

UltimateByte's avatar
UltimateByte committed
22
23
24
25
############
### Code ###
############

UltimateByte's avatar
UltimateByte committed
26
27
28
29
30
## Logging
# Create logfile
if [ -n "${log}" ]&&[ ! -f "${log}" ]; then
	touch "${log}"
fi
UltimateByte's avatar
UltimateByte committed
31
32
33
34
35
36
37
38
39
40

# Simple echo with date and selfname
# Usage fn_echo "Your Message"
fn_echo(){
	currmessage="$@"
	echo -e "$(date +%Y-%m-%d_%H:%M:%S) - ${selfname} - ${currmessage}"
}

# Echo with date and output to log at the same time
# Usage fn_logecho "Your Message"
UltimateByte's avatar
UltimateByte committed
41
42
fn_logecho(){
	currmessage="$@"
UltimateByte's avatar
UltimateByte committed
43
	echo -e "$(date +%Y-%m-%d_%H:%M:%S) - ${selfname} - ${currmessage}"
UltimateByte's avatar
UltimateByte committed
44
45
46
	echo -e "$(date +%Y-%m-%d_%H:%M:%S) - ${selfname} - ${currmessage}" >> "${log}"
}

UltimateByte's avatar
UltimateByte committed
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# Set different vars
fn_set_vars(){
	pid="$(netstat -atunp | grep "${portcheck} " | grep LISTEN | awk '{print $7}' | awk -F "/" '{print $1}')"
	# Is something listening to the given port
	if [ -z "${pid}" ]; then
		fn_logecho "[ERROR] Nothing found on port ${portcheck}"
		fn_logecho "Exiting"
		exit 1
	else
		# Check name of the process listening to port 80
		pidname="$(netstat -atunp | grep "${portcheck} " | grep LISTEN | awk '{print $7}' | awk -F "/" '{print $2}')"
		# Find out which user owns this PID
		piduser="$(ps -u -p "${pid}" | tail -1 | awk '{print $1}')"
		# Find out the start command (location) of the PID
		pidcommand="$(ps -u -p "${pid}" | tail -1 | awk '{print $11}')"
		# If one of these vars are unset, then something went wrong
		if [ -z "${pidname}" ]||[ -z "${piduser}" ]||[ -z "${pidcommand}" ]; then
			fn_logecho "[ERROR] Could not get app info with PID"
			fn_logecho "Exiting"
			exit 1
		fi
		# Display some nice output to the user
		fn_echo "Current program listening to ${portcheck} is : PID: ${pid}\tName: ${pidname}\tUser: ${piduser}\tPath: ${pidcommand}"
	fi
}
UltimateByte's avatar
UltimateByte committed
72

UltimateByte's avatar
UltimateByte committed
73
74
75
76
77
78
fn_define_vars(){
	pid="$(netstat -atunp | grep "${portcheck} " | grep LISTEN | awk '{print $7}' | awk -F "/" '{print $1}')"
	pidname="$(netstat -atunp | grep "${portcheck} " | grep LISTEN | awk '{print $7}' | awk -F "/" '{print $2}')"
	piduser="$(ps -u -p "${pid}" | tail -1 | awk '{print $1}')"
	pidcommand="$(ps -u -p "${pid}" | tail -1 | awk '{print $11}')"
}
UltimateByte's avatar
UltimateByte committed
79

UltimateByte's avatar
UltimateByte committed
80
81
82
83
84
85
86
87
## Evaluate issues & take action
fn_killer(){
	# Check if a malicious program is started
	# 1) If the process name listening to port is wrong
	if [ "${pidname}" != "${allowedname}" ]; then
		harm="1"	
		fn_logecho "[WARNING] Program listening to ${portcheck} is ${pidname} instead of ${allowedname}"
	fi
UltimateByte's avatar
UltimateByte committed
88

UltimateByte's avatar
UltimateByte committed
89
90
	# 2) If the process doesn't belong to an allowed user
	usersamount="$(echo "${allowedusers}" | awk -F ';' '{ print NF }')"
UltimateByte's avatar
UltimateByte committed
91

UltimateByte's avatar
UltimateByte committed
92
93
94
95
96
97
98
99
100
101
102
103
104
105
	# Recursively check if user is part of allowed users
	allowedtorun="0"
	for ((usersindex=1; usersindex <= usersamount; usersindex++)); do
		# Put current user into a test variable
		usertest="$(echo "${allowedusers}" | awk -F ';' -v x=${usersindex} '{ print $x }')"
		# Test if user is allowed, register success if so
		if [ "${piduser}" == "${usertest}" ]; then
			allowedtorun="1"
		fi
	done
	# User not allowed
	if [ "${allowedtorun}" == "0" ]; then
		harm="1"
		fn_logecho "[WARNING] ${piduser} is not allowed to run ${allowedname}"
UltimateByte's avatar
UltimateByte committed
106
107
	fi

UltimateByte's avatar
UltimateByte committed
108
109
110
111
112
	# 3) If the process path isn't right
	if [ "${pidcommand}" != "${allowedpath}" ]; then
		harm="1"
		fn_logecho "[WARNING] ${pidcommand} is not a valid path for ${allowedname}"
	fi
UltimateByte's avatar
UltimateByte committed
113

UltimateByte's avatar
UltimateByte committed
114
115
116
117
118
119
120
121
122
123
124
	## Take action
	if [ "${harm}" == "1" ]; then
		fn_logecho "[ALERT] wrong process listening on port ${portcheck} found"
		fn_logecho "[INFO] The following process will be killed: ${pid} ${pidname} ${piduser} ${pidcommand}"
		kill -9 "${pid}"
		fn_echo "[INFO] Sending mail alert"
		tail -${maillogsize} "${log}" | mail -s "$(hostname -s) - ${pidname} - ${portcheck} killed" ${maillog}
	else 
		fn_logecho "[OK] This program seems legit, exiting."
	fi
}