Your IP : 18.188.211.58
#!/bin/bash
LC_ALL=en_US.UTF-8
LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
DEST=/root/cl-report
UPLOAD_URL=https://doctor.cloudlinux.com/doctor/upload
CAT=`command -v cat`
UNAME=`command -v uname`
CP="Unknown"
SERVER_ID=
main_ip='NA'
scriptname="imunify-doctor"
IMUNIFY360_PIDFILE=/var/run/imunify360.pid
# custom tmp dir from imunify360.spec for symlink attack prevention
tmpdir=/var/imunify360/tmp
sqlite_path=/opt/alt/sqlite/usr/bin/sqlite3
IMUNIFY360_DB=/var/imunify360/imunify360.db
db_command="$sqlite_path $IMUNIFY360_DB"
cleanup() {
rm -f $DEST $DEST.wget
}
test_curl() {
command -v curl >/dev/null 2>&1
return $?
}
test_wget() {
command -v wget >/dev/null 2>&1
if [ 0 -eq $? ]; then
if [ -x `command -v wget` ]; then
return 0
fi
fi
return 1
}
curl_upload() {
curl -s -H "serverid: $SERVER_ID" -F reportfile=@"$DEST" $UPLOAD_URL
}
wget_upload() {
echo -e "--FILEUPLOAD\r\n" > $DEST.wget
echo -e "--FILEUPLOAD\r\n" > $DEST.wget
echo -e "Content-Disposition: form-data; name=\"reportfile\"; filename=\"$DEST\"\r\n" >> $DEST.wget
echo -e "Content-Type: application/octet-stream\r\n" >> $DEST.wget
echo -e "Media Type: application/octet-stream\r\n\r\n" >> $DEST.wget
cat $DEST >> $DEST.wget
echo -e "--FILEUPLOAD--\r\n" >> $DEST.wget
wget -O - -qq -t 1 --header="serverid: $SERVER_ID" --header="Content-type: multipart/form-data; boundary=FILEUPLOAD" --post-file $DEST.wget $UPLOAD_URL
}
get_server_id() {
SERVER_ID=$(/opt/imunify360/venv/bin/python -c 'import json; import sys; print(json.load(sys.stdin)["id"])' < /var/imunify360/license.json)
if [[ -z "$SERVER_ID" ]]; then
SERVER_ID="${main_ip//./_}"
fi
}
init_main_ip() {
if test_curl
then
main_ip=`curl -s -L http://cloudlinux.com/showip.php` 2>/dev/null
else
main_ip=`wget -qq -O - http://cloudlinux.com/showip.php` 2>/dev/null
fi
}
get_main_ip() {
sep "Main IP"
echo "$main_ip" >> $DEST
echo >>$DEST
}
upload() {
if test_curl
then
curl_upload
else
wget_upload
fi
}
report_error_and_exit() {
echo "$1"
exit 1
}
mecho(){
echo $1 >> $DEST
}
start(){
if ! test_wget; then
if ! test_curl; then
echo "Cannot find wget or curl"
fi
#echo "Using curl"
fi
echo "------ CL INFO ---" > $DEST
}
time_stamp(){
echo "" >> $DEST
echo "TS: $(date)" >> $DEST
}
sep(){
echo "------ $1 ---" >> $DEST
}
run(){
sep "$1"
sh -c "$1" >> $DEST 2>&1
time_stamp
}
run_cb(){
sep "$1"
$1 >> $DEST 2>&1
result=$?
time_stamp
return $result
}
dump() {
sep "cat $1"
$CAT $1 >> $DEST 2>&1
echo >> $DEST 2>&1
time_stamp
}
detect_cp() {
CP_VERSION="Unknown"
SOFTACULOUS=0
if [ -d "/usr/local/psa/admin/" ]; then
CP="Plesk"
CP_VERSION=`cat /usr/local/psa/version`
if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
fi
if [ -d "/usr/local/cpanel/whostmgr/docroot/" ]; then
CP="cPanel"
CP_VERSION=`/usr/local/cpanel/cpanel -V`
if [ -e "/usr/local/cpanel/whostmgr/cgi/softaculous" ]; then SOFTACULOUS=1; fi
fi
if [ -d "/usr/local/interworx/" ]; then
CP="InterWorx"
CP_VERSION=`cat /usr/local/interworx/iworx.ini|grep version`
if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
fi
if [ -d "/usr/local/ispmgr/" ]; then
CP="ISPmanager"
CP_VERSION=`/usr/local/ispmgr/bin/ispmgr -v`
if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
fi
if [ -d "/usr/local/directadmin/plugins/" ]; then
CP="DirectAdmin"
CP_VERSION=`/usr/local/directadmin/custombuild/build versions|sed -n 2p|cut -d":" -f2`
if [ -e "/usr/local/directadmin/plugins/softaculous" ]; then SOFTACULOUS=1; fi
fi
if [ -d "/usr/local/hostingcontroller/" ]; then
CP="Hosting Controller"
if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi
fi
if [ -d "/hsphere/shared" ]; then
CP="H-Sphere"
fi
sep "Control Panel"
mecho "CP: $CP"
mecho "VERSION: $CP_VERSION"
mecho "SOFTACULOUS: $SOFTACULOUS"
}
detect_httpd() {
PERL_BIN=$(which perl 2>>/dev/null)
echo
echo "HTTP Server Running Processes: "
echo
IFS=$(echo -en "\n\b")
for proc in $(ps -eo pid,user,group,cmd 2>>/dev/null | egrep "\b(httpd|apache2|litespeed|lshttpd)\b" | grep -v "egrep"); do
echo "[$proc]"
proc_pid=$(echo "$proc" | awk '{print$1}')
echo "Bin:" $(readlink "/proc/${proc_pid}/exe" 2>>/dev/null)
echo "Environment:"
cat "/proc/${proc_pid}/environ" 2>>/dev/null | tr '\0' '\n' | head -30
echo
done
unset IFS
echo
http_bins=$(ps -eo pid,comm 2>>/dev/null | egrep "\b(httpd|apache2)\b" | awk '{print "/proc/"$1"/exe"}' | xargs -n 1 readlink | uniq | egrep "\b(httpd|apache2)\b")
for http_bin in "$http_bins"; do
if [ -z "$http_bin" ]; then
continue
fi
echo "HTTP Binary Info: "
echo -e "$http_bin\n"
$http_bin -V 2>&1
echo
$http_bin -M 2>&1
echo
if [ -z "$PERL_BIN" ]; then
continue
fi
httpd_root=$($http_bin -V | grep HTTPD_ROOT | cut -d= -f2 | tr -d '"' )
httpd_config=$($http_bin -V | grep SERVER_CONFIG_FILE | cut -d= -f2 | tr -d '"' )
if [ -z "$httpd_config" ]; then
continue
fi
if [ ! ${httpd_config:0:1} = "/" ]; then
httpd_config="$httpd_root/$httpd_config"
fi
pl_script_path="$(dirname $(readlink -e "$0"))/mk_apache_conf_digest.pl"
if [ -e "$pl_script_path" ]; then
echo "Server Configs:"
$PERL_BIN "$pl_script_path" "$httpd_config" "$httpd_root" 2>>/dev/null
fi
done
}
http_server_info() {
detect_httpd 2>>/dev/null | head -5000
}
backup_systems_info() {
if [ ! -f /var/restore_infected/acronis_api_token.json ]; then
echo "/var/restore_infected/acronis_api_token.json: no such file."
else
echo "/var/restore_infected/acronis_api_token.json: "
# "username": "AB-99658-51"
/opt/imunify360/venv/bin/python -m json.tool < /var/restore_infected/acronis_api_token.json
fi
echo
echo "imunify360-agent backup-systems extended-status: "
imunify360-agent backup-systems extended-status -v --json | tee $tmpdir/backup_systems_info.$$
/opt/imunify360/evnv/bin/python >$tmpdir/backup_systems_info.$$.current <<ENDPY
import json
print(json.load(open("$tmpdir/backup_systems_info.$$"))["items"]["backup_system"])
ENDPY
rm $tmpdir/backup_systems_info.$$
rm $tmpdir/backup_systems_info.$$.current
}
webshield_selfcheck() {
/usr/share/imunify360-webshield/self_check.py
}
pam_db_size() {
mod_db_path=$(awk -F= '$1 == "mod_db_path" {print $2}' /etc/pam_imunify/i360.ini)
du --human-readable --summarize "$mod_db_path"
}
trap cleanup EXIT
start
init_main_ip
get_main_ip
get_server_id
detect_cp
run "date"
run "$CAT /proc/cpuinfo"
run "$UNAME -a"
run "$UNAME -r"
run "$UNAME -m"
run "$UNAME -p"
run "$UNAME -o"
dump "/etc/redhat-release"
dump "/etc/os-release"
dump "/var/imunify360/license.json"
dump "/etc/sysconfig/imunify360/imunify360.config"
dump "/etc/sysconfig/imunify360/imunify360-merged.config"
run "tail -n +1 /etc/sysconfig/imunify360/imunify360.config.d/*"
dump "/etc/sysconfig/imunify360/cpanel/imunify360.conf"
run "tail -n3000 /var/log/imunify360/console.log"
run "tail -n3000 /var/log/imunify360/debug.log"
run "tail -n3000 /var/log/imunify360/network.log"
run "tail -n3000 /var/log/imunify360/acronis-installer.log"
run "tail -n3000 /var/log/imunify360/error.log"
run "tail -n3000 /var/log/imunify360-webshield/access.log"
run "tail -n3000 /var/log/imunify360-webshield/error.log"
run "tail -n3000 /var/ossec/logs/alerts/alerts.log"
run "tail -n3000 /usr/local/directadmin/custombuild/custombuild.log"
dump "/etc/issue"
dump "/etc/sysconfig/kernel"
dump "/etc/sysconfig/kcare/systemid"
dump "/proc/uptime"
dump "/proc/loadavg"
dump "/proc/vmstat"
dump "/proc/devices"
dump "/proc/diskstats"
dump "/proc/cmdline"
dump "/proc/mdstat"
dump "/proc/meminfo"
dump "/proc/swaps"
dump "/proc/filesystems"
dump "/proc/mounts"
dump "/proc/interrupts"
dump "/boot/grub/grub.conf"
dump "/proc/version"
dump "/etc/passwd"
run "ls -la /etc/yum.repos.d/"
run "tail -n 50 /etc/yum.repos.d/{*imunify360*,*sensor*}"
run "grep DEFAULT /etc/default/grub"
run "grep vmlinuz /boot/grub2/grub.cfg| sed 's/root=.*//'"
dump "/boot/grub2/grub.cfg"
dump "/proc/zoneinfo"
run "ls /etc/grub.conf /boot/grub/grub.conf /boot/grub/menu.lst"
run "ls -l /boot"
run "grep Port /etc/ssh/sshd_config"
run "dmidecode"
run "systemd-detect-virt"
run "virt-what"
run "ipcs -m|sed -e s/-/=/g"
run "sysctl -a"
dump "/etc/sysctl.conf"
run 'rpm -q -a --queryformat="%{N}|%{V}-%{R}|%{arch}\n"'
packages=$(rpm -qa imunify* 2>>/dev/null)
for package in $packages; do
run "rpm -V $package"
done
run "dpkg -l"
run "tail -n10000 /var/log/messages"
run "ls -lR /var/cache/kcare/"
dump "/etc/sysconfig/kcare/kcare.conf"
dump "/etc/kdump.conf"
run "/opt/imunify360/venv/bin/python -m pip freeze"
[[ -f "$IMUNIFY360_PIDFILE" ]] && run "ls -l /proc/$(cat ${IMUNIFY360_PIDFILE})/fd"
run "df -h"
dump "/etc/userdomains"
run "ps aux --sort=-%mem | head -20"
run "ps aux --sort=-%cpu | head -20"
run "ps aux | grep -i imunify"
run "crontab -l"
run "service imunify360 status"
run "service imunify-antivirus status"
run "service imunify360-webshield status"
run "service wsshdict status"
run "service firewalld status"
run "service ossec-hids status"
run "service fail2ban status"
run "service httpd status"
run "service lshttpd status"
run_cb "webshield_selfcheck"
run_cb "pam_db_size"
run "imunify360-pam status --yaml"
run "ls -la /etc/pam.d/"
run "cat /etc/pam_imunify/i360.ini"
if [ -e "/usr/sbin/csf" ]; then
run "csf --status"
run "lfd --status ; echo $?"
run "service lfd status"
run "service csf status"
run "csf -V"
dump "/etc/csf/csf.conf"
dump "/etc/csf/csf.deny"
dump "/etc/csf/csf.allow"
dump "/etc/csf/csf.ignore"
run "tail -n3000 /var/log/lfd.log"
fi
run "cxs --version"
if [ -e "/usr/bin/firewall-cmd" ]; then
run "timeout 5 firewall-cmd -V"
run "timeout 5 firewall-cmd --state"
run "tail -n3000 /var/log/firewalld"
fi
run "service cpanel status"
dump "/var/cpanel/dnsonly"
run "service mysql status"
run "ps aux | grep -i cphulk"
run "ipset -V"
run "ipset save | head -n3000"
run "ipset list -t | head -n3000"
run "iptables -V"
run "iptables-save | head -n3000"
run "ifconfig"
run "echo .tables | $db_command"
run "echo \"select count(*) from incident;\" | $db_command"
run "echo \"select count(*) from iplist;\" | $db_command"
run "echo \"select * from iplist order by ctime desc limit 1000;\" | $db_command"
run "echo \"select * from incident order by timestamp desc limit 1000;\" | $db_command"
run "echo \"select * from country limit 1000;\" | $db_command"
run "echo \"select * from country_list order by ctime desc limit 1000;\" | $db_command"
run "echo \"select * from last_synclist limit 1000;\" | $db_command"
run "echo \"select * from migratehistory limit 1000;\" | $db_command"
run "echo \"select * from malware_hits limit 1000;\" | $db_command"
run "echo \"select * from malware_ignore_path limit 1000;\" | $db_command"
run "echo \"select * from malware_scans limit 1000;\" | $db_command"
run "du --human-readable /var/imunify360/imunify360.db"
run "imunify360-agent blacklist country list --json --limit 2000"
run "imunify360-agent blacklist ip list --json --limit 2000"
run "imunify360-agent graylist ip list --json --limit 2000"
run "imunify360-agent whitelist country list --json --limit 2000"
run "imunify360-agent whitelist ip list --json --limit 2000"
run "imunify360-agent rstatus"
run "imunify360-agent version"
run "imunify360-agent 3rdparty conflicts --json | /opt/imunify360/venv/bin/python -m json.tool"
run "imunify360-agent config show --json -v"
run "grep License /var/log/imunify360/console.log | tail -n 1000"
run "grep 'Server is offline' /var/log/imunify360/console.log | tail -n 1000"
run "grep 'SensorAlert' /var/log/imunify360/console.log | tail -n 3000"
run "grep 'modsec' /var/log/imunify360/console.log | tail -n 3000"
run "ls -la /etc/sysconfig/imunify360/"
run_cb "backup_systems_info"
run "tail -n3000 /var/log/i360deploy.log"
run "tail -n3000 /var/log/imav-deploy.log"
run "tail -n3000 /var/ossec/logs/active-responses.log"
run "tail -n3000 /var/ossec/logs/alerts/alerts.log"
run "tail -n3000 /var/log/yum.log"
run "tail -n3000 /var/log/minidaemon.log"
run "tail -3000 /usr/local/apache/logs/error_log"
run "tail -3000 /usr/local/apache/logs/access_log"
run "tail -3000 /usr/local/apache/logs/modsec_audit.log"
run "tail -3000 /var/log/trueimage-setup.log"
run "/usr/local/cpanel/scripts/modsec_vendor list"
run "whmapi1 modsec_get_configs"
run "whmapi1 modsec_get_settings"
run "cat /etc/apache2/conf.d/modsec2.imunify.conf"
run "cat /usr/local/apache/conf/includes/modsec2.imunify.conf"
run "ls /var/cpanel/cwaf"
# prepend each particular log with ==> logfilename <== string
run "tail --lines +0 /var/log/imunify360/register_unregister_post_error_*.log"
# prepend each particular log with ==> logfilename <== string
run "tail --lines +0 /var/log/imunify360/*hardenedphp.log.*"
run "tail --lines +0 /var/log/imunify360/*kernelcare.log*"
run "tail --lines +0 /var/log/imunify360/*ea_php.log*"
run "ls /opt/alt/php*/usr/bin/php"
run "ls /opt/cpanel/ea-php*/root/usr/bin/php"
run 'rpm -qa --queryformat "%{NAME} %{RELEASE}\n" "ea-php*"'
run "getenforce"
run "sestatus"
run "ss -u -a"
run "ss -x -a | grep defence360agent"
run "nc -v -w 5 -i 1 imunify360.cloudlinux.com 443"
run "nc -v -w 5 -i 1 148.251.142.83 443"
dump "/usr/local/cpanel/version"
run "ls /etc/rc.d/init.d/"
run "systemctl list-units --all"
run "systemctl status aibolit-resident.socket"
run "curl ipinfo.io"
run "netstat -tulpan | tail -n 3000"
run "netstat -tulpan | wc -l"
# only tcp listening sockets & program
run "netstat -tlpn"
run "lsmod | grep ip_set"
dump "/etc/cagefs/cagefs.mp"
for f in /var/log/imunify360/native_da.hook_log.*
do dump $f
done
### PLESK
run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules"
run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules --enabled"
run "/usr/local/psa/bin/server_pref --show-web-app-firewall"
run_cb "http_server_info"
# collect info on how huge /var/cpanel/secdatadir/ip.pag is
run "ls -lh /var/cpanel/secdatadir/*"
run "printenv"
run "/usr/libexec/run-with-intensity show"
# colect webshield info
run "tail -3000 /var/log/wsshdict/wsshdict.log"
if [ -e "/etc/kdump.conf" ]; then
KDUMP_PATH=`grep ^path /etc/kdump.conf|cut -d' ' -f2`
if [ -z "$KDUMP_PATH" ] ; then
run "ls -lR /var/crash"
else
run "ls -lR $KDUMP_PATH"
fi
fi
run dmesg
run "ls -la /var/ossec/etc/VERSIONS/"
run "ls --lcontext /var/ossec"
run "ls --lcontext /var/ossec/bin"
run "ls --lcontext /var/ossec/logs"
run "ls -la /etc/httpd/conf/modsecurity.d/rules/"
run "ls -la /etc/apache2/conf.d/modsec_vendor_configs/"
run "cat /etc/httpd/conf/modsecurity.d/rules/custom/VERSION"
run "cat /usr/local/directadmin/custombuild/custom/modsecurity/conf/VERSION"
run "cat /etc/apache2/conf.d/modsec_vendor_configs/imunify*/VERSION;echo"
run "cat /var/cpanel/modsec_cpanel_conf_datastore"
run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq | wc -l"
run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq"
run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq"
run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq | wc -l"
run "plesk db \"SELECT COUNT(DISTINCT cl_id) FROM domains\""
run "httpd -t"
upload && echo || report_error_and_exit "Report file upload failed. Please try again."