#!/bin/bash
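# Indicators of the specific infection this script was written against.
# Entries were previously written back-to-back with no separator, so bash
# concatenated each list into a single element and nothing ever matched;
# one entry per line restores the intended lists.
#
# Every entry is a literal path. Wildcard-looking entries ("/tmp/*x*",
# "/dev/shm/*x*", "/etc/cron.*") are NOT glob-expanded by the functions
# below. "/etc/cron.*" in particular must never be expanded: that would
# remove the system's own /etc/cron.d, cron.daily, cron.hourly, ...
#
# NOTE(review): /sbin/e2scrub_all and .../e2fsprogs/e2scrub_all_cron are
# also shipped by the e2fsprogs package on Debian-based systems. Confirm
# they are trojaned (e.g. dpkg -V e2fsprogs) before relying on this script
# to remove them; otherwise this is collateral damage to a legitimate tool.
readonly -a SUSPICIOUS_FILES=(
  "/root/.dragosteftp"
  "/bin/CZEdY7oP"
  "/data/rcu_scheb"
  "/dev/shm/netmonxd"
  "/usr/bin/mslog/.cfg/rcu_scheb"
  "/tmp/.cfg"
  "/var/tmp/logxwatch"
  "/tmp/taskxclean"
  "/tmp/*x*"
  "/bin/nOabp95U"
  "/usr/bin/udeb"
  "/etc/security/dev_/dev_b573d3af"
  "/usr/lib/x86_64-linux-gnu/e2fsprogs/e2scrub_all_cron"
  "/sbin/e2scrub_all"
  "/usr/bin/35b0083b"
)

readonly -a SUSPICIOUS_DIRS=(
  "/root/.cfg"
  "/dev/shm/.cfg"
  "/dev/shm/*x*"
  "/tmp/.cfg"
  "/usr/bin/mslog/.cfg"
  "/etc/cron.*"
)

# Extended regexes tested (unanchored, via [[ =~ ]]) against the first word
# of each process's command line, i.e. its executable path.
#   /root/.cfg, /dev/shm, /var/tmp, /tmp  - any executable under those trees
#   mining, crypto, miner                 - substring of the executable name
#   ^/[^/]*[a-zA-Z0-9]{8}$                - a bare executable directly under
#                                           / whose name ends in eight
#                                           alphanumerics (e.g. /CZEdY7oP)
# These are broad on purpose; expect matches on anything legitimately run
# from /tmp, so review the log rather than trusting every kill.
readonly -a SUSPICIOUS_PROC_FIELDS=(
  "/root/.cfg"
  "/dev/shm"
  "/var/tmp"
  "/tmp"
  "mining"
  "crypto"
  "miner"
  "^/[^/]*[a-zA-Z0-9]{8}$"
)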
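#######################################
# List every process as "<pid> <command line>", one per line.
# Both column headers are emptied (pid= and cmd=): procps suppresses the
# header line only when every column header is empty, so the original
# "pid,cmd=" still emitted a "PID" header row that the caller then parsed
# as a process.
# Outputs:   process table on stdout
# Returns:   exit status of ps
#######################################
get_all_procs() {
  ps -e -o pid= -o cmd=
}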
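#######################################
# Kill processes whose executable matches a suspicious pattern.
# Every line of get_all_procs is split into the PID and the first word of
# the command line; that word is tested against each entry of
# SUSPICIOUS_PROC_FIELDS as an unanchored extended regex, first match wins.
# Matches are then killed with SIGKILL through sudo (SIGKILL rather than
# SIGTERM is deliberate: the target is malware, which may trap TERM).
# Kernel threads, which ps prints as "[name]", are skipped: they ignore
# signals, and "[crypto]" would otherwise match the "crypto" pattern on
# every sweep and produce a spurious "Killed" line.
# Globals:   SUSPICIOUS_PROC_FIELDS (read)
# Outputs:   timestamped progress lines on stdout
# Returns:   0 always
#######################################
process_suspicious_procs() {
  local stamp='+%Y-%m-%d %H:%M:%S'
  local all_procs pid cmd field info
  local -a match_pids=()

  all_procs=$(get_all_procs)
  # read splits on whitespace: PID, executable, remainder discarded. This
  # also avoids the original's unquoted "echo $line", which glob-expanded
  # any "*" found in a command line.
  while read -r pid cmd _; do
    [[ -n "$pid" ]] || continue
    [[ "$cmd" == \[* ]] && continue
    for field in "${SUSPICIOUS_PROC_FIELDS[@]}"; do
      # RHS deliberately unquoted so the entry acts as a regex; "/tmp"
      # therefore matches any executable whose path contains /tmp.
      if [[ "$cmd" =~ $field ]]; then
        match_pids+=("$pid")
        printf "%s - Matched Command with suspicious field '%s': %s, PID: %s\n" \
          "$(date "$stamp")" "$field" "$cmd" "$pid"
        break
      fi
    done
  done <<< "$all_procs"

  (( ${#match_pids[@]} > 0 )) || return 0
  printf '%s - Found processes with suspicious fields: %s\n' \
    "$(date "$stamp")" "${match_pids[*]}"

  for pid in "${match_pids[@]}"; do
    info=$(ps -p "$pid" -o command= 2>/dev/null)
    # Existence is judged by ps output as well as kill -0: an unprivileged
    # kill -0 fails with EPERM on a root-owned process, which the original
    # misreported as "does not exist" and then never killed.
    if [[ -z "$info" ]] && ! kill -0 "$pid" 2>/dev/null; then
      printf '%s - Process with PID: %s does not exist, Command: %s\n' \
        "$(date "$stamp")" "$pid" "$info"
      continue
    fi
    if sudo kill -9 "$pid"; then
      printf '%s - Killed process with PID: %s, Command: %s\n' \
        "$(date "$stamp")" "$pid" "$info"
    else
      printf '%s - Failed to kill process with PID: %s, Command: %s\n' \
        "$(date "$stamp")" "$pid" "$info"
    fi
  done
}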
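#######################################
# Delete every entry of SUSPICIOUS_FILES that exists as a regular file, or
# as a symlink (dangling ones included) planted at that path.
# Entries are matched literally: "/tmp/*x*" is never glob-expanded.
# Globals:   SUSPICIOUS_FILES (read)
# Outputs:   timestamped progress lines on stdout
# Returns:   0 always
#######################################
process_suspicious_files() {
  local file stamp='+%Y-%m-%d %H:%M:%S'
  for file in "${SUSPICIOUS_FILES[@]}"; do
    [[ -f "$file" || -L "$file" ]] || continue
    printf '%s - Found suspicious file: %s\n' "$(date "$stamp")" "$file"
    # "--" keeps a path beginning with "-" from being parsed as an option.
    if sudo rm -f -- "$file"; then
      printf '%s - Deleted suspicious file: %s\n' "$(date "$stamp")" "$file"
    else
      printf '%s - Failed to delete suspicious file: %s\n' "$(date "$stamp")" "$file"
    fi
  done
}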
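#######################################
# Remove every entry of SUSPICIOUS_DIRS that exists as a directory.
# Entries are matched literally: "/dev/shm/*x*" and "/etc/cron.*" are never
# glob-expanded. That is essential for "/etc/cron.*" — expanded, it would
# wipe the system's own /etc/cron.d, cron.daily, cron.hourly, ...
# Globals:   SUSPICIOUS_DIRS (read)
# Outputs:   timestamped progress lines on stdout
# Returns:   0 always
#######################################
process_suspicious_dirs() {
  local dir stamp='+%Y-%m-%d %H:%M:%S'
  for dir in "${SUSPICIOUS_DIRS[@]}"; do
    [[ -d "$dir" ]] || continue
    printf '%s - Found suspicious directory: %s\n' "$(date "$stamp")" "$dir"
    # ":?" aborts instead of ever running "rm -rf --" with an empty path;
    # "--" keeps a path beginning with "-" from being parsed as an option.
    if sudo rm -rf -- "${dir:?}"; then
      printf '%s - Deleted suspicious directory: %s\n' "$(date "$stamp")" "$dir"
    else
      printf '%s - Failed to delete suspicious directory: %s\n' "$(date "$stamp")" "$dir"
    fi
  done
}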
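#######################################
# Sweep loop: scan processes, files and directories, then pause.
# The collapsed line "sleep 0.5 sleep 1" was one sleep call with three
# arguments, which GNU sleep rejects ("invalid time interval 'sleep'")
# without sleeping, so the loop ran without any delay. The pause is now a
# single interval, overridable through SCAN_INTERVAL (seconds, default 1.5,
# the sum of the two intended sleeps).
# Globals:   SCAN_INTERVAL (read, optional)
#######################################
main() {
  local interval=${SCAN_INTERVAL:-1.5}
  while true; do
    process_suspicious_procs
    process_suspicious_files
    process_suspicious_dirs
    sleep "$interval"
  done
}
main "$@"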