ZerethShell
File Manager
SQL Manager
/
opt
/
imunify360
/
venv
/
share
/
imunify360
/
scripts
imunify-doctor.sh
#!/bin/bash VERSION="8.5.8" LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 LANGUAGE=en_US.UTF-8 DEST=/root/cl-report UPLOAD_URL=https://doctor.cloudlinux.com/doctor/upload CAT=`command -v cat` UNAME=`command -v uname` CP="Unknown" SERVER_ID= main_ip='NA' scriptname="imunify-doctor" IMUNIFY360_PIDFILE=/var/run/imunify360.pid IMUNIFY360_AGENT_PIDFILE=/var/run/imunify360-agent.pid # custom tmp dir provisioned by imunify360.spec tmpdir=/var/imunify360/tmp sqlite_path=/opt/alt/sqlite/usr/bin/sqlite3 IMUNIFY360_DB=/var/imunify360/imunify360.db IMUNIFY360_RESIDENT_DB=/var/imunify360/imunify360-resident.db IMUNIFY360_IPLIST_DB=/var/imunify360/imunify360-ipsetlists.db db_command="$sqlite_path $IMUNIFY360_DB" db_command_resident="$sqlite_path $IMUNIFY360_RESIDENT_DB" db_command_iplist="$sqlite_path $IMUNIFY360_IPLIST_DB" cleanup() { # Set _skip_cleanup=1 before report_error_and_exit so a partially-built # report can be kept on disk for offline inspection (e.g. redaction # failure path). Defaults to deleting so the success path doesn't leak # the blob. [ "${_skip_cleanup:-0}" = "1" ] && return 0 rm -f $DEST $DEST.wget } test_curl() { command -v curl >/dev/null 2>&1 return $? } test_wget() { command -v wget >/dev/null 2>&1 if [ 0 -eq $? ]; then if [ -x `command -v wget` ]; then return 0 fi fi return 1 } curl_upload() { curl -s -H "serverid: $SERVER_ID" -F reportfile=@"$DEST" $UPLOAD_URL } wget_upload() { echo -e "--FILEUPLOAD\r\n" > $DEST.wget echo -e "--FILEUPLOAD\r\n" > $DEST.wget echo -e "Content-Disposition: form-data; name=\"reportfile\"; filename=\"$DEST\"\r\n" >> $DEST.wget echo -e "Content-Type: application/octet-stream\r\n" >> $DEST.wget echo -e "Media Type: application/octet-stream\r\n\r\n" >> $DEST.wget cat $DEST >> $DEST.wget echo -e "--FILEUPLOAD--\r\n" >> $DEST.wget wget -O - -qq -t 1 --header="serverid: $SERVER_ID" --header="Content-type: multipart/form-data; boundary=FILEUPLOAD" --post-file $DEST.wget $UPLOAD_URL } get_server_id() { SERVER_ID=$(/opt/imunify360/venv/bin/python -c 'import json; import sys; print(json.load(sys.stdin)["id"])' < /var/imunify360/license.json) if [[ -z "$SERVER_ID" ]]; then SERVER_ID="${main_ip//./_}" fi # CWE-93: $SERVER_ID is interpolated into curl/wget `--header` args on # upload. Strip everything but the safe alphabet so a poisoned source # (license.json or the ${main_ip//./_} fallback whose dots-only filter # lets CR/LF through) cannot inject extra HTTP headers. SERVER_ID="$(printf '%s' "$SERVER_ID" | LC_ALL=C tr -cd 'A-Za-z0-9._-')" if [[ -z "$SERVER_ID" ]]; then SERVER_ID="unknown" fi } init_main_ip() { # HTTPS and no `-L` redirect-follow: this value flows into $SERVER_ID when # the license-file lookup fails, and then into an HTTP request header on # upload — an on-path attacker who controls a plain-HTTP response could # inject CRLF and forge headers (CWE-93). Pin to TLS at the source. # # `curl --max-time 10` is a true total cap. `wget --timeout=10` is # per-phase (DNS+connect+TLS+read can each take 10s = up to ~40s wall), # so wrap wget in coreutils `timeout` to enforce the same total wall # budget the doctor advertises. if test_curl then main_ip=`curl -s --max-time 10 https://cloudlinux.com/showip.php` 2>/dev/null else main_ip=`timeout 10 wget -qq --timeout=10 --max-redirect=0 -O - https://cloudlinux.com/showip.php` 2>/dev/null fi } get_main_ip() { sep "Main IP" echo "$main_ip" >> $DEST echo >>$DEST } redact_sensitive() { # Best-effort scrub of common credential shapes from the collected report # before it leaves the host. Runs over $DEST in place. Bypass with # `IMUNIFY_DOCTOR_REDACT=0` (e.g. when a Cloudlinux engineer explicitly # asks for the raw blob over a trusted channel). # # On sed failure we DO NOT emit the success footer and we return non-zero, # so upload() can refuse to ship a half-scrubbed blob with a misleading # "everything was redacted" notice. [ "${IMUNIFY_DOCTOR_REDACT:-1}" = "0" ] && return 0 [ -s "$DEST" ] || return 0 # Case-insensitive key shapes (matches both JSON keys and shell vars). local ci='([Aa][Pp][Ii][_-]?[Kk][Ee][Yy]|[Aa][Pp][Ii][_-]?[Tt][Oo][Kk][Ee][Nn]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Pp][Aa][Ss][Ss][Ww][Dd]|[Ss][Ee][Cc][Rr][Ee][Tt]|[Cc][Ll][Ii][Ee][Nn][Tt][_-]?[Ss][Ee][Cc][Rr][Ee][Tt]|[Aa][Ww][Ss][_-]?[Ss][Ee][Cc][Rr][Ee][Tt][_-]?[Aa][Cc][Cc][Ee][Ss][Ss][_-]?[Kk][Ee][Yy]|[Pp][Rr][Ii][Vv][Aa][Tt][Ee][_-]?[Kk][Ee][Yy]|[Bb][Ee][Aa][Rr][Ee][Rr])' # Case-sensitive uppercase-only — CSF's actual config-variable name. The # csf.conf format is `CLUSTER_KEY = "..."`; the previous `csf_cluster_key` # pattern never matched because the real variable has no `csf` prefix. local cs='CLUSTER_KEY' # Separate patterns for JSON-quoted (terminates at closing `"`) and shell # unquoted-or-quoted (terminates at end of line / closing `"`). The # previous `[^",[:space:]]+` tail stopped at the first whitespace, so # values with spaces (e.g. `DB_PASSWORD=my secret` or `"password":"my secret"`) # were only partially scrubbed. # Use `#` as the sed delimiter so the `|` alternation in $ci doesn't # collide. The captures: \1 = prefix incl. opening quote/`=`, \2 = the # matched key name (inner group of $ci/$cs), \3 = closing quote (when # present). # `[A-Za-z0-9_]*` before $ci allows a common-prefix `DB_PASSWORD`, # `MY_API_KEY`, `OAUTH2_CLIENT_SECRET`, `V2_API_KEY` etc. to still match. # Digits in the prefix character class matter — `[A-Za-z_]*` would silently # skip credential vars whose prefix contains a digit. The trailing value # matcher requires a non-quote, non-space starting char so the unquoted # rule doesn't backtrack-match a quoted value (the [[:space:]]* before # the quote would otherwise be willing to leave the space for [^"]). if ! sed -E -i \ -e "s#(\"[A-Za-z0-9_]*$ci\"[[:space:]]*:[[:space:]]*\")[^\"]*(\")#\1<REDACTED>\3#g" \ -e "s#(\"[A-Za-z0-9_]*$cs\"[[:space:]]*:[[:space:]]*\")[^\"]*(\")#\1<REDACTED>\2#g" \ -e "s#(^[[:space:]]*[A-Za-z0-9_]*$ci[[:space:]]*=[[:space:]]*\")[^\"]*(\")#\1<REDACTED>\3#g" \ -e "s#(^[[:space:]]*[A-Za-z0-9_]*$cs[[:space:]]*=[[:space:]]*\")[^\"]*(\")#\1<REDACTED>\2#g" \ -e "s#(^[[:space:]]*[A-Za-z0-9_]*$ci[[:space:]]*=[[:space:]]*)[^\"[:space:]].*\$#\1<REDACTED>#g" \ -e "s#(^[[:space:]]*[A-Za-z0-9_]*$cs[[:space:]]*=[[:space:]]*)[^\"[:space:]].*\$#\1<REDACTED>#g" \ -e 's#(Authorization:[[:space:]]*Bearer[[:space:]]+)\S+#\1<REDACTED>#gI' \ "$DEST"; then echo "------ REDACTION FAILED ---" >> "$DEST" echo "sed -i exited non-zero; the upload will be aborted to avoid shipping" >> "$DEST" echo "partially-redacted data alongside a misleading footer. Raw report" >> "$DEST" echo "retained at $DEST for offline inspection." >> "$DEST" time_stamp return 1 fi echo "------ REDACTION ---" >> "$DEST" echo "Common credential shapes (api[_-]?key/token, password, secret, client_secret," >> "$DEST" echo "aws_secret_access_key, private_key, bearer, CLUSTER_KEY, Authorization:" >> "$DEST" echo "Bearer ...) were replaced with <REDACTED>. Set IMUNIFY_DOCTOR_REDACT=0 to" >> "$DEST" echo "disable when sending a raw blob over a trusted channel." >> "$DEST" time_stamp return 0 } upload() { if ! redact_sensitive; then # Suspend cleanup so the operator can inspect $DEST (the failure # footer in redact_sensitive points at this file). _skip_cleanup=1 report_error_and_exit "redaction failed; refusing to upload. Raw report retained at $DEST." fi if test_curl then curl_upload else wget_upload fi } report_error_and_exit() { echo "$1" exit 1 } mecho(){ echo $1 >> $DEST } start(){ if ! test_wget; then if ! test_curl; then echo "Cannot find wget or curl" fi #echo "Using curl" fi echo "------ CL INFO ---" > $DEST } time_stamp(){ echo "" >> $DEST echo "TS: $(date)" >> $DEST } sep(){ echo "------ $1 ---" >> $DEST } run(){ sep "$1" sh -c "$1" >> $DEST 2>&1 time_stamp } run_cb(){ sep "$1" $1 >> $DEST 2>&1 result=$? time_stamp return $result } dump() { sep "cat $1" $CAT $1 >> $DEST 2>&1 echo >> $DEST 2>&1 time_stamp } detect_cp() { CP_VERSION="Unknown" SOFTACULOUS=0 if [ -d "/usr/local/psa/admin/" ]; then CP="Plesk" CP_VERSION=`cat /usr/local/psa/version` if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/cpanel/whostmgr/docroot/" ]; then CP="cPanel" CP_VERSION=`/usr/local/cpanel/cpanel -V` if [ -e "/usr/local/cpanel/whostmgr/cgi/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/interworx/" ]; then CP="InterWorx" CP_VERSION=`cat /usr/local/interworx/iworx.ini|grep version` if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/ispmgr/" ]; then CP="ISPmanager" CP_VERSION=`/usr/local/ispmgr/bin/ispmgr -v` if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/directadmin/plugins/" ]; then CP="DirectAdmin" CP_VERSION=`/usr/local/directadmin/custombuild/build versions|sed -n 2p|cut -d":" -f2` if [ -e "/usr/local/directadmin/plugins/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/usr/local/hostingcontroller/" ]; then CP="Hosting Controller" if [ -e "/usr/local/softaculous" ]; then SOFTACULOUS=1; fi fi if [ -d "/hsphere/shared" ]; then CP="H-Sphere" fi sep "Control Panel" mecho "CP: $CP" mecho "VERSION: $CP_VERSION" mecho "SOFTACULOUS: $SOFTACULOUS" } detect_httpd() { PERL_BIN=$(which perl 2>>/dev/null) echo echo "HTTP Server Running Processes: " echo # Filter to euid==0 only — same threat model as the http_bins block # below (DEF-38151): an unprivileged local user can `exec -a httpd` # any binary they like, which would have caused us to dump their # /proc/<pid>/environ into a report later uploaded to the cloud. IFS=$(echo -en "\n\b") for proc in $(ps -eo euid,pid,user,group,cmd 2>>/dev/null | awk '$1 == 0 {$1=""; sub(/^ +/,""); print}' | egrep "\b(httpd|apache2|litespeed|lshttpd)\b" | grep -v "egrep"); do echo "[$proc]" proc_pid=$(echo "$proc" | awk '{print$1}') echo "Bin:" $(readlink "/proc/${proc_pid}/exe" 2>>/dev/null) echo "Environment:" cat "/proc/${proc_pid}/environ" 2>>/dev/null | tr '\0' '\n' | head -30 echo done unset IFS echo # Only consider httpd/apache2 processes running as root (euid 0) to # prevent local privilege escalation via attacker-controlled binaries # that match the "httpd"/"apache2" process name (DEF-38151). http_bins=$(ps -eo euid,pid,comm 2>>/dev/null | awk '$1 == 0' | egrep "\b(httpd|apache2)\b" | awk '{print "/proc/"$2"/exe"}' | xargs -n 1 readlink 2>/dev/null | sort -u | egrep "\b(httpd|apache2)\b") for http_bin in $http_bins; do if [ -z "$http_bin" ]; then continue fi echo "HTTP Binary Info: " echo -e "$http_bin\n" $http_bin -V 2>&1 echo $http_bin -M 2>&1 echo if [ -z "$PERL_BIN" ]; then continue fi httpd_root=$($http_bin -V | grep HTTPD_ROOT | cut -d= -f2 | tr -d '"' ) httpd_config=$($http_bin -V | grep SERVER_CONFIG_FILE | cut -d= -f2 | tr -d '"' ) if [ -z "$httpd_config" ]; then continue fi if [ ! ${httpd_config:0:1} = "/" ]; then httpd_config="$httpd_root/$httpd_config" fi pl_script_path="$(dirname $(readlink -e "$0"))/mk_apache_conf_digest.pl" if [ -e "$pl_script_path" ]; then echo "Server Configs:" $PERL_BIN "$pl_script_path" "$httpd_config" "$httpd_root" 2>>/dev/null fi done } http_server_info() { detect_httpd 2>>/dev/null | head -5000 } backup_systems_info() { if [ ! -f /var/restore_infected/acronis_api_token.json ]; then echo "/var/restore_infected/acronis_api_token.json: no such file." else echo "/var/restore_infected/acronis_api_token.json: " # "username": "AB-99658-51" /opt/imunify360/venv/bin/python -m json.tool < /var/restore_infected/acronis_api_token.json fi echo echo "imunify360-agent backup-systems extended-status: " mkdir -p -m 0700 "$tmpdir" 2>/dev/null local _bsi _bsi="$(mktemp -p "$tmpdir" backup_systems_info.XXXXXX)" || return 1 if [ -L "$_bsi" ] || [ ! -O "$_bsi" ] || [ ! -f "$_bsi" ]; then rm -f "$_bsi" return 1 fi imunify360-agent backup-systems extended-status -v --json | tee "$_bsi" /opt/imunify360/venv/bin/python <<ENDPY import json print(json.load(open("$_bsi"))["items"]["backup_system"]) ENDPY rm -f "$_bsi" } webshield_selfcheck() { /usr/share/imunify360-webshield/self_check.py } pam_db_size() { mod_db_path=$(awk -F= '$1 == "mod_db_path" {print $2}' /etc/pam_imunify/i360.ini) du --human-readable --summarize "$mod_db_path" } version() { sep "Version of doctor script" echo "Version: $VERSION" >> $DEST } trap cleanup EXIT start version init_main_ip get_main_ip get_server_id detect_cp run "date" run "$CAT /proc/cpuinfo" run "$UNAME -a" run "$UNAME -r" run "$UNAME -m" run "$UNAME -p" run "$UNAME -o" dump "/etc/redhat-release" dump "/etc/os-release" dump "/var/imunify360/license.json" dump "/etc/sysconfig/imunify360/imunify360.config" dump "/etc/sysconfig/imunify360/imunify360-merged.config" run "tail -n +1 /etc/sysconfig/imunify360/imunify360.config.d/*" dump "/etc/sysconfig/imunify360/cpanel/imunify360.conf" run "ls -lhaR /var/lib/unified-access-logger" run "du -hs0 /var/lib/unified-access-logger" run "tail -n3000 /var/log/imunify360/console.log" run "tail -n3000 /var/log/imunify360/debug.log" run "tail -n3000 /var/log/imunify360/network.log" run "tail -n3000 /var/log/imunify360/acronis-installer.log" run "tail -n3000 /var/log/imunify360/error.log" run "tail -n3000 /var/log/imunify360/imunify-agent-proxy.log" run "tail -n3000 /var/log/imunify360-webshield/access.log" run "tail -n3000 /var/log/imunify360-webshield/error.log" run "tail -n3000 /var/ossec/logs/alerts/alerts.log" run "tail -n3000 /usr/local/directadmin/custombuild/custombuild.log" run "tail -n3000 /var/log/patchman/patchman.log" dump "/etc/issue" dump "/etc/sysconfig/kernel" dump "/etc/sysconfig/kcare/systemid" dump "/proc/uptime" dump "/proc/loadavg" dump "/proc/vmstat" dump "/proc/devices" dump "/proc/diskstats" dump "/proc/cmdline" dump "/proc/mdstat" dump "/proc/meminfo" dump "/proc/swaps" dump "/proc/filesystems" dump "/proc/mounts" dump "/proc/interrupts" dump "/boot/grub/grub.conf" dump "/proc/version" dump "/etc/passwd" run "ls -la /etc/apt/sources.list.d/" run "tail -n 50 /etc/apt/sources.list.d/*imunify*" run "ls -la /etc/apt/preferences.d/" run "tail -n 50 /etc/apt/preferences.d/*" run "zgrep -C 5 imunify /var/log/apt/history.log*" run "zgrep -C 5 imunify /var/log/apt/term.log*" run "apt policy imunify360-firewall" run "ls -la /etc/yum.repos.d/" run "tail -n 50 /etc/yum.repos.d/{*imunify360*,*sensor*}" run "grep DEFAULT /etc/default/grub" run "grep vmlinuz /boot/grub2/grub.cfg| sed 's/root=.*//'" dump "/boot/grub2/grub.cfg" dump "/proc/zoneinfo" run "ls /etc/grub.conf /boot/grub/grub.conf /boot/grub/menu.lst" run "ls -l /boot" run "grep Port /etc/ssh/sshd_config" run "dmidecode" run "systemd-detect-virt" run "virt-what" run "ipcs -m|sed -e s/-/=/g" run "sysctl -a" dump "/etc/sysctl.conf" run 'rpm -q -a --queryformat="%{N}|%{V}-%{R}|%{arch}\n"' # Package integrity check — prefer a freshly-downloaded copy whose detached # signature verifies against the CloudLinux GPG pubkey already installed by # imunify-release; fall back to the copy shipped in imunify-core on any # error. Only a verified copy is allowed to execute. _integrity_local="" for _p in /opt/imunify360/venv/share/imunify360/scripts/imunify-check-pkg-integrity \ /usr/share/imunify360/scripts/imunify-check-pkg-integrity; do [ -x "$_p" ] && { _integrity_local="$_p"; break; } done _integrity_remote="" _integrity_workdir="" _integrity_url="https://repo.imunify360.cloudlinux.com/defence360/imunify-check-pkg-integrity.sh" _integrity_pubkey="" for _k in /etc/pki/rpm-gpg/RPM-GPG-KEY-CloudLinux-Imunify \ /etc/apt/trusted.gpg.d/RPM-GPG-KEY-CloudLinux.gpg; do [ -r "$_k" ] && { _integrity_pubkey="$_k"; break; } done if [ -n "$_integrity_pubkey" ] && command -v gpg >/dev/null 2>&1; then mkdir -p -m 0700 "$tmpdir" 2>/dev/null _integrity_workdir="$(mktemp -d -p "$tmpdir" imunify-check-pkg-integrity.XXXXXX 2>/dev/null)" if [ -n "$_integrity_workdir" ] && [ -d "$_integrity_workdir" ] \ && [ ! -L "$_integrity_workdir" ] && [ -O "$_integrity_workdir" ]; then _dl_script="$_integrity_workdir/imunify-check-pkg-integrity.sh" _dl_sig="$_integrity_workdir/imunify-check-pkg-integrity.sh.sig" _gpg_home="$_integrity_workdir/gnupg" mkdir -m 0700 "$_gpg_home" _ok=1 if test_curl; then curl -sf -o "$_dl_script" "$_integrity_url" 2>/dev/null && \ curl -sf -o "$_dl_sig" "${_integrity_url}.sig" 2>/dev/null || _ok=0 elif test_wget; then wget -q -O "$_dl_script" "$_integrity_url" 2>/dev/null && \ wget -q -O "$_dl_sig" "${_integrity_url}.sig" 2>/dev/null || _ok=0 else _ok=0 fi # gpg --import handles both ASCII-armored and binary pubkey files. if [ $_ok -eq 1 ] \ && GNUPGHOME="$_gpg_home" gpg --batch --quiet --import "$_integrity_pubkey" 2>/dev/null \ && GNUPGHOME="$_gpg_home" gpg --batch --quiet --verify "$_dl_sig" "$_dl_script" 2>/dev/null; then chmod +x "$_dl_script" _integrity_remote="$_dl_script" fi fi fi if [ -n "$_integrity_remote" ]; then run "$_integrity_remote" elif [ -n "$_integrity_local" ]; then run "$_integrity_local" else sep "imunify-check-pkg-integrity" echo "SKIPPED: signed remote copy unavailable and imunify-check-pkg-integrity not installed locally." >> $DEST echo "Install/repair the imunify-core package to enable this check." >> $DEST time_stamp fi [ -n "$_integrity_workdir" ] && rm -rf "$_integrity_workdir" run "dpkg -l" run "tail -n10000 /var/log/messages" run "ls -lR /var/cache/kcare/" dump "/etc/sysconfig/kcare/kcare.conf" dump "/etc/kdump.conf" run "/opt/imunify360/venv/bin/python -m pip freeze" # Read the pidfile into a numeric-only var FIRST (no `sh -c "$(cat ...)"` # expansion at run time — the previous form was a TOCTOU/symlink hazard: # the pidfile is read inside the `sh -c` body, after the [[ -f ]] check, # so a swap between check and use would inject shell bytes. Sanitize to # digits before re-using. _dump_pidfile_fds() { local pidfile="$1" [[ -f "$pidfile" ]] || return local pid pid="$(tr -cd '0-9' < "$pidfile")" [[ -n "$pid" && -d "/proc/$pid" ]] || return sep "$pidfile" echo "$pidfile" >> "$DEST" ls -l "/proc/$pid/fd" >> "$DEST" 2>&1 time_stamp } _dump_pidfile_fds "$IMUNIFY360_PIDFILE" _dump_pidfile_fds "$IMUNIFY360_AGENT_PIDFILE" run "df -h" dump "/etc/userdomains" run "ps aux --sort=-%mem | head -20" run "ps aux --sort=-%cpu | head -20" run "ps aux | grep -i imunify" run "crontab -l" run "service imunify360 status" run "service imunify-antivirus status" run "service imunify360-webshield status" run "service wsshdict status" run "service firewalld status" run "service ossec-hids status" run "service fail2ban status" run "service httpd status" run "service lshttpd status" run "service patchman-client status" run_cb "webshield_selfcheck" run_cb "pam_db_size" run "imunify360-pam status --yaml" run "ls -la /etc/pam.d/" run "cat /etc/pam_imunify/i360.ini" if [ -e "/usr/sbin/csf" ]; then run "csf --status" run "lfd --status ; echo $?" run "service lfd status" run "service csf status" run "csf -V" dump "/etc/csf/csf.conf" dump "/etc/csf/csf.deny" dump "/etc/csf/csf.allow" dump "/etc/csf/csf.ignore" run "tail -n3000 /var/log/lfd.log" fi run "cxs --version" if [ -e "/usr/bin/firewall-cmd" ]; then run "timeout 5 firewall-cmd -V" run "timeout 5 firewall-cmd --state" run "tail -n3000 /var/log/firewalld" fi run "service cpanel status" dump "/var/cpanel/dnsonly" run "service mysql status" run "ps aux | grep -i cphulk" run "ipset -V" run "ipset save | head -n3000" run "ipset list -t | head -n3000" run "iptables -V" run "iptables-save | head -n3000" dump "/proc/sys/net/ipv6/conf/all/disable_ipv6" run "ifconfig" run "echo .tables | $db_command" run "echo \"select plugin, count(*) from incident;\" | $db_command_resident" run "echo \"select listname, count(*) from iplist;\" | $db_command_resident" run "echo \"select iplist_id, count(*) from iplistrecord;\" | $db_command_iplist" run "echo \"select * from iplist order by ctime desc limit 1000;\" | $db_command_resident" run "echo \"select * from incident order by timestamp desc limit 1000;\" | $db_command_resident" run "echo \"select * from country limit 1000;\" | $db_command" run "echo \"select * from country_list order by ctime desc limit 1000;\" | $db_command" run "echo \"select * from last_synclist limit 1000;\" | $db_command_resident" run "echo \"select * from migratehistory limit 1000;\" | $db_command" run "echo \"select * from malware_hits limit 1000;\" | $db_command" run "echo \"select * from malware_ignore_path limit 1000;\" | $db_command" run "echo \"select * from malware_scans limit 1000;\" | $db_command" run "du --human-readable /var/imunify360/imunify360.db" run "imunify360-agent blacklist country list --json --limit 2000" run "imunify360-agent ip-list local list --purpose drop --limit 2000" run "imunify360-agent graylist ip list --json --limit 2000" run "imunify360-agent whitelist country list --json --limit 2000" run "imunify360-agent ip-list local list --purpose white --limit 2000" run "imunify360-agent blocked-port list" run "imunify360-agent rstatus" run "imunify360-agent rstatus --json -v" run "imunify360-agent version" run "imunify360-agent 3rdparty conflicts --json | /opt/imunify360/venv/bin/python -m json.tool" run "imunify360-agent config show --json -v" run "imunify360-agent notifications-config show --json -v" run "grep License /var/log/imunify360/console.log | tail -n 1000" run "grep 'Server is offline' /var/log/imunify360/console.log | tail -n 1000" run "grep 'SensorAlert' /var/log/imunify360/console.log | tail -n 3000" run "grep 'modsec' /var/log/imunify360/console.log | tail -n 3000" run "ls -la /etc/sysconfig/imunify360/" run_cb "backup_systems_info" run "tail -n3000 /var/log/i360deploy.log" run "tail -n3000 /var/log/imav-deploy.log" run "tail -n3000 /var/ossec/logs/active-responses.log" run "tail -n3000 /var/ossec/logs/alerts/alerts.log" run "tail -n3000 /var/log/yum.log" run "tail -n3000 /var/log/minidaemon.log" # cPanel run "tail -3000 /usr/local/apache/logs/error_log" run "tail -3000 /usr/local/apache/logs/access_log" run "tail -3000 /usr/local/apache/logs/modsec_audit.log" # EA4 run "tail -3000 /etc/apache2/logs/modsec_audit.log" # plesk run "tail -3000 /usr/local/apache/logs/modsec_audit.log" # DA run "tail -3000 /var/log/httpd/modsec_audit.log" run "tail -3000 /var/log/trueimage-setup.log" run "/usr/local/cpanel/scripts/modsec_vendor list" run "whmapi1 modsec_get_configs" run "whmapi1 modsec_get_settings" run "cat /etc/apache2/conf.d/modsec2.imunify.conf" run "cat /usr/local/apache/conf/includes/modsec2.imunify.conf" run "ls /var/cpanel/cwaf" # prepend each particular log with ==> logfilename <== string run "tail --lines +0 /var/log/imunify360/register_unregister_post_error_*.log" # prepend each particular log with ==> logfilename <== string run "tail --lines +0 /var/log/imunify360/*hardenedphp.log.*" run "tail --lines +0 /var/log/imunify360/*kernelcare.log*" run "tail --lines +0 /var/log/imunify360/*ea_php.log*" run "ls /opt/alt/php*/usr/bin/php" run "ls /opt/cpanel/ea-php*/root/usr/bin/php" run 'rpm -qa --queryformat "%{NAME} %{RELEASE}\n" "ea-php*"' run "getenforce" run "sestatus" run "ss -u -a" run "ss -x -a | grep defence360agent" run "timeout 10 nc -v -w 5 -i 1 imunify360.cloudlinux.com 443" run "timeout 10 nc -v -w 5 -i 1 148.251.142.83 443" dump "/usr/local/cpanel/version" run "ls /etc/rc.d/init.d/" run "systemctl list-units --all" run "systemctl status aibolit-resident.socket" run "curl ipinfo.io" run "netstat -tulpan | tail -n 3000" run "netstat -tulpan | wc -l" # only tcp listening sockets & program run "netstat -tlpn" run "lsmod | grep ip_set" dump "/etc/cagefs/cagefs.mp" for f in /var/log/imunify360/native_da.hook_log.* do dump $f done ### PLESK run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules" run "/usr/local/psa/admin/sbin/modsecurity_ctl --list-rules --enabled" run "/usr/local/psa/admin/sbin/modsecurity_ctl --status" run "/usr/local/psa/bin/server_pref --show-web-app-firewall" run_cb "http_server_info" # collect info on how huge /var/cpanel/secdatadir/ip.pag is run "ls -lh /var/cpanel/secdatadir/*" run "printenv" run "/usr/libexec/run-with-intensity show" # colect webshield info run "tail -3000 /var/log/wsshdict/wsshdict.log" run "tail -3000 /var/log/imunify360/imunify360-wafd.log" # collect UAL log run "tail -3000 /var/log/imunify360/imunify360-unified-access-logger/log.rotate" if [ -e "/etc/kdump.conf" ]; then KDUMP_PATH=`grep ^path /etc/kdump.conf|cut -d' ' -f2` if [ -z "$KDUMP_PATH" ] ; then run "ls -lR /var/crash" else run "ls -lR $KDUMP_PATH" fi fi run dmesg run "ls -la /var/ossec/etc/VERSIONS/" run "ls --lcontext /var/ossec" run "ls --lcontext /var/ossec/bin" run "ls --lcontext /var/ossec/logs" run "ls -la /etc/httpd/conf/modsecurity.d/rules/" run "ls -la /etc/apache2/conf.d/modsec_vendor_configs/" run "cat /etc/httpd/conf/modsecurity.d/rules/custom/VERSION" run "cat /usr/local/directadmin/custombuild/custom/modsecurity/conf/VERSION" run "cat /etc/apache2/conf.d/modsec_vendor_configs/imunify*/VERSION;echo" run "cat /var/cpanel/modsec_cpanel_conf_datastore" run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq | wc -l" run "cut -d\":\" -f1 /etc/userplans | sort -n | uniq" run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq" run "cut -d\":\" -f2 /etc/virtual/domainowners | sort -n | uniq | wc -l" run "plesk db \"SELECT COUNT(DISTINCT cl_id) FROM domains\"" run "httpd -t" run "journalctl --no-pager -u imunify360 --since -1d" run "journalctl --no-pager -u imunify360-agent --since -1d" run "journalctl --no-pager -u imunify360-unified-access-logger --since -1d" # Imunify Email run "ie-config status" upload && echo || report_error_and_exit "Report file upload failed. Please try again."
Kaydet
Vazgeç