#!/bin/bash
# server01-forensic-observe.sh
# Read-only forensic observation script for cPanel/WHM server.
# Makes NO remediation changes. Creates only a report directory.

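set -u

# The report gathers authorized_keys contents, SSH client configs, auth logs and
# mail-body hits, so the output directory and every file written into it must
# be readable by root only (0700 / 0600). tee below and any later redirections
# inherit this umask.
umask 077

HOST="$(hostname -f 2>/dev/null || hostname)"
STAMP="$(date +%F_%H%M%S)"
OUT="/root/forensic-observe-${HOST}-${STAMP}"
LOG="$OUT/report.txt"

# The report directory is the only thing this script creates on the host.
# Without the guard a failed mkdir would make the exec below fail and the
# whole report would be lost silently.
mkdir -p "$OUT" || { printf 'cannot create report directory %s\n' "$OUT" >&2; exit 1; }

# Mirror stdout and stderr of everything that follows into the report file
# while still showing it on the console.
exec > >(tee -a "$LOG") 2>&1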

section() {
  # Print a report banner: a blank line, a rule, the title ($1), and the rule again.
  local title=$1
  local rule='============================================================'
  printf '\n%s\n%s\n%s\n' "$rule" "$title" "$rule"
}

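run() {
  # Print a command banner, run the command line under a wall-clock limit, and
  # flag a non-zero exit so that a failed or killed command is not mistaken for
  # "no findings" when reading the report.
  # Arguments: the command line; all arguments are joined with spaces and
  #            handed to `bash -c`, exactly as the callers below rely on.
  # Globals:   RUN_TIMEOUT (read, optional) - seconds before the command is
  #            killed; defaults to 60 when unset or empty.
  # Outputs:   banner, command output, optional [WARN] line on stdout.
  local cmd="$*"
  local -r limit="${RUN_TIMEOUT:-60}"
  local rc=0
  printf '\n### %s\n' "$cmd"
  # The child shell has no pipefail, so for `a | head` only the last stage's
  # status is seen here; a grep with no hits in front of head reads as success.
  timeout "$limit" bash -c "$cmd" 2>&1 || rc=$?
  # timeout(1) exits 124 when the limit is hit; any other non-zero status is
  # the command's own, so report the two cases distinctly with the code.
  if (( rc == 124 )); then
    printf '[WARN] command timed out after %ss (exit %d): %s\n' "$limit" "$rc" "$cmd"
  elif (( rc != 0 )); then
    printf '[WARN] command failed (exit %d): %s\n' "$rc" "$cmd"
  fi
}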

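section "FORENSIC OBSERVATION REPORT"
echo "Host: $HOST"
echo "Date: $(date)"
echo "Output: $OUT"
echo
echo "READ-ONLY MODE: no services restarted, no files deleted, no users changed."

section "SYSTEM IDENTIFICATION"
run "cat /etc/redhat-release 2>/dev/null || cat /etc/os-release"
run "uname -a"
run "uptime"
run "who -a"
run "last -n 30"
run "lastb -n 30 2>/dev/null"

section "CPANEL / WHM VERSION AND STATUS"
run "/usr/local/cpanel/cpanel -V 2>/dev/null"
run "/usr/local/cpanel/cpkeyclt --help >/dev/null 2>&1; echo 'cpkeyclt exists:' \$?"
run "systemctl is-active cpanel 2>/dev/null"
run "systemctl is-active exim 2>/dev/null"
run "systemctl is-active dovecot 2>/dev/null"
run "systemctl is-active httpd 2>/dev/null"

section "SUSPICIOUS USERS / RESELLERS / ROOT-LIKE ACCOUNTS"
# UID 0 accounts other than root, then every UID >= 500 with home and shell.
run "awk -F: '(\$3==0){print}' /etc/passwd"
run "awk -F: '(\$3>=500 || \$3==0){print \$1\":\"\$3\":\"\$6\":\"\$7}' /etc/passwd | sort"
run "grep -R \"root1\\|reseller\\|wheel\" /var/cpanel/users /etc/passwd /etc/group 2>/dev/null"
# grep -E instead of the obsolescent egrep: on grep >= 3.8 egrep prints a
# warning on stderr, which the 2>&1 in run() would fold into the report.
run "grep -E 'wheel|sudo|root' /etc/group"
run "ls -la /var/cpanel/users 2>/dev/null | head -100"

section "SSH CONFIG AND ACCESS ARTIFACTS"
run "grep -Ei '^(Port|PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|AuthorizedKeysFile|AllowUsers|AllowGroups|DenyUsers|DenyGroups)' /etc/ssh/sshd_config 2>/dev/null"
# Only the first lines of each key file / client config are echoed into the report.
run "find /root /home -path '*/.ssh/authorized_keys' -type f -exec ls -la {} \\; -exec echo '--- {} ---' \\; -exec sed -n '1,20p' {} \\; 2>/dev/null"
run "find /root /home -path '*/.ssh/config' -type f -exec ls -la {} \\; -exec echo '--- {} ---' \\; -exec sed -n '1,80p' {} \\; 2>/dev/null"
run "grep -R \"95834723_server_1\\|cpanel.net\\|ssh-rsa\\|ssh-ed25519\" /root/.ssh /home/*/.ssh 2>/dev/null"

section "RECENT AUTHENTICATION ACTIVITY"
# stderr silenced as on the next line so a missing /var/log/secure does not add noise.
run "grep -Ei 'Accepted|Failed|Invalid user|session opened|sudo|su:' /var/log/secure 2>/dev/null | tail -300"
run "grep -Ei 'root1|Accepted password|Accepted publickey|Failed password' /var/log/secure* 2>/dev/null | tail -300"

section "CPANEL ACCESS / API / ACCOUNT CREATION INDICATORS"
run "grep -RiE 'root1|createacct|setupreseller|setacls|api_token|whostmgr|xml-api|json-api|adduser|passwd' /usr/local/cpanel/logs /var/cpanel 2>/dev/null | tail -500"
run "ls -la /root/.cpanel /var/cpanel/authn /var/cpanel/api_tokens 2>/dev/null"
run "find /var/cpanel -iname '*token*' -o -iname '*session*' 2>/dev/null | head -100"

section "MAIL QUEUE AND QTOX INDICATORS"
run "exim -bpc 2>/dev/null"
run "exim -bp 2>/dev/null | head -300"
run "exim -bp 2>/dev/null | grep -i 'qtox' || true"
run "grep -RiI 'qtox\\|download qtox' /var/log/exim* /home/*/mail 2>/dev/null | head -500"

section "EXIM AUTH / PHP MAIL / SPAM INDICATORS"
run "grep -Ei 'cwd=|authenticated_id=|X-PHP-Script|qtox|frozen|rejected|temporarily rejected|spam|malware' /var/log/exim_mainlog* 2>/dev/null | tail -800"
run "grep -Ei 'authenticated_id=' /var/log/exim_mainlog* 2>/dev/null | tail -300"
run "grep -Ei 'cwd=/home|X-PHP-Script' /var/log/exim_mainlog* 2>/dev/null | tail -300"

section "QTOX MESSAGE FILE LOCATIONS"
# tee writes the full hit list into the report directory; the report itself
# shows at most 500 paths and the line count below covers the whole file.
run "grep -RilI 'qtox\\|download qtox' /home/*/mail/*/*/{cur,new} 2>/dev/null | tee '$OUT/qtox-message-files.txt' | head -500"
run "wc -l '$OUT/qtox-message-files.txt' 2>/dev/null"

section "RUNNING PROCESSES"
run "ps auxww --sort=-%cpu | head -80"
run "ps auxww --sort=-%mem | head -80"
# The trailing grep -v drops this pipeline's own processes (the bash -c and
# grep -E command lines contain the pattern and would otherwise match).
run "ps auxww | grep -Ei 'xmrig|miner|kinsing|kdevtmpfsi|dbus-systemd|qtox|masscan|pnscan|watchdog|cryptonight|stratum|bash -i|nc |ncat|perl |python |curl |wget ' | grep -v 'grep -E'"

section "NETWORK LISTENERS AND CONNECTIONS"
run "ss -tulpn"
run "ss -tanp | head -300"
run "lsof -i -P -n 2>/dev/null | head -300"

section "CRON / PERSISTENCE"
run "crontab -l 2>/dev/null"
run "ls -la /var/spool/cron /etc/cron* 2>/dev/null"
run "for f in /var/spool/cron/* /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/*; do [ -e \"\$f\" ] && echo '---' \$f && sed -n '1,160p' \"\$f\"; done 2>/dev/null"
run "grep -RIE 'curl|wget|base64|eval|xmrig|dbus-systemd|/tmp|/dev/shm|qtox|nc |ncat|bash -i|python|perl' /var/spool/cron /etc/cron* 2>/dev/null"

section "SYSTEMD PERSISTENCE"
run "systemctl list-unit-files --type=service --no-pager | grep -Ei 'enabled|static' | head -300"
run "find /etc/systemd/system /usr/lib/systemd/system -type f -mtime -90 -exec ls -la {} \\; 2>/dev/null | head -300"
run "grep -RIE 'curl|wget|xmrig|dbus-systemd|/tmp|/dev/shm|qtox|bash -c|python|perl|ExecStart' /etc/systemd/system /usr/lib/systemd/system 2>/dev/null | head -500"

section "SUSPICIOUS FILES IN TEMP LOCATIONS"
run "find /tmp /var/tmp /dev/shm -xdev -type f -ls 2>/dev/null | head -500"
run "find /tmp /var/tmp /dev/shm -xdev -type f -perm /111 -ls 2>/dev/null"
run "grep -RIE 'xmrig|stratum|qtox|curl|wget|bash -i|/bin/sh|base64|eval' /tmp /var/tmp /dev/shm 2>/dev/null | head -300"

section "KNOWN MINER / PRIOR INCIDENT INDICATORS"
run "find /root /home /tmp /var/tmp /dev/shm -iname '*xmrig*' -o -iname '*dbus-systemd*' -o -iname '.config.json' 2>/dev/null"
run "grep -RIE 'xmrig|stratum|dbus-systemd|cryptonight|monero|pool\\.' /root /etc /var/spool/cron /tmp /var/tmp /dev/shm 2>/dev/null | head -500"

section "RECENTLY MODIFIED FILES"
run "find /root /etc /usr/local/cpanel /var/cpanel -xdev -type f -mtime -14 -ls 2>/dev/null | head -700"
run "find /home -xdev -type f -mtime -14 -ls 2>/dev/null | head -1000"

section "WEBROOT SUSPICIOUS PHP PATTERNS"
run "find /home -path '*/public_html/*' -type f \\( -name '*.php' -o -name '*.phtml' -o -name '*.php.*' \\) -mtime -90 -ls 2>/dev/null | head -700"
run "grep -RIE 'base64_decode|eval\\(|assert\\(|shell_exec|passthru|system\\(|proc_open|popen|gzinflate|str_rot13|preg_replace.*e|FilesMan|c99|r57|WSO|b374k|mailer|smtp|qtox' /home/*/public_html 2>/dev/null | head -1000"

section "WORLD-WRITABLE AND SUID FILES"
run "find / -xdev -type f -perm -4000 -ls 2>/dev/null"
run "find / -xdev -type d -perm -0002 -ls 2>/dev/null | head -300"
run "find /home -xdev -type f -perm -0002 -ls 2>/dev/null | head -300"

section "IMMUTABLE / APPEND-ONLY ATTRIBUTES"
run "lsattr -R /root /etc /var/spool/cron 2>/dev/null | grep -E '----i|-----a|i----|a----' | head -300"

section "PACKAGE / RPM INTEGRITY SIGNALS"
# mtime, size and md5 are skipped, so only mode/owner/group/link/cap/device changes show.
run "rpm -Va --nomtime --nosize --nomd5 2>/dev/null | head -500"

section "CSF / FIREWALL OBSERVATIONS"
run "csf -v 2>/dev/null"
run "csf -l 2>/dev/null | head -300"
run "grep -E '^(TESTING|TCP_IN|TCP_OUT|UDP_IN|UDP_OUT|CC_ALLOW|CC_DENY|SMTP_BLOCK|LF_|DENY_IP_LIMIT|ALLOW_IP_LIMIT)' /etc/csf/csf.conf 2>/dev/null"
run "tail -200 /var/log/lfd.log 2>/dev/null"

section "MALWARE / AV TOOLS IF PRESENT"
run "command -v imunify-antivirus || command -v imunify360-agent || command -v clamscan || true"
run "imunify360-agent malware malicious list 2>/dev/null | head -200"
run "imunify-antivirus malware malicious list 2>/dev/null | head -200"

section "SUMMARY FILES"
echo "Report saved to: $LOG"
echo "qTox message list, if any: $OUT/qtox-message-files.txt"
echo
echo "To archive:"
echo "tar -czf ${OUT}.tar.gz -C /root $(basename "$OUT")"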