-
-
Notifications
You must be signed in to change notification settings - Fork 41
/
search_ssh_leftover_processes.py
executable file
·119 lines (92 loc) · 3.26 KB
/
search_ssh_leftover_processes.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/usr/bin/env python3
# written by sqall
# twitter: https://twitter.com/sqall01
# blog: https://h4des.org
# github: https://github.com/sqall01
#
# Licensed under the MIT License.
"""
Short summary:
Searches for processes that were started by an SSH session that is now disconnected.
Requirements:
None
Reference:
https://twitter.com/CraigHRowland/status/1579582776529281026
"""
import os
import re
import sys
from lib.util import output_error, output_finding
# Read configuration.
try:
from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
from config.search_ssh_leftover_processes import ACTIVATED
except:
ALERTR_FIFO = None
FROM_ADDR = None
TO_ADDR = None
ACTIVATED = True
def search_leftover_ssh_process():
# Decide where to output results.
print_output = False
if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
print_output = True
if not ACTIVATED:
if print_output:
print("Module deactivated.")
return
# Search for SSH_CONNECTION and SSH_CLIENT
fd = os.popen("grep -l SSH_C /proc/*/environ 2> /dev/null")
ssh_processes = fd.read().strip()
fd.close()
for ssh_process in ssh_processes.split("\n"):
# Example output: /proc/996/environ
# noinspection RegExpRedundantEscape
matches = re.search(r'proc/(\d*)/environ', ssh_process, re.IGNORECASE)
if not matches:
continue
pid = matches.group(1)
try:
with open("/proc/" + str(pid) + "/status", "r") as fp:
status_data = fp.read()
except FileNotFoundError: # Process got terminated while searching
continue
ppid = None
name = None
for line in status_data.split("\n"):
if line.startswith("PPid:"):
line_split = line.split("\t")
try:
ppid = int(line_split[-1])
except Exception as e:
output_error(__file__, "PPid not parsable for pid %d\n\n%s\n\n%s" % (pid, status_data, str(e)))
break
elif line.startswith("Name:"):
line_split = line.split("\t")
name = line_split[-1]
if ppid is not None and name is not None:
break
if ppid is not None and name is not None:
if ppid == 1:
# Get executed file
exe_link = "/proc/" + str(pid) + "/exe"
fd = os.popen("ls -laR %s" % exe_link)
exe_raw = fd.read().strip()
fd.close()
matches = re.search(r'/proc/\d*/exe -> (.*)', exe_raw, re.IGNORECASE)
exe_file = exe_raw
if matches:
exe_file = matches.group(1)
message = "Leftover process of SSH session found.\n\n"
message += "Name: %s\n" % name
message += "Exe: %s\n" % exe_file
message += "Pid: %s\n" % pid
output_finding(__file__, message)
if __name__ == '__main__':
is_init_run = False
if len(sys.argv) == 2:
if sys.argv[1] == "--init":
is_init_run = True
# Script does not need to establish a state.
if not is_init_run:
search_leftover_ssh_process()