
clamscan

Updated script to scan Linux servers for viruses.

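#!/bin/bash
#
# Daily ClamAV sweep of the whole filesystem.
#
# Refreshes the signature database with freshclam, scans "/" with clamscan
# and, only when the scan summary reports infected files (or no summary was
# produced at all), mails the freshclam output and the scan log to EMAIL_TO.
#
# Meant to run as root from cron; /var/log/clamav must be writable.

### Test log with Infected files
#LOGFILE="/var/log/clamav/malware_detected.log"
LOGFILE="/var/log/clamav/clamav-$(/bin/date +'%Y-%m-%d').log"
EMAIL_TO="you@yourdomain.com"
FRESHCLAM_LOG="/var/log/clamav/freshclam.log"
EMAIL_MSG="/var/log/clamav/EMAIL.MSG"

# Need to build an email header to know which system is scanned.
# Gmail gateway is overwriting from line when it forwards the email.
HEADER_OS_LEVEL="$(/bin/uname -a)"
HEADER_DATE="$(/bin/date)"

# Truncate the update log so the mail only carries this run's freshclam
# output. NOTE(review): assumes freshclam.conf's UpdateLogFile points at
# this path; freshclam's stdout is not redirected here — confirm.
: > "$FRESHCLAM_LOG"
/usr/bin/freshclam

### Test clamscan
#/usr/bin/clamscan -ri /root/* > "$LOGFILE"
# -r recurse, -i report infected files only. --exclude-dir takes a regex,
# so quote it and anchor it to keep the shell and clamscan from reinterpreting it.
/usr/bin/clamscan -ri --exclude-dir='^/sys' / > "$LOGFILE"

# The summary line is "Infected files: N". Anchor on it so a scanned path
# that happens to contain the word "Infected" cannot be picked up instead.
MALWARE=$(/bin/grep '^Infected files:' "$LOGFILE" | /usr/bin/cut -d' ' -f3)

# No summary line means clamscan did not finish. Report that instead of
# staying silent: an empty value would otherwise make the numeric test
# below fail with "integer expression expected" and no mail would go out.
SCAN_STATUS="completed"
if [ -z "$MALWARE" ]; then
    SCAN_STATUS="incomplete (no summary line in log)"
    MALWARE=-1
fi

# If the value is not zero, send an email with the logs attached.
if [ "$MALWARE" -ne 0 ]; then
    {
        /bin/echo " "
        /bin/echo "OS: $HEADER_OS_LEVEL"
        /bin/echo "Date: $HEADER_DATE"
        /bin/echo "Scan: $SCAN_STATUS"
        /bin/echo " "
        /bin/echo "Freshclam Status:"
        /bin/cat "$FRESHCLAM_LOG"
        /bin/echo " "
        /bin/echo "Log File: $LOGFILE"
        /bin/cat "$LOGFILE"
    } > "$EMAIL_MSG"
    /usr/bin/mail -s "ClamAV Alert" "$EMAIL_TO" < "$EMAIL_MSG"
fi

exit 0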

Passbox

usage: passbox [action]

Passbox – a command-line password manager utility

ACTIONS

add-field Add additional fields to an existing entry
delete Remove an entry from the password database
get Get a particular password entry by its name
generate Generate a new random password
new Prompt to create a new passbox entry
remove-field Remove additional fields from an existing entry
search Search the password database for a string; returns all matching entries
update Update an existing entry in the password database

nginx+observium configuration

Update to observium's index.php so that it works with nginx.

Change from:

// Original observium line: takes PATH_INFO from the web server and falls back
// to ORIG_PATH_INFO. The nginx php.conf shown below passes neither parameter
// to php-fpm, so under nginx both lookups come back empty.
$_SERVER[‘PATH_INFO’] = (isset($_SERVER[‘PATH_INFO’]) ? $_SERVER[‘PATH_INFO’] : $_SERVER[‘ORIG_PATH_INFO’]);

Change to:

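// nginx passes no PATH_INFO (php.conf below sets no such fastcgi_param), so
// rebuild it from the client's request URI. Keep only the path component:
// $_SERVER['REQUEST_URI'] also carries the query string, which would
// otherwise end up inside PATH_INFO. The @observium rewrite is internal
// ("last"), so REQUEST_URI is still the URI the client asked for, e.g.
// "/devices/" rather than "/index.php/devices/".
$_SERVER['PATH_INFO'] = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);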

nginx site configuration:

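server {
    # Plain HTTP only: the observium login and session cookie travel in
    # clear text. Terminate TLS here (listen 443 ssl with a certificate) or
    # put this behind a TLS-terminating proxy before exposing it beyond a
    # trusted network.
    listen 80;
    server_name hostname.kulish.com;

    access_log /var/log/nginx/hostname.kulish.com.acc.log;
    error_log /var/log/nginx/hostname.kulish.com.err.log;

    root /www/observium/html;
    index index.php;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/www;
    }

    # Anything that is not a real file or directory is routed through
    # index.php with the requested URI appended as path info.
    location / {
        try_files $uri $uri/ @observium;
    }

    location @observium {
        rewrite ^(.+)$ /index.php/$1/ last;
    }

    # General php settings. php.conf and drop.conf consist of "location"
    # blocks, which are only valid inside a server context, so both includes
    # have to sit here rather than after the closing brace.
    include php.conf;

    # drop.conf: no access logging for favicon.ico, deny dotfiles and
    # editor backup files (see its contents below).
    include drop.conf;
}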

php.conf contents:

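# Hand PHP requests to php5-fpm. The location matches "/foo.php" and
# "/foo.php/some/path" (the @observium rewrite produces the latter) but not
# URIs that merely contain ".php" somewhere, such as "/upload/x.php.jpg".
location ~ [^/]\.php(/|$) {
    # Split "/index.php/devices/" into the script "/index.php" and the
    # path info "/devices/" instead of handing the whole URI to php-fpm
    # as the script name.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Only proxy scripts that exist on disk. Without this check php-fpm
    # with cgi.fix_pathinfo=1 can resolve the URI to a different file than
    # the one named in the request and execute that instead.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;

    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT $document_root;
    fastcgi_param SERVER_PROTOCOL $server_protocol;

    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;

    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;

    # Unix socket rather than TCP: no port exposed, no loopback overhead.
    fastcgi_pass unix:/var/run/php5-fpm/php5-fpm.sock;
}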

I am connecting to php5-fpm over a Unix socket to avoid TCP overhead.

drop.conf contents:

# Drop from logging and accidental access

# favicon.ico: served normally, but requests and 404s are kept out of the logs.
location = /favicon.ico {
    access_log off;
    log_not_found off;
}

# Dotfiles and dot-directories (.htaccess, .git, ...): never served, never logged.
location ~ /\. {
    access_log off;
    log_not_found off;
    deny all;
}

# Editor backup files ending in "~": never served, never logged.
location ~ ~$ {
    access_log off;
    log_not_found off;
    deny all;
}

irc.diff.05142011.2.txt


Index: irc.php
===================================================================
--- irc.php (revision 2317)
+++ irc.php (working copy)
@@ -1,10 +1,6 @@
#!/usr/bin/env php

-# status
-# reboot
-# log
-# help
-# down
+# port_info is broken. always reports same values no matter host selected

message(SMARTIRC_TYPE_CHANNEL, $data->channel, "Commands: !help, !log, !status, !version, !down, !port, !device, !listdevices");
+
+echo date("m-d-y H:i:s ");
+echo "HELP\n";
+
+mysql_close();
+
+ }
+
+
+###
# Get status on !version
###
function version_info(&$irc, &$data)
@@ -40,6 +55,7 @@

$irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, "Observium Version " . $config['version']);

+echo date("m-d-y H:i:s ");
echo "VERSION\t\t". $config['version'] . "\n";

mysql_close();
@@ -47,6 +63,31 @@
}

###
+# Get last eventlog entry
+###
+ function log_info(&$irc, &$data)
+ {
+
+global $config;
+
+mysql_connect($config['db_host'],$config['db_user'],$config['db_pass']);
+mysql_select_db($config['db_name']);
+
+ $device = dbFetchRow("SELECT `event_id`,`host`,`datetime`,`message`,`type` FROM `eventlog` ORDER BY `event_id` DESC LIMIT 1");
+ $host=$device['host'];
+ $hostid = dbFetchRow("SELECT `hostname` FROM `devices` WHERE `device_id` = $host");
+
+$irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, $device['event_id'] ." ". $hostid['hostname'] ." ". $device['datetime'] ." ". $device['message'] ." ". $device['type']);
+
+echo date("m-d-y H:i:s ");
+echo "LOG\n";
+
+mysql_close();
+
+ }
+
+
+###
# Get status on !down devices
###
function down_info(&$irc, &$data)
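Review bot: In log_info the value read from the eventlog row is interpolated straight into the second query (`WHERE device_id = $host`) with no cast or placeholder; it comes from the database rather than from the IRC user, but the query still breaks or misbehaves if that column is ever empty or non-numeric, and a one-line cast, `$host = (int) $device['host'];`, removes the question entirely (if dbFetchRow accepts a parameter array as in dbFacile, a `?` placeholder is the cleaner form). `$hostid['hostname']` is then read without checking that the lookup returned a row, so an event for a deleted device produces an undefined-index notice in the channel message. The trailing context lines are the start of down_info, whose body continues outside this hunk.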
@@ -56,18 +97,16 @@
mysql_connect($config['db_host'],$config['db_user'],$config['db_pass']);
mysql_select_db($config['db_name']);

- $query = mysql_query("SELECT * FROM `devices` where status=0");
- unset($message);
- while($device = mysql_fetch_assoc($query))
+ foreach (dbFetchRows("SELECT * FROM `devices` where status=0") as $device)
{
$message .= $sep . $device['hostname'];
$sep = ", ";
}
$irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, $message);
- unset($sep);

mysql_close();

+echo date("m-d-y H:i:s ");
echo "DOWN\n";

}
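Review bot: With the `unset($message)` and `unset($sep)` lines gone, the loop's `$message .= $sep . $device['hostname'];` reads both variables before anything assigns them, and when no device is down `$message` is still unset when it reaches `$irc->message(...)`. The removed unset() calls were effectively no-ops for function locals, so this is a pre-existing gap, but the new loop should initialise them: `$message = ''; $sep = '';` before the foreach. down_info begins outside this hunk.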
@@ -92,9 +131,10 @@
if ($device['ignore']) { $status = "*Ignored*"; }
if ($device['disabled']) { $status = "*Disabled*"; }

- $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, '#'.$device['device_id'] . " " . $device['os'] . " " . $device['version'] . " " .
+ $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, $device['os'] . " " . $device['version'] . " " .
$device['features'] . " " . $status);

+echo date("m-d-y H:i:s ");
echo "DEVICE\t\t". $device['hostname']."\n";

}
@@ -122,10 +162,11 @@
$pps_in = format_bi($port['ifInUcastPkts_rate']);
$pps_out = format_bi($port['ifOutUcastPkts_rate']);

- $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, '#' . $port['interface_id'] . " " . $port['ifAdminStatus'] . "/" . $port['ifOperStatus'] . " " .
+ $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, $port['ifAdminStatus'] . "/" . $port['ifOperStatus'] . " " .
$bps_in. " > bps > " . $bps_out . " | " . $pps_in. "pps > PPS > " . $pps_out ."pps");

-echo "PORT\t\t" . $hostname . "\t". $ifname . "\n";
+echo date("m-d-y H:i:s ");
+echo "PORT\t\t\t" . $hostname . "\t". $ifname . "\n";

}

@@ -152,9 +193,58 @@
$irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, $message);
unset($sep);

+echo date("m-d-y H:i:s ");
echo "LISTDEVICES\n";

}
+
+
+###
+# !status gives overall status
+###
+ function status_info(&$irc, &$data)
+ {
+ $statustype = $data->messageex[1];
+
+global $config;
+mysql_connect($config['db_host'],$config['db_user'],$config['db_pass']);
+mysql_select_db($config['db_name']);
+
+ if ($statustype == "dev") {
+ $devcount = array_pop(dbFetchRow("SELECT count(*) FROM devices"));
+ $devup = array_pop(dbFetchRow("SELECT count(*) FROM devices WHERE status = '1' AND `ignore` = '0'"));
+ $devdown = array_pop(dbFetchRow("SELECT count(*) FROM devices WHERE status = '0' AND `ignore` = '0'"));
+ $devign = array_pop(dbFetchRow("SELECT count(*) FROM devices WHERE `ignore` = '1'"));
+ $devdis = array_pop(dbFetchRow("SELECT count(*) FROM devices WHERE `disabled` = '1'"));
+ $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, "Devices: " .$devcount . " (" .$devup . " up, " .$devdown . " down, " .$devign . " ignored, " .$devdis . " disabled" . ")"); }
+
+ else if ($statustype == "prt") {
+ $prtcount = array_pop(dbFetchRow("SELECT count(*) FROM ports"));
+ $prtup = array_pop(dbFetchRow("SELECT count(*) FROM ports AS I, devices AS D WHERE I.ifOperStatus = 'up' AND I.ignore = '0' AND I.device_id = D.device_id AND D.ignore = '0'"));
+ $prtdown = array_pop(dbFetchRow("SELECT count(*) FROM ports AS I, devices AS D WHERE I.ifOperStatus = 'down' AND I.ifAdminStatus = 'up' AND I.ignore = '0' AND D.device_id = I.device_id AND D.ignore = '0'"));
+ $prtsht = array_pop(dbFetchRow("SELECT count(*) FROM ports AS I, devices AS D WHERE I.ifAdminStatus = 'down' AND I.ignore = '0' AND D.device_id = I.device_id AND D.ignore = '0'"));
+ $prtign = array_pop(dbFetchRow("SELECT count(*) FROM ports AS I, devices AS D WHERE D.device_id = I.device_id AND (I.ignore = '1' OR D.ignore = '1')"));
+ $prterr = array_pop(dbFetchRow("SELECT count(*) FROM ports AS I, devices AS D WHERE D.device_id = I.device_id AND (I.ignore = '0' OR D.ignore = '0') AND (I.ifInErrors_delta > '0' OR I.ifOutErrors_delta > '0')"));
+ $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, "Ports: " .$prtcount . " (" .$prtup . " up, " .$prtdown . " down, " .$prtign . " ignored, " .$prtsht . " shutdown" . ")");}
+
+ else if ($statustype == "srv") {
+ $srvcount = array_pop(dbFetchRow("SELECT count(service_id) FROM services"));
+ $srvup = array_pop(dbFetchRow("SELECT count(service_id) FROM services WHERE service_status = '1' AND service_ignore ='0'"));
+ $srvdown = array_pop(dbFetchRow("SELECT count(service_id) FROM services WHERE service_status = '0' AND service_ignore = '0'"));
+ $srvign = array_pop(dbFetchRow("SELECT count(service_id) FROM services WHERE service_ignore = '1'"));
+ $srvdis = array_pop(dbFetchRow("SELECT count(service_id) FROM services WHERE service_disabled = '1'"));
+ $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, "Services: " .$srvcount . " (" .$srvup . " up, " .$srvdown . " down, " .$srvign . " ignored, " .$srvdis . " disabled" . ")"); }
+
+ else {
+ $irc->message(SMARTIRC_TYPE_CHANNEL, $data->channel, "Error: STATUS requires one of the following "); }
+
+mysql_close();
+
+echo date("m-d-y H:i:s ");
+echo "STATUS\t\t$statustype\n";
+
+ }
+
}

$bot = &new observiumbot();
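Review bot: The fallback branch of status_info sends `"Error: STATUS requires one of the following "` and stops, so the user never learns which arguments are accepted; finish the message, e.g. `"Error: STATUS requires one of the following: dev, prt, srv"`. `$prterr` in the prt branch is computed with its own query but never reported, and its filter `(I.ignore = '0' OR D.ignore = '0')` counts a port when either side is un-ignored, which looks inverted relative to the AND used by the neighbouring queries — either drop the query or fix the condition and include the count in the message. `$data->messageex[1]` is also read unconditionally at the top, so a bare `!status` raises an undefined-offset notice before the else branch is reached; `$statustype = isset($data->messageex[1]) ? $data->messageex[1] : '';` avoids that.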
@@ -166,6 +256,9 @@
$irc->registerActionhandler(SMARTIRC_TYPE_CHANNEL, '!port', $bot, 'port_info');
$irc->registerActionhandler(SMARTIRC_TYPE_CHANNEL, '!down', $bot, 'down_info');
$irc->registerActionhandler(SMARTIRC_TYPE_CHANNEL, '!version', $bot, 'version_info');
+$irc->registerActionhandler(SMARTIRC_TYPE_CHANNEL, '!status', $bot, 'status_info');
+$irc->registerActionhandler(SMARTIRC_TYPE_CHANNEL, '!log', $bot, 'log_info');
+$irc->registerActionhandler(SMARTIRC_TYPE_CHANNEL, '!help', $bot, 'help_info');

$irc->connect($config['irc_host'], $config['irc_port']);
$irc->login($config['irc_nick'], 'Observium Bot', 0, $config['irc_nick']);