#!/bin/bash



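# Usage handling: "--help" prints the two-line usage text and stops.
# Exiting here matters because the rest of the script runs unconditionally;
# without it, asking for help would still launch every process, socket and
# log check below.
if [[ "${1:-}" == "--help" ]]; then
    echo "You can pass --full to this to get some additional info,"
    echo "otherwise just run $0 to get the basic output."
    exit 0
fi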

#######################################
# Print the horizontal rule that frames each section heading of the report.
# Arguments: none
# Outputs:   one line of '=' characters on stdout
#######################################
separatorbar() {
	printf '%s\n' "========================================================================================="
}

# Operator notice printed before any findings: everything listed below is a
# lead to investigate, not a verdict, so nothing should be killed unchecked.
separatorbar
printf '%s\n' "= You must check the processes before killing them. Some processes could be legitimate! ="
separatorbar


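echo
echo "Check for Obvious Hacks and masquerading perl processes (check before killing)"
separatorbar

# For every process owned by "nobody" or by a user whose name contains
# letters followed by digits, print:
#   PID - name field of /proc/PID/stat - contents of /proc/PID/cmdline
# and keep only the lines that mention perl. Showing the task name next to
# the argument vector lets the reviewer spot a process whose arguments claim
# to be something other than what its task name says.
# NOTE(review): ps may abbreviate user names wider than its USER column, and
# an abbreviated name would not match the pattern below -- confirm on this
# platform.
# Errors for processes that exit while being inspected are discarded by the
# 2>/dev/null on the loop.
for proc in $(ps auwx | awk '$1 == "nobody" || $1 ~/[a-z]+[0-9]+/{print $2}'); do
    comm=$(awk '{print $2}' < "/proc/${proc}/stat")
    # cmdline separates arguments with NUL bytes, which command substitution
    # silently drops; turn them into spaces so the arguments stay readable
    # instead of running together.
    args=$(tr '\0' ' ' < "/proc/${proc}/cmdline")
    echo "$proc -  $comm - $args"
done 2>/dev/null | awk '/perl/{print}'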


printf '\n'
printf '%s\n' "Checking for daemonized user processes"
separatorbar

# List ps -ef lines whose third column (PPID) is 1 and whose first column
# (user) contains letters followed by digits, skipping any line that mentions
# gam_server. A user process re-parented to PID 1 has detached from whatever
# started it, which is worth reviewing on a shared host.
ps -ef |
    awk '!/gam_server/ && $3==1 && $1 ~ /[a-z]+[0-9]+/{print;}'


printf '\n'
printf '%s\n' "Checking for scripts bound to a shell, may display dead ptys, review with lsof -p PID"
separatorbar

# awk gives && higher precedence than ||, so a ps line is printed when either
#   - it contains /bin/sh and does not mention mysql, or
#   - it contains /bin/bash and mentions neither /opt/ nor check_hacks
#     (the second exclusion keeps this script itself out of the list).
ps aux |
    awk '/\/bin\/sh/ && !/mysql/ || /\/bin\/bash/ && !/\/opt\/|check_hacks/'


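echo
echo "Checking netstat output"
separatorbar

# TCP sockets whose netstat line mentions perl: columns 4-7 of the line
# (local address, remote address, state, PID/program in netstat -plan output).
# The format has four conversions, so exactly four values are passed.
# netstat -p can only name the owning process of sockets the caller is
# allowed to inspect, so run this as root for complete results.
netstat -plan | awk '/perl/ && /tcp/{printf "%25s %25s %15s %s \n", $4, $5, $6, $7}'

# --full: for every tcp line whose last field looks like PID/program, strip
# the IPv4-mapped "::ffff:" prefix, rewrite "/" as ": " (which re-splits the
# record), then print the new last field and the fifth field, sorted on the
# first output column. The two gsub calls are separate statements.
if [ "$1" == "--full" ]; then
    netstat -plan |
        awk '/tcp/ && $NF ~/[0-9]+\/.*$/ {gsub(/::ffff:/,"",$0); gsub(/\//,": ",$0); printf ("%20s %20s\n",$NF,$5);}' |
        sort -k1
fi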


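echo
echo "Displaying failed ftp authentication attempts"
separatorbar

# Summarise "Authentication failed" entries from the last 60000 lines of
# /var/log/messages: count identical entries and show the 20 most frequent.
# The numeric sort runs BEFORE head so the list really is the top 20 by
# count (matching the email and cPanel summaries); truncating first would
# keep the first 20 entries in alphabetical order and could hide the
# noisiest sources.
# NOTE(review): cut counts single spaces, so the field numbers assume a log
# prefix without padding; timestamps that pad single-digit days with an extra
# space would shift the fields -- confirm against the local log format.
tail -n 60000 /var/log/messages |
    grep "Authentication failed" |
    cut -d ' ' -f 5-13 |
    sort |
    uniq -c |
    sort -nr |
    head -20 |
    sed 's/\[WARNING\] Authentication failed for user //g' |
    column -t |
    sed -e 's/(?@//g' -e 's/)//g' -e 's/\[//g' -e 's/\]//g'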


printf '\n'
printf '%s\n' "Displaying failed email authentication attempts"
separatorbar

# Top 20 "LOGIN FAILED" entries (by count) from the last 60000 lines of
# /var/log/messages, leaving out lines that contain method=PLAIN. The sed
# expressions only tidy the output: they drop ", user=", closing brackets
# and the ", ip=[::ffff:" prefix before the columns are aligned.
# NOTE(review): cut counts single spaces, so the field numbers assume a log
# prefix without padding -- confirm against the local log format.
tail -n 60000 /var/log/messages |
    grep "LOGIN FAILED" |
    grep -v "method=PLAIN" |
    cut -d ' ' -f 5-9 |
    sort |
    uniq -c |
    sort -nr |
    head -20 |
    sed -e 's/, user=/ /g' -e 's/\]//g' -e 's/, ip=\[::ffff:/ /g' |
    column -t


printf '\n'
printf '%s\n' "Displaying failed cpanel authentication attempts"
separatorbar

# Top 20 "FAILED LOGIN" entries (by count) from the last 60000 lines of the
# cPanel login log. Only the first three space-separated fields of each line
# are kept before identical entries are counted.
tail -n 60000 /usr/local/cpanel/logs/login_log |
    grep "FAILED LOGIN" |
    cut -d ' ' -f -3 |
    sort |
    uniq -c |
    sort -nr |
    head -20 |
    column -t
