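#!/bin/bash
#
# monitor-modsec-post: scan one uploaded file with clamscan and print a
# one-line verdict on stdout.
#
# Usage:   monitor-modsec-post FILE
# Output:  "1 A2Scan: OK"            nothing to report
#          "0 A2Scan: <signature>"   clamscan flagged the file
# Env:     REMOTE_ADDR, HTTP_HOST, SCRIPT_FILENAME, SCRIPT_NAME (read).
#          All four come from the request and are handled as untrusted text.
#
# `set -e` is deliberately not used: a failed notification or scanner call
# must not stop the verdict line from being printed.
# NOTE(review): as a consequence the script fails open. An unreadable file
# or a clamscan that cannot start both end in "1 A2Scan: OK". Confirm that
# this is the intended policy.

readonly CLAMSCAN=/usr/local/cpanel/3rdparty/bin/clamscan
readonly SIG_DIR=/usr/local/cpanel/3rdparty/share/clamav
readonly NAGBOT_URL=http://nag.a2hosting.com/nagbot.php
readonly NAGBOT_TIMEOUT=10

# NOTE(review): hard-coded shared secret, posted to an http:// URL and so
# sent in cleartext. Rotate it, load it from a root-only file, and move the
# endpoint to https. The former `-k` flag is dropped: it has no effect on
# http and would disable certificate checks once the URL becomes https.
readonly NAGBOT_KEY=fanfulrofiajwearEmAb

# Anchored, with the dots escaped. The earlier `.*192.0.64.*` was unanchored
# and treated each dot as "any character", so addresses that merely contained
# a look-alike substring skipped the scan as well.
# NOTE(review): if the exclusion is meant to cover a larger netblock than the
# literal 192.0.64. prefix, write that range out explicitly and keep the anchor.
readonly EXCLUDED_ADDR_RE='^192\.0\.64\.'

#######################################
# Print the verdict line and stop.
# Arguments: $1 - complete verdict line
# Outputs:   the verdict on stdout
#######################################
verdict() {
  printf '%s\n' "$1"
  exit 0
}

#######################################
# Post a message to the nagbot channel.
# Globals:   NAGBOT_KEY, NAGBOT_URL, NAGBOT_TIMEOUT (read)
# Arguments: $1 - message text, appended after this host's name
# Outputs:   nothing on stdout; curl errors go to stderr
#######################################
notify() {
  # The key reaches curl through a config stream on stdin, so it does not
  # show up in the process list. --form-string sends request-derived text
  # literally; -F would interpret a leading @ or < and ;type= suffixes.
  # The response body is discarded so that the verdict is the only thing
  # this script writes to stdout (presumably the caller parses the first
  # line of output; confirm against the ModSecurity rule that runs this).
  # --max-time bounds the call because it runs inside the request path.
  printf 'form = "supersecretkey=%s"\n' "$NAGBOT_KEY" |
    curl --silent --show-error --max-time "$NAGBOT_TIMEOUT" \
      --config - \
      --form-string "privmsg=$(hostname) $1" \
      --form-string 'name=#hacks' \
      "$NAGBOT_URL" >/dev/null
}

file=$1
remote_addr=${REMOTE_ADDR:-}
request_info="FILE:${SCRIPT_FILENAME:-} SCRIPT:${SCRIPT_NAME:-} IP:${remote_addr}"

# Requests from the excluded address prefix are reported but not scanned.
if [[ $remote_addr =~ $EXCLUDED_ADDR_RE ]]; then
  notify "WEB-POST-DEBUG Vaultpress IP Exclusion:${HTTP_HOST:-} ${request_info}"
  verdict "1 A2Scan: OK"
fi

# Directories and unreadable paths are passed without scanning.
if [[ -d "$file" || ! -r "$file" ]]; then
  verdict "1 A2Scan: OK"
fi

# One -d option per signature database, kept as an array so that no
# word-splitting is needed when clamscan is called.
sig_args=()
for db in php.a2.ldb php.a2.ndb a2.hdb a2.ndb rfxn.ndb rfxn.hdb; do
  sig_args+=(-d "${SIG_DIR}/${db}")
done

# clamscan -i prints "<path>: <signature> FOUND" for infected files only;
# the second colon-separated field is kept. The former sed 's/\n//g' stage
# was a no-op (sed never sees the newline inside a line) and is dropped.
# NOTE(review): a path that itself contains ':' shifts the field.
result=$("$CLAMSCAN" "${sig_args[@]}" -i --no-summary "$file" | cut -d: -f2)

if [[ -z "$result" ]]; then
  verdict "1 A2Scan: OK"
fi

if [[ $result == *base64* ]]; then
  # These shenanigans are probably due to overly aggressive base64 related
  # rules in the rfxn set, over which we have no control.
  # NOTE(review): the upload is rewritten in place and then approved without
  # a second scan and without a notification. The patterns only cover the
  # literal eval(base64_decode( / eval(gzinflate(base64_decode( spellings,
  # so a "base64" hit is effectively downgraded to a pass. Consider logging
  # the hit and re-scanning the rewritten file.
  sed -i -e 's/<?.*eval(base64_decode(.*?>//' -e 's/<?php.*eval(base64_decode(.*?>//' -e 's/eval(base64_decode([^;]*;//' -- "$file"
  sed -i -e 's/<?.*eval(gzinflate(base64_decode(.*?>//' -e 's/<?php.*eval(gzinflate(base64_decode(.*?>//' -e 's/eval(gzinflate(base64_decode(.*);//' -- "$file"
  verdict "1 A2Scan: OK"
fi

notify "WEB-POST:${result} ${HTTP_HOST:-} ${request_info}"
verdict "0 A2Scan: $result"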