These days I'm managing a number of OpenVZ virtual machine host servers, so I constantly run into problems with users who run malicious scripts inside their Linux virtual machines.
Commonly the user virtual servers are used as a launchpad to attack other hosts, to do illegal hacking activities, or simply to DDoS a host.
The virtual machine users (which, by the way, run on top of CentOS OpenVZ Linux) launch denial-of-service scripts like kaiten.pl, trinoo, shaft, tfn, etc.
As a consequence of their malicious activities, the data centers that colocate the servers often null-route our server IPs until we suspend the abusive users, or the servers simply go down because of overload or because a kernel bug is hit as a result of the heavy TCP/IP network traffic or CPU/memory overhead.
To mitigate these abusive attacks, I've written a few bash shell scripts which save us a lot of manual check-ups and in most cases prevent abusers from running the common DoS and "hacking" scripts that are now in the wild.
The first script I've written is kill_abusers.sh. What the script does is automatically look for a number of listed process names, kill them, and log the names of the abusive VM user processes it killed to /var/log/abusers.log.
I've set this script to run 4 times an hour, and it currently saves us a lot of nerves and useless ticket communication with the data centers (DCs), not to mention that reboot requests (for hung servers) have been reduced significantly.
So despite the script's simplicity, in general it makes the servers run way more stable than before.
Here is the OpenVZ kill/suspend abusers procs script kill_abusers.sh, ready for download
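To show the kill_abusers.sh idea as working code, here is an added example written for this page; it is not the author's script (that is the download above) and it uses the PROCS list that is assembled further down in the comments. It assumes an OpenVZ host kernel, where container processes show up in the host's `ps` and `/proc/<pid>/status` carries an `envID:` line with the container ID (CTID); the log path is the one the post names. Names are matched exactly against the basename of argv[0] and argv[1], so `perl slap.pl` is caught but a hypothetical `ddos_protect` daemon is not, which is the main thing a `pkill -f ddos` approach gets wrong:

```shell
#!/bin/sh
# Added example of the kill_abusers.sh approach; NOT the author's script.
# Assumptions: OpenVZ host kernel (container processes visible to host ps,
# "envID:" field in /proc/<pid>/status); log path as in the post.

PROCS='ircd kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo slap.pl brute pscan2 SpyEyeCollector'
LOG=/var/log/abusers.log

# find_abusers: reads "PID USER ARGS..." lines (as printed by
# `ps -eo pid=,user=,args=`) and prints "PID USER NAME" for every process
# whose argv[0] or argv[1] basename is exactly one of $PROCS.  Exact matching
# avoids the substring hits of pkill/killall -f; argv[1] is checked so that
# interpreter-launched scripts ("perl slap.pl") are caught as well.
find_abusers() {
  while read -r pid user cmd arg1 rest; do
    name=${cmd##*/}
    script=${arg1##*/}
    hit=''
    for p in $PROCS; do
      if [ "$name" = "$p" ] || [ "$script" = "$p" ]; then
        hit=$p
        break
      fi
    done
    if [ -n "$hit" ]; then
      printf '%s %s %s\n' "$pid" "$user" "$hit"
    fi
  done
}

# ctid_of_pid: container ID of a host-visible PID from the OpenVZ "envID:"
# field (0 is the host itself); prints "?" when the field is unavailable.
ctid_of_pid() {
  ctid=$(awk '/^envID:/ { print $2 }' "/proc/$1/status" 2>/dev/null || true)
  printf '%s\n' "${ctid:-?}"
}

# kill_listed: reads "PID USER NAME" lines from find_abusers, SIGKILLs each
# process and appends one line per kill to $LOG.  With DRY_RUN=1 nothing is
# killed and the log lines go to stdout instead (used by --demo below).
kill_listed() {
  while read -r pid user name; do
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    line="$stamp killed pid=$pid ctid=$(ctid_of_pid "$pid") user=$user proc=$name"
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf '%s\n' "$line"
    elif kill -9 "$pid" 2>/dev/null; then
      printf '%s\n' "$line" >> "$LOG"
    else
      printf '%s kill failed pid=%s proc=%s\n' "$stamp" "$pid" "$name" >> "$LOG"
    fi
  done
}

# scan_host: the live run over the host's process table.
scan_host() {
  ps -eo pid=,user=,args= | find_abusers | kill_listed
}

# Constructed sample process list (not captured from a real host), so the
# matching logic can be exercised with --demo without an OpenVZ box.
SAMPLE_PS='1234 apache /usr/sbin/httpd -k start
2345 u101 perl slap.pl
3456 u102 /home/u102/.x/tfn-child
4567 u103 ./ddos_protect --listen
5678 u104 msfconsole'

if [ "${1:-}" = --demo ]; then
  DRY_RUN=1
  printf '%s\n' "$SAMPLE_PS" | find_abusers | kill_listed
elif [ "${1:-}" = --run ]; then
  scan_host
fi
```

Run it with `--demo` to see which of the sample lines would be killed (slap.pl, tfn-child and msfconsole; httpd and ddos_protect survive), and with `--run` from cron; four runs an hour as in the post is `*/15 * * * * /root/kill_abusers.sh --run` in `crontab -u root -e`. Two caveats a host admin should keep in mind: this is a name heuristic only, so a renamed binary evades it, and names like `brute`, `exploit`, `msfconsole` and `ircd` also belong to legitimate pentesting and IRC customers, so review the log before suspending anyone.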
Another script which I wrote later on does something similar yet different: it scans the server hard disk using the locate and find commands and tries to identify users who have script-kiddie programs in their virtual machines and are therefore most probably crackers.
The script looks for abusive network scanners, DoS scripts, the Metasploit framework, ircds, etc.
After scanning the server HDD, it lists only the files which are preliminarily set in the script as dangerous and which therefore should not be executed inside a user VM.
search_for_abusers.sh then logs its activity to a file, together with the OpenVZ virtual machine user IDs that own the hack-related files. Right after that it uses the nail mailing command to send an email to a specified admin address, reporting the possible abusers whose VM accounts might need to be either deleted or suspended.
search_for_abusers.sh can be downloaded here
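The file-scanning side, as an added example written for this page rather than the author's search_for_abusers.sh: it walks the containers' private areas with find (rather than locate, whose database can be hours stale), maps every hit back to the owning container ID from its path, appends the findings to a report file and mails them with nail only when there is something to report. It assumes the OpenVZ default layout of one private area per container under `/vz/private/<CTID>` (simfs); the admin address, the report path and the sample paths are placeholders constructed for the example:

```shell
#!/bin/sh
# Added example of the search_for_abusers.sh approach; NOT the author's script.
# Assumptions: container private areas under /vz/private/<CTID> (OpenVZ
# default VE_PRIVATE on simfs), nail as the mailer as in the post.  The admin
# address and report path are placeholders.

VZ_PRIVATE=/vz/private
BAD_FILES='kaiten.pl dos.pl slap.pl tfn-child tfn-daemon trinoo pscan2 SpyEyeCollector msfconsole'
ADMIN_MAIL='admin@example.com'
REPORT=/var/log/search_for_abusers.log

# ctid_of_path: the container that owns a path under $VZ_PRIVATE; prints an
# empty line for paths outside it (host files, OS templates, backups).
ctid_of_path() {
  case "$1" in
    "$VZ_PRIVATE"/*)
      rest=${1#"$VZ_PRIVATE"/}
      printf '%s\n' "${rest%%/*}"
      ;;
    *)
      printf '\n'
      ;;
  esac
}

# find_bad_files: live scan printing every regular file under $VZ_PRIVATE
# whose name is exactly one of $BAD_FILES.  The -name tests are assembled in
# "$@" to build the -o chain without eval.
find_bad_files() {
  set --
  for f in $BAD_FILES; do
    set -- "$@" -o -name "$f"
  done
  shift                       # drop the leading -o
  find "$VZ_PRIVATE" -type f \( "$@" \) 2>/dev/null
}

# tag_with_ctid: reads paths, prints "CT <ctid> <path>" for those inside a
# container's private area and drops the rest.
tag_with_ctid() {
  while read -r p; do
    c=$(ctid_of_path "$p")
    if [ -n "$c" ]; then
      printf 'CT %s %s\n' "$c" "$p"
    fi
  done
}

# offending_ctids: reads paths, prints each container ID once, sorted numerically.
offending_ctids() {
  tag_with_ctid | awk '{ print $2 }' | sort -n -u
}

# run_scan: scan, append the findings to $REPORT and mail them with nail only
# when at least one container had a hit.
run_scan() {
  tmp=$(mktemp) || return 1
  {
    printf '%s scan of %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$VZ_PRIVATE"
    find_bad_files | tag_with_ctid
  } > "$tmp"
  cat "$tmp" >> "$REPORT"
  if [ "$(grep -c '^CT ' "$tmp")" -gt 0 ]; then
    nail -s "Possible abusers on $(hostname)" "$ADMIN_MAIL" < "$tmp"
  fi
  rm -f "$tmp"
}

# Constructed sample of find output (not from a real host), used by --demo.
SAMPLE_PATHS='/vz/private/101/home/bob/kaiten.pl
/vz/private/101/tmp/.x/tfn-child
/vz/private/205/root/slap.pl
/vz/template/cache/pscan2
/vz/private/101/root/pscan2'

if [ "${1:-}" = --demo ]; then
  printf '%s\n' "$SAMPLE_PATHS" | tag_with_ctid
  printf 'containers to review: %s\n' "$(printf '%s\n' "$SAMPLE_PATHS" | offending_ctids | tr '\n' ' ')"
elif [ "${1:-}" = --run ]; then
  run_scan
fi
```

With `--demo` the sample yields four tagged files and the container list `101 205`; the `/vz/template/cache` hit is deliberately dropped because it is the host's own OS template, not a customer file. The report lists the CTID rather than a username because that is what `vzctl stop`/suspend needs; as with the process killer, a filename match is evidence to review, not proof, since a customer doing authorised pentesting keeps msfconsole around legitimately.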
Honestly, I truly like my search_for_abusers.sh script, as it turned out quite nice and I coded it quite quickly.
I'm now intending to put the search-for-abusers script on a cronjob on the servers, to check periodically and report the IDs of the OpenVZ VM users who are attempting illegal activities on the servers.
I guess now our beloved virtual machine user script kiddies are in real trouble ;P
Thank you for these scripts, I have installed them and ran them to test, and they do what they are supposed to do!
🙂
I’m glad it helped somebody out there 😉
Hope to see ya around
By the way, in kill_abusers.sh it's nice to add to the list of PROCS:
PROCS='ircd kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo slap.pl';
The same goes for the search-for-abusers script.
There are plenty of abusers who use this slap.pl shit.
I ran them and it listed the clients that should be suspended. What is IRCd, isn't it a chat client?
Heya Josh,
IRCd is a chat (irc) server.
You might not need it in the list of processes to be killed; in my case I thought it's better if it's there, since sometimes people who are devoted to IRC get in quarrels and their services might later be a target of DoS.
Thanks for the description.
🙂
Two more processes which are good to enter in the script's list of abusive processes are:
'pscan2 SpyEyeCollector'
My current PROCS variable looks like so:
PROCS='ircd kaiten dos.pl exploit msfconsole ddos tfn-child tfn-daemon trinoo slap.pl brute pscan2 SpyEyeCollector';
Best!
Georgi
🙂
Any way to make one for a cPanel server, for dos.php etc.?
Hi Jack,
One can surely be written. If you're looking for someone to write you the script, I can offer you my services for some fee?
Best!
Georgi
I use these scripts quite often, so thanks again ^___^
However, the kill_abusers.sh script doesn't seem to work for me; I tried two nodes and it just goes blank :S
Hello Josh,
The script works, I don't know what you're doing. Do you use the latest version of the script? Previously I by mistake put online a version of the script which echoes the processes to kill instead of killing them; open the script and check you're not using this old version.
regards,
Georgi
Hi there,
I wget'd the latest one and it did the same :S
Do you have teamviewer?
Yes I have teamviewer 😉
Care to take a look on my TV to see what could be the issue? :S
I can do that; you can mail me at my address with the TeamViewer info.
Did you manage it? If not, drop me a mail or add me on Skype; my Skype is hipodilsky.
I would not be online today, but around the evening I will be online for a while.
Added 🙂
Oops, spoke too soon.
Having issues with skype, can you add my MSN/AIM/Yahoo?
support [at] Dotvps.net
I was travelling; now I'm very tired and will probably soon go to sleep. I've added you on ICQ but you seem unavailable. Whenever I'm online you should add me as well. Then I'll quickly take a look.
Best!
Georgi
Hello
Thanks for that.
We also often have a DDoS script named lool.
Cheers.
How would I install this on CentOS?
Hi Mark,
Do you get some errors? If you explain thoroughly what you do, maybe I'll be able to help.
By the way, I also offer pro-admin services for some fee, if you're interested 🙂
best
Georgi
Add my skype mark.cayetano2
I need some pro-admin services 🙂
Also, how do I add this into cronjobs?
So far... so good, great experience!!! Thanks!!!
How do I install this script? I need help please.
My e-mail ; Victor@SpetsnazHost.com
Hi, no need to install; download and run it.
Or place it in a cron job with crontab -u root -e.