h(  ) ($6;EbBLkfu�_l� ''8;DUFKV3Dd#,?ANk&5G$/(5M\^�ms����Sb�,;R''6c2I�!\����kx�Ve�[i��Me�IYO7:nOL~�Kr�qrv�I:�BM�y��s}r��K����x)1�6@r*2�89ma��&��'ti������{~#������t)1�2<�0:^5�W.uFzQ/u}�v��vv�u��U37yDJeEJo(/�5Ds'1�:Jlu�iy�iy�hw�1;:S`^BMLOQQn,4�7C�8C�>Lfe�]k�[i�Zg��IW�LZ�EP;,.��Tc�q(0) G,/]/1����w�r��l&-t*3�<<�u��#����j&.u��J68\8?"#$%&'()*+,-./0 ! 
#!/bin/sh

#set -ex

# This script should be run on customer system to collect required information about system for support purpose only.

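# Must be run under root user: the audit logs, product configuration and
# sysfs/proc data collected below are only readable by root.
if [ "$(id -u)" -ne 0 ]; then
	echo "You must run this script as root." >&2
	exit 1
fi

# Fixed locale so the tool output in the bundle is English and stable.
export LANGUAGE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"

PROVIDER="eset"
RTP_MODULE="eset_rtp"

# Find security product. eea and efs keep the lslog/cfg/cloud tools in
# different directories, so the layout is chosen by which pkgid exists.
if [ -f "/opt/${PROVIDER}/eea/etc/pkgid" ]; then
	PRODUCT="eea"
	LSLOG_LOCATION="sbin"
	CFG_LOCATION="lib"
	CLOUD_LOCATION="lib"

elif [ -f "/opt/${PROVIDER}/efs/etc/pkgid" ]; then
	PRODUCT="efs"
	LSLOG_LOCATION="bin"
	CFG_LOCATION="sbin"
	CLOUD_LOCATION="sbin"

else
	echo "Security product not found." >&2
	exit 1
fi

# paths
PRODUCT_PATH="${PROVIDER}/${PRODUCT}"
INSTALL_PATH="/opt/${PRODUCT_PATH}"
VAR_PATH="/var/opt/${PRODUCT_PATH}"
LOG_PATH="/var/log/${PRODUCT_PATH}"
RUN_PATH="/var/run/${PRODUCT_PATH}"

MODULE_EXCLUDES_PATH="/sys/module/${RTP_MODULE}/settings/excludes"
ECP_LOGS_PATH="${VAR_PATH}/licensed/ecp"
UDEV_FILE_PATH="/etc/udev/rules.d/00-${PROVIDER}.${PRODUCT}.rules"

LSLOG_PATH="${INSTALL_PATH}/${LSLOG_LOCATION}/lslog"
CFG_PATH="${INSTALL_PATH}/${CFG_LOCATION}/cfg"
LSDEV_PATH="${INSTALL_PATH}/bin/lsdev"
CLOUD_PATH="${INSTALL_PATH}/${CLOUD_LOCATION}/cloud"

# temp directory (mktemp -d creates it mode 0700, owned by root).
# It will hold configuration exports and copies of journal/syslog, so:
# (a) refuse to continue if it could not be created - with an empty TMP_DIR
#     every "${TMP_DIR}/..." output path below would resolve to a file
#     directly under /, and
# (b) remove it on every exit path, including an interrupt, not only at the
#     end of the script.
TMP_DIR="$(mktemp -d)" || TMP_DIR=""
if [ -z "${TMP_DIR}" ] || [ ! -d "${TMP_DIR}" ]; then
	echo "Cannot create a temporary directory." >&2
	exit 1
fi
trap 'rm -rf "${TMP_DIR}"' EXIT
trap 'exit 1' INT TERM HUP

# output files
INFO_FILE="${TMP_DIR}/${PRODUCT}_info"
SYSTEM_FILE="${TMP_DIR}/${PRODUCT}_system"
KERNEL_FILE="${TMP_DIR}/${PRODUCT}_kernel"
KERNEL_EXCLUDES_FILE="${TMP_DIR}/${PRODUCT}_kernel_excludes"
EVENT_FILE="${TMP_DIR}/${PRODUCT}_events"
DETECTION_FILE="${TMP_DIR}/${PRODUCT}_detections"
SCANS_FILE="${TMP_DIR}/${PRODUCT}_scans"
SENT_FILE="${TMP_DIR}/${PRODUCT}_sent_files"
BLOCKED_FILE="${TMP_DIR}/${PRODUCT}_blocked_files"
DEVICES_FILE="${TMP_DIR}/${PRODUCT}_devices"
CLOUD_FILE="${TMP_DIR}/${PRODUCT}_cloud"
CFG_DUMP_FILE="${TMP_DIR}/${PRODUCT}_cfg_dump"
CFG_EXPORT_FILE="${TMP_DIR}/${PRODUCT}_cfg_export"
LSOF_FILE="${TMP_DIR}/${PRODUCT}_lsof"
LSUSB_FILE="${TMP_DIR}/lsusb"
UDEV_FILE="${TMP_DIR}/udevadm"
TOP_FILE="${TMP_DIR}/top"
SELINUX_FILE="${TMP_DIR}/${PRODUCT}_selinux"
DISTRO_FILE="${TMP_DIR}/distro_info"
MACHINE_FILE="${TMP_DIR}/machine_info"
NETWORK_FILE="${TMP_DIR}/network_info"
ERRORS_FILE="${TMP_DIR}/script_errors"
JOURNAL_FILE="${TMP_DIR}/journal_log"

# redirect all errors into ERRORS_FILE: from here on the stderr of every
# command ends up in the bundle instead of on the terminal
exec 2> "${ERRORS_FILE}"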

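# Print an empty line followed by a "#### TITLE ####" banner on stdout.
# Arguments: $1 - section title
# printf is used instead of echo: under /bin/sh, echo may interpret
# backslash sequences in the title, printf '%s' prints it verbatim.
section_header() {
	printf '\n#### %s ####\n' "$1"
}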

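# Print an empty line followed by a "## TITLE ##" sub-banner on stdout.
# Arguments: $1 - sub-section title (usually a directory path)
# printf '%s' prints the title verbatim; echo under /bin/sh may interpret
# backslash sequences in it.
small_header() {
	printf '\n## %s ##\n' "$1"
}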

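# Print a sub-banner for a directory and list its contents on stdout.
# Arguments: $1 - directory path
# -Z adds the SELinux context column (GNU ls); '--' keeps a path that
# starts with '-' from being parsed as an option.
list_folder() {
	small_header "$1"
	ls -alZ -- "$1"
}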

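# Print a sub-banner for a directory and list the directory entry itself
# (-d), not its contents, on stdout.
# Arguments: $1 - directory path
# -Z adds the SELinux context column (GNU ls); '--' keeps a path that
# starts with '-' from being parsed as an option.
list_folder_only() {
	small_header "$1"
	ls -alZd -- "$1"
}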

### SYSTEM AND PRODUCT INFO
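section_header "STATUS" >> "${INFO_FILE}"
# 'command -v' is a POSIX builtin; 'which' is a separate package that is
# not present on every minimal system, and a missing 'which' would silently
# select the init.d branch here.
if command -v systemctl >/dev/null 2>&1; then
	systemctl status "${PRODUCT}" --full --no-pager >> "${INFO_FILE}"
else
	# SysV fallback: the init script is named after the detected product
	# (eea or efs), not always efs
	"/etc/init.d/${PRODUCT}" status >> "${INFO_FILE}"
fi

section_header "PROCESSES" >> "${INFO_FILE}"
# keep the ps header line (matches "UID") and every process whose command
# line contains /eset/; the grep process itself is dropped
ps -e -L -o user,uid,tid,pgid,ppid,pcpu,pmem,vsize,start_time,stat,c,rtprio,policy,pri,ni,time,label,cmd | grep "UID\|/${PROVIDER}/" | grep -v grep >> "${INFO_FILE}"

section_header "IO PRIORITIES OF THREADS" >> "${INFO_FILE}"
IO_PRIO_LOGGED_SERVICES="scand oaeventd"
# word-splitting of the list is intentional (POSIX sh has no arrays)
for service in $IO_PRIO_LOGGED_SERVICES; do
	echo "$service:" >> "${INFO_FILE}"
	# second column of 'ps -eT' is the thread id of every thread whose line
	# mentions the service name
	thread_ids="$(ps -eT | awk -v pattern="$service" '$0~pattern{print $2}')"
	# only query ionice when there is at least one thread; with an empty
	# list xargs would run 'ionice -p' without a pid and only log a usage error
	if [ -n "${thread_ids}" ]; then
		echo "${thread_ids}" | xargs ionice -p >> "${INFO_FILE}"
	fi
done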

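section_header "KERNEL" >> "${INFO_FILE}"
uname -a >> "${INFO_FILE}"

section_header "SELINUX" >> "${INFO_FILE}"
# 'command -v' is a POSIX builtin; 'which' may be absent on minimal
# installs, which would turn both tool checks into a false "No SELinux found"
if command -v sestatus >/dev/null 2>&1; then
	sestatus >> "${INFO_FILE}"
fi
if command -v getenforce >/dev/null 2>&1; then
	getenforce >> "${INFO_FILE}"
	# "denied" lines that name the product, across all audit* log rotations;
	# a missing audit directory only produces an entry in ERRORS_FILE
	( cd /var/log/audit && grep denied audit* | grep "${PROVIDER}_${PRODUCT}" ) >> "${SELINUX_FILE}"
else
	echo "No SELinux found" >> "${INFO_FILE}"
fi

section_header "DATE" >> "${INFO_FILE}"
date >> "${INFO_FILE}"

# NOTE: the header says MEMORY but the content is filesystem usage (df -h).
# The label is left unchanged in case the bundle is parsed by its headers;
# memory figures are collected under MEMINFO in MACHINE_FILE.
section_header "MEMORY" >> "${INFO_FILE}"
df -h >> "${INFO_FILE}"

section_header "FILE SYSTEMS" >> "${INFO_FILE}"
mount >> "${INFO_FILE}"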

section_header "MODULES" >> "${INFO_FILE}"
# version/type lines of the module .dat files (-a: treat binary as text,
# -i: case-insensitive, -s: no error for unreadable files)
grep -ais -e "version" -e "type:" "${VAR_PATH}"/lib/*.dat >> "${INFO_FILE}"

section_header "FOLDERS" >> "${INFO_FILE}"
# everything in this group is appended to INFO_FILE, in top-down order
{
	# directory entries themselves, from / down to the provider directory
	list_folder_only "/"
	list_folder_only "/opt"
	list_folder_only "/opt/${PROVIDER}"
	# binaries: full recursive listing of the install tree
	echo ""
	ls -RalZ "${INSTALL_PATH}"
	list_folder_only "/var"
	list_folder_only "/var/run"
	# /var/run can be a symlink to /run - show the link target as well
	if [ -L "/var/run" ]; then
		ls -alZdL "/var/run"
	fi
	list_folder_only "/var/run/${PROVIDER}"
	# sockets
	list_folder "${RUN_PATH}/"
	list_folder_only "/var/opt"
	list_folder_only "/var/opt/${PROVIDER}"
	list_folder "${VAR_PATH}"
	# configuration
	list_folder "${VAR_PATH}/confd/"
	# license and activation info
	list_folder "${VAR_PATH}/licensed/"
	# modules, and the nups under them
	list_folder "${VAR_PATH}/lib/"
	list_folder "${VAR_PATH}/lib/data/updfiles"
	# cache
	list_folder "${VAR_PATH}/cache/"
	list_folder_only "/var/log"
	list_folder_only "/var/log/${PROVIDER}"
	# logs
	list_folder "${LOG_PATH}"
	list_folder "${LOG_PATH}/ods"
} >> "${INFO_FILE}"

### DISTRIBUTION INFO
section_header "VERSION" >> "${DISTRO_FILE}"
cat "/proc/version" >> "${DISTRO_FILE}"

section_header "RELEASE" >> "${DISTRO_FILE}"
# lsb_release wins when installed; otherwise the first existing release
# file in this order is recorded and the rest are skipped
if [ -x "/usr/bin/lsb_release" ]; then
	"/usr/bin/lsb_release" -a >> "${DISTRO_FILE}"
else
	for release_file in "/etc/redhat-release" "/etc/sles-release" "/etc/os-release"; do
		if [ -f "${release_file}" ]; then
			cat "${release_file}" >> "${DISTRO_FILE}"
			break
		fi
	done
fi

### MACHINE INFO
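section_header "STATUS" >> "${MACHINE_FILE}"
# 'command -v' is a POSIX builtin; 'which' is not guaranteed on minimal systems
if command -v hostnamectl >/dev/null 2>&1; then
	hostnamectl status >> "${MACHINE_FILE}"
else
	# hostnamectl is a systemd command and rhel6/centos 6 don't have it;
	# assemble the same three facts from uname
	{
		printf "Hostname: "
		uname -n
		printf "Kernel: "
		uname -sr
		printf "Architecture: "
		uname -i
	} >> "${MACHINE_FILE}"
fi

section_header "DMIDECODE" >> "${MACHINE_FILE}"
dmidecode >> "${MACHINE_FILE}"

section_header "LSCPU" >> "${MACHINE_FILE}"
lscpu >> "${MACHINE_FILE}"

section_header "CPU" >> "${MACHINE_FILE}"
cat "/proc/cpuinfo" >> "${MACHINE_FILE}"

section_header "MEMINFO" >> "${MACHINE_FILE}"
cat "/proc/meminfo" >> "${MACHINE_FILE}"

section_header "SECURE BOOT STATUS" >> "${MACHINE_FILE}"
if command -v mokutil >/dev/null 2>&1; then
	mokutil --sb-state >> "${MACHINE_FILE}" 2>&1
else
	# without mokutil, dump the raw SecureBoot EFI variable as decimal bytes;
	# on a BIOS-booted system the glob does not match and od's error message
	# is deliberately recorded in MACHINE_FILE as the answer
	od --address-radix=n --format=u1 /sys/firmware/efi/efivars/SecureBoot* >> "${MACHINE_FILE}" 2>&1
fi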

### NETWORK INFO
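section_header "IP ADDR" >> "${NETWORK_FILE}"
ip addr list >> "${NETWORK_FILE}"

# listening TCP/UDP sockets with their owning processes: netstat where it is
# still installed, otherwise its iproute2 replacement ss.
# 'command -v' is a POSIX builtin; 'which' is not present on every system.
if command -v netstat >/dev/null 2>&1; then
	section_header "NETSTAT" >> "${NETWORK_FILE}"
	netstat -tulpn >> "${NETWORK_FILE}"

elif command -v ss >/dev/null 2>&1; then
	section_header "SS" >> "${NETWORK_FILE}"
	ss -tulwnp >> "${NETWORK_FILE}"
fi

if [ -f "/etc/sysconfig/network" ]; then
	section_header "/etc/sysconfig/network" >> "${NETWORK_FILE}"
	cat "/etc/sysconfig/network" >> "${NETWORK_FILE}"
fi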

### KERNEL MODULE LOGS
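# 'command -v' is a POSIX builtin; 'which' is not present on every system
if command -v dmesg >/dev/null 2>&1; then
	# raw (-r) kernel ring buffer lines that mention the real-time protection module
	dmesg -r | grep "${RTP_MODULE}" >> "${KERNEL_FILE}"
fi

### KERNEL MODULE EXCLUDES
# the sysfs settings files contain NUL bytes; tr strips them so the list is
# readable as text. Redirecting the file into tr avoids a needless cat.
if [ -f "${MODULE_EXCLUDES_PATH}/files" ]; then
	section_header "FILES" >> "${KERNEL_EXCLUDES_FILE}"
	tr -d '\0' < "${MODULE_EXCLUDES_PATH}/files" >> "${KERNEL_EXCLUDES_FILE}"
fi
if [ -f "${MODULE_EXCLUDES_PATH}/procs" ]; then
	section_header "PROCESSES" >> "${KERNEL_EXCLUDES_FILE}"
	tr -d '\0' < "${MODULE_EXCLUDES_PATH}/procs" >> "${KERNEL_EXCLUDES_FILE}"
fi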

### SYSTEM LOGS
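# 'command -v' is a POSIX builtin; 'which' is not present on every system
if command -v journalctl >/dev/null 2>&1; then
	# every journal entry mentioning the provider, with explanations (-x)
	journalctl -x | grep -i "${PROVIDER}" >> "${SYSTEM_FILE}"
	# the most recent part of the whole journal (-e)
	journalctl -xe >> "${JOURNAL_FILE}"
fi

# classic syslog files, including their rotated copies, are copied whole
# whenever the base file exists
if [ -f "/var/log/messages" ]; then
	( cd /var/log && cp ./*messages* "${TMP_DIR}" )
fi

if [ -f "/var/log/syslog" ]; then
	( cd /var/log && cp ./*syslog* "${TMP_DIR}" )
fi

if [ -f "/var/log/debug" ]; then
	( cd /var/log && cp ./*debug* "${TMP_DIR}" )
fi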

### CONFIGURATION
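cp "${VAR_PATH}/confd/settings.json" "${TMP_DIR}"

### PRODUCT LOGS
# The CLI tools need a running daemon. The running-check must ignore this
# script's own processes: when invoked by its install path
# (/opt/eset/<product>/sbin/collect_logs.sh) its command line contains
# PRODUCT_PATH, so a plain 'ps | grep' would always report the product as
# running. In 'ps -ef' $2 is PID and $3 is PPID; the script is $$ and every
# member of this pipeline (including awk, whose arguments also contain the
# path) is a direct child of it, so both are excluded.
if ps -ef | awk -v self="$$" -v path="${PRODUCT_PATH}" \
	'$2 != self && $3 != self && index($0, path) { found = 1 } END { exit !found }'; then
	"${LSLOG_PATH}" --csv --events >> "${EVENT_FILE}"
	"${LSLOG_PATH}" --csv --detections >> "${DETECTION_FILE}"
	"${LSLOG_PATH}" --csv --scans >> "${SCANS_FILE}"
	"${LSLOG_PATH}" --csv --sent-files >> "${SENT_FILE}"
	"${LSLOG_PATH}" --csv --blocked-files >> "${BLOCKED_FILE}"
	"${CFG_PATH}" --dump >> "${CFG_DUMP_FILE}"
	"${CFG_PATH}" --export-xml="${CFG_EXPORT_FILE}"

	## DEVICE CONTROL (only when the lsdev tool is installed)
	if [ -f "${LSDEV_PATH}" ]; then
		{
			section_header "DEVICES"
			"${LSDEV_PATH}" --csv --list
			section_header "LOGS"
			"${LSLOG_PATH}" --csv --device-control
		} >> "${DEVICES_FILE}"
	fi

	## CLOUD (only when the cloud tool is installed)
	if [ -f "${CLOUD_PATH}" ]; then
		{
			section_header "EDTD"
			"${CLOUD_PATH}" --edtd-status
		} >> "${CLOUD_FILE}"
	fi
else
	echo "Warning: Product is not running. Please start it if possible."
fi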

## UDEV FILE
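if [ -f "${UDEV_FILE_PATH}" ]; then
	cp "${UDEV_FILE_PATH}" "${TMP_DIR}"
fi

### ECP LOGS
if [ -d "${ECP_LOGS_PATH}" ]; then
	cp -r "${ECP_LOGS_PATH}" "${TMP_DIR}"
fi

### LSOF
# 'command -v' is a POSIX builtin; 'which' is not present on every system
if command -v lsof >/dev/null 2>&1; then
	# open files of every product process. In 'ps -Af' $2 is PID and $3 is
	# PPID; this script ($$) and its pipeline children (whose command lines
	# also contain PRODUCT_PATH) are excluded so only product processes are
	# listed. The ids are numeric, so word-splitting the result is safe.
	for p in $(ps -Af | awk -v self="$$" -v path="${PRODUCT_PATH}" '$2 != self && $3 != self && index($0, path) { print $2 }'); do
		echo "" >> "${LSOF_FILE}"
		lsof -p "$p" 2>/dev/null >> "${LSOF_FILE}"
	done
fi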

### LSUSB
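# 'command -v' is a POSIX builtin; 'which' is not present on every system
if command -v lsusb >/dev/null 2>&1; then
	lsusb --tree 2>/dev/null >> "${LSUSB_FILE}"
	echo "" >> "${LSUSB_FILE}"
	lsusb --verbose 2>/dev/null >> "${LSUSB_FILE}"
fi

### UDEVADM
if command -v udevadm >/dev/null 2>&1; then
	udevadm info --export-db 2>/dev/null >> "${UDEV_FILE}"
fi

### TOP
if command -v top >/dev/null 2>&1; then
	# five batch-mode snapshots one second apart; the only step of the
	# script that deliberately takes several seconds
	top -b -d 1 -n 5 2>/dev/null >> "${TOP_FILE}"
fi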

### PKGID
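cp "${INSTALL_PATH}/etc/pkgid" "${TMP_DIR}"

### ARCHIVE
# The bundle holds configuration exports, logs, listening sockets and
# hardware details of the host, so a newly created archive is made readable
# by its owner only (umask 077 is scoped to the subshell). It is written to
# the current directory for the operator to hand over.
ARCHIVE_PATH="${PWD}/${PRODUCT}_logs.tar.gz"
if ( umask 077 && cd "${TMP_DIR}" && tar czf "${ARCHIVE_PATH}" ./* ); then
	echo "Logs have been collected to: ${ARCHIVE_PATH}"
	exit_status=0
else
	# stderr is redirected into the temp dir at this point, so a failure has
	# to be reported on stdout or it would be deleted with the directory
	echo "Error: could not create archive ${ARCHIVE_PATH}."
	exit_status=1
fi

# ':?' aborts instead of running rm -rf with an empty path
rm -rf "${TMP_DIR:?}"
exit "${exit_status}"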
