41 lines
1.6 KiB
Bash
41 lines
1.6 KiB
Bash
#!/bin/bash
|
|
# AWOOOI - javae Mining Trojan Monitor
|
|
# This script monitors the current-fifa2026-web-1 container for suspicious processes.
|
|
# It looks for 'javae', 'npm start', and 'entrypoint.sh' running as unexpected users or with high CPU.
|
|
|
|
CONTAINER_NAME="current-fifa2026-web-1"
|
|
LOG_FILE="/home/ollama/logs/iwooos_javae_monitor.log"
|
|
TELEGRAM_BOT_TOKEN="YOUR_BOT_TOKEN" # Can be injected or ignored if Wazuh is used
|
|
CHAT_ID="YOUR_CHAT_ID"
|
|
|
|
mkdir -p /home/ollama/logs
|
|
|
|
# Check if container is running
|
|
if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
|
|
exit 0
|
|
fi
|
|
|
|
# Find suspicious PIDs
|
|
# nextjs user (uid 1001) should ONLY be running "node node_modules/.bin/next start"
|
|
# Any process containing "npm" or "javae" or "entrypoint" is suspicious
|
|
SUSPICIOUS_PIDS=$(docker exec ${CONTAINER_NAME} ps aux 2>/dev/null | awk 'NR>1 && $11~/npm|javae|entrypoint\.sh/ {print $2}')
|
|
|
|
if [ ! -z "$SUSPICIOUS_PIDS" ]; then
|
|
DATE=$(date '+%Y-%m-%d %H:%M:%S')
|
|
echo "[$DATE] 🚨 SUSPICIOUS PROCESS DETECTED in $CONTAINER_NAME!" >> $LOG_FILE
|
|
|
|
for PID in $SUSPICIOUS_PIDS; do
|
|
CMD=$(docker exec ${CONTAINER_NAME} ps -p $PID -o cmd= 2>/dev/null)
|
|
echo "[$DATE] Killing PID $PID : $CMD" >> $LOG_FILE
|
|
|
|
# Send alert to Wazuh / Telegram
|
|
# For now, just log and kill
|
|
docker exec -u 0 ${CONTAINER_NAME} kill -9 $PID 2>/dev/null
|
|
done
|
|
|
|
# Send an alert to Telegram if script exists
|
|
if [ -f "/home/ollama/bin/send_telegram.py" ]; then
|
|
/usr/bin/python3 /home/ollama/bin/send_telegram.py "🚨 警告:在 $CONTAINER_NAME 容器內偵測到挖礦木馬 (javae/npm start)!已經自動將其阻斷。"
|
|
fi
|
|
fi
|