Files
2026FIFAWorldCup/iwooos_javae_monitor.sh
QuantBot aa7e3bba76
Some checks failed
2026 World Cup Quant Platform - Production Deployment / Code Quality & Testing (push) Failing after 1m49s
2026 World Cup Quant Platform - Production Deployment / Deploy to Production VM via Rsync (push) Has been skipped
chore: migrate deployment to Gitea Actions with zero-trust rsync
2026-06-16 19:06:50 +08:00

41 lines
1.6 KiB
Bash

#!/bin/bash
# AWOOOI - javae Mining Trojan Monitor
# This script monitors the current-fifa2026-web-1 container for suspicious processes.
# It looks for 'javae', 'npm start', and 'entrypoint.sh' running as unexpected users or with high CPU.
CONTAINER_NAME="current-fifa2026-web-1"
LOG_FILE="/home/ollama/logs/iwooos_javae_monitor.log"
TELEGRAM_BOT_TOKEN="YOUR_BOT_TOKEN" # Can be injected or ignored if Wazuh is used
CHAT_ID="YOUR_CHAT_ID"
mkdir -p /home/ollama/logs
# Check if container is running
if ! docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
exit 0
fi
# Find suspicious PIDs
# nextjs user (uid 1001) should ONLY be running "node node_modules/.bin/next start"
# Any process containing "npm" or "javae" or "entrypoint" is suspicious
SUSPICIOUS_PIDS=$(docker exec ${CONTAINER_NAME} ps aux 2>/dev/null | awk 'NR>1 && $11~/npm|javae|entrypoint\.sh/ {print $2}')
if [ ! -z "$SUSPICIOUS_PIDS" ]; then
DATE=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$DATE] 🚨 SUSPICIOUS PROCESS DETECTED in $CONTAINER_NAME!" >> $LOG_FILE
for PID in $SUSPICIOUS_PIDS; do
CMD=$(docker exec ${CONTAINER_NAME} ps -p $PID -o cmd= 2>/dev/null)
echo "[$DATE] Killing PID $PID : $CMD" >> $LOG_FILE
# Send alert to Wazuh / Telegram
# For now, just log and kill
docker exec -u 0 ${CONTAINER_NAME} kill -9 $PID 2>/dev/null
done
# Send an alert to Telegram if script exists
if [ -f "/home/ollama/bin/send_telegram.py" ]; then
/usr/bin/python3 /home/ollama/bin/send_telegram.py "🚨 警告:在 $CONTAINER_NAME 容器內偵測到挖礦木馬 (javae/npm start)!已經自動將其阻斷。"
fi
fi