#!/opt/imh-python/bin/python3
import time
from platform import node

from rads import send_email
# Deny/allow lists for a process's argv[0].  filter_processes() tests
# ``cmdline[0]`` with ``in`` against each list, so matching is exact string
# equality: substrings, trailing arguments and relative/absolute path variants
# of the same binary are NOT matched.
KNOWN_MALICIOUS_CMDLINE_STRINGS = [
# Known-good cPanel helpers that would otherwise be reported.  A value present
# in both lists is treated as nonmalicious (the allow list wins).
KNOWN_NONMALICOUS_CMDLINE_STRINGS = [
# NOTE(review): no leading '/' here, unlike the next entry.  With exact argv[0]
# matching this will not match '/usr/local/cpanel/bin/ftpput' — confirm intended.
'usr/local/cpanel/bin/ftpput',
'/usr/local/cpanel/3rdparty/bin/awstats.pl',
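def get_system_processes():
    """Use psutil to generate a list of all system processes.

    Each entry is the ``as_dict`` snapshot of one process restricted to the
    attributes ``username``, ``pid``, ``ppid``, ``create_time`` and
    ``cmdline``.  A process that exits between enumeration and inspection
    raises ``psutil.NoSuchProcess``; it is skipped explicitly so that the
    scan continues and no stale dict from a previous iteration is appended.

    :return: list of per-process attribute dicts
    """
    all_system_processes = []
    for system_process in psutil.process_iter():
        try:
            process_info = system_process.as_dict(
                attrs=['username', 'pid', 'ppid', 'create_time', 'cmdline']
            )
        except psutil.NoSuchProcess:
            # Process vanished mid-scan; there is nothing to record for it.
            continue
        all_system_processes.append(process_info)
    return all_system_processes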
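def filter_processes(all_system_processes, *, min_age_seconds=300, now=None):
    """Use some criteria to filter out the malicious processes and create a list.

    A process is kept only when every criterion holds:
    - its parent is PID 1 (``ppid == 1``, typically an orphaned/daemonised process)
    - username is not root (non-root)
    - process is at least ``min_age_seconds`` old (default 5 minutes)
    - process 'cmdline' argv[0] exactly matches a known malicious cmdline string
    - process 'cmdline' argv[0] doesn't match a known nonmalicious cmdline string

    A missing or empty ``cmdline`` (kernel threads, zombies, or entries psutil
    could not read, which ``as_dict`` may report as ``None``) can never match
    either list, so such processes are skipped instead of raising
    ``IndexError``/``TypeError`` and aborting the whole check.

    :param all_system_processes: list of process dicts as returned by
        get_system_processes()
    :param min_age_seconds: minimum process age, in seconds, before it is
        considered; pass 0 to disable the age filter
    :param now: epoch timestamp to compute ages against; defaults to
        ``time.time()`` (mainly useful for tests)
    :return: list of only malicious system processes
    """
    if now is None:
        now = time.time()
    darkmailer_processes = []
    for system_process in all_system_processes:
        cmdline = system_process.get('cmdline')
        if not cmdline:
            # Nothing to match against; cannot be one of the known scripts.
            continue
        argv0 = cmdline[0]
        seconds = now - system_process['create_time']
        if (
            system_process['ppid'] == 1
            and system_process['username'] != "root"
            and seconds >= min_age_seconds
            and argv0 in KNOWN_MALICIOUS_CMDLINE_STRINGS
            and argv0 not in KNOWN_NONMALICOUS_CMDLINE_STRINGS
        ):
            darkmailer_processes.append(system_process)
    return darkmailer_processes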
Function that manages flow of nagios check
- Find all system processes
- Filter the malicious processes
- Generate nagios exit status
all_system_processes = get_system_processes()
darkmailer_processes = filter_processes(all_system_processes)
# build email body message
darkmailer_processes_crit_data = []
for darkmailer_process in darkmailer_processes:
darkmailer_processes_crit_data.append(
(darkmailer_process['pid'], darkmailer_process['username'])
body = "{} CRITICAL: {} malicious scripts: {}".format(
len(darkmailer_processes_crit_data),
darkmailer_processes_crit_data,
if __name__ == "__main__":