Aggiunta sls x zabbox e sanitize salt#

Changes to be committed: new file: ZabbixSetup.bat new file: ZabbixWin.sls new file: sanitSalt.sh new file: sanitize.sls new file: ubuVpnSrv.sls
2020-05-09 14:58:33 +02:00
parent 19bb78b065
commit 1585f7d132
5 changed files with 82 additions and 0 deletions
@@ -0,0 +1 @@
+REM effettuo configurazione x Zabbix
@@ -0,0 +1,12 @@
+# INstall agent zabbix di base
+zabbix-agent-install:
+  chocolatey:
+    - installed
+    - name: zabbix-agent
+
+# Script setup zabbix con nostro server
+zabbix-agent-config:
+   cmd.script: 
+    - name: c:/Steamware/src/ZabbixSetup.bat
+    - source: salt://ZabbixSetup.bat
+
@@ -0,0 +1,58 @@
+#!/bin/bash
+## Executing this script is not a guarantee for a secure host!
+## This script is a collection of the junk I have found on my hosts and what
+## the SaltStack community gave as input. We have seen this attack evolve. 
+## Please have a very close look at your systems and consider reinstalling them 
+## to be absolutely sure you are free of malware.
+
+# 2020.05.05
+# script trovato dopo attacco su server salt e gestiti 
+# https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh
+
+# remove crontab persistence
+for i in 54.36.185.99 217.8.117.137 176.31.60.91 217.12.210.192 54.36.185.99 54.36.185.99 89.223.121.139 torsocks anagima3 sa.sh$ c.sh$ selcdn.ru; do
+	  crontab -l | sed "/$i/d" | crontab -
+done
+# warning! these IPs change! please manually verify your crontab with crontab -l 
+# to make sure there are no other malicious entries
+
+# remove ssh public key added by v5
+sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' /root/.ssh/authorized_keys
+
+# remove all the trash
+rm /tmp/salt-minions
+rm /tmp/salt-store
+rm /var/tmp/salt-store
+rm /etc/selinux/config
+rm -rf /tmp/.ICE*
+rm -rf /var/tmp/.ICE*
+rm /root/.wget-hsts
+
+# create apparmor profiles to prevent execution
+echo 'profile salt-store /var/tmp/salt-store { }' | tee /etc/apparmor.d/salt-store
+apparmor_parser -r -W /etc/apparmor.d/salt-store
+
+echo 'profile salt-minions /tmp/salt-minions { }' | tee /etc/apparmor.d/salt-minions
+apparmor_parser -r -W /etc/apparmor.d/salt-minions
+
+# reenable nmi watchdog
+sysctl kernel.nmi_watchdog=1
+echo '1' >/proc/sys/kernel/nmi_watchdog
+sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf
+
+# disable hugepages
+sysctl -w vm.nr_hugepages=0
+
+# enable apparmor
+systemctl enable apparmor
+systemctl start apparmor
+
+# kill processes and reenabler
+kill -9 $(ps faux | grep /tmp/.ICE | grep -v grep | awk '{print $2}')
+ps aux | grep ICEd | grep -v grep | cut -c5-15 | xargs -n 1 kill -9
+killall -9 salt-minions
+killall -9 salt-store
+
+# fix syslog
+touch /var/log/syslog
+service rsyslog restart
@@ -0,0 +1,6 @@
+# Script esecuzione sanitizzazione da attacco salt del 2020.05.05
+salt-sanitizer:
+   cmd.script: 
+    - name: /root/sanitSalt.sh
+    - source: salt://sanitSalt.sh
+
@@ -0,0 +1,5 @@
+# Script inizio update (copia conf + kill)
+#runPiVpnScript:
+#   cmd.run: 
+#    - name: curl -L https://install.pivpn.io | bash > /dev/null 2>&1
+