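#!/bin/bash
## Executing this script is not a guarantee for a secure host!
## This script is a collection of the junk I have found on my hosts and what
## the SaltStack community gave as input. We have seen this attack evolve.
## Please have a very close look at your systems and consider reinstalling them
## to be absolutely sure you are free of malware.
# 2020.05.05
# script found after an attack on a Salt master and the hosts it managed
# https://gist.github.com/itskenny0/df20bdb24a2f49b318a91195634ed3c6#file-cleanup-sh
#
# Deliberately no `set -e`: every step is best-effort (files may already be
# gone, processes may not be running) and one failing step must not stop the
# rest of the cleanup. Unset variables are still an error.
set -u

# On a compromised host the PATH of the calling shell cannot be trusted; pin
# it so `sed`, `crontab`, `pkill` etc. resolve to the system binaries.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Everything below edits root-owned state; fail early instead of producing a
# wall of permission errors that hides which steps actually ran.
(( EUID == 0 )) || die "this script must run as root"

# Patterns seen in crontab entries on compromised hosts. Each entry is used as
# a sed basic-regex address (`sa.sh$` and `c.sh$` anchor at end of line).
# warning! these IPs change! please manually verify your crontab with
# `crontab -l` to make sure there are no other malicious entries
readonly -a cron_patterns=(
  54.36.185.99
  217.8.117.137
  176.31.60.91
  217.12.210.192
  89.223.121.139
  torsocks
  anagima3
  'sa.sh$'
  'c.sh$'
  selcdn.ru
)

#######################################
# Remove crontab persistence from root's crontab.
# Only root's crontab is covered: other users' crontabs and /etc/cron.d,
# /etc/cron.{hourly,daily,...} must be reviewed separately.
# Globals:   cron_patterns (read)
# Returns:   0 (always best-effort)
#######################################
remove_crontab_persistence() {
  local pattern
  local current
  # No crontab at all -> nothing to clean (and nothing to accidentally install).
  current=$(crontab -l 2>/dev/null) || return 0
  for pattern in "${cron_patterns[@]}"; do
    current=$(printf '%s\n' "$current" | sed "/${pattern}/d")
  done
  # Single write instead of one `crontab -` per pattern.
  printf '%s\n' "$current" | crontab -
}

#######################################
# Remove the ssh public key added by v5 of the malware from root's
# authorized_keys. The file is backed up first because the sed pattern
# deletes whole lines and a bad match would lock you out of the host;
# delete the backup once you have reviewed it, it still holds the bad key.
# Returns:   0 if the file does not exist, else sed's status
#######################################
remove_ssh_key() {
  local keys=/root/.ssh/authorized_keys
  [[ -f "$keys" ]] || return 0
  cp -p -- "$keys" "${keys}.bak-$(date +%Y%m%d%H%M%S)"
  sed -i '/PbNwmJNcFwSLF12fFBoF\/$/d' "$keys"
}

#######################################
# Remove all the trash dropped by the malware.
# `-f` keeps already-removed files from producing errors on a second run.
#######################################
remove_artifacts() {
  rm -f -- /tmp/salt-minions /tmp/salt-store /var/tmp/salt-store /root/.wget-hsts
  # The original cleanup removed /etc/selinux/config (presumably because the
  # attack tampered with it). If this host uses SELinux, restore your own copy
  # of that file afterwards.
  rm -f -- /etc/selinux/config
  # NOTE: this glob also matches /tmp/.ICE-unix, the usual X11 session socket
  # directory; harmless on a headless server, it is recreated on next login.
  rm -rf -- /tmp/.ICE* /var/tmp/.ICE*
}

#######################################
# Create empty AppArmor profiles for the dropped binaries so that anything
# re-created at those paths is confined and cannot execute.
# Outputs:   writes /etc/apparmor.d/salt-store and /etc/apparmor.d/salt-minions
#######################################
install_apparmor_profiles() {
  local spec name path
  for spec in salt-store:/var/tmp/salt-store salt-minions:/tmp/salt-minions; do
    name=${spec%%:*}
    path=${spec#*:}
    printf 'profile %s %s { }\n' "$name" "$path" >"/etc/apparmor.d/${name}"
    apparmor_parser -r -W "/etc/apparmor.d/${name}"
  done
}

#######################################
# Re-enable the NMI watchdog (runtime and persisted setting) and turn
# hugepages back off.
#######################################
restore_kernel_settings() {
  sysctl kernel.nmi_watchdog=1
  echo '1' >/proc/sys/kernel/nmi_watchdog
  # drop the persisted override so the watchdog stays on after reboot
  sed -i '/kernel.nmi_watchdog/d' /etc/sysctl.conf
  # disable hugepages
  sysctl -w vm.nr_hugepages=0
}

# Enable and start AppArmor so the profiles above are enforced.
enable_apparmor() {
  systemctl enable apparmor
  systemctl start apparmor
}

#######################################
# Kill the malware processes and the re-enabler. Done after the AppArmor
# profiles are loaded so a respawned copy at the known paths is already
# confined. pkill -f matches the full command line and excludes itself,
# which replaces the `ps | grep | grep -v grep` chains and the fragile
# `cut -c5-15` PID extraction of the original.
#######################################
kill_malware_processes() {
  pkill -9 -f -- '/tmp/.ICE'
  pkill -9 -f -- 'ICEd'
  killall -9 salt-minions
  killall -9 salt-store
}

# Recreate the syslog file and restart rsyslog so logging resumes.
restore_syslog() {
  touch /var/log/syslog
  service rsyslog restart
}

main() {
  remove_crontab_persistence
  remove_ssh_key
  remove_artifacts
  install_apparmor_profiles
  restore_kernel_settings
  enable_apparmor
  kill_malware_processes
  restore_syslog
  printf 'cleanup finished - now review "crontab -l" and authorized_keys by hand\n' >&2
}

main "$@"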