#!/bin/bash - 
#==========================================================================
#
#          FILE:  nagios-check-infections
# 
#         Usage:  ./nagios-check-infections
# 
#   Description:  Very simple nagios checker for rootkits not covered by 
#                 tools like rkhunter, chkrootkit etc.
# 
#       Options:  ---
#  Requirements:  ---
#          BUGS:  ---
#         Notes:  ---
#        Author: Bernhard Brunner, brb-nagios a-t it-transforms Dot ch
#       Company: epr.ch
#       Created: 2012/07/17 22:36
# Last modified: 2014-02-25 09:13
#      Revision:  ---
#==========================================================================
#  This program is free software; you can redistribute it and/or modify 
#  it under the terms of the GNU General Public License as published by 
#  the Free Software Foundation; either version 2 of the License, or    
#  (at your option) any later version.
#==========================================================================

BASEDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

STATUS_OK="OK"
STATUS_WARN="WARN"
STATUS_CRIT="CRITICAL"

status=$STATUS_OK
resp=""

function addresp
{
    resp="$resp $*"
}

function check_ebury
{
   addresp "Ebury:"
   ipcs -m | grep 666 | awk '
      BEGIN { ret=1; }
      { if ($5>3283128) ret=0;
        ret=1
      }
      END { exit ret}' 
   if [ $? == 0 ] ; then
       addresp "Possible infection"
       status=$STATUS_CRIT
   fi
}

function check_cdorked
{
    local prog="$BASEDIR/bin/cdorked-`uname -m`"
    if [ -e $prog ] ; then
        local cdork=`$prog`
        if [ $? == 1 ] ; then
            status=$STATUS_CRIT
        fi
    else
        local cdork="cdork: $prog not found"
        status=$STATUS_WARN
    fi

    addresp "$cdork"
}

function check_ebury
{
    addresp "Ebury:"
    ipcs -m | grep 666 | awk '
    BEGIN { ret=1; }
    { if ($5>3283128) ret=0;
        ret=1
    }
    END { exit ret}' 
    if [ $? == 0 ] ; then
        addresp "Possible infection"
        status=$STATUS_CRIT
    fi
}

function check_darkleech
{
    addresp "Darkleech:"
    ROOT=$(egrep -hR '^\s*ServerRoot' /etc/apache2/ | sed -e 's/\s*ServerRoot\s*//' -e 's/"//g')
    infected=

    for M in $(egrep -h -R '^\s*LoadModule' /etc/apache2/ | cut -d" " -f3-100); do
        FULL=""
        case "$M" in
            /*)
                FULL=$M
                ;;
            *)
                FULL=$ROOT/$M
                ;;
        esac
        #       echo "Checking module $FULL"
        if [ -f "$FULL" ]; then
            if $(strings "$FULL" | grep -q C_ARRAY_TAGS_FOR_INJECT); then
                status=$STATUS_CRIT
                addresp "$FULL infected!"
                #                        infected="$infected,$FULL"
            fi
        else
            echo "Module does not exists!"
        fi
    done
    #echo Infected modules: [$infected]
}
##################################################################

check_cdorked
check_ebury
check_darkleech

echo "$status -$resp"
#echo "$status -$resp" >> /tmp/smartout.txt
if [ "$status" == "OK" ] ; then
  exit 0
else
  exit 2
fi