During the Ransomware webinar I mentioned that I use an interesting virus removal process. It was suggested that I do a write-up. I have a username on my work domain that uses a login script to nearly automate a virus-removal/cleanup of a PC. The programs used in this process are (and in this order): Rkill, tdsskiller, ccleaner, MBAM.
I need to create a Bash script to remove a user.
We use RHEL versions 4, 5, and 6.
Let's say the usernames are Ray4 and Ray6 and the script name is deal.
Specific tasks for this script are:
- Does the user exist?
- If the user exists, back up the /home directory for this user, remove the username, and place it in /root/DeletedUsers.
- If the /root/DeletedUsers directory doesn't exist, create it.
- If any firewall rules exist for this user, email me the results for those rules and on which nodes.
- If this user exists in sudoers, don't delete it, but comment it out.
This is what I have so far. I want to make sure this works before I run it in RHN Satellite. After making the suggested changes, here are the new errors I am getting now.
Michael Durrant
Jake
2 Answers
I would suggest you use `getent` to check for the existence of a user. This script should get you going. You can call the script as `./deal ray[4]` and then if you need to run it for another user you can call it using `./deal ray[6]`. I have not tested the script on my system, but this should help you out, as in case you need to delete any other user in future, you need not modify the script but rather call the script with the username as an argument.

EDIT: As per derobert's suggestion, you can omit directory testing if you use the `-p` flag.

Ramesh
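The script itself did not survive in this copy of the thread, so what follows is an added example written for this page, not the answerer's or the asker's code. It walks the five tasks from the question in order: `getent` for the existence check, `mkdir -p` for the archive directory (so no separate test is needed), a tarball of the home directory, a filter over `iptables -S` output for owner-match rules naming the user, and a `sed` pass that comments out the user's sudoers entry instead of deleting it. `ADMIN_MAIL`, `ARCHIVE_DIR` and the use of `iptables` owner matching and a local `mail` command are assumptions; the sample rule lines in the usage note are constructed.

```shell
#!/bin/bash
# deal: remove a user from this host, keeping a backup of the home directory.
# Added example for this Q&A thread; not the script posted in either answer.
# Assumes a RHEL-style layout (/home/<user>, /etc/sudoers), iptables owner
# matching, and a working `mail` command. ADMIN_MAIL is a placeholder address.
set -u

ADMIN_MAIL="${ADMIN_MAIL:-root@localhost}"        # placeholder, override in the environment
ARCHIVE_DIR="${ARCHIVE_DIR:-/root/DeletedUsers}"

# Task 1: does the account exist? getent goes through NSS, so LDAP/NIS users count too.
user_exists() {
    getent passwd "$1" > /dev/null
}

# Task 2/3: tar the home directory into the archive directory. mkdir -p creates the
# directory only if it is missing, so no "does it exist" test is required.
# Prints the archive path on success.
backup_home() {
    local user=$1 home_parent=$2 dest=$3
    mkdir -p "$dest" || return 1
    local archive="$dest/${user}-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$home_parent" "$user" || return 1
    printf '%s\n' "$archive"
}

# Task 4: keep only `iptables -S` lines whose owner match names this exact user.
# Reads the rule listing on stdin so it can be exercised against canned input.
find_user_rules() {
    local user=$1
    grep -E -- "--uid-owner[[:space:]]+${user}([[:space:]]|$)" || true
}

# Task 5: comment out, rather than delete, sudoers lines that start with the user.
# The pattern requires whitespace after the name, so "ray46" is not touched when
# removing "ray4". Rewrites through a temp file so GNU and BSD sed behave alike.
comment_sudoers_entry() {
    local user=$1 file=$2 tmp
    tmp=$(mktemp) || return 1
    sed "/^${user}[[:space:]]/s/^/# /" "$file" > "$tmp" && cat "$tmp" > "$file"
    local rc=$?
    rm -f "$tmp"
    return $rc
}

main() {
    local user=$1
    if ! user_exists "$user"; then
        echo "deal: no such user: $user" >&2
        return 1
    fi
    local rules
    rules=$(iptables -S 2>/dev/null | find_user_rules "$user")
    if [ -n "$rules" ]; then
        printf 'Firewall rules for %s on %s:\n%s\n' "$user" "$(hostname)" "$rules" \
            | mail -s "deal: firewall rules for $user on $(hostname)" "$ADMIN_MAIL"
    fi
    backup_home "$user" /home "$ARCHIVE_DIR" || return 1
    comment_sudoers_entry "$user" /etc/sudoers || return 1
    # Refuse to delete the account if the edited sudoers no longer parses.
    visudo -cf /etc/sudoers > /dev/null || {
        echo "deal: sudoers check failed, not deleting $user" >&2; return 1; }
    userdel -r "$user"
}

# Only act when a username is given, e.g.:  ./deal ray4
if [ "$#" -ge 1 ]; then
    main "$1"
fi
```

Each task lives in its own function that takes its paths as arguments, so the backup, sudoers and firewall-filter steps can be tried on a scratch directory and a constructed rule listing such as `-A OUTPUT -m owner --uid-owner ray4 -j DROP` before the script is pushed out through Satellite; only `main` touches the real `/home`, `/etc/sudoers` and `userdel`.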
If `Ray[46]` is assuredly unique, pretty much every test in your script is redundant. The above will scan its input for any line containing the `/addressed/` string, and, if found, will change only that line to contain everything but the addressed string. The following simply deletes only addressed lines:

So `grep` then `sed` is not necessary. True, `grep` is faster than `sed`, but in the time it takes to invoke `grep` and `[test]` its output then invoke `sed`, `sed` would likely already have finished clearing all concerned files of the offending string. Then again, if you do want to `grep` then `sed` for whatever reason, the following would be much more to the point:

Or with GNU `sed`:

And as mentioned above, `mkdir -p` makes a target directory only if necessary, so this should suffice:

You could even get a log of it all to review exactly what was done on only those machines where something occurred:

That above assumes your target user has a `$HOME` in `/home` named for the user's username. If the assumption is correct, it only takes action on any machine on which the target user's username is registered. To do the same without `grep` you can leave `tee` out as well. Just change the `sed` line to:

That will overwrite `sed`'s hold space with each new line `sed` finds containing the string `'$remove'`. When `sed` is through scanning and gets to the last line it switches to the hold space, and, if it finds any references to `$remove`, it writes the filename to `stderr`. If you run a script like the one I wrote above from your own machine and you `ssh` out to all of the targets, then you don't have to open an `ssh` connection from each of them back to your own machine - you're already there. You could remove the last `|pipe` and everything following it and do this instead:
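The `sed` commands this answer refers to are missing from this copy of the page, so here is an added example, written for this thread and not the answerer's own script, of the point it makes: one `sed` pass per file both deletes the addressed lines and reports which files were actually changed, with no `grep`, no `[test]` and no `tee`. Instead of the hold-space variant described above it uses the `w` flag of `s///`, which writes the (rewritten) pattern space to a file only when a substitution happened. It assumes GNU `sed` (`-i`, and `/dev/stderr` as a `w` target); the `$remove` variable name is taken from the answer, the file contents in the usage note are constructed.

```shell
#!/bin/bash
# purge_user_lines: delete every line beginning "<user>:" from each file given,
# and write the file's name to stderr once per line removed, in a single sed pass.
# Added example for this thread, not the answerer's script. Requires GNU sed.
purge_user_lines() {
    local remove=$1; shift
    local file
    for file in "$@"; do
        [ -f "$file" ] || continue
        # For each line addressed by /^remove:/ :
        #   s|.*|file|w /dev/stderr  replace the line with the file name and, because
        #                            a substitution was made, write it to stderr;
        #   d                        then drop the line so it never reaches the output.
        # The w target extends to end of line, so `d` must begin a new line.
        # File names containing |, & or \ would need escaping in the replacement.
        sed -i "/^${remove}:/{
s|.*|${file}|w /dev/stderr
d
}" "$file"
    done
}

# Usage from the controlling host, e.g. over an ssh loop to each node:
#   purge_user_lines ray4 /etc/group /etc/some-app/users.conf 2>> changed-files.log
# Every file that actually lost a line appears in changed-files.log; untouched files
# are silent, which is the "log of only those machines where something occurred".
if [ "$#" -ge 2 ]; then
    purge_user_lines "$@"
fi
```

Because the name is written once per deleted line, pipe the log through `sort -u` if a file can hold several entries for the same user. Try it on scratch copies first: for the real `/etc/passwd` and `/etc/shadow` the distribution's `userdel` keeps the account databases consistent in a way a bare `sed` does not.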