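#!/usr/bin/env bash
# Aim of this script is to extract the IPs of the OpenVZ VPSes on this host server and
# check several anti-malware / scam-tracker webpages for domains listed against those
# IPs. If a page returns a domain for one of our IPs, the admin is notified by email
# that the IP may host a bad webpage. Each IP is also probed once for being an open
# DNS resolver.
#
# Only small state files next to the script are written (vmips, suspiciousdomainshosted,
# openresolverips); the URL templates are substituted in memory, so no ramdisk and no
# mount privileges are needed.
#
# Fixed IP list instead of the OpenVZ VPS list: populate the "vmips" file next to this
# script with one IPv4 address per line. It is used as-is whenever the vzlist command
# is not installed; if vzlist IS installed and you still want the fixed list, comment
# out the vzlist line in main.
#
# Update your email address (adminmail variable).
#
# vzlist normally needs root. The script uses bash features ([[ ]], arrays, BASH_SOURCE,
# process substitution), so the cronjob must run it with bash, not /bin/sh, e.g. daily:
# 0 0 * * * /bin/bash /root/scamcheck/scamchecknode.sh

# -e is deliberately not used: curl, dig and grep legitimately return non-zero here
# (site down, no answer, no match) and that must not abort the run.
set -u

adminmail=YOU@gmail.com

thisscriptdir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) || exit 1
ip_list=$thisscriptdir/vmips
suspiciousdomainshosted=$thisscriptdir/suspiciousdomainshosted
whitelistdomains=$thisscriptdir/whitelistdomains
# Lives next to the script, not in /tmp: a predictable, world-writable /tmp path that
# root reads and appends lets any local user pre-seed it and silence the alert.
openresolverips=$thisscriptdir/openresolverips

# List of anti-malware sites / monitors, one URL per entry. "IPHERE" is replaced by the
# actual IP before the page is fetched.
watchlist_urls=(
  "http://db.aa419.org/fakebankslist.php?psearch=IPHERE"
  "http://support.clean-mx.de/clean-mx/portals.php?ip=IPHERE&sort=id%20DESC&response=alive"
  "http://support.clean-mx.de/clean-mx/viruses.php?ip=IPHERE&sort=id%20DESC&response=alive"
)

# Lines of vmips end up in URLs, a dig argument and mail subjects; only a bare dotted
# quad is accepted, since the file may be hand-edited.
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

#######################################
# Print the domains referenced on one watch page, one per line, sorted and deduplicated.
# Arguments: $1 - fully substituted URL to fetch
# Outputs:   domain names on stdout (nothing on fetch failure or when nothing matches)
# The page content is untrusted third-party data; callers must treat every line as an
# opaque string (fixed-string matching, never a pattern, never unquoted).
#######################################
extract_domains() {
  local url=$1
  # --max-time bounds a hung site. The filter pipeline is the original one:
  # "419" drops aa419's own links, "w3." drops w3.org boilerplate links.
  curl --silent --max-time 60 "$url" \
    | grep -ahoP 'http[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?' \
    | grep -v "419" \
    | grep -v "w3." \
    | awk -F/ '{print $3}' \
    | sed -e "s/http:\/\/www.//g" \
    | sed -e "s/www.//g" \
    | sed -e "s/http:\/\///g" \
    | sort -u
}

#######################################
# Heuristic open-resolver probe: does the IP answer a recursive query for an outside name?
# Arguments: $1 - IPv4 address to query
# Returns:   0 if dig +short yields exactly one answer line (after dropping dig's
#            ";"-prefixed diagnostics), non-zero otherwise
#######################################
is_open_resolver() {
  local ip=$1 answers
  answers=$(dig +short @"$ip" dnsscan.shadowserver.org 2>/dev/null | grep -vcE ';|,')
  [[ "$answers" == "1" ]]
}

#######################################
# Alert once per IP that looks like an open resolver; openresolverips remembers alerts.
# Arguments: $1 - IPv4 address
#######################################
report_open_resolver() {
  local ip=$1
  # -x -F: whole-line literal match, so 10.0.0.1 on file does not hide 10.0.0.10
  if grep -qxF -- "$ip" "$openresolverips" 2>/dev/null; then
    return 0
  fi
  if is_open_resolver "$ip"; then
    printf '%s\n' "$ip" >> "$openresolverips"
    echo "Based on dig +short @$ip dnsscan.shadowserver.org, the $ip might be open resolver (can participate in DNS ampliffication attack) https://www.us-cert.gov/ncas/alerts/TA13-088A" \
      | mail -s "$ip is open resolver" "$adminmail"
  fi
}

#######################################
# Mail the admin about every domain on a watch page that is neither already reported
# (suspiciousdomainshosted) nor whitelisted (whitelistdomains), and record it.
# Arguments: $1 - IPv4 address the page was queried for
#            $2 - fully substituted page URL (quoted in the mail as the source)
#######################################
report_new_domains() {
  local ip=$1 url=$2 domain
  while IFS= read -r domain; do
    [[ -n "$domain" ]] || continue
    # Whole-line literal matches: the original substring test let "ample.com" on file
    # suppress "example.com", and a scraped domain is data, never a pattern.
    if grep -qxF -- "$domain" "$suspiciousdomainshosted"; then
      continue
    fi
    if grep -qxF -- "$domain" "$whitelistdomains" 2>/dev/null; then
      continue
    fi
    printf '%s\n' "$domain" >> "$suspiciousdomainshosted"
    printf '%s\n' "New suspicious domain $domain hosted on $ip." \
      "Source: $url" \
      "This email was sent from $(hostname), script $thisscriptdir" \
      | mail -s "New suspicious domain at $ip" "$adminmail"
  done < <(extract_domains "$url")
}

#######################################
# Entry point: refresh the IP list, then probe and scrape every IP in turn.
#######################################
main() {
  # Forget reported domains after ~4 months without new entries (file mtime), so a
  # repeat offender is alerted again. Must run before the touch below, otherwise the
  # file is always "new". (The original used -ctime -2880, which is days, not hours,
  # and touched first, so it never purged.)
  find "$thisscriptdir" -maxdepth 1 -name suspiciousdomainshosted -mtime +120 -delete
  touch "$suspiciousdomainshosted"

  # setting IP list out of running OpenVZ VPS list; without vzlist the existing vmips
  # file (fixed IP list, one per line) is used as-is
  if command -v vzlist >/dev/null 2>&1; then
    vzlist | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > "$ip_list"
  else
    printf 'vzlist not found, using existing %s\n' "$ip_list" >&2
  fi
  if [[ ! -r "$ip_list" ]]; then
    printf 'no readable IP list at %s\n' "$ip_list" >&2
    exit 1
  fi

  local ip url
  while IFS= read -r ip || [[ -n "$ip" ]]; do
    if [[ ! "$ip" =~ $ipv4_re ]]; then
      printf 'skipping non-IPv4 line in %s: %s\n' "$ip_list" "$ip" >&2
      continue
    fi
    report_open_resolver "$ip"
    for url in "${watchlist_urls[@]}"; do
      report_new_domains "$ip" "${url//IPHERE/$ip}"
      sleep 5  # be polite to the watch sites
    done
    sleep 10
  done < "$ip_list"
}

main "$@"
# complete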