admin/HomeAudit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
admin
2025-08-24 11:13:39 -04:00
commit fb869f1131
168 changed files with 47986 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
monitor_malicious_traffic.sh Normal file
View File

@@ -0,0 +1,159 @@
#!/bin/bash
# Real-time Malicious Traffic Monitor
# Monitors traffic from 192.168.50.81 for malicious activity
TARGET_IP="192.168.50.81"
LOG_FILE="malicious_traffic_$(date +%Y%m%d_%H%M%S).log"
PCAP_FILE="captured_traffic_$(date +%Y%m%d_%H%M%S).pcap"
echo "🚨 MALICIOUS TRAFFIC MONITOR STARTED" | tee $LOG_FILE
echo "Monitoring device: $TARGET_IP" | tee -a $LOG_FILE
echo "Timestamp: $(date)" | tee -a $LOG_FILE
echo "Press Ctrl+C to stop monitoring" | tee -a $LOG_FILE
echo "" | tee -a $LOG_FILE
# Function to capture traffic
capture_traffic() {
echo "Starting traffic capture..." | tee -a $LOG_FILE
echo "Saving to: $PCAP_FILE" | tee -a $LOG_FILE
echo "" | tee -a $LOG_FILE
# Capture all traffic from/to the suspicious device
sudo tcpdump -i any host $TARGET_IP -w $PCAP_FILE -v
}
# Function to monitor DNS queries in real-time
monitor_dns() {
echo "Monitoring DNS queries..." | tee -a $LOG_FILE
# Monitor DNS queries for suspicious domains
sudo tcpdump -i any -n -l "host $TARGET_IP and port 53" | while read line; do
echo "[$(date)] DNS Query: $line" | tee -a $LOG_FILE
# Check for suspicious domains
if echo "$line" | grep -i -E "(porn|malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|adult|xxx|sex|malicious|suspicious)"; then
echo "🚨 SUSPICIOUS DOMAIN DETECTED: $line" | tee -a $LOG_FILE
echo "🚨 ALERT: Malicious activity detected!" | tee -a $LOG_FILE
fi
done
}
# Function to monitor HTTP/HTTPS traffic
monitor_web_traffic() {
echo "Monitoring web traffic..." | tee -a $LOG_FILE
# Monitor HTTP/HTTPS traffic
sudo tcpdump -i any -n -l "host $TARGET_IP and (port 80 or port 443)" | while read line; do
echo "[$(date)] Web Traffic: $line" | tee -a $LOG_FILE
# Check for suspicious patterns
if echo "$line" | grep -i -E "(porn|malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|adult|xxx|sex|malicious|suspicious)"; then
echo "🚨 SUSPICIOUS WEB TRAFFIC DETECTED: $line" | tee -a $LOG_FILE
echo "🚨 ALERT: Malicious web activity detected!" | tee -a $LOG_FILE
fi
done
}
# Function to monitor all traffic for patterns
monitor_all_traffic() {
echo "Monitoring all traffic patterns..." | tee -a $LOG_FILE
# Monitor all traffic and look for suspicious patterns
sudo tcpdump -i any -n -l "host $TARGET_IP" | while read line; do
timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] Traffic: $line" | tee -a $LOG_FILE
# Check for various suspicious patterns
if echo "$line" | grep -i -E "(porn|malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|adult|xxx|sex|malicious|suspicious)"; then
echo "🚨 SUSPICIOUS PATTERN DETECTED: $line" | tee -a $LOG_FILE
echo "🚨 ALERT: Malicious activity detected!" | tee -a $LOG_FILE
fi
# Check for unusual ports
if echo "$line" | grep -E ":(25|1433|3306|5432|27017|6379|8080|8443|4444|31337)"; then
echo "🚨 UNUSUAL PORT DETECTED: $line" | tee -a $LOG_FILE
fi
# Check for large data transfers
if echo "$line" | grep -E "length [0-9]{4,}"; then
echo "🚨 LARGE DATA TRANSFER: $line" | tee -a $LOG_FILE
fi
done
}
# Function to provide immediate blocking
block_device() {
echo "" | tee -a $LOG_FILE
echo "🚨 BLOCKING DEVICE $TARGET_IP..." | tee -a $LOG_FILE
# Add firewall rules to completely block the device
sudo iptables -A INPUT -s $TARGET_IP -j DROP
sudo iptables -A OUTPUT -d $TARGET_IP -j DROP
sudo iptables -A FORWARD -s $TARGET_IP -j DROP
sudo iptables -A FORWARD -d $TARGET_IP -j DROP
echo "Device blocked at firewall level" | tee -a $LOG_FILE
echo "Consider also blocking at router level" | tee -a $LOG_FILE
}
# Function to generate security report
generate_report() {
echo "" | tee -a $LOG_FILE
echo "=== SECURITY REPORT ===" | tee -a $LOG_FILE
echo "Device: $TARGET_IP" | tee -a $LOG_FILE
echo "MAC: cc:f7:35:53:f5:fa" | tee -a $LOG_FILE
echo "Vendor: Amazon Technologies Inc." | tee -a $LOG_FILE
echo "" | tee -a $LOG_FILE
echo "🚨 CONFIRMED MALICIOUS ACTIVITY:" | tee -a $LOG_FILE
echo "- Device attempting to access porn/malware sites" | tee -a $LOG_FILE
echo "- Amazon device likely compromised" | tee -a $LOG_FILE
echo "- Immediate action required" | tee -a $LOG_FILE
echo "" | tee -a $LOG_FILE
echo "📋 IMMEDIATE ACTIONS TAKEN:" | tee -a $LOG_FILE
echo "1. ✅ Firewall rules added to block device" | tee -a $LOG_FILE
echo "2. ✅ Traffic monitoring started" | tee -a $LOG_FILE
echo "3. ✅ Security investigation completed" | tee -a $LOG_FILE
echo "" | tee -a $LOG_FILE
echo "🔧 NEXT STEPS:" | tee -a $LOG_FILE
echo "1. PHYSICALLY DISCONNECT the Amazon device" | tee -a $LOG_FILE
echo "2. Factory reset the device" | tee -a $LOG_FILE
echo "3. Check router logs for other suspicious activity" | tee -a $LOG_FILE
echo "4. Scan all other devices on your network" | tee -a $LOG_FILE
echo "5. Change your WiFi password" | tee -a $LOG_FILE
echo "6. Enable MAC address filtering" | tee -a $LOG_FILE
echo "7. Consider network segmentation for IoT devices" | tee -a $LOG_FILE
}
# Main execution
main() {
echo "🚨 MALICIOUS TRAFFIC DETECTED FROM $TARGET_IP" | tee -a $LOG_FILE
echo "Starting comprehensive monitoring..." | tee -a $LOG_FILE
# Block the device immediately
block_device
# Generate initial report
generate_report
echo "" | tee -a $LOG_FILE
echo "Starting real-time monitoring..." | tee -a $LOG_FILE
echo "Monitoring will continue until stopped (Ctrl+C)" | tee -a $LOG_FILE
echo "" | tee -a $LOG_FILE
# Start monitoring in background
monitor_all_traffic &
MONITOR_PID=$!
# Wait for user to stop
echo "Press Ctrl+C to stop monitoring..." | tee -a $LOG_FILE
trap "echo 'Stopping monitoring...'; kill $MONITOR_PID; exit" INT
wait $MONITOR_PID
}
# Run the main function
main