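#!/bin/bash
#
# Security Investigation Script for a Suspicious Device
#
# Collects evidence about a LAN host (default 192.168.50.81) from the point of
# view of the machine running this script, optionally blocks that host with
# iptables, and writes everything to a timestamped log in the current directory.
#
# Usage: ./investigate.sh [TARGET_IP]
#
# Scope / caveats a reader should know before trusting the output:
#   * Every check below inspects THIS host (its sockets, journal, /tmp, ...),
#     not the suspicious device itself.  Nothing here proves the device is
#     compromised; the "malware indicator" checks are keyword heuristics.
#   * The DNS section only sees queries that THIS host's resolver handled.
#   * iptables rules added here are not persistent across reboots, and they
#     only protect this host - other machines on the LAN are unaffected.
#   * Several commands need root; they are run through sudo and may prompt.

set -u   # unset variables are bugs here; no -e because a non-matching grep
         # (exit 1) must not abort an evidence-gathering run.

# Log and backup files contain network details; keep them private.
umask 077

# The target can be given as $1; the hard-coded address stays the default so
# existing invocations keep working.
TARGET_IP="${1:-192.168.50.81}"
LOG_FILE="security_investigation_$(date +%Y%m%d_%H%M%S).log"
SUSPICIOUS_DOMAINS_FILE="suspicious_domains.txt"

# TARGET_IP is interpolated into grep patterns and iptables rules, so refuse
# anything that is not a plain dotted-quad (no options, no regex metachars).
if [[ ! "$TARGET_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
  printf 'Error: "%s" is not a valid IPv4 address\n' "$TARGET_IP" >&2
  exit 2
fi
readonly TARGET_IP LOG_FILE SUSPICIOUS_DOMAINS_FILE

#######################################
# Write a line to stdout and append it to the log.
# Arguments: the message (may be empty)
#######################################
log() {
  printf '%s\n' "$*" | tee -a "$LOG_FILE"
}

#######################################
# Append stdin to the log while echoing it to stdout.
#######################################
log_pipe() {
  tee -a "$LOG_FILE"
}

: > "$LOG_FILE"
log "=== Security Investigation for $TARGET_IP ==="
log "Timestamp: $(date)"
log "WARNING: Device may be compromised!"
log ""

# Keyword list used by check_dns_queries() to flag resolver log lines.
# These are generic words, not real domains, so expect false positives.
cat > "$SUSPICIOUS_DOMAINS_FILE" << 'EOF'
# Malware/Phishing domains
malware
virus
trojan
phishing
spam
botnet
crypto
mining
ransomware
ddos
exploit
hack
crack
warez
porn
adult
xxx
sex
malicious
suspicious
EOF

#######################################
# 1. Sockets, routes and firewall rules on THIS host that mention the target.
# Globals: TARGET_IP, LOG_FILE
#######################################
check_current_connections() {
  log "1. Checking current network connections from $TARGET_IP..."
  log ""

  # `ss -tuln` lists only LISTENING sockets, which never carry a peer address,
  # so the original grep could not find anything.  Drop -l to see established
  # (non-listening) TCP/UDP sockets.  -F/-w: the address is a literal, and
  # 192.168.50.81 must not also match 192.168.50.810.
  log "Established connections:"
  ss -tun | grep -F -w -- "$TARGET_IP" | log_pipe

  log ""
  log "Routing table entries involving $TARGET_IP:"
  ip route | grep -F -w -- "$TARGET_IP" | log_pipe

  # -S prints rule specs (addresses appear as a.b.c.d/32), which greps more
  # reliably than the -L table layout.  Requires root.
  log ""
  log "Firewall rules for $TARGET_IP:"
  sudo iptables -S | grep -F -w -- "$TARGET_IP" | log_pipe
}

#######################################
# 2. Capture 30 seconds of traffic to/from the target (requires root).
# Not called from main(); run it explicitly when a live capture is wanted.
# Globals: TARGET_IP, LOG_FILE
#######################################
monitor_traffic() {
  log ""
  log "2. Monitoring network traffic from $TARGET_IP..."
  log "Press Ctrl+C to stop monitoring"
  log ""

  # -l line-buffers tcpdump so output reaches the log as it is captured
  # instead of being lost when timeout kills the process.
  log "Starting traffic capture (30 seconds)..."
  timeout 30 sudo tcpdump -l -i any host "$TARGET_IP" -n | log_pipe
}

#######################################
# 3. Resolver activity on THIS host.
# Only queries handled by this machine's systemd-resolved are visible, and
# resolved does not log individual queries unless its log level is raised.
# Globals: TARGET_IP, LOG_FILE, SUSPICIOUS_DOMAINS_FILE
#######################################
check_dns_queries() {
  local journal
  log ""
  log "3. Checking DNS queries..."

  journal=$(journalctl -q -u systemd-resolved --since "1 hour ago" 2>/dev/null)

  log "Recent DNS queries:"
  printf '%s\n' "$journal" | grep -i "query\|dns" | tail -20 | log_pipe

  # Weak heuristic: any journal line containing one of the keywords above.
  log ""
  log "Journal lines matching suspicious keywords:"
  printf '%s\n' "$journal" | grep -v '^#' "$SUSPICIOUS_DOMAINS_FILE" \
    | grep -i -F -f /dev/stdin 2>/dev/null | log_pipe

  # Statistics are counters (cache hits/misses, DNSSEC results), not cache
  # contents, and cannot detect cache poisoning on their own.
  log ""
  log "DNS resolver statistics:"
  if command -v resolvectl > /dev/null 2>&1; then
    resolvectl statistics | log_pipe
  else
    systemd-resolve --statistics | log_pipe   # older systemd
  fi
}

#######################################
# 4. Keyword-based "malware indicator" checks on THIS host.
# Globals: LOG_FILE
#######################################
check_malware_indicators() {
  log ""
  log "4. Checking for malware indicators..."

  # pgrep -af searches full command lines and never matches itself, replacing
  # the ps | grep | grep -v grep chain.
  log "Checking for unusual processes..."
  pgrep -af 'crypto|mining|malware|suspicious' | log_pipe

  # Connections (not listeners) whose local or peer port is one of a few
  # commonly abused service ports.  The trailing ( |$) keeps :25 from
  # matching :2500.
  log ""
  log "Checking for connections to suspicious ports..."
  ss -tun | grep -E ':(25|1433|3306|5432|27017|6379|8080|8443)( |$)' | log_pipe

  # The original expression bound -mtime -1 only to *.sh because -o binds
  # looser than the implicit -a; group the names so the age filter applies
  # to all three patterns.
  log ""
  log "Checking for recently modified suspicious files..."
  find /tmp /var/tmp -type f \
    \( -name '*.exe' -o -name '*.bat' -o -name '*.sh' \) \
    -mtime -1 2>/dev/null | log_pipe
}

#######################################
# 5. Print the recommendation checklist.
# Globals: TARGET_IP, LOG_FILE
#######################################
security_recommendations() {
  log ""
  log "5. IMMEDIATE SECURITY RECOMMENDATIONS:"
  log "========================================="
  log ""
  log "🚨 URGENT ACTIONS:"
  log "1. DISCONNECT the device from your network immediately"
  log "2. Block the device at your router level"
  log "3. Factory reset the Amazon device"
  log "4. Check all other devices on your network"
  log "5. Update your router's firmware"
  log "6. Change your WiFi password"
  log "7. Enable MAC address filtering on your router"
  log ""
  log "🔧 TECHNICAL ACTIONS:"
  # -I ... 1 puts the DROP before any earlier ACCEPT (e.g. a blanket LAN or
  # ESTABLISHED rule); appending with -A would leave it unreachable.
  log "1. Add firewall rule to block $TARGET_IP (on this host only):"
  log "   sudo iptables -I INPUT 1 -s $TARGET_IP -j DROP"
  log "   sudo iptables -I OUTPUT 1 -d $TARGET_IP -j DROP"
  log ""
  log "2. Monitor your router's logs for suspicious activity"
  log "3. Check for unauthorized devices on your network"
  log "4. Consider using a separate IoT network"
  log ""
  log "📋 LONG-TERM SECURITY:"
  log "1. Implement network segmentation"
  log "2. Use a firewall with intrusion detection"
  log "3. Regularly update all IoT devices"
  log "4. Monitor network traffic regularly"
  log "5. Consider using a security-focused router"
}

#######################################
# 6. Block the target on THIS host with iptables (needs passwordless sudo).
# Takes a backup of the ruleset BEFORE changing it, inserts the DROP rules at
# the head of INPUT/OUTPUT, and skips rules that already exist.
# Globals: TARGET_IP, LOG_FILE
#######################################
create_firewall_rules() {
  local backup
  log ""
  log "6. Creating firewall rules to block $TARGET_IP..."

  if sudo -n true 2>/dev/null; then
    # Save the pre-change ruleset so the block can be reverted.  mktemp avoids
    # the predictable /tmp name the original used (symlink/clobber risk).
    if command -v iptables-save > /dev/null 2>&1; then
      backup=$(mktemp -t iptables_backup.XXXXXX) \
        && sudo iptables-save > "$backup" \
        && log "Iptables rules backed up to $backup"
    fi

    log "Adding iptables rules..."
    # -C tests for an identical rule; only insert when it is absent so repeated
    # runs do not pile up duplicates.  -I 1 places the DROP ahead of any
    # existing ACCEPT so it actually takes effect.
    if ! sudo iptables -C INPUT -s "$TARGET_IP" -j DROP 2>/dev/null; then
      sudo iptables -I INPUT 1 -s "$TARGET_IP" -j DROP
    fi
    if ! sudo iptables -C OUTPUT -d "$TARGET_IP" -j DROP 2>/dev/null; then
      sudo iptables -I OUTPUT 1 -d "$TARGET_IP" -j DROP
    fi
    log "Firewall rules added successfully"
    log "NOTE: rules are not persistent; re-apply or save them after reboot"
  else
    log "Cannot run sudo. Please manually add firewall rules:"
    log "sudo iptables -I INPUT 1 -s $TARGET_IP -j DROP"
    log "sudo iptables -I OUTPUT 1 -d $TARGET_IP -j DROP"
  fi
}

#######################################
# Entry point: run the passive checks, apply the block, print the checklist.
# monitor_traffic() is intentionally not invoked here (30 s root capture).
#######################################
main() {
  log "🚨 SECURITY ALERT: Device $TARGET_IP may be compromised!"
  log "Starting security investigation..."

  check_current_connections
  check_dns_queries
  check_malware_indicators
  create_firewall_rules
  security_recommendations

  log ""
  log "=== Investigation Complete ==="
  log "Full security report saved to: $LOG_FILE"
  log ""
  log "⚠️  IMMEDIATE ACTION REQUIRED: Disconnect the device!"
}

main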