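#!/bin/bash
# Real-time Malicious Traffic Monitor
#
# Blocks one LAN host at this machine's iptables firewall, prints a static
# incident report, then tails tcpdump for packets to/from that host and flags
# lines that match a few keyword / port / packet-size heuristics.
#
# Usage:   ./monitor.sh [TARGET_IP]
#          TARGET_IP defaults to 192.168.50.81 (the device this was written for).
# Needs:   bash 4+, tcpdump, iptables, and sudo rights to run both.
# Outputs: malicious_traffic_<stamp>.log in the current directory (everything
#          printed to the terminal is also appended there).
#
# Caveats to keep in mind before trusting the output:
#   * tcpdump on an ordinary host on a switched LAN only sees packets that reach
#     this host's interfaces (broadcast/multicast and traffic addressed to it).
#     Traffic between the target and the router/Internet is only visible when
#     this host is the gateway, sits on a mirror/SPAN port, or is the peer.
#   * The keyword list is a crude heuristic. It can only match text tcpdump
#     prints in clear — in practice DNS query names — never HTTPS payloads or
#     SNI, and it false-positives on ordinary names ("crypto", "sex" inside
#     "sussex", ...). Treat hits as leads, not verdicts.
#   * The iptables rules added here are not persisted (gone after a reboot);
#     run iptables-save / netfilter-persistent if they should stick.

set -uo pipefail

readonly DEFAULT_TARGET_IP="192.168.50.81"

TARGET_IP="${1:-$DEFAULT_TARGET_IP}"
# Identity details of the default device as recorded by the original author.
# They are only echoed into the report; nothing here verifies them.
TARGET_MAC="${TARGET_MAC:-cc:f7:35:53:f5:fa}"
TARGET_VENDOR="${TARGET_VENDOR:-Amazon Technologies Inc.}"

# One timestamp for both artifacts so log and pcap names always pair up
# (the original called date twice and could straddle a second boundary).
RUN_STAMP="$(date +%Y%m%d_%H%M%S)"
LOG_FILE="malicious_traffic_${RUN_STAMP}.log"
PCAP_FILE="captured_traffic_${RUN_STAMP}.pcap"

# Heuristic patterns (POSIX ERE, matched with [[ =~ ]] so no grep is forked
# per packet). KEYWORD_RE is applied to the lowercased line.
readonly KEYWORD_RE='(porn|malware|virus|trojan|phishing|spam|botnet|crypto|mining|ransomware|ddos|exploit|hack|crack|warez|adult|xxx|sex|malicious|suspicious)'
# tcpdump -n prints endpoints as "addr.port": the source port is followed by
# " > " and the destination port by ": ". The original pattern looked for
# ":port", which never matches a port in that format but does match the
# hh:mm:ss timestamp at the start of every line (e.g. ":25" in "12:25:31"),
# so "UNUSUAL PORT" fired on the clock rather than on ports.
readonly UNUSUAL_PORT_RE='\.(25|1433|3306|5432|27017|6379|8080|8443|4444|31337)( > |: )'
# Per-PACKET length of 1000+ bytes. A full-size TCP segment is ~1460 bytes, so
# this fires on any bulk download, not only on anomalous transfers.
readonly LARGE_PACKET_RE='length [0-9]{4,}'

die() { printf '%s\n' "$*" >&2; exit 1; }

# Print to the terminal and append to LOG_FILE.
log() { printf '%s\n' "$*" | tee -a "$LOG_FILE"; }

# TARGET_IP is interpolated into a BPF filter and into iptables arguments, so
# accept nothing but a dotted quad once it can come from the command line.
[[ "$TARGET_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] \
  || die "TARGET_IP must be a dotted-quad IPv4 address, got: $TARGET_IP"

# Truncate/create the log (the original's first `tee` without -a did this).
: > "$LOG_FILE" || die "cannot write log file $LOG_FILE"

log "🚨 MALICIOUS TRAFFIC MONITOR STARTED"
log "Monitoring device: $TARGET_IP"
log "Timestamp: $(date)"
log "Press Ctrl+C to stop monitoring"
log ""

# Heuristic classifiers. Each takes one tcpdump output line and returns 0 on a
# hit, 1 otherwise.
matches_keyword()      { [[ "${1,,}" =~ $KEYWORD_RE ]]; }
matches_unusual_port() { [[ "$1" =~ $UNUSUAL_PORT_RE ]]; }
matches_large_packet() { [[ "$1" =~ $LARGE_PACKET_RE ]]; }

# Write every packet to/from the target to PCAP_FILE. Not called by main —
# run it by hand (e.g. in a second terminal) when a full capture is wanted.
capture_traffic() {
  log "Starting traffic capture..."
  log "Saving to: $PCAP_FILE"
  log ""
  # Options before the filter expression so the command does not rely on
  # getopt argument permutation.
  sudo tcpdump -i any -v -w "$PCAP_FILE" host "$TARGET_IP"
}

# Echo DNS traffic to/from the target and flag query names that hit the
# keyword list. DNS is the one feed where the keywords can realistically
# match, because tcpdump prints the queried name in clear. Not called by main.
monitor_dns() {
  log "Monitoring DNS queries..."
  local line
  sudo tcpdump -i any -n -l "host $TARGET_IP and port 53" \
    | while IFS= read -r line; do
        log "[$(date)] DNS Query: $line"
        if matches_keyword "$line"; then
          log "🚨 SUSPICIOUS DOMAIN DETECTED: $line"
          log "🚨 ALERT: Malicious activity detected!"
        fi
      done
}

# Echo HTTP/HTTPS traffic to/from the target. NOTE: with -n and without -A,
# tcpdump prints only addresses, ports, flags and lengths — no URL, no Host
# header, no SNI — so the keyword check on this feed almost never matches.
# Not called by main.
monitor_web_traffic() {
  log "Monitoring web traffic..."
  local line
  sudo tcpdump -i any -n -l "host $TARGET_IP and (port 80 or port 443)" \
    | while IFS= read -r line; do
        log "[$(date)] Web Traffic: $line"
        if matches_keyword "$line"; then
          log "🚨 SUSPICIOUS WEB TRAFFIC DETECTED: $line"
          log "🚨 ALERT: Malicious web activity detected!"
        fi
      done
}

# Echo every packet to/from the target and apply all three heuristics.
# This is the monitor main() runs in the background. Inbound packets from the
# device still show up after block_device, since capture taps the link layer
# before netfilter's INPUT chain; this host's own (dropped) replies do not.
monitor_all_traffic() {
  log "Monitoring all traffic patterns..."
  local line stamp
  sudo tcpdump -i any -n -l "host $TARGET_IP" \
    | while IFS= read -r line; do
        stamp="$(date '+%Y-%m-%d %H:%M:%S')"
        log "[$stamp] Traffic: $line"
        if matches_keyword "$line"; then
          log "🚨 SUSPICIOUS PATTERN DETECTED: $line"
          log "🚨 ALERT: Malicious activity detected!"
        fi
        if matches_unusual_port "$line"; then
          log "🚨 UNUSUAL PORT DETECTED: $line"
        fi
        if matches_large_packet "$line"; then
          log "🚨 LARGE DATA TRANSFER: $line"
        fi
      done
}

# Insert one DROP rule for TARGET_IP at the head of CHAIN unless an identical
# rule already exists. Arguments: $1 chain (INPUT/OUTPUT/FORWARD), $2 match
# flag (-s or -d). Returns iptables' status on failure.
# Why -I and not -A: iptables stops at the first matching rule, so a DROP
# appended after a broad ACCEPT (the usual "allow established" rule) is never
# reached. Why -C first: repeated runs would otherwise pile up duplicates.
add_drop_rule() {
  local chain=$1 flag=$2
  if sudo iptables -C "$chain" "$flag" "$TARGET_IP" -j DROP 2>/dev/null; then
    return 0
  fi
  sudo iptables -I "$chain" 1 "$flag" "$TARGET_IP" -j DROP
}

# Block all traffic between this host and TARGET_IP at the local firewall.
# Only reports success when every rule was added. The FORWARD rules only have
# an effect if this host routes for the LAN (ip_forward enabled); on a normal
# client they are harmless but inert.
block_device() {
  log ""
  log "🚨 BLOCKING DEVICE $TARGET_IP..."
  local ok=1
  add_drop_rule INPUT   -s || ok=0
  add_drop_rule OUTPUT  -d || ok=0
  add_drop_rule FORWARD -s || ok=0
  add_drop_rule FORWARD -d || ok=0
  if (( ok )); then
    log "Device blocked at firewall level"
  else
    log "⚠️  One or more firewall rules could not be added; check the errors above"
  fi
  log "Consider also blocking at router level"
}

# Print the incident report. NOTE: this text is static. main() prints it
# BEFORE monitoring starts, so the "confirmed" findings and "completed"
# actions below are the author's prior assessment, not results produced by
# this run's heuristics — edit them to match what was actually observed.
generate_report() {
  log ""
  log "=== SECURITY REPORT ==="
  log "Device: $TARGET_IP"
  log "MAC: $TARGET_MAC"
  log "Vendor: $TARGET_VENDOR"
  log ""
  log "🚨 CONFIRMED MALICIOUS ACTIVITY:"
  log "- Device attempting to access porn/malware sites"
  log "- Amazon device likely compromised"
  log "- Immediate action required"
  log ""
  log "📋 IMMEDIATE ACTIONS TAKEN:"
  log "1. ✅ Firewall rules added to block device"
  log "2. ✅ Traffic monitoring started"
  log "3. ✅ Security investigation completed"
  log ""
  log "🔧 NEXT STEPS:"
  log "1. PHYSICALLY DISCONNECT the Amazon device"
  log "2. Factory reset the device"
  log "3. Check router logs for other suspicious activity"
  log "4. Scan all other devices on your network"
  log "5. Change your WiFi password"
  log "6. Enable MAC address filtering"
  log "7. Consider network segmentation for IoT devices"
}

# Entry point: block, report, then monitor until Ctrl+C.
main() {
  log "🚨 MALICIOUS TRAFFIC DETECTED FROM $TARGET_IP"
  log "Starting comprehensive monitoring..."

  block_device
  generate_report

  log ""
  log "Starting real-time monitoring..."
  log "Monitoring will continue until stopped (Ctrl+C)"
  log ""

  # Install the trap before launching the job so an early Ctrl+C cannot land
  # in the window between `&` and `trap`. Ctrl+C from a terminal also reaches
  # the tcpdump child (same process group); a plain `kill` of this script from
  # elsewhere may leave the root-owned tcpdump running — check with pgrep.
  MONITOR_PID=""
  trap 'log "Stopping monitoring..."; [[ -n "$MONITOR_PID" ]] && kill "$MONITOR_PID" 2>/dev/null; exit 130' INT TERM

  monitor_all_traffic &
  MONITOR_PID=$!

  log "Press Ctrl+C to stop monitoring..."
  # Propagates the monitor's exit status (non-zero if sudo/tcpdump failed).
  wait "$MONITOR_PID"
}

main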