Bash

From wiki.kungfootek.net
Revision as of 19:03, 6 August 2019 by Daniel Baker

Bash Environment

My .bashrc


export VISUAL=vim

# Rebuilt before every prompt (via PROMPT_COMMAND) so the closing bracket is green
# or red depending on the last command's exit status, and user@host is red when root.
function MyPrompt {
        EXITSTATUS="$?"          # read first, before any other command overwrites $?
        BOLD="\[\033[1m\]"
        RED="\[\033[1;31m\]"
        GREEN="\[\e[32;1m\]"
        BLUE="\[\e[34;1m\]"
        OFF="\[\033[m\]"

        if [ "${UID}" -eq 0 ]
        then
                UID_COLOR=${RED}
        else
                UID_COLOR=${OFF}
        fi

        # Three-line prompt: day | user@host, month | time, year | working dir
        PROMPT="\n \D{%d} |${UID_COLOR} \u@\h ${OFF}\n \D{%m} | Time: \@ \n \D{%g} | \w \n"

        if [ "${EXITSTATUS}" -eq 0 ]
        then
                PS1="${PROMPT} ${BOLD}${GREEN}] ${OFF}"
        else
                PS1="${PROMPT} ${BOLD}${RED}] ${OFF}"
        fi

        PS2="${BOLD}>${OFF} "
}

PROMPT_COMMAND=MyPrompt

Reload Bashrc

Reload your bash settings.

source ~/.bashrc

Vim settings (these belong in ~/.vimrc, not .bashrc):

syntax on
filetype indent on

Bash Scriptlets

Find the date RHEL / Centos System software was last updated or installed

rpm -qa --queryformat '%{installtime} (%{installtime:date}) %{name}\n' | sort -n | tail -n1

For a detailed report of what software was updated or what software was installed, remove the tail command.

It's important to note that the latest date displayed by the above command may not be the date the system was updated; it is only the latest date on which any package was installed. In the example below, January 5th was actually the last date a system update was run, with individual packages installed as needed on later dates.

1515190849 (Fri 05 Jan 2018 02:20:49 PM PST) iwl3945-firmware
1515190849 (Fri 05 Jan 2018 02:20:49 PM PST) iwl7260-firmware
1515190850 (Fri 05 Jan 2018 02:20:50 PM PST) glibc
1515190850 (Fri 05 Jan 2018 02:20:50 PM PST) libgcc
1515190850 (Fri 05 Jan 2018 02:20:50 PM PST) libstdc++
1521240335 (Fri 16 Mar 2018 03:45:35 PM PDT) b9notifier
1521240346 (Fri 16 Mar 2018 03:45:46 PM PDT) b9agent
1523291607 (Mon 09 Apr 2018 09:33:27 AM PDT) iftop
1527143320 (Wed 23 May 2018 11:28:40 PM PDT) swiagent
1534649977 (Sat 18 Aug 2018 08:39:37 PM PDT) mysql-community-common
1534649977 (Sat 18 Aug 2018 08:39:37 PM PDT) mysql-community-libs
1534649982 (Sat 18 Aug 2018 08:39:42 PM PDT) mysql-community-client
1534650010 (Sat 18 Aug 2018 08:40:10 PM PDT) mysql-community-libs-compat
1534650010 (Sat 18 Aug 2018 08:40:10 PM PDT) mysql-community-server
1534653516 (Sat 18 Aug 2018 09:38:36 PM PDT) mysql-shell


rpm -qa --queryformat '%{installtime} (%{installtime:date}) %{name}\n' | sort -n | grep -E "(swiagent|bit9|filebeat)"


Stolen and subsequently modified from: how-to-tell-when-redhat-was-last-updated
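To separate the last bulk update run from the one-off installs the text warns about, here is an added shell example (not from the wiki) that groups the rpm listing by day and reports the newest day with at least N packages installed. The SAMPLE lines are constructed in the same format as the command's output; on a real host pass the live rpm output instead.

```shell
#!/bin/bash
# Constructed sample in the format of:
#   rpm -qa --queryformat '%{installtime} (%{installtime:date}) %{name}\n'
# (not data from a real system)
SAMPLE='1515190849 (Fri 05 Jan 2018 02:20:49 PM PST) iwl3945-firmware
1515190849 (Fri 05 Jan 2018 02:20:49 PM PST) iwl7260-firmware
1515190850 (Fri 05 Jan 2018 02:20:50 PM PST) glibc
1515190850 (Fri 05 Jan 2018 02:20:50 PM PST) libgcc
1515190850 (Fri 05 Jan 2018 02:20:50 PM PST) libstdc++
1521240335 (Fri 16 Mar 2018 03:45:35 PM PDT) b9notifier
1521240346 (Fri 16 Mar 2018 03:45:46 PM PDT) b9agent
1523291607 (Mon 09 Apr 2018 09:33:27 AM PDT) iftop'

# Name of the most recently installed package (what the page's 'tail -n1' shows).
latest_package() {
    printf '%s\n' "$1" | sort -n | tail -n1 | awk '{print $NF}'
}

# Most recent day on which at least MIN (default 3) packages were installed.
# A full 'yum update' drops many packages within seconds; a hand-picked
# install adds one or two, so the busy days are the real update runs.
last_bulk_update_day() {
    min="${2:-3}"
    printf '%s\n' "$1" | awk -v min="$min" '
        { day = $3 " " $4 " " $5            # fields 3..5 are "DD Mon YYYY"
          n[day]++
          if ($1 > epoch[day]) epoch[day] = $1 }
        END {
            best = 0
            for (d in n) if (n[d] >= min && epoch[d] > best) { best = epoch[d]; out = d }
            print out                         # empty if no day reaches the threshold
        }'
}

# On a live RHEL/CentOS host:
#   last_bulk_update_day "$(rpm -qa --queryformat '%{installtime} (%{installtime:date}) %{name}\n')"
echo "latest package installed: $(latest_package "$SAMPLE")"
echo "last bulk update day:     $(last_bulk_update_day "$SAMPLE")"
```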


Drill down into specific package updates:

yum history package-list <package-name-without-gt,lt>
] yum history package-list openssh-server
Loaded plugins: enabled_repos_upload, langpacks, package_upload, product-id, search-disabled-repos, subscription-manager
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
    52 | Updated        | openssh-server-7.4p1-13.el7_4.x86_64               EE
    52 | Update         |                7.4p1-16.el7.x86_64                 EE
     3 | Updated        | openssh-server-6.6.1p1-31.el7.x86_64               EE
     3 | Update         |                7.4p1-13.el7_4.x86_64               EE
     1 | Install        | openssh-server-6.6.1p1-31.el7.x86_64
history package-list
Uploading Enabled Repositories Report
Loaded plugins: langpacks, product-id, subscription-manager

Use the ID to get more details on the history for this package. Warning: this may generate pages of information!

yum history info 52

Find Source Ports for specific port connections

This will identify Active Directory / LDAP connections from SSSD (or another daemon) to the AD server.

netstat -an | grep '\:389 ' | gawk '{print $5}'
] 10.20.30.40:389


This will identify the outbound (local) port being used from SSSD (or another daemon) to the AD server.

netstat -an | grep '\:389 ' | gawk '{print $4}'
] 10.20.30.40:39684


Include the connection Status:

netstat -an | grep '\:389 ' | gawk '{print $5, $6 }'
] 10.20.30.40:389 ESTABLISHED

Find Folder and File sizes recursively.

This is an overly complex way to list the ten largest entries in the current directory in MB, roughly what 'du -sh * | sort -rh | head' does.

find . -maxdepth 1 -exec du -sk {} \; | sort -rn | head | while read size loc; do echo "scale=2; $size/1024" | bc | gawk '{ print $1"MB '"$loc"' " }'; done | column -t

Find PHP Shells

PHP shells are usually placed by malcontents that have hacked your system and will use the shell to infect other parts of your system. Place the following contents into an executable bash script and point it at the directory you want to search for PHP shells.

#!/bin/bash
# Usage: ./findshells.sh /path/to/webroot
# The -name tests are grouped so -type f applies to all of them; -print0/-0 keeps odd filenames safe.
find "$1" -type f \( -name "*.php" -o -name "*.sh" -o -name "*.txt" \) -print0 \
  | xargs -0 egrep -l "back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|revengans"

Bash Expansion

Sometimes you need to create a list of IP addresses really fast.

echo 10.245.10.{1..252} | tr ' ' '\012'

Kill off Lots of processes

If you find yourself with hundreds of similar or regex-able processes to kill (the '[w]get' bracket trick keeps the grep process itself out of the match list; pgrep -f wget does the same job):

killit=$(ps aux | grep '[w]get' | gawk '{print $2}') ; echo $killit ; kill -9 $killit


To filter by user and omit root processes. Thanks to Wendre Vaughan for this one.

killit=$(ps aux | grep '<user>' | grep -v root | gawk '{print $2}') ; echo $killit