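#!/usr/local/bin/bash
#
# process-check script
# kills any process that has too many socket connections, ie: mechs, bnc's, mirkforce, xdcc's, etc.
#
# crontab entry needed:
# */5 * * * * /usr/local/sbin/process-check >/dev/null 2>&1
#
# Zoidial, Inc.
# Eric Thern, 2001
#
# v0.1 11/03/2001 - initial release
# v0.2 11/04/2001 - added egrep, multiple entries
# v0.3 11/07/2001 - fixed second egrep checking connections - no more false positives
# v0.4 04/11/2002 - added logging to standard error syslog
# --- completely redid awks and egreps to rule out killing the wrong processes due to username matches
# v0.5 04/16/2002 - added illegal process section
# v0.6 06/18/2002 - added a whole different section that protects the main IP address from 'other' processes
# --- basically it only accepts daemons running as users: root, nobody, bind, shellsx or italguy
#
# Column numbers below assume FreeBSD sockstat output:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
#
# NOTE(review): detection is by substring of the command name only. Short
# alternatives such as "ez" or "muh" also match unrelated commands that merely
# contain those letters, so a legitimate process can be killed; anchoring the
# names (for example ^(psybnc|ezbnc)$) would narrow this. The match list is
# kept exactly as the author wrote it.

# Command-name patterns (extended regex), applied to sockstat's COMMAND column.
readonly IRC_COMMANDS='(bnc|psybnc|ezbnc|muh|ez|mech|emech|mirkforce|Mirkforce|iroffer|xdcc|sc_serv)'
readonly ILLEGAL_COMMANDS='(icecast|mirkforce|Mirkforce|iroffer|xdcc|sc_serv)'
# Foreign-address patterns; ":666" is unanchored, so it matches any port that
# starts with 666 (6660-6669 as well as 666 itself).
readonly IRC_PORTS='(:666|:7000|:8000|:8080)'

#######################################
# Print the PID of every matching process with more than two connections to
# one of the watched ports.
# Globals:   IRC_COMMANDS, IRC_PORTS (read)
# Arguments: none
# Inputs:    sockstat output on stdin
# Outputs:   one PID per line on stdout, each PID at most once
#######################################
irc_flood_pids() {
  # Count per (command, pid) over the whole snapshot. The previous
  # "uniq -c" without a sort only counted adjacent lines, so a process whose
  # sockets were interleaved with another's was under-counted.
  awk -v names="$IRC_COMMANDS" -v ports="$IRC_PORTS" '
    $3 ~ /^[0-9]+$/ && $2 ~ names && $7 ~ ports {
      # Emit on the third hit: same threshold as the original "$1 > 2".
      if (++hits[$2 SUBSEP $3] == 3) print $3
    }'
}

#######################################
# Print the PID of every process whose command name is on the illegal list,
# regardless of how many sockets it holds.
# Globals:   ILLEGAL_COMMANDS (read)
# Arguments: none
# Inputs:    sockstat output on stdin
# Outputs:   one PID per line on stdout, each PID at most once
#######################################
illegal_pids() {
  awk -v names="$ILLEGAL_COMMANDS" '
    $3 ~ /^[0-9]+$/ && $2 ~ names && !seen[$2 SUBSEP $3]++ { print $3 }'
}

#######################################
# Send SIGKILL to one PID and record the outcome through logger.
# Arguments: $1 - PID taken from sockstat output
#            $2 - message to log when the kill succeeds
# Returns:   0 always; a failed kill is logged, not propagated
#######################################
kill_and_log() {
  local pid=$1
  local message=$2

  # The PID comes from parsed text: accept only a plain decimal number, and
  # never signal init (1) or this script itself.
  [[ "$pid" =~ ^[1-9][0-9]*$ ]] || return 0
  (( pid > 1 && pid != $$ )) || return 0

  # NOTE(review): the process may exit and its PID be reused between the
  # sockstat snapshot and this kill; the window is small, but the signal is
  # not tied to the command name that was matched.
  if kill -9 "$pid" 2>/dev/null; then
    printf '%s\n' "$message" | logger
  else
    # Keep the audit trail accurate: do not claim a kill that did not happen.
    printf '%s\n' "could not kill process $pid -- process-check script" | logger
  fi
}

#######################################
# Run both checks. sockstat is invoked once per check so the second check
# does not see processes the first one already killed.
# Returns:   1 if sockstat is not installed, otherwise 0
#######################################
main() {
  local pid

  if ! command -v sockstat >/dev/null 2>&1; then
    printf '%s\n' 'process-check: sockstat not found' >&2
    return 1
  fi

  #
  # checks for excessive IRC connections
  #
  # The kill/log commands are run directly; the original wrapped them in
  # backticks, which would have executed their output as a further command.
  sockstat | irc_flood_pids | while IFS= read -r pid; do
    kill_and_log "$pid" "killed process $pid -- process-check script"
  done

  #
  # checks for illegal processes
  #
  sockstat | illegal_pids | while IFS= read -r pid; do
    kill_and_log "$pid" "killed illegal process $pid -- process-check script"
  done
}

#
# protects the main IP from rogue user daemons
#
# Disabled by the author. NOTE(review) before re-enabling: "grep 216.218.235.192"
# treats each dot as "any character" and is unanchored, so use grep -F (or an
# anchored pattern) on the local-address column; the inner kill/logger commands
# should also lose their backticks, as in the active checks above.
#
#for i in `sockstat | awk '{print $1 "\t" $3 "\t" $6}' | grep 216.218.235.192 \
#  | awk '{if ($1 != "root") print $1 "\t" $2}' \
#  | awk '{if ($1 != "nobody") print $1 "\t" $2}' \
#  | awk '{if ($1 != "bind") print $1 "\t" $2}' \
#  | awk '{if ($1 != "shellsx") print $1 "\t" $2}' \
#  | awk '{if ($1 != "italguy") print $2}' | uniq` ; do `kill -9 $i; echo "killed process $i -- user daemon running on IP 216.218.235.192" | logger`; done
#for i in `sockstat | awk '{print $1 "\t" $3 "\t" $6}' | grep 216.218.235.193 \
#  | awk '{if ($1 != "root") print $1 "\t" $2}' \
#  | awk '{if ($1 != "nobody") print $1 "\t" $2}' \
#  | awk '{if ($1 != "bind") print $1 "\t" $2}' \
#  | awk '{if ($1 != "shellsx") print $1 "\t" $2}' \
#  | awk '{if ($1 != "italguy") print $2}' | uniq` ; do `kill -9 $i; echo "killed process $i -- user daemon running on IP 216.218.235.193" | logger`; done
#for i in `sockstat | awk '{print $1 "\t" $3 "\t" $6}' | grep 216.218.235.194 \
#  | awk '{if ($1 != "root") print $1 "\t" $2}' \
#  | awk '{if ($1 != "nobody") print $1 "\t" $2}' \
#  | awk '{if ($1 != "bind") print $1 "\t" $2}' \
#  | awk '{if ($1 != "shellsx") print $1 "\t" $2}' \
#  | awk '{if ($1 != "italguy") print $2}' | uniq` ; do `kill -9 $i; echo "killed process $i -- user daemon running on IP 216.218.235.194" | logger`; done

main "$@"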