#!/bin/bash
# Miner guard script: scan for and clean up cryptomining malware every 30 minutes.
# Indicators: xmrig, kdevtmpfsi, kinsing, minerd, stratum, libprocesshider, watchbog, ...
# Usage: chmod +x miner_guard.sh && ./miner_guard.sh
# Or from cron every 30 minutes: */30 * * * * /path/to/miner_guard.sh >> /var/log/miner_guard.log 2>&1
#
# Must run as root: it kills other users' processes, writes under /var/run and
# /var/log, and reads another user's crontab.

LOG="/var/log/miner_guard.log"
LOCK="/var/run/miner_guard.lock"

# Miner indicators (process-name / command-line keywords, extended-regex alternation).
# "stratum" matches the pool URL (stratum+tcp://...) most miners carry on their command line.
# Keep the keywords specific: pgrep -f matches the whole command line, so a short generic
# word such as "trace" or "xmr" would also hit strace, ltrace or any process whose
# arguments mention a file with that substring.
MINER_KEYWORDS="xmrig|xmr-stak|minerd|cpuminer|stratum|kdevtmpfsi|kinsing|libprocesshider|ddgs|watchbog"
# Well-known drop locations
MINER_PATHS="/tmp/xmrig /tmp/config.json /tmp/.x /tmp/kdevtmpfsi /tmp/kinsing"

# Timestamp is taken per line rather than once at start-up, so a long run logs real times.
# Output goes to the log file, and additionally to the terminal when run interactively;
# under cron (stdout already redirected into $LOG) nothing is written twice.
log() {
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" >> "$LOG"
    [ -t 1 ] && echo "$1"
    return 0
}

run_lock() {
    exec 200>"$LOCK"
    flock -n 200 || { log "Another instance is already running, skipping"; exit 0; }
}

[ "$(id -u)" -eq 0 ] || { echo "miner_guard.sh must run as root" >&2; exit 1; }
run_lock
cleaned=0

# 1. Kill miner processes. The keyword list is split on '|' so every hit is logged under
#    the keyword that matched. Our own PID and parent (the cron shell) are excluded, since
#    pgrep -f matches full command lines. Binary path and command line are recorded before
#    the kill so that something is left to investigate afterwards.
#    (kinsing and kdevtmpfsi respawn each other; step 2 removes the dropped binaries.)
IFS='|' read -r -a keywords <<< "$MINER_KEYWORDS"
for kw in "${keywords[@]}"; do
    pids=$(pgrep -f "$kw" 2>/dev/null | grep -vx -e "$$" -e "$PPID")
    [ -n "$pids" ] || continue
    for pid in $pids; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        log "Miner process matched '$kw': PID $pid exe=${exe:-?} cmd=${cmd:-?}, sending kill -9"
        kill -9 "$pid" 2>/dev/null && cleaned=1
    done
done

# 2. Remove known drop files
for p in $MINER_PATHS; do
    if [ -e "$p" ]; then
        log "Removing: $p"
        rm -rf "$p" 2>/dev/null && cleaned=1
    fi
done

# 3. Executables under /tmp, /var/tmp and /dev/shm whose path contains a miner keyword.
#    -print0 / read -d '' copes with spaces and newlines in file names; the process
#    substitution keeps the loop in this shell, so "cleaned" survives it (a plain
#    "find | while" would run the loop in a subshell and lose the assignment).
while IFS= read -r -d '' f; do
    if grep -qiE "xmrig|miner|xmr|stratum|kinsing|kdevtmpfsi" <<< "$f"; then
        log "Removing suspicious executable: $f"
        rm -f "$f" 2>/dev/null && cleaned=1
    fi
done < <(find /tmp /var/tmp /dev/shm -maxdepth 2 -type f -executable -print0 2>/dev/null)

# 4. xmrig directories and binaries dropped under the web root
while IFS= read -r -d '' d; do
    log "Removing miner directory: $d"
    rm -rf "$d" 2>/dev/null && cleaned=1
done < <(find /www/wwwroot -maxdepth 6 -type d -name "*xmrig*" -print0 2>/dev/null)
while IFS= read -r -d '' f; do
    log "Removing miner binary: $f"
    rm -f "$f" 2>/dev/null && cleaned=1
done < <(find /www/wwwroot -maxdepth 6 -type f -name "xmrig" -print0 2>/dev/null)

# 5. Suspicious entries in the www user's crontab are reported, not edited
if crontab -u www -l 2>/dev/null | grep -qiE "xmrig|miner|curl.*tmp|wget.*tmp"; then
    log "Suspicious entries in the crontab of user www, review manually: crontab -u www -l"
fi

# 6. Summary line when anything was removed this run
if [ "$cleaned" = "1" ]; then
    log "Miner artefacts cleaned up in this run"
fi

exit 0
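The header lists libprocesshider among the indicators, but nothing in the script looks for it, and an LD_PRELOAD process hider defeats the pgrep sweep in step 1: it hooks readdir() so the hidden PID never appears in a /proc listing, which is what ps, pgrep, ls and top all rely on. The following companion script is an added example, not part of miner_guard.sh. It checks three things the guard cannot: entries in /etc/ld.so.preload (where libprocesshider and similar hiders install themselves), PIDs whose /proc/<pid> directory can be stat()ed but is absent from a directory listing (a readdir hook cannot intercept stat), and running processes whose executable was unlinked after start, the usual footprint of a miner that deletes its dropper. The file name hidden_proc_check.sh and the sample ld.so.preload contents used for testing are constructed for this example; like the guard, it needs root to inspect other users' processes.

```shell
#!/bin/bash
# hidden_proc_check.sh (added example, not part of miner_guard.sh)
#
# check_ld_preload [FILE]   print non-comment entries of an ld.so.preload file
#                           (default /etc/ld.so.preload); returns 1 if any exist.
# find_hidden_pids [LO HI]  PIDs visible to stat() but not to readdir(); defaults
#                           to 1..pid_max, which takes some seconds in bash.
# list_deleted_exes         processes whose /proc/<pid>/exe ends in "(deleted)".

check_ld_preload() {
    local file="${1:-/etc/ld.so.preload}" line lib found=0
    [ -r "$file" ] || return 0                 # no file: nothing preloaded system-wide
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                     # drop comments
        for lib in $line; do                   # entries are whitespace separated
            found=1
            if [ -e "$lib" ]; then
                printf 'preload: %s (present, -> %s)\n' "$lib" "$(readlink -f "$lib")"
            else
                printf 'preload: %s (missing on disk)\n' "$lib"
            fi
        done
    done < "$file"
    return $found
}

find_hidden_pids() {
    local lo="${1:-1}" hi="${2:-$(cat /proc/sys/kernel/pid_max)}" pid
    local -A visible=()
    # The readdir() view: the one ps/pgrep share and the one an LD_PRELOAD hider tampers with.
    for pid in $(ls -1 /proc | grep -E '^[0-9]+$'); do visible[$pid]=1; done
    for ((pid = lo; pid <= hi; pid++)); do
        [ -d "/proc/$pid" ] || continue        # stat(): not interceptable by a readdir hook
        [ -z "${visible[$pid]:-}" ] || continue
        # Candidate. Re-list and re-stat so a process that merely started after the
        # first listing is not reported (a tiny race window remains for exiting processes).
        ls -1 /proc | grep -qx "$pid" && continue
        [ -d "/proc/$pid" ] || continue
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

list_deleted_exes() {
    local exe pid target
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)")
                pid="${exe#/proc/}"; pid="${pid%/exe}"
                printf '%s %s %s\n' "$pid" "$target" \
                    "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
                ;;
        esac
    done
}

# Run all three checks when invoked as: ./hidden_proc_check.sh scan
if [ "${1:-}" = "scan" ]; then
    check_ld_preload || echo "WARNING: system-wide LD_PRELOAD entries present"
    echo "--- PIDs hidden from readdir() ---"; find_hidden_pids
    echo "--- processes whose binary was deleted ---"; list_deleted_exes
fi
```

A hit from find_hidden_pids is the one case where the guard's pgrep loop is blind, so it should be treated as a compromised host rather than something to clean in place; a non-empty /etc/ld.so.preload on a server that never needed one deserves the same treatment.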