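#!/bin/bash
#
# Scan cPanel session files for indicators of session-injection compromise.
#
# Walks every file under "$SESSIONS_DIR/raw", runs four IOC checks against
# each one, prints findings to stdout and ends with a summary block.
#
# Environment (optional overrides; defaults are the original hard-coded paths):
#   SESSIONS_DIR  root of the session store, expected to hold raw/ and preauth/
#                 (default /var/cpanel/sessions)
#   ACCESS_LOG    cpsrvd access log searched for use of an injected token
#                 (default /usr/local/cpanel/logs/access_log)
#
# Exit status is always 0; the verdict is carried by the printed summary and
# by the COMPROMISED flag, which the checks set to 1.

# -u catches typos in variable names. -e is deliberately NOT set: many grep
# calls below are expected to return non-zero (no match) and must not abort
# the scan.
set -u

SESSIONS_DIR="${SESSIONS_DIR:-/var/cpanel/sessions}"
ACCESS_LOG="${ACCESS_LOG:-/usr/local/cpanel/logs/access_log}"
COMPROMISED=0

#######################################
# Print the value of the first "key=value" line in a session file.
# Arguments: $1 - key name (a fixed, literal key; not user data)
#            $2 - session file
# Outputs:   everything after the first '=' of that line, or nothing if the
#            key is absent. Values that themselves contain '=' are kept whole.
#######################################
session_value() {
  local key=$1 file=$2
  grep -m1 -- "^${key}=" "$file" | cut -d= -f2-
}

#######################################
# Look for a 200 response in the access log that carries the given token.
# Arguments: $1 - token value read from a session file (attacker-writable,
#                 so it is matched as a fixed string, never as a regex)
# Outputs:   the first matching log line to stdout, or nothing
# Returns:   0 if a line was printed, 1 otherwise
#######################################
token_usage() {
  local token=$1
  # An empty pattern would match every log line and produce a false "USED".
  if [ -z "$token" ]; then
    return 1
  fi
  if [ ! -r "$ACCESS_LOG" ]; then
    printf 'warn: cannot read %s; token usage unknown\n' "$ACCESS_LOG" >&2
    return 1
  fi
  # -a: treat a binary-looking log as text; -F/--: literal match of untrusted data.
  grep -a -F -- "$token" "$ACCESS_LOG" | grep -m1 -- " 200 "
}

#######################################
# IOC 0: token_denied AND cp_security_token present, ideally with a
# method=badpass origin (strong indicator of exploitation).
#
# token_denied is set by do_token_denied() in cpsrvd when a request
# supplies an incorrect security token. cp_security_token is the
# attacker-injected token value. This combination indicates:
#
#   1. Attacker injected a cp_security_token via newline payload
#   2. Attacker attempted to use the injected token
#   3. cpsrvd recorded the token mismatch (token_denied counter)
#      during the exploitation window before the session was
#      fully promoted
#
# In a legitimate session:
#   - token_denied is only present after a user-initiated security token
#     failure (rare, typically from expired bookmarks)
#   - It would never co-exist with a badpass origin AND an
#     attacker-controlled cp_security_token
#
# This IOC reports BOTH successful and failed exploitation attempts; only the
# badpass case with evidence of use (external auth recorded or a 200 in the
# access log) sets COMPROMISED.
#
# Globals:   ACCESS_LOG (read via token_usage), COMPROMISED (written)
# Arguments: $1 - session file
# Outputs:   findings to stdout
#######################################
check_token_denied() {
  local session_file=$1
  local token_val denied_val origin used external_auth

  if ! grep -q '^token_denied=' "$session_file" \
    || ! grep -q '^cp_security_token=' "$session_file"; then
    return 0
  fi

  # Extract values for triage context
  token_val=$(session_value cp_security_token "$session_file")
  denied_val=$(session_value token_denied "$session_file")
  origin=$(session_value origin_as_string "$session_file")
  used=$(token_usage "$token_val")
  external_auth=$(grep '^successful_external_auth_with_timestamp=' "$session_file")

  if grep -q '^origin_as_string=.*method=badpass' "$session_file"; then
    # High confidence if origin is badpass (session was pre-auth)
    if [ -z "$external_auth" ] && [ -z "$used" ]; then
      printf 'Found possible injected session file: %s\n' "$session_file"
      printf ' - No sign of usage\n'
    else
      printf '[!] CRITICAL: Exploitation artifact - token_denied with injected cp_security_token: %s\n' "$session_file"
      printf ' - cp_security_token=%s\n' "$token_val"
      printf ' - token_denied=%s\n' "$denied_val"
      printf ' - origin=%s\n' "$origin"
      printf ' - Verdict: Session was pre-auth (badpass origin) with attacker-injected token\n'
      printf ' - USED: %s\n' "$used"
      COMPROMISED=1
    fi
  else
    # Medium confidence but still suspicious for any session
    printf '[!] WARNING: Suspicious session with token_denied + cp_security_token: %s\n' "$session_file"
    printf ' - cp_security_token=%s\n' "$token_val"
    printf ' - token_denied=%s\n' "$denied_val"
    printf ' - origin=%s\n' "$origin"
    printf ' - Review manually: may be legitimate token expiration or exploitation attempt\n'
  fi
}

#######################################
# IOC 1: a session that still has a pre-auth twin but carries an
# authenticated attribute.
# Globals:   SESSIONS_DIR (read), COMPROMISED (written)
# Arguments: $1 - session file under raw/
# Outputs:   findings to stdout
#######################################
check_preauth_promotion() {
  local session_file=$1
  # The pre-auth copy shares the raw file's basename.
  local preauth_file="$SESSIONS_DIR/preauth/${session_file##*/}"

  [ -f "$preauth_file" ] || return 0
  if grep -qE '^successful_external_auth_with_timestamp=' "$session_file"; then
    printf '[!] CRITICAL: Injected session detected: %s\n' "$session_file"
    printf " - Contains 'successful_external_auth_with_timestamp' in pre-auth session\n"
    COMPROMISED=1
  fi
}

#######################################
# IOC 2: tfa_verified=1 without one of the expected login origins.
# Globals:   COMPROMISED (written)
# Arguments: $1 - session file
# Outputs:   findings to stdout
#######################################
check_tfa_origin() {
  local session_file=$1

  grep -q '^tfa_verified=1' "$session_file" || return 0
  # One alternation replaces three negated greps; the set of accepted
  # origins is unchanged.
  if ! grep -qE '^origin_as_string=.*method=(handle_form_login|create_user_session|handle_auth_transfer)' "$session_file"; then
    printf '[!] WARNING: Session with tfa_verified but suspicious origin: %s\n' "$session_file"
    COMPROMISED=1
  fi
}

#######################################
# IOC 3: password field containing newlines (corrupted session file).
# Globals:   COMPROMISED (written)
# Arguments: $1 - session file
# Outputs:   findings to stdout
#######################################
check_multiline_pass() {
  local session_file=$1

  # NOTE(review): without -z, grep matches one line at a time with the
  # trailing newline stripped, so the '\n' in this pattern cannot match and
  # the check does not fire as written. Kept byte-identical pending
  # confirmation of how an injected pass value is laid out on disk.
  # 2>/dev/null hides the error from greps built without PCRE support.
  if grep -qP '^pass=.*\n.' "$session_file" 2>/dev/null; then
    printf '[!] CRITICAL: Multi-line pass value detected: %s\n' "$session_file"
    COMPROMISED=1
  fi
}

#######################################
# Print the closing verdict and, when something was found, the response steps.
# Globals:   COMPROMISED (read)
#######################################
print_summary() {
  printf '\n'
  if [ "$COMPROMISED" -eq 0 ]; then
    printf '[+] No indicators of compromise found.\n'
  else
    printf '[!] INDICATORS OF COMPROMISE DETECTED - IMMEDIATE ACTION REQUIRED\n'
    printf ' 1. Purge all affected sessions\n'
    printf ' 2. Force password reset for root and all WHM users\n'
    printf ' 3. Audit /var/log/wtmp and WHM access logs for unauthorized access\n'
    printf ' 4. Check for persistence mechanisms (cron, SSH keys, backdoors)\n'
  fi
}

#######################################
# Run every IOC check over each regular file in "$SESSIONS_DIR/raw".
# Globals:   SESSIONS_DIR (read), COMPROMISED (written by the checks)
#######################################
main() {
  local session_file

  printf '[*] Scanning session files for injection indicators...\n'
  for session_file in "$SESSIONS_DIR"/raw/*; do
    # An unmatched glob leaves the literal pattern; skip it and non-files.
    [ -f "$session_file" ] || continue
    check_token_denied "$session_file"
    check_preauth_promotion "$session_file"
    check_tfa_origin "$session_file"
    check_multiline_pass "$session_file"
  done
  print_summary
}

main "$@"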