LinuxQuestions.org
Old 11-14-2012, 02:13 PM   #1
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Rep: Reputation: 78
How-to background this bash command?


env is rhel 5.8

how to run this one-liner from cli in the background ?
Code:
for i in `find / -exec file {} \; | grep "ELF" | cut -d ":" -f 1`; do md5sum $i >> all-ELF-md5.log; done; grep -P 'b3eb1ec8094fa10169dba7a8bd1a97f1|ab106d75a3b87641937d5a8891abc8ce|9794562db2792954b8c5c1ce84aae0f5' all-ELF-md5.log; echo $?
i need to renice this user once it kicks off.
 
Old 11-14-2012, 04:21 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Code:
# ( all_that_stuff ) &
 
Old 11-14-2012, 06:50 PM   #3
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
thanks a bunch.
 
Old 11-15-2012, 09:02 AM   #4
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
well, error on my centOS 6, w/ or w/o sudo


Code:
sudo ( for i in `find / -exec file {} \; | grep "ELF" | cut -d ":" -f 1`; do md5sum $i >> all-ELF-md5.log; done; grep -P 'b3eb1ec8094fa10169dba7a8bd1a97f1|ab106d75a3b87641937d5a8891abc8ce|9794562db2792954b8c5c1ce84aae0f5' all-ELF-md5.log; echo $? ) &
give me error
-bash: syntax error near unexpected token 'for'

the user running this is not root, but it needs to run as root so sudo will be used. then, after it runs the bg PID has to be reniced to +19
 
Old 11-15-2012, 09:12 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
where did sudo come from? yeah that totally breaks it!

If you don't need to enter a password then just include the sudo as well, otherwise it gets tricky if you need to enter the password.
 
Old 11-15-2012, 09:24 AM   #6
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
well, i can deal with the sudo password issue, but the uid using sudo has NOPASSWD in sudoers

but even w/o sudo there i still get error.

and weird, its bash 4.1.2-9.el6_2 and i get a stdin prompt when running w/o sudo and w/o ()&

is the syntax wrong here?
 
Old 11-15-2012, 09:43 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Why don't you make it easier on yourself, save
Code:
find / -type f -exec file {} \; 2>/dev/null| awk -F':' '/ELF/ {print $1}" | while read ITEM; do 
md5sum "${ITEM}" 2>/dev/null| egrep "(b3eb1ec8094fa10169dba7a8bd1a97f1|ab106d75a3b87641937d5a8891abc8ce|9794562db2792954b8c5c1ce84aae0f5)"
done
to say "~/tmp/script.sh", set the executable bit and then execute it in the background?

I often use 'at':
Code:
sudo at -f ~/tmp/script.sh now
It's fire-and-forget, backgrounds jobs by default and I get the result (if any) by email.
 
Old 11-15-2012, 10:02 AM   #8
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
well, the command needs to run on many customer servers, and the sysadmin folks have to do the work, and, rather not have the sysadmins creating executable script on the customer systems. hosted environment, etc.

i was wanting to just have sysadmin copy/paste command into ssh window and then give me the output of $? for the system.

the command has to be reniced to +19 (customer request)

so basically its this:

1. md5 all ELF files on the system (hence sudo)
2. grep for matching MD5
3. get exit status of grep $? (if it finds a match exit will = 0)
4. this whole thing has to be reniced to +19
5. a command that is copy/paste for sysadmin is best, w/o the use of creating a script file on the system


is this correct awk -F':' '/ELF/ {print $1}"

Last edited by Linux_Kidd; 11-15-2012 at 10:19 AM.
 
Old 11-15-2012, 11:14 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Linux_Kidd
well, the command needs to run on many customer servers, and the sysadmin folks have to do the work, and, rather not have the sysadmins creating executable script on the customer systems. hosted environment, etc.
At LQ we like to think along to check proper use, point out blind spots or pitfalls, suggest improvements or alternatives, all in an attempt to make tasks easier and qualitatively better. That's one of the reasons why presenting the full picture in your OP (original post) always is a Good Thing.


Quote:
Originally Posted by Linux_Kidd
is this correct awk -F':' '/ELF/ {print $1}"
No it is
Code:
awk -F':' '/ELF/ {print $1}'

The real problem however isn't even in who, where or how your commands will be executed (not that you've motivated why responsible personnel can run commands but aren't allowed to save a script to say /dev/shm and run it anyway) but what and how you are searching for (and I think I've got a pretty good idea):
- if the binaries have been changed involuntarily (prelinking?),
- if I change the ELF comment section (objcopy) or recompile it,
- if I obfuscate the ELF header (see Samhain source for an example), use a packer or encryption,
- if I piggyback the ELF onto another binary,
- if the binaries reside inside a compressed archive or
- if I place versions for a different arch or upload the source tarball (no use but still considered a hostile act)
your check will return a clean result and then you won't have caught anything.
And with only three hashes chances are you miss other foreign objects.

Please rethink if what you intend to do is done in the most efficient way.

Last edited by unSpawn; 11-15-2012 at 11:18 AM. Reason: //NN
 
Old 11-15-2012, 02:38 PM   #10
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
i am looking specifically for the presence of three MD5 hashes of infection files found on another system. that is what i was tasked to do. the semantics behind the what-if's and pitfalls are not in scope. i am not conducting a forensic investigation on other systems looking in hidden areas to find these files.

i was trying to keep the sysadmin task as simple as possible to avoid human error as they manage lots of systems for lots of customers (thousands of systems for hundreds of customers), etc.

as for my OP, it does the task i need on rhel (not sure why it failed on centOS6 yet), i was just wanting to know how to background that, and thus far i have a "write script" for it.


i can go the script route, but whats the best way to renice it, just "renice 19 $$" at the top of the script, or perhaps just "sudo nice 19 ~/tmp/script.sh &", how would you do it?

thanks.

Last edited by Linux_Kidd; 11-15-2012 at 03:37 PM.
 
Old 11-16-2012, 11:22 AM   #11
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
ok, this is what i have now

Code:
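#!/bin/bash
# Drop this script (and its children) to the lowest CPU priority
renice -n +19 $$
OUTFILE="$(date +%m-%d-%y)-${HOSTNAME}.log"
# List every regular file, keep the ones file(1) reports as ELF,
# hash each one and log only the lines that match a wanted MD5
find / -type f -exec file {} \; 2>/dev/null | awk -F':' '/ELF/ {print $1}' | while read -r ITEM; do
    md5sum "${ITEM}" 2>/dev/null | egrep "(b3eb1ec8094fa10169dba7a8bd1a97f1|ab106d75a3b87641937d5a8891abc8ce|9794562db2792954b8c5c1ce84aae0f5)" >> "$OUTFILE" 2>/dev/null
done
echo "finished" >> "$OUTFILE"
exit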

and for some odd reason, my CentOS6 doesnt have the 'file' command
and thanks for the help

Last edited by Linux_Kidd; 11-16-2012 at 11:32 AM.
 
Old 11-16-2012, 11:52 AM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Linux_Kidd
that is what i was tasked to do.
OK.


Quote:
Originally Posted by Linux_Kidd
i can go the script route, but whats the best way to renice it, just "renice 19 $$" at the top of the script, or perhaps just "sudo nice 19 ~/tmp/script.sh &", how would you do it?
I'd use the first.


Quote:
Originally Posted by Linux_Kidd
and for some odd reason, my CentOS6 doesnt have the 'file' command
If the system doesn't have 'file' we could check for 'strings' or 'od' or whatever else or you could use something like:
Code:
grep -qam1 ELF "${ITEM}"
but why not try without:
Code:
#!/bin/sh
renice -n +19 $$; OUTFILE="$(/bin/date +'%Y%m%d')-${HOSTNAME}.log"
find / -xdev -type f -print0 2>/dev/null|xargs -0 -iX md5sum 'X' 2>/dev/null\
|egrep "(b3eb1ec8094fa10169dba7a8bd1a97f1|ab106d75a3b87641937d5a8891abc8ce|9794562db2792954b8c5c1ce84aae0f5)" > $OUTFILE
exit 0
 
Old 11-16-2012, 12:31 PM   #13
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 737

Original Poster
Rep: Reputation: 78
my lab system is centOS-6, thats where i was testing. the real systems are rhel 5.8

the script i have works ok and has been sent to the sysadmin folks to run on a bunch of systems.

thanks.
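
The requirements listed in post #8 and the check without 'file' from post #12, put together as one sketch. This is an added example, not code posted by anyone in the thread; the function names elf_md5_list and scan_ioc and the log name ioc-scan.log are assumptions of the example. sudo runs a program, not shell syntax, so the usage comment hands the compound command to bash -c instead of wrapping it in ( ).

```shell
#!/bin/sh
# Added example, not from the thread. IOC_MD5 holds the three hashes the thread searches for.
IOC_MD5='b3eb1ec8094fa10169dba7a8bd1a97f1|ab106d75a3b87641937d5a8891abc8ce|9794562db2792954b8c5c1ce84aae0f5'

# elf_md5_list ROOT
# Print "md5  path" for each regular file under ROOT whose first four bytes are
# the ELF magic 7f 45 4c 46. od replaces file(1), and find -exec ... {} + passes
# names as arguments, so paths with spaces are safe. -xdev (as in the last script
# in the thread) stays on one filesystem; drop it to cross mount points.
elf_md5_list() {
    find "$1" -xdev -type f -exec sh -c '
        for f do
            magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d " \n")
            if [ "$magic" = 7f454c46 ]; then md5sum "$f" 2>/dev/null; fi
        done
        exit 0' sh {} + 2>/dev/null
}

# scan_ioc ROOT [HASHES]
# Print the md5sum lines whose hash is in HASHES ("|"-separated, default IOC_MD5).
# Exit status follows grep: 0 if at least one match, 1 if none.
scan_ioc() {
    elf_md5_list "$1" | awk -v list="${2:-$IOC_MD5}" '
        BEGIN { n = split(list, a, "|"); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        # md5sum puts a backslash before the hash when it had to escape the file name
        { h = $1; sub(/^\\/, "", h); if (h in bad) { print; hit = 1 } }
        END { exit !hit }'
}

# Paste-only use from a bash prompt (no script file is written; assumes NOPASSWD sudo):
#   sudo nice -n 19 bash -c "$(declare -f elf_md5_list scan_ioc); scan_ioc / '$IOC_MD5'; echo exit=\$?" > ioc-scan.log 2>&1 &
```

Starting the job under nice -n 19 means every child (find, od, md5sum, awk) inherits the priority, so no separate renice of the background PID is needed.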
 
  

