netstat -an | grep 2049 | grep "ESTABLISHED"
showmount -a
NFS Monitoring ScriptÂ
#!/bin/bash
#NFS Mount Monitoring
HOSTIP="$(ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')"
NFS=($(netstat -an | grep 2049 | grep "ESTABLISHED" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | grep -v "$HOSTIP"))
echo "#####################" >> /tmp/hacker.info
echo "NFS Mount(s) Mounted!" >> /tmp/hacker.info
echo "#####################" >> /tmp/hacker.info
for i in "${NFS[@]}"
do
echo "#####################" >> /tmp/hacker.info
echo "HACKER DETECTED W/ IP $i" >> /tmp/hacker.info
echo >> /tmp/hacker.info
nbtscan "$i" >> /tmp/hacker.info
nslookup "$i" >> /tmp/hacker.info
arp -a "$i" >> /tmp/hacker.info
echo >> /tmp/hacker.info
done
echo "#####################" >> /tmp/hacker.info
echo "NFS General Information" >> /tmp/hacker.info
echo >> /tmp/hacker.info
echo "netstat" >> /tmp/hacker.info
netstat -an | grep 2049 | grep "ESTABLISHED" >> /tmp/hacker.info
echo >> /tmp/hacker.info
echo "showmount -a" >> /tmp/hacker.info
showmount -a >> /tmp/hacker.info
echo "" >> /tmp/hacker.info
echo "End NFS Information" >> /tmp/hacker.info
echo "#####################" >> /tmp/hacker.info