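#!/bin/bash
#########################################################################
#                                                                       #
# Plugin name: check_slash_tmp_php_proc                                 #
# Description: Plugin to check for rogue processes either running       #
#              in /tmp, executed with "./", or with a masked name.      #
# Author:      William Overko                                           #
# Version:     20180423                                                 #
#                                                                       #
#########################################################################
#
# Output: one status line on stdout.
# Exit:   0 = OK, 2 = CRITICAL, 3 = UNKNOWN (the check itself failed).
#
# Detection notes:
#   * This is a heuristic over the command string that ps reports. A
#     process can set that string itself, so a clean result means only
#     that nothing matched, not that the host is clean.
#   * Processes owned by root are excluded from the check entirely.

readonly STATE_OK=0
readonly STATE_CRITICAL=2
readonly STATE_UNKNOWN=3

# Matched against "ps auwx" lines: the TIME column followed by a command
# that starts with "./", a /tmp/php*_* file, /var/tmp, "perl /tmp",
# "sh -c ./..." or a bare "bash"/"proc" name.
readonly SUSPECT_PATTERN='[0-9]{1,4}:[0-9]{1,2}\ (\.\/|\/tmp\/php[a-zA-Z0-9]*_[a-zA-Z0-9]*|\/var\/tmp|perl \/tmp|(sh\ \-c){0,1}\ \.\/[a-zA-Z0-9]*|(bash|proc))'

# Take a single snapshot of the process table so the user list and the
# count always describe the same set of processes.
if ! ps_snapshot=$(ps auwx) || [[ -z "$ps_snapshot" ]]; then
  # Fail closed: an unreadable process list must not be reported as OK.
  printf '%s\n' "UNKNOWN: Unable to read the process list."
  exit "$STATE_UNKNOWN"
fi

# Owners of matching processes, one per array element, de-duplicated.
# The root filter is anchored on the whole first column so that accounts
# whose name merely begins with "root" are still inspected.
proc_users=()
mapfile -t proc_users < <(
  printf '%s\n' "$ps_snapshot" \
    | grep -vE '^root[[:space:]]' \
    | grep -E -- "$SUSPECT_PATTERN" \
    | awk '{print $1}' \
    | sort -u
)

if (( ${#proc_users[@]} == 0 )); then
  printf '%s\n' "OK: No processes found."
  exit "$STATE_OK"
fi

# Map each USER column value to a login name via getent.
# NOTE(review): presumably this is here because ps can print a numeric UID
# instead of a name; confirm. If the lookup returns nothing, the raw ps
# value is reported so that no owner is silently dropped from the alert.
user_list=''
for entry in "${proc_users[@]}"; do
  login=$(getent passwd "$entry" | cut -d: -f1)
  user_list+=" ${login:-$entry}"
done

# Everything stays on one line so the monitoring system shows every user
# in the status text.
printf '%s\n' "CRITICAL: Processes running under the following usernames:${user_list}."
exit "$STATE_CRITICAL"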