#!/bin/bash
# Developed by Brian Laskowski
# laskowski-tech.com
#create color vars
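# ANSI colour escapes, emitted via echo -e / printf '%b'
readonly yell='\e[33m'
readonly gre='\e[32m'
readonly whi='\e[0m'      # reset to default colour
readonly red='\e[1;31m'
# banner / section divider strings
readonly div1="==========="
readonly div2="==="
# Abbreviated month names used to select archived monthly logs
# (the cPanel branch globs /home/*/logs/*-<Mon>-<YYYY>.gz).
# Both come from date's %b format: the previous `date | awk '{print$2}'`
# relied on the month being the second word of the default date output,
# which is not the case in every locale, and differed from how pmonth
# was derived.
month=$(date '+%b')
pmonth=$(date '+%b' --date '1 month ago')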
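#######################################
# Report known follow-on IOCs in a scan result file: the crypto-jacking
# campaign address and the tech-support-scam redirect domain.
# Globals:   red, gre, yell, whi, div2 (read)
# Arguments: $1 - scan result file (default: /tmp/drupalchk)
# Outputs:   matching log lines plus campaign references to stdout;
#            nothing when the file is missing or holds no IOC
# Returns:   0
#######################################
ioccheck () {
  local hits=${1:-/tmp/drupalchk}
  local -r ioc_ip='103.53.197.172'
  local -r ioc_host='normandysights.com'
  # -F: the IOCs are literal strings. Used as a regex, the unescaped dots
  # also matched unrelated values such as 103x53x197x172.
  if grep -qF -e "$ioc_ip" -e "$ioc_host" -- "$hits" 2> /dev/null; then
    echo -e "$red $div2 positive IOC found $div2 $yell"
    grep -F -- "$ioc_ip" "$hits"
    echo -e "$gre $div2 crypo-jacking campaign $div2"
    echo -e "$red $div2 https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/ $div2 $whi"
    grep -F -- "$ioc_host" "$hits"
    echo -e "$gre $div2 Tech support scam $div2"
    echo -e "$red $div2 https://laskowski-tech.com/2018/05/04/pwned-drupal-site-recruited-for-tech-support-scams/ $div2"
  fi
}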
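#######################################
# Same IOC report as ioccheck, for the monthly-archive scan results.
# Globals:   red, gre, yell, whi, div2 (read)
# Arguments: $1 - scan result file (default: /tmp/drupalchk2)
# Outputs:   matching log lines plus campaign references to stdout;
#            nothing when the file is missing or holds no IOC
# Returns:   0
#######################################
ioccheck2 () {
  local hits=${1:-/tmp/drupalchk2}
  local -r ioc_ip='103.53.197.172'
  local -r ioc_host='normandysights.com'
  # -F: literal match; the regex form let '.' match any character.
  if grep -qF -e "$ioc_ip" -e "$ioc_host" -- "$hits" 2> /dev/null; then
    echo -e "$red $div2 positive IOC found $div2 $yell"
    grep -F -- "$ioc_ip" "$hits"
    echo -e "$gre $div2 crypo-jacking campaign $div2"
    echo -e "$red $div2 https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/ $div2 $whi"
    grep -F -- "$ioc_host" "$hits"
    echo -e "$gre $div2 Tech support scam $div2"
    echo -e "$red $div2 https://laskowski-tech.com/2018/05/04/pwned-drupal-site-recruited-for-tech-support-scams/ $div2"
  fi
}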
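#Check for Environment
#
# Scan results go to fixed names under /tmp because the ioccheck helpers
# read those same names. NOTE(review): predictable paths in a world-writable
# directory are a symlink/TOCTOU risk when this runs as root (it needs root
# to read the logs); if the helpers are ever given a path argument, switch
# to a private mktemp -d directory.
readonly hits_file=/tmp/drupalchk
readonly hits_file2=/tmp/drupalchk2
# Request signatures of CVE-2018-7600 exploitation attempts as they appear
# in Apache access logs (each is passed to grep as a pattern, as before).
declare -ra sigs=(
  'system&name'
  'q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=passthru&name'
  '?q=file%2Fajax%2Fname%2F%23value%2Fform-'
)
# Archived cPanel logs are globbed as <domain>-<Mon>-<YYYY>.gz; the year
# was hard-coded as 2018, which silently finds nothing in any later year.
year=$(date '+%Y')
pyear=$(date '+%Y' --date '1 month ago')

#######################################
# Clear the screen and print the menu banner.
# Globals:   div1, div2 (read)
#######################################
print_banner() {
  clear
  echo "$div1$div1$div1$div1"
  echo "$div2 Drupalgedon Log Scanner $div2"
  echo "Tool to help analyst find compromises"
  echo "of Drupal sites vunerable to CVE-2018-7600"
  echo "$div1$div1$div1$div1"
  echo
}

#######################################
# Collect log lines matching the exploitation signatures into one file.
# Globals:   sigs (read)
# Arguments: $1 - "plain" (grep -R over files/dirs) or "gz" (zgrep)
#            $2 - output file (overwritten)
#            $3... - log files or directories to search
#######################################
collect_hits() {
  local mode=$1 out=$2
  shift 2
  local -a tool
  if [[ "$mode" == gz ]]; then
    tool=(zgrep)
  else
    tool=(grep -R)
  fi
  local sig
  : > "$out"
  for sig in "${sigs[@]}"; do
    # missing or unreadable logs are skipped silently, as before
    "${tool[@]}" "$sig" "$@" 1>> "$out" 2> /dev/null
  done
}

#######################################
# Summarise collected hits: requests that look like successful POSTs, the
# source field, and (when a field number is given) the affected sites.
# Globals:   gre, yell, div2 (read)
# Arguments: $1 - hits file
#            $2 - optional '/'-separated field holding the site name
#######################################
report_hits() {
  local hits=$1 site_field=${2:-}
  # after grep's "file:" prefix, $6 is the method and $9 the status code
  awk '$9 ~ 200 && $6 ~ /POST/ { print }' "$hits"
  echo -e "$gre $div2 IP's possibly involved in exploting Drupal sites $div2 $yell"
  cut -d : -f 2 "$hits" | sort | uniq -c | sort
  if [[ -n "$site_field" ]]; then
    echo -e "$gre $div2 Sites thst may have been compromised $div2 $yell"
    cut -d '/' -f "$site_field" "$hits" | sort | uniq | cut -d : -f1 | uniq
  fi
}

#######################################
# Remove the scan result files and leave the script.
# Globals:   hits_file, hits_file2 (read)
#######################################
cleanup_and_exit() {
  rm -f -- "$hits_file" "$hits_file2" 2> /dev/null
  exit 0
}

if [[ -x $(command -v whmapi1) ]]; then #Cpanel
  sleep 1
  echo "$div2 Cpanel Detected $div2"
  sleep 1
  #start menu
  while true; do
    print_banner
    echo "Enter 1 to Scan current logs"
    echo
    echo "Enter 2 to Scan Current Montly Logs"
    echo
    echo "Enter 3 to Scan Prior Month Logs"
    echo
    echo "Enter 4 to exit"
    # EOF on stdin used to spin through the loop forever; leave instead
    read -r answer || cleanup_and_exit
    #start options
    case "$answer" in
      1)
        echo -e "$gre $div2 Scanning Current Apache logs $div2 $yell"
        echo
        collect_hits plain "$hits_file" /usr/local/apache/domlogs/
        report_hits "$hits_file" 6
        ioccheck
        ;;
      2)
        echo -e "$yell $div2 Scanning Current Month logs $div2"
        collect_hits gz "$hits_file2" /home/*/logs/*-"$month"-"$year".gz
        report_hits "$hits_file2" 5
        ioccheck2
        ;;
      3)
        # this option scans the prior month; the label used to say "Current"
        echo -e "$yell $div2 Scanning Prior Month logs $div2"
        collect_hits gz "$hits_file2" /home/*/logs/*-"$pmonth"-"$pyear".gz
        report_hits "$hits_file2" 5
        ioccheck2
        ;;
      4) cleanup_and_exit ;;
    esac
    printf '%b' "$whi"
    echo "Enter to return to the menu"
    read -r _ || cleanup_and_exit
  done
#Part 2 of Environment check goes to Apache Defaults if cpanel isn't there
else
  sleep 1
  echo "$div2 Not Cpanel Assuming Apache Defaults $div2"
  sleep 1
  while true; do
    print_banner
    echo "Enter 1 to Scan current logs"
    echo
    echo "Enter 2 to exit"
    read -r answer2 || cleanup_and_exit
    #start options
    case "$answer2" in
      1)
        echo -e "$gre $div2 Scanning Current Apache logs $div2 $yell"
        echo
        collect_hits plain "$hits_file" /var/log/apache2/access.log*
        report_hits "$hits_file"
        ioccheck
        ;;
      2) cleanup_and_exit ;;
    esac
    printf '%b' "$whi"
    echo "Enter to return to the menu"
    read -r _ || cleanup_and_exit
  done
fi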