Skip to content

@johnmcbride johnmcbride released this Feb 12, 2020

Mitigations for false positives:

  • removed detection of /etc/passwd from shell history
  • disabled scanning of binary files (i.e. .gif) for text artifacts
  • selective scanning of .xml files in the bookmarks folder

New detections:

  • added scanning for php webshells under /var/vpn/themes and subdirectories

Report format and content:

  • added a scan summary paragraph to the top of the output report
  • include full text of detected .xml files in the report


  • added a FAQ item on disk imaging and a sample script for imaging a remote NS device
Assets 3

@fjserna fjserna released this Jan 29, 2020 · 1 commit to master since this release


match post exploitation of /etc/passwd due to example in this scanner (thanks for reports by @t0i and @marcoklose!)

from git revision: 321d183

md5: 457ee3559409586edcd4c8c34fbe056c
sha256: d808928ccdb8a3f8705989fd28bb6d6b71c7edd1723bc6dfbbd8ad5e67f431d6

Assets 3

@fjserna fjserna released this Jan 24, 2020 · 2 commits to master since this release


FAQ document
/var/log/sh.log evidence source
/var/log/cron evidence source
new shell history terms contributed by the community

don't match legit bookmark files like bm_prefix_*
don't match in post exploitation
relaxed regex matching exploitation in access logs

from git revision: c7c6d63

md5: 12087dd6772ec09845f6f11971e93775
sha256: 195292335bc777359255af0af96ac8c8eccc83637fea1f1296dfc2ce02b9d354

Assets 3

@fjserna fjserna released this Jan 22, 2020 · 4 commits to master since this release

from git revision: d103124

md5: b719b84cacc80859a1779e501d57a380
sha256: 1f198b562573ba767430fa46796860276574e8c7add33389a1e9c9d3042520a2

recommend using the standalone .sh, download below

Assets 3
You can’t perform that action at this time.