This repository has been archived by the owner on Jul 14, 2023. It is now read-only.
Ran ver1.3 against a Netscaler. The first time it ran it showed "Evidence of compromise found: No" and no other indications of compromise in the output.
However the second time I ran the scanner against the same system it returned "Evidence of compromise found: Yes" and the output showed signs of evidence of NOTROBIN.
The more times I ran ver1.3 against the system the more lines of evidence of NOTROBIN would appear.
All log entries showing evidence of NOTROBIN had a timestamp of the exact day and time I ran the scan; there were no log entries showing evidence of NOTROBIN prior to the day I ran the scan.
The "evidence" of compromise that it finds looks to be exactly the code of the function 'scan_fs_notrobin()' from the script file ./scanners/fs-paths.sh.
Running ver1.2 against the same system showed no signs of compromise.
All of this leads me to the conclusion that ver 1.3 has a bug which is causing false positives.
**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/bash.log:Feb 17 04:30:39 <local7.notice> sydalx-dmzns01 bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do if [ -f "$root_directory/$notrobin_path" ]; then found=true; report_match "$notrobin_path, known path to NOTROBIN artifact."; fi; done"
///var/log/bash.log:Feb 17 04:30:39 <local7.notice> sydalx-dmzns01 bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 17 04:30:39 <local7.notice> sydalx-dmzns01 bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
Please review the above shell history entries for unexpected activity.
They match signatures commonly associated with post-exploitation;
however, this may overlap with legitimate system administration.
If you recognize the commands as something you typed, then you can probably ignore them.
For example, reviewing '/etc/passwd' to manage users may be valid in your environment.
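The mechanism behind the false positive described above is that the appliance logs every shell command the scanner itself executes, so a later run's shell-history check matches the scanner's own function body. The following is an added example, not code from the ioc-scanner project, that reproduces the effect on a constructed bash.log excerpt and shows one way a check can exclude its own logged commands. It assumes the log format shown in the issue and that the marker string `notrobin_paths` only ever appears in the scanner's own code.

```shell
#!/bin/sh
# Added example (not the scanner's own code): reproduces the self-match false
# positive and demonstrates filtering the scanner's own logged commands.
# Assumption: 'notrobin_paths' is a marker unique to the scanner's function body.

# Constructed sample of /var/log/bash.log: two lines are the scanner's own
# command text echoed by the appliance's shell logging, one line is a
# command an operator typed that genuinely references the path, one is noise.
make_sample_log() {
    cat > "$1" <<'EOF'
Feb 17 04:30:39 <local7.notice> host bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
Feb 17 04:30:39 <local7.notice> host bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[1]="/tmp/.init/httpd""
Feb 16 22:11:02 <local7.notice> host bash[9912]: (null) on /dev/pts/1 shell_command="ls -l /tmp/.init/httpd"
Feb 16 09:00:00 <local7.notice> host bash[4412]: (null) on /dev/pts/1 shell_command="cat /etc/hosts"
EOF
}

# Naive check, as the issue observes it: every line containing the
# blacklisted path counts, including the scanner's own echoed code.
# $1 = log file, $2 = blacklisted string
naive_count() {
    grep -c -F "$2" "$1" || true
}

# Hardened check: drop lines whose logged command is the scanner's own
# code (recognised by the marker), then count what is left for review.
filtered_count() {
    grep -F "$2" "$1" | grep -v -F 'notrobin_paths' | grep -c . || true
}

# Stand-alone usage: the naive count grows with every scan run, the
# filtered count only reflects commands the scanner did not issue itself.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    log=$(mktemp)
    make_sample_log "$log"
    echo "naive matches:    $(naive_count "$log" /tmp/.init/httpd)"
    echo "filtered matches: $(filtered_count "$log" /tmp/.init/httpd)"
    rm -f "$log"
fi
```

Excluding by marker is the simplest fix; a more robust scanner would record its own session (the bash[PID] field on the appliance, or the scan's start timestamp) and ignore entries it generated.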