Merge pull request #25 from fireeye/2020-03-24

2020 03 24
mandiant · Mar 25, 2020 · c0b6d17 · c0b6d17
2 parents d5ecef8 + d13ddb4
commit c0b6d17
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 16 deletions.
diff --git a/build.sh b/build.sh
@@ -22,13 +22,14 @@ set -o errexit;
 # ref: https://stackoverflow.com/a/4774063/87207
 readonly current_directory="$( cd "$(dirname "$0")" ; pwd -P )"
 
-# generate a version file with GIT metadata
+# generate a version file with git metadata
 version_file="$current_directory/version.sh";
 if [ -f "$version_file" ]; then
     rm "$version_file";
 fi
-echo "git_tag=$(git describe --tags)" > $version_file;
-echo "git_hash=$(git rev-parse HEAD)" >> $version_file;
+echo "#!/usr/bin/bash" > $version_file;
+echo "git_tag=\"$(git describe --tags)\";" >> $version_file;
+echo "git_hash=\"$(git rev-parse HEAD)\";" >> $version_file;
 
 # not all FreeBSD/NetScaler devices have mktemp.
 readonly staging_directory="/tmp/$(date +%s)";

diff --git a/ioc-scanner-CVE-2019-19781.sh b/ioc-scanner-CVE-2019-19781.sh
@@ -377,16 +377,16 @@ report "";
 report "**********************************************************************";
 report "SUMMARY:"
 colwidth="37";
-report "$(fmt_key_val "Date" "$startdate" $colwidth)";
+report "$(fmt_key_val "Date" "$startdate" "$colwidth")";
 # Hostname
 if [ -f "$root_directory/nsconfig/ns.conf" ]; then
     readonly hostname=$(grep 'set ns hostName' "$root_directory/nsconfig/ns.conf" | awk -F ' ' '{print $4}');
-    report "$(fmt_key_val "Hostname" $hostname $colwidth)";
+    report "$(fmt_key_val "Hostname" "$hostname" "$colwidth")";
 fi
 # IP address
 if [ -f "$root_directory/nsconfig/ns.conf" ]; then
     readonly ipstr=$(grep 'ns config \-IPAddress' "$root_directory/nsconfig/ns.conf" | awk -F ' ' '{print $5}');
-    report "$(fmt_key_val "IP" $ipstr $colwidth)";
+    report "$(fmt_key_val "IP" "$ipstr" "$colwidth")";
 fi
 # NS version
 if [ -f "$root_directory/flash/boot/loader.conf" ]; then
@@ -396,18 +396,18 @@ if [ -f "$root_directory/flash/boot/loader.conf" ]; then
     if [[ $ns_verstr == "ns-"* ]]; then
         ns_verstr=${ns_verstr:3};
     fi
-    report "$(fmt_key_val "NS version" "$ns_verstr" $colwidth)";
+    report "$(fmt_key_val "NS version" "$ns_verstr" "$colwidth")";
 fi
-report "$(fmt_key_val "Scanner version" $git_tag $colwidth)";
+report "$(fmt_key_val "Scanner version" "$git_tag" "$colwidth")";
 if "$verbose"; then
     runmode="Verbose";
 else
     runmode="Default";
 fi
-report "$(fmt_key_val "Scanner run mode" $runmode $colwidth)";
-report "$(fmt_key_val "Evidence of compromise found" "$found_evidence_compromise" $colwidth)";
-report "$(fmt_key_val "Evidence of scanning found" "$found_evidence_scanning" $colwidth)";
-report "$(fmt_key_val "Evidence of failed exploitation found" "$found_evidence_failed_exploitation" $colwidth)";
+report "$(fmt_key_val "Scanner run mode" "$runmode" "$colwidth")";
+report "$(fmt_key_val "Evidence of compromise found" "$found_evidence_compromise" "$colwidth")";
+report "$(fmt_key_val "Evidence of scanning found" "$found_evidence_scanning" "$colwidth")";
+report "$(fmt_key_val "Evidence of failed exploitation found" "$found_evidence_failed_exploitation" "$colwidth")";
 report "**********************************************************************";
 report "";
 

diff --git a/scanners/error-logs.sh b/scanners/error-logs.sh
@@ -21,7 +21,7 @@ error_log_post_exploitation() {
 
     local results="";
     for regex in "${http_err_regexes[@]}"; do
-        hits=$(find "$root_directory/var/log/" -type f -iname "*httperr*" -exec grep -HEi "$regex" {} \;);
+        hits=$(find "$root_directory/var/log/" -type f -iname "*httperr*" -exec zgrep -HEi "$regex" {} \;);
         results="$results"$'\n'"$hits";
     done
 

diff --git a/scanners/netscaler-content.sh b/scanners/netscaler-content.sh
@@ -35,7 +35,9 @@ ns_content_blacklist[19]="xp_eternalblue.replay";
 # match filename `ld.sh` without matching `build.sh`
 ns_content_blacklist[20]="[^i]ld.sh";
 ns_content_blacklist[21]="piz.Lan";
-ns_content_blacklist[22]="de.py";
+# match filename `de.py` without matching `upgrade.py`
+# see #9
+ns_content_blacklist[22]="[^a]de.py";
 ns_content_blacklist[23]=".new.zip";
 ns_content_blacklist[24]="/tmp/rAgn";
 # other activity

diff --git a/scanners/shell-history.sh b/scanners/shell-history.sh
@@ -35,7 +35,8 @@ shell_history_blacklist[23]="x86.dll"
 shell_history_blacklist[24]="xp_eternalblue.replay"
 shell_history_blacklist[25]="ld.sh"
 shell_history_blacklist[26]="piz.Lan"
-shell_history_blacklist[27]="de.py"
+# disabled due to #9
+# shell_history_blacklist[27]="de.py"
 shell_history_blacklist[28]=".new.zip"
 shell_history_blacklist[29]="/tmp/rAgn"
 shell_history_blacklist[30]="/tmp/.init/httpd"
@@ -55,6 +56,9 @@ shell_history_paths[0]="/var/log/bash.log";
 shell_history_paths[1]="/var/log/notice.log";
 shell_history_paths[2]="/var/log/sh.log";
 
+# addresses issue 24
+readonly whitelist="declare -a notrobin_paths;";
+
 scan_shell_history() {
     for path in "${shell_history_paths[@]}"; do
         if  ! compgen -G "$root_directory/$path*" >/dev/null; then
@@ -65,7 +69,7 @@ scan_shell_history() {
         local found=false;
         for re in "${shell_history_blacklist[@]}"; do
             # /dev/null to ensure at least one of these files exists so zgrep doesn't fail
-            local entries=$(zgrep -F "$re" "$root_directory/$path"* /dev/null);
+            local entries=$(zgrep -F "$re" "$root_directory/$path"* /dev/null | grep -v "$whitelist");
             if [ -n "$entries" ]; then
                 found=true;
                 report_match "blacklisted content '$re'";