# Copyright 2020 FireEye, Inc. and Citrix Systems, Inc.
# Indicator table consumed by scan_shell_history below. Every entry is matched
# as a literal substring (zgrep -F) against each file named in
# shell_history_paths, so entries are fixed strings, NOT regular expressions.
# Index gaps (9, 17, 27) are retired entries deliberately left commented out;
# iteration is over "${shell_history_blacklist[@]}", so gaps are harmless.
# FreeBSD/NetScaler bash doesn't support array declaration shortcut
# so we create the array by hand... I'm sorry.
declare -a shell_history_blacklist;
shell_history_blacklist[0]="95.179.163.186";
# from: https://isc.sans.edu/diaryimages/images/20200112-235452(1).png
shell_history_blacklist[1]="/wp-content/uploads/"
shell_history_blacklist[2]="tee /netscaler/portal"
shell_history_blacklist[3]="185.178.45.221"
shell_history_blacklist[4]="ci.sh"
shell_history_blacklist[5]="ci2.sh"
shell_history_blacklist[6]="ci3.sh"
shell_history_blacklist[7]="159.69.37.196"
shell_history_blacklist[8]="cmd.pl"
# disabled because in 1.1 we shipped this file as an example, which then showed
# up in bash/notice.logs and matched itself (false positive on every host).
#shell_history_blacklist[9]="/etc/passwd"
# credential/config files: legitimate admin reads will also match these, hence
# the "review, don't panic" wording in scan_shell_history.
shell_history_blacklist[10]="/etc/security/passwd"
shell_history_blacklist[11]="/etc/shadow"
shell_history_blacklist[12]="/flash/nsconfig/ns.conf"
shell_history_blacklist[13]="NSC_USER"
shell_history_blacklist[14]="nc -l"
shell_history_blacklist[15]="python -c '"
shell_history_blacklist[16]="www.jdjd.com"
# this script uses whoami,
# so we flag ourselves (facepalm)
#shell_history_blacklist[17]="whoami"
shell_history_blacklist[18]="61.218.225.74"
# IP of host serving EternalBlue scanner/exploiter
shell_history_blacklist[19]="45.120.53.214"
shell_history_blacklist[20]="eternalblue.replay"
shell_history_blacklist[21]="scan.py"
shell_history_blacklist[22]="x64.dll"
shell_history_blacklist[23]="x86.dll"
shell_history_blacklist[24]="xp_eternalblue.replay"
shell_history_blacklist[25]="ld.sh"
shell_history_blacklist[26]="piz.Lan"
# disabled due to #9
# shell_history_blacklist[27]="de.py"
shell_history_blacklist[28]=".new.zip"
shell_history_blacklist[29]="/tmp/rAgn"
shell_history_blacklist[30]="/tmp/.init/httpd"
# other activity
shell_history_blacklist[31]="198.44.227.126"
shell_history_blacklist[32]="/tmp/l.sh"
shell_history_blacklist[33]="23.234.10.122"
# reported by Slava Feige, Director, Cyber Analysis Western Digital
shell_history_blacklist[34]="46.45.15.56"
shell_history_blacklist[35]="157.157.87.22"
shell_history_blacklist[36]="193.187.174.104"
shell_history_blacklist[37]="62.113.112.33"
shell_history_blacklist[38]="217.12.221.12"
# from subsequent NOTROBIN and/or APT41 blog posts from FEYE
shell_history_blacklist[39]="/tmp/bsd";
shell_history_blacklist[40]="/tmp/un";
shell_history_blacklist[41]="66.42.98.220";
shell_history_blacklist[42]="/var/nstmp/.nscache/prev.sh";
shell_history_blacklist[43]="/var/nstmp/.nscache/httpd-nscache_clean";
shell_history_blacklist[44]="/vpn/themes/imgs/tiny.php";
shell_history_blacklist[45]="/vpn/themes/imgs/debug.php";
shell_history_blacklist[46]="/vpn/themes/imgs/conn.php";
# Shell-history logs to inspect, relative to $root_directory. Each name is
# globbed with a trailing '*' by scan_shell_history, so rotated and compressed
# siblings of these files are presumably picked up as well (zgrep reads both).
declare -a shell_history_paths;
shell_history_paths[0]="/var/log/bash.log";
shell_history_paths[1]="/var/log/notice.log";
shell_history_paths[2]="/var/log/sh.log";
# addresses issue 24
# Lines containing this string are dropped from every match set
# (grep -v in scan_shell_history) -- presumably self-matches produced by
# running the scanner itself; see issue 24. NOTE(review): it is passed to plain
# grep, i.e. interpreted as a basic regular expression; it currently contains
# no regex metacharacters, and any future edit must keep it that way (or the
# caller must switch to grep -F) so the suppression cannot silently widen.
readonly whitelist="declare -a notrobin_paths;";
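#######################################
# Scan the shell-history logs under $root_directory for blacklisted content.
# Globals:   root_directory (read), shell_history_paths (read),
#            shell_history_blacklist (read), whitelist (read)
# Arguments: none
# Outputs:   findings via report_match/report, diagnostics via debug
#            (all three are defined elsewhere in the scanner)
# Returns:   0 (a log with no matches is not an error)
#######################################
scan_shell_history() {
  local path re entries found
  for path in "${shell_history_paths[@]}"; do
    # trailing '*' also catches rotated/compressed siblings (e.g. bash.log.0.gz)
    if ! compgen -G "$root_directory/$path*" >/dev/null; then
      debug "didn't find $path files";
      continue;
    fi
    found=false
    for re in "${shell_history_blacklist[@]}"; do
      # Indicators are literal substrings (-F). /dev/null guarantees at least
      # one operand always exists so zgrep does not fail, and with two or more
      # operands every hit is prefixed with its file name.
      # The whitelist is matched as a fixed string as well (-F --) so it can
      # never be misread as a regex and silently suppress more than intended.
      # Declaration and assignment are split (SC2155); '|| true' keeps the
      # original "no match is not an error" behaviour under set -e, because
      # grep -v exits 1 whenever it prints nothing.
      entries=$(zgrep -F "$re" "$root_directory/$path"* /dev/null | grep -v -F -- "$whitelist") || true
      if [ -n "$entries" ]; then
        found=true
        report_match "blacklisted content '$re'";
        report "matches for '$re':";
        report "$entries";
        report "Please review the above shell history entries for unexpected activity.";
        report "They match signatures commonly associated with post-exploitation;"
        report "however, this may overlap with legitimate system administration."
        report "If you recognize the commands as something you typed, then you can probably ignore them."
        report "For example, reviewing '/etc/passwd' to manage users may be valid in your environment."
      fi
    done
    if [ "$found" != true ]; then
      debug "did not find blacklisted content in $path";
    fi
  done
}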