v1.4

fixes:

#9
#20 thanks @cybgit
#24 thanks @evilsibling
adds:

additional artifacts, namely from upcoming blog posts
diff

v1.3

Mitigations for false positives:

• removed detection of /etc/passwd from shell history
• disabled scanning of binary files (i.e. .gif) for text artifacts
• selective scanning of .xml files in the bookmarks folder

New detections:

• added scanning for php webshells under /var/vpn/themes and subdirectories

Report format and content:

• added a scan summary paragraph to the top of the output report
• include full text of detected .xml files in the report

FAQ:

• added a FAQ item on disk imaging and a sample script for imaging a remote NS device

v1.2

fixes:

match post exploitation of /etc/passwd due to example in this scanner (thanks for reports by @t0i and @marcoklose!)

from git revision: 321d183

filename: ioc-scanner-CVE-2019-19781-v1.2.sh
md5: 457ee3559409586edcd4c8c34fbe056c
sha256: d808928ccdb8a3f8705989fd28bb6d6b71c7edd1723bc6dfbbd8ad5e67f431d6

v1.1

adds:

FAQ document
/var/log/sh.log evidence source
/var/log/cron evidence source
new shell history terms contributed by the community
fixes:

don't match legit bookmark files like bm_prefix_*
don't match build.sh in post exploitation
relaxed regex matching exploitation in access logs

from git revision: c7c6d63

filename: ioc-scanner-CVE-2019-19781-v1.1.sh
md5: 12087dd6772ec09845f6f11971e93775
sha256: 195292335bc777359255af0af96ac8c8eccc83637fea1f1296dfc2ce02b9d354

v1.0

from git revision: d103124

filename: ioc-scanner-CVE-2019-19781-v1.0.sh
md5: b719b84cacc80859a1779e501d57a380
sha256: 1f198b562573ba767430fa46796860276574e8c7add33389a1e9c9d3042520a2

recommend using the standalone .sh, download below