|
|
@@ -2,13 +2,13 @@
|
|
|
#########################################################################
|
|
|
# Script for hunting malware #
|
|
|
# Created by PM-DoIT #
|
|
|
-# ver 0.1 #
|
|
|
+# ver 0.2 #
|
|
|
#########################################################################
|
|
|
|
|
|
#------------------------------- VARIABLE ------------------------------#
|
|
|
clear
|
|
|
score=0
|
|
|
-IGNORE="apache|apparmor|chrony|cron|mariadb|networking|fpm|postfix|snmpd|ssh|certbot|logrotate|rsyslog|clamav|php|redis|supervisor|getty|apt-daily|chkrootkit|monit|qemu-guest|systemd-journald|maldet"
|
|
|
+IGNORE="apache|apparmor|chrony|cron|mariadb|networking|fpm|postfix|snmpd|ssh|certbot|logrotate|rsyslog|clamav|php|redis|supervisor|getty|apt-daily|chkrootkit|monit|qemu-guest|systemd-journald|maldet|wazuh|filebea"
|
|
|
echo -e "\e[1;37m-------------------------------------\e[0m"
|
|
|
echo -e "\e[1;33mSTARTED host COMPROMISE assessment:\e[0m"
|
|
|
echo -e "\e[1;37m-------------------------------------\e[0m"
|
|
|
@@ -31,27 +31,27 @@ fi
|
|
|
|
|
|
#---------------------- Suspicious listening ports ---------------------#
|
|
|
echo -e "- \e[1;32mChecking suspicious listening ports\e[0m"
|
|
|
-listeners=$(ss -tulpn | grep -E 'bash|sh|python|nc|perl' | wc -l)
|
|
|
+listeners=$(ss -tulpn | grep -E 'bash|sh|python|nc|perl' | grep -v "ssh" | wc -l)
|
|
|
if [ "$listeners" -gt 0 ]; then
|
|
|
echo -e "\e[1;31m- ! Suspicious listeners detected\e[0m"
|
|
|
- ss -tulpn | grep -E 'bash|sh|python|nc|perl'
|
|
|
- score=$((score+25))
|
|
|
+ ss -tulpn | grep -E 'bash|sh|python|nc|perl' | grep -v "ssh"
|
|
|
+ score=$((score+15))
|
|
|
fi
|
|
|
|
|
|
#--------------------------- Cron persistence --------------------------#
|
|
|
echo -e "- \e[1;32mChecking cron persistence\e[0m"
|
|
|
cron_count=$(find /etc/cron* /var/spool/cron -type f 2>/dev/null | wc -l)
|
|
|
-if [ "$cron_count" -gt 10 ]; then
|
|
|
+if [ "$cron_count" -gt 20 ]; then
|
|
|
echo -e "\e[1;31m- ! High number of cron jobs: [$cron_count]\e[0m"
|
|
|
find /etc/cron* /var/spool/cron -type f
|
|
|
- score=$((score+10))
|
|
|
+ score=$((score+5))
|
|
|
fi
|
|
|
|
|
|
#--------------------------- Executable TMP ----------------------------#
|
|
|
-exec_count=$(find /tmp /var/tmp /dev/shm -type f -executable -ls | wc -l)
|
|
|
-if [ "$cron_count" -ge 1 ]; then
|
|
|
+exec_count=$(find /tmp /var/tmp /dev/shm -type f -executable -ls | grep -v "hunter.sh" | wc -l)
|
|
|
+if [ "$exec_count" -ge 1 ]; then
|
|
|
echo -e "\e[1;31m- ! High number of executable temporary detected: [$exec_count]\e[0m"
|
|
|
- find /tmp /var/tmp /dev/shm -type f -executable -ls | awk '{print $NF}'
|
|
|
+ find /tmp /var/tmp /dev/shm -type f -executable -ls | awk '{print $NF}' | grep -v "hunter.sh"
|
|
|
score=$((score+10))
|
|
|
fi
|
|
|
|
|
|
@@ -65,10 +65,10 @@ fi
|
|
|
|
|
|
#------------------------ Suspicious processes -------------------------#
|
|
|
echo -e "- \e[1;32mChecking suspicious processes\e[0m"
|
|
|
-proc=$(ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter" | wc -l)
|
|
|
+proc=$(ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter|wazuh" | wc -l)
|
|
|
if [ "$proc" -gt 0 ]; then
|
|
|
echo -e "\e[1;31m- ! Suspicious processes detected\e[0m"
|
|
|
- ps aux | grep -E '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter"
|
|
|
+ ps aux | grep -iE '/tmp|/dev/shm|nc -l|python -c|bash -i' | egrep -v "grep|hunter|wazuh"
|
|
|
score=$((score+30))
|
|
|
fi
|
|
|
|
|
|
@@ -87,7 +87,7 @@ lastb -a | head -10
|
|
|
|
|
|
#---------------------- Suspicious connections -------------------------#
|
|
|
echo -e "- \e[1;32mChecking suspicious connections\e[0m"
|
|
|
-lsof -i -P -n | egrep -v "80|443|161|2812|323|LISTEN"
|
|
|
+lsof -i -P -n | egrep -v "80|443|161|2812|323|3306|9200|6379|LISTEN"
|
|
|
|
|
|
#----------------------- Suspicious services ---------------------------#
|
|
|
echo -e "- \e[1;32mChecking suspicious services\e[0m"
|
|
|
@@ -99,9 +99,9 @@ if [ "$score" -gt 100 ]; then score=100; fi
|
|
|
echo -e "\e[1;37m-------------------------------------\e[0m"
|
|
|
echo -e "\e[1;33mCOMPROMISE SCORE:\e[0m \e[1;36m$score / 100\e[0m"
|
|
|
echo -e "\e[1;37m-------------------------------------\e[0m"
|
|
|
-if [ "$score" -lt 20 ]; then
|
|
|
+if [ "$score" -lt 30 ]; then
|
|
|
echo -e "- Status: \e[1;32mLOW RISK\e[0m"
|
|
|
-elif [ "$score" -lt 50 ]; then
|
|
|
+elif [ "$score" -lt 60 ]; then
|
|
|
echo -e "- Status: \e[1;35mMEDIUM RISK\e[0m"
|
|
|
else
|
|
|
echo -e "- Status: \e[1;31mHIGH RISK\e[0m"
|
