@CrazyLlama
CrazyLlama / bad_code_php
Created December 1, 2017 15:32
Check for common compromising code in php files
## Linux ##
## Check for common bad code in php shell files
# grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include=*.php*
####################################
## Windows ##
## There aren't many ways to check for bad code across the solution - my best advice would be to look into tools which can be used by the client to find these automatically.
@CrazyLlama
CrazyLlama / recent_php_modifications
Created December 1, 2017 15:28
Get PHP files that have been recently modified
## Linux ##
## Sort most recently modified PHP files by time modified
# find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
##############################
## Windows ##
## It's quite difficult to do this on Windows without the use of scripting/PowerShell - so I'd have a look around online for anything that may help. I have found the below
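As an added example (not one of CrazyLlama's gists), the script below wraps the two Linux triage checks from the bad_code_php and recent_php_modifications gists in functions and runs them against a constructed document root, so the output is deterministic and can be compared run to run. It assumes GNU grep, GNU find (for -printf) and GNU touch -d; the directory names, file names and file contents are constructed fixtures, and the flagged file holds an inert indicator string that is only grepped, never executed.

```shell
#!/usr/bin/env bash
# Added example: run the grep indicator pattern and the find modification
# listing from the gists above as reusable functions over a constructed tree.

# Same indicator pattern as the bad_code_php gist.
PHP_BAD_PATTERN='((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))'

# Build a constructed document root: one benign PHP file, one PHP file that
# carries an inert indicator string, and one non-PHP file that must be skipped.
# Modification times are pinned so the ordering check is deterministic.
make_fixture() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/includes" "$root/uploads"
    printf '<?php\necho "hello";\n' > "$root/includes/index.php"
    printf '<?php\n$payload = "";\neval(base64_decode($payload));\n' > "$root/uploads/cache.php"
    printf 'not php\n' > "$root/uploads/readme.txt"
    touch -d '2017-01-01 00:00:00' "$root/includes/index.php"
    touch -d '2017-11-30 12:00:00' "$root/uploads/cache.php"
    printf '%s' "$root"
}

# Check 1: names of PHP files containing an indicator, relative to the root.
scan_bad_php() {
    local root=$1
    (cd "$root" && grep -lroE "$PHP_BAD_PATTERN" . --include='*.php*' | sort)
}

# Check 1b: file, line number and the matched indicator text, for manual review
# of each hit before deciding whether it is a false positive.
show_matches() {
    local root=$1
    (cd "$root" && grep -rnoE "$PHP_BAD_PATTERN" . --include='*.php*' | sort)
}

# Check 2: PHP files ordered oldest-to-newest by modification time (the
# recent_php_modifications one-liner); the newest entries are the ones to review.
recent_php() {
    local root=$1
    (cd "$root" && find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort)
}
```

Run it against a real document root by calling `scan_bad_php /var/www/html` (or whichever path applies) and then `show_matches` on the same path; the `--include='*.php*'` glob also catches `.phtml` and `.php5` files, which is why the page's pattern uses the trailing wildcard.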
@CrazyLlama
CrazyLlama / get_processes
Created December 1, 2017 15:16
How to get processes on Windows/Linux
## Windows ##
## List out all processes running on the server
# Get-Process
## Get more details on a specific process (hint: replace "{process-name}" with the name of the process)
# Get-Process {process-name} | Format-List *
###########################################
@CrazyLlama
CrazyLlama / error_logs
Created December 1, 2017 15:02
How to check error logs
One of the following should find error logs within the server:
# updatedb
# locate error
# locate error_log
# locate error.log
# find /var/log/* -name "error*"
##################################################
@CrazyLlama
CrazyLlama / access_logs
Created December 1, 2017 15:01
How to check access logs
One of the following should find access logs within the server:
# updatedb
# locate access
# locate access_log
# locate access.log
# find /var/log/* -name "access*"
##################################################
@CrazyLlama
CrazyLlama / gist:3de1a387bf14caca984855f9c552d224
Created November 16, 2017 10:16
Example script for listing processes and their CWD/EXE
#!/usr/bin/env bash
echo "Enter the string you would like to search the process list for:"
read -r proc
# Stick processes output into array - prepending `/proc/` for later usage
# ("$proc" is quoted so a search string with spaces or glob characters reaches grep intact;
# `grep -v grep` drops the grep command itself, which would otherwise match its own pattern)
proc_array=( $(ps faux | grep "$proc" | grep -v grep | grep -v root | awk '{print $2}' | sed 's/^/\/proc\//g') )
# Stick processes output into array - specifically the names of the processes
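As an added example (not the gist's script, which is only partially shown above), the functions below resolve a process's executable and working directory straight from /proc instead of parsing `ps` output. It assumes Linux procfs; matching is done on `/proc/<pid>/comm`, so unlike `ps | grep pattern` the search never matches its own grep process, and unreadable `exe`/`cwd` links (kernel threads, other users' processes) are reported as `?` rather than aborting the listing.

```shell
#!/usr/bin/env bash
# Added example: list processes with their executable and working directory
# by reading /proc directly. Assumes Linux procfs.

# One tab-separated line for a single pid: <pid> <comm> <exe> <cwd>.
# Returns 1 if the pid does not exist (or has already exited).
proc_info() {
    local pid=$1 comm exe cwd
    [ -r "/proc/$pid/comm" ] || return 1
    comm=$(cat "/proc/$pid/comm")
    # readlink fails for kernel threads and for processes this user may not
    # inspect; print a placeholder instead of failing the whole listing.
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    printf '%s\t%s\t%s\t%s\n' "$pid" "$comm" "$exe" "$cwd"
}

# Walk every numeric /proc entry and report those whose comm matches the
# given grep ERE. Processes that vanish mid-walk are silently skipped.
find_procs() {
    local pattern=$1 dir pid
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        if grep -qE -- "$pattern" "$dir/comm" 2>/dev/null; then
            proc_info "$pid" || true
        fi
    done
}

# When run directly with a pattern argument, list the matching processes.
if [ "$#" -gt 0 ]; then
    find_procs "$1"
fi
```

A process whose `exe` link ends in ` (deleted)` is running from a binary that has since been removed from disk, and a `cwd` under a web root or `/tmp` for something that is not a web server worker are both worth a closer look; compare the `comm` column against the resolved `exe` path, since the two need not agree.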
@CrazyLlama
CrazyLlama / gist:e9c5a931c9b37fc2cf40d184e23a7c94
Created November 16, 2017 10:12
Example one-liners, powershell edition
## Sources:
# https://www.dionach.com/blog/powershell-in-forensic-investigations
# https://www.sans.org/reading-room/whitepapers/critical/uncovering-indicators-compromise-ioc-powershell-event-logs-traditional-monitoring-tool-36352
# https://blogs.technet.microsoft.com/heyscriptingguy/2012/05/28/use-powershell-to-aid-in-security-forensics/
# Lists all established TCP connections; netstat can also list all connections regardless of status. Decide whether you want to see TCP or UDP and remove the parentheses
Get-NetTCPConnection -State Established
netstat -ano -p (TCP/UDP)
# List out all processes running on the server
# Look for potentially bad stuff that's compressed to hide mysterious things - run this within the document roots of web servers to find potential php shells (source: https://djlab.com/2010/09/finding-php-shell-scripts-and-php-exploits/)
grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include=*.php*
# Print out processes in a nicer format to compare its shown source to actual source
ps -Ao pid,comm,cmd,lstart
# Deny those damn pesky processes their CPU time - this is based on all the bad processes being under a single user. Don't run this unless you're sure that
pkill -U <user> -STOP || pkill -STOP -U <user> # Depending on OS
# Deny processes CPU time - this is based on a process by process working order
@CrazyLlama
CrazyLlama / Keybase.md
Created September 19, 2017 09:18
Proving Keybase

Keybase proof

I hereby claim:

To claim this, I am signing this object: