I hereby claim:
- I am crazyllama on github.
- I am approximatelybee (https://keybase.io/approximatelybee) on keybase.
- I have a public key ASCaK2pwQGnxKBWt0FNNl3DxohUhEJa2zABXyjM3QqPNQAo
To claim this, I am signing this object:
## Linux ##
## Check for common bad code in PHP shell files (quote the --include glob so the shell does not expand it against files in the current directory)
# grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include='*.php*'
####################################
## Windows ##
## There is no equivalent one-liner for checking bad code across the whole solution on Windows; my best advice would be to look into tools the client can run to find these automatically.
## Linux ##
## Sort PHP files by modification time, most recent last
# find . -type f -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort
##############################
## Windows ##
## It's quite difficult to do this on Windows without the use of scripting/PowerShell, so I'd have a look around online for anything that may help. I have found the below
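The mtime that `-printf '%T...'` sorts on is whatever the last writer chose to leave there: `touch -d` rewrites it, and dropped web shells are routinely backdated to blend in with the rest of the document root. The ctime (inode change time, `%C`) is set by the kernel and cannot be rewritten by `touch`, so comparing the two catches a backdated file. The following is an added example, not from the original gist, using GNU find/touch as the gist does; the file names and timestamps are constructed.

```shell
#!/bin/sh
# Added example, not from the original gist: flag PHP files whose mtime has been
# pushed back more than WINDOW seconds before their ctime (a touch(1) backdate).

# timestomped_php DIR [WINDOW] : print files where ctime - mtime > WINDOW (default 3600).
# Fields are tab-separated so paths containing spaces survive the awk split.
timestomped_php() {
    dir="$1"; window="${2:-3600}"
    find "$dir" -type f -name '*.php' -printf '%T@\t%C@\t%p\n' \
      | awk -F'\t' -v w="$window" '($2 - $1) > w { print $3 }' | sort
}

# recent_php_by_ctime DIR : the gist's listing, but ordered by ctime instead of mtime
recent_php_by_ctime() {
    find "$1" -type f -name '*.php' -printf '%CY-%Cm-%Cd %CT %p\n' | sort
}

# make_fixtures DIR : constructed sample; evil.php gets its mtime backdated to 2019
make_fixtures() {
    mkdir -p "$1"
    printf '<?php echo 1;\n' > "$1/index.php"
    printf '<?php eval($_GET["x"]);\n' > "$1/evil.php"
    touch -d '2019-01-01 00:00:00' "$1/evil.php"
}

# demo : evil.php sorts to the top of the mtime listing as if it were old,
# but is the only file the ctime comparison flags
demo() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp/www"
    echo "by ctime:";      recent_php_by_ctime "$tmp/www"
    echo "timestomped:";   timestomped_php "$tmp/www"
    rm -rf "$tmp"
}
```

The window absorbs normal edit-then-chmod gaps; an attacker who can also set the system clock, or who writes the file from a restored backup, can still defeat this, so treat a clean result as one more data point, not proof.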
## Windows ##
## List out all processes running on the server
# Get-Process
## Get more details on a specific process (hint: replace "{process-name}" with the name of the process)
# Get-Process {process-name} | Format-List *
###########################################
One of the following should find error logs within the server (updatedb refreshes the index that locate searches and normally needs root):
# updatedb
# locate error
# locate error_log
# locate error.log
# find /var/log -name 'error*'
##################################################
One of the following should find access logs within the server:
# updatedb
# locate access
# locate access_log
# locate access.log
# find /var/log -name 'access*'
##################################################
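Both of the lists above assume the logs are named conventionally and either indexed by updatedb or sitting under /var/log. A vhost with its own `CustomLog` or an nginx `access_log` pointing at a data volume satisfies neither, so the reliable source is the web server's own configuration. Added example covering both the error-log and access-log searches (not from the original gist): the config text is constructed, and directive values such as `${APACHE_LOG_DIR}` are printed as written, not expanded.

```shell
#!/bin/sh
# Added example, not from the original gist: pull log paths out of Apache/nginx
# configuration instead of guessing names, plus the gist's two finds in one pass.

# log_paths_from_config FILE... : print the targets of ErrorLog/CustomLog (Apache)
# and error_log/access_log (nginx), comments stripped, de-duplicated.
log_paths_from_config() {
    cat "$@" | sed 's/#.*//' \
      | awk '$1 ~ /^(ErrorLog|CustomLog|error_log|access_log)$/ { gsub(/;$/, "", $2); print $2 }' \
      | sort -u
}

# find_logs_under DIR : files named error* or access* anywhere below DIR
find_logs_under() {
    find "$1" -type f \( -name 'error*' -o -name 'access*' \) 2>/dev/null | sort
}

# make_fixture FILE : constructed config mixing Apache and nginx directives
make_fixture() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server config
ErrorLog /var/log/apache2/error.log
CustomLog /srv/www/example/logs/access.log combined
<VirtualHost *:443>
    ErrorLog ${APACHE_LOG_DIR}/secure-error.log
</VirtualHost>
error_log /var/log/nginx/error.log warn;
access_log /data/logs/nginx/access.log main;
EOF
}

# demo : five distinct log targets, two of them outside /var/log
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp/httpd.conf"
    log_paths_from_config "$tmp/httpd.conf"
    rm -rf "$tmp"
}
```

On a real host point `log_paths_from_config` at `/etc/apache2/**/*.conf`, `/etc/httpd/conf*/*.conf` or `/etc/nginx/nginx.conf` plus its `include`d files; the included files are not followed here, so feed them explicitly.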
#!/usr/bin/env bash
echo "Enter the string you would like to search the process list for:"
read -r proc
# Stick matching PIDs into an array, prepending `/proc/` for later usage.
# pgrep -f matches against the full command line and never reports itself,
# so no `grep -v grep` is needed; root-owned processes are dropped by checking
# the owner column for that PID rather than grepping "root" out of the whole line.
proc_array=( $(pgrep -f -- "$proc" | while read -r pid; do
    [ "$(ps -o user= -p "$pid")" != root ] && printf '/proc/%s\n' "$pid"
done) )
# Stick processes output into array - specifically the names of the processes
## Sources:
# https://www.dionach.com/blog/powershell-in-forensic-investigations
# https://www.sans.org/reading-room/whitepapers/critical/uncovering-indicators-compromise-ioc-powershell-event-logs-traditional-monitoring-tool-36352
# https://blogs.technet.microsoft.com/heyscriptingguy/2012/05/28/use-powershell-to-aid-in-security-forensics/
# Lists out all established TCP connections; netstat lists all connections regardless of state, with -o adding the owning PID. Pass TCP or UDP to -p depending on which you want to see.
Get-NetTCPConnection -State Established
netstat -ano -p TCP    # or: netstat -ano -p UDP
# List out all processes running on the server
# Look for potentially bad stuff that's compressed to hide mysterious things - run this within the document roots of web servers to find potential PHP shells (source: https://djlab.com/2010/09/finding-php-shell-scripts-and-php-exploits/)
grep '((eval.*(base64_decode|gzinflate|\$_))|\$[0O]{4,}|FilesMan|JGF1dGhfc|IIIl|die\(PHP_OS|posix_getpwuid|Array\(base64_decode|document\.write\("\\u00|sh(3(ll|11)))' . -lroE --include='*.php*'
# Print out processes in a nicer format to compare the command line each one shows against its actual executable
ps -Ao pid,comm,cmd,lstart
# Deny those damn pesky processes their CPU time (kill -CONT resumes them) - this is based on all the bad processes being under a single user. Don't run this unless you're sure that
pkill -U <user> -STOP || pkill -STOP -U <user> # Depending on OS
# Deny processes CPU time - this is based on a process by process working order
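The `comm` and `cmd` columns that `ps` shows come from whatever the process set as its name and argv, which malware routinely fakes; the kernel's own record of what was mapped is `/proc/PID/exe`, and that link also reveals binaries deleted after launch. The following is an added example, not from the original gist, of comparing the two and of the per-process freeze the last comment starts to describe; it needs Linux /proc and, for `stop_user_procs`, root targeting a user other than the one running it.

```shell
#!/bin/sh
# Added example, not from the original gist: cross-check ps output against
# /proc, find processes whose executable no longer exists on disk, and freeze
# a user's processes one at a time so each is recorded before it stops.

# proc_exe PID : resolved executable path, empty if PID is gone or unreadable
proc_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# proc_cmdline PID : argv with the NUL separators turned into spaces
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# deleted_exe_pids : PIDs whose exe link ends in " (deleted)", i.e. the binary
# was unlinked after it started (dropper-and-remove behaviour, or an upgrade)
deleted_exe_pids() {
    for p in /proc/[0-9]*; do
        case "$(readlink "$p/exe" 2>/dev/null)" in
            *' (deleted)') echo "${p#/proc/}" ;;
        esac
    done
}

# stop_user_procs USER : the gist's pkill -STOP done per PID, printing
# pid, real executable and cmdline before each SIGSTOP. Resume with kill -CONT.
# Do not run it against your own user: your shell is among the targets.
stop_user_procs() {
    for pid in $(pgrep -u "$1"); do
        printf '%s\t%s\t%s\n' "$pid" "$(proc_exe "$pid")" "$(proc_cmdline "$pid")"
        kill -STOP "$pid"
    done
}

# demo : show the comparison on a throwaway sleep process
demo() {
    sleep 30 &
    pid=$!
    sleep 1
    printf 'ps says:  %s\n' "$(ps -o comm= -p "$pid")"
    printf 'exe is:   %s\n' "$(proc_exe "$pid")"
    printf 'cmdline:  %s\n' "$(proc_cmdline "$pid")"
    printf 'deleted-exe pids: %s\n' "$(deleted_exe_pids | tr '\n' ' ')"
    kill "$pid"
}
```

A mismatch between `comm` and the basename of `exe`, or an `exe` under /tmp, /dev/shm or a web root, is worth pulling the binary for (`cp /proc/PID/exe ./sample` still works while the process lives, even after the file on disk is gone).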