@calib0rx
Created March 19, 2014 19:14
Windigo IOC Quick Check Script
#!/bin/bash
# Quick Operation Windigo IOC checks (Linux/Ebury, Linux/Cdorked, Linux/Onimiki,
# Perl/Calfbot) following the indicators published in ESET's whitepaper.
if [ "$(whoami)" != "root" ]; then
    echo "Must be run as root"
    exit 255
fi
echo "====================================================="
echo "========= Windigo IOC Quick Check Utility ========="
echo "========= Author: Mike Lockhart ========="
echo "========= Email: mlockhart@lancope.com ========="
echo "========= ========="
echo "========= Research Credit: ESET, Inc ========="
echo "========= Whitepaper: http://bit.ly/1qCEQFi ========="
echo "====================================================="
echo " "
echo "Hostname: $(hostname)"
echo "Type: $(uname -a)"
echo "Uptime: $(uptime)"
echo " "

# Ebury check 1: the backdoored ssh binary silently accepts a bogus "-G" option,
# while a clean 2014-era ssh rejects it with "illegal option" / "unknown option".
# Caveat: OpenSSH 6.8 and later implement a legitimate -G (print configuration), so
# on modern systems this check alone reports FAILED; confirm with the other checks.
if ssh -G 2>&1 | grep -q -e illegal -e unknown; then
    SSH_STATUS="PASSED"
else
    SSH_STATUS="FAILED [sshd likely backdoored]"
fi
echo "[+] Linux/Ebury Check 1 - sshd: $SSH_STATUS"

# Ebury check 2: Ebury keeps its state in a shared memory segment created by an ssh
# process. Walk the creator PIDs of all segments (ipcs -m -p, column 3) and look for ssh.
echo -n "[+] Linux/Ebury Check 2 - sshd: "
SHM_STATUS="PASSED"
for PID in $(ipcs -m -p | awk '$3 ~ /^[0-9]+$/ {print $3}'); do
    # Match the exact process by PID rather than any ps line containing those digits.
    if ps -p "$PID" -o comm= 2>/dev/null | grep -q "ssh"; then
        SHM_STATUS="FAILED [sshd likely backdoored]"
        break
    fi
done
echo "$SHM_STATUS"

# Cdorked check 1: a Cdorked web server answers a favicon.ico request with a
# redirect (Location: header); a clean server serves the file or a 404 without one.
echo -n "[+] Linux/Cdorked Check 1 - http: "
if ! HEADERS=$(curl -s -i http://localhost/favicon.ico 2>/dev/null); then
    echo "No web server answering on localhost:80. Check skipped"
elif echo "$HEADERS" | grep -qi "^Location:"; then
    echo "FAILED [webserver likely compromised]"
else
    echo "PASSED"
fi

# Onimiki check 1: only relevant when BIND (named) is running on this host.
echo -n "[+] Linux/Onimiki Check 1 - named: "
if pgrep -x named >/dev/null; then
    echo "System is running BIND. Install Yara and run the rule contained in the ESET paper (pg 59)"
else
    echo "System is not running BIND. Check skipped"
fi

# Calfbot check 1: the bot holds an exclusive flock on the lock file /tmp/... (the
# literal three-dot name). If we can take the lock ourselves, nothing is holding it.
# Only test the file when it exists: flock would otherwise create it and leave a stray copy.
echo -n "[+] Perl/Calfbot Check 1: "
CALFBOT_LOCK="/tmp/..."
if [ ! -e "$CALFBOT_LOCK" ]; then
    echo "PASSED"
elif flock -n "$CALFBOT_LOCK" true; then
    echo "PASSED [lock file exists but is not held; inspect it]"
else
    echo "FAILED, check pg 59 for further instructions"
fi
echo " "
echo "Baseline checks completed at $(date +"%m/%d/%Y %H:%M:%S")"
@calib0rx
Author

I've got an uncompleted version of this that includes the MD5 checks based on the known hashes included in ESET's paper. I'll put that out when it's complete.
