Windingo IOC Quick check Script
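#!/bin/bash
# Windingo IOC quick check.
#
# Runs the host-level heuristics described in ESET's "Operation Windigo"
# paper for Linux/Ebury, Linux/Cdorked, Linux/Onimiki and Perl/Calfbot and
# prints one PASSED / FAILED / SKIPPED line per check. These are triage
# heuristics only: a PASSED result does not prove the host is clean, and a
# FAILED result should be confirmed against the indicators in the paper.
#
# Usage: run as root (needed for full ps/ipcs visibility). No arguments.

#######################################
# Abort unless running as root.
# Outputs: error message to stdout (as in the original), exit 255.
#######################################
require_root() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "Must be run as root"
    exit 255
  fi
}

#######################################
# Print the banner and basic host identification.
#######################################
banner() {
  echo "====================================================="
  echo "========= Windingo IOC Quick Check Utility =========="
  echo "========= Author: Mike Lockhart =========="
  echo "========= Email: mlockhart@lancope.com =========="
  echo "========= =========="
  echo "========= Research Credit: ESET, Inc =========="
  echo "========= Whitepaper: http://bit.ly/1qCEQFi =========="
  echo "====================================================="
  echo " "
  echo "Hostname: $(hostname)"
  echo "Type: $(uname -a)"
  echo "Uptime: $(uptime)"
  echo " "
}

#######################################
# Ebury check 1: the trojanized OpenSSH client accepts an undocumented -G
# option, while a stock client of the era rejected it as an illegal/unknown
# option.
# NOTE: OpenSSH 6.8 and later ship a legitimate -G (print effective config),
# so on modern systems this heuristic alone reports FAILED; confirm with the
# paper's other Ebury indicators before acting on it.
# Outputs: PASSED or FAILED [...] on stdout.
#######################################
ebury_check_1() {
  if ssh -G 2>&1 | grep -q -e illegal -e unknown; then
    echo "PASSED"
  else
    echo "FAILED [sshd likely backdoored]"
  fi
}

#######################################
# Ebury check 2: the backdoor keeps stolen credentials in a SysV shared-memory
# segment created by the ssh daemon. Flag any segment whose creator PID
# belongs to an ssh process.
# ps -p is used so the PID is matched exactly; the former
# "ps aux | grep $PID" matched the digits anywhere in any ps column
# (other PIDs, RSS, VSZ), giving false positives.
# Outputs: a single PASSED or FAILED [...] line (one result for all segments).
#######################################
ebury_check_2() {
  local pid comm
  local status="PASSED"
  # ipcs -m -p columns: shmid owner cpid lpid; $3 is the creator PID.
  for pid in $(ipcs -m -p 2>/dev/null | awk '$3 ~ /^[0-9]+$/ {print $3}'); do
    comm=$(ps -p "$pid" -o comm= 2>/dev/null)
    case "$comm" in
      *ssh*)
        status="FAILED [sshd likely backdoored]"
        break
        ;;
    esac
  done
  echo "$status"
}

#######################################
# Cdorked check 1: the backdoored web server answers /favicon.ico with a
# redirect. A curl failure (no local web server, or curl absent) is reported
# as SKIPPED instead of PASSED so the absence of a listener is not mistaken
# for a clean result.
# Outputs: PASSED, FAILED [...] or SKIPPED [...] on stdout.
#######################################
cdorked_check_1() {
  local headers
  if ! command -v curl >/dev/null 2>&1; then
    echo "SKIPPED [curl not installed]"
    return
  fi
  if ! headers=$(curl -s -i http://localhost/favicon.ico 2>/dev/null); then
    echo "SKIPPED [no web server answering on localhost]"
    return
  fi
  # Header names are case-insensitive; anchor to line start to avoid matching
  # a body that merely contains the word.
  if printf '%s\n' "$headers" | grep -qi '^Location:'; then
    echo "FAILED [webserver likely compromised]"
  else
    echo "PASSED"
  fi
}

#######################################
# Onimiki check 1: only relevant when BIND is running. pgrep -x matches the
# process name exactly instead of any command line containing "named".
# Outputs: instruction text on stdout.
#######################################
onimiki_check_1() {
  if pgrep -x named >/dev/null 2>&1; then
    echo "System is running BIND. Install Yara and run the rule contained in the ESET paper (pg 59)"
  else
    echo "System is not running BIND. Check skipped"
  fi
}

#######################################
# Calfbot check 1: the bot holds an exclusive lock on /tmp/... while running,
# so failing to acquire it non-blockingly indicates a live instance.
# The lock is only attempted when the path already exists: flock would
# otherwise create the file, planting the very artifact this check looks for
# and making later runs ambiguous.
# Outputs: PASSED or FAILED, ... on stdout.
#######################################
calfbot_check_1() {
  local lockfile=/tmp/...
  if [ ! -e "$lockfile" ]; then
    echo "PASSED"
  elif flock -n "$lockfile" true 2>/dev/null; then
    echo "PASSED"
  else
    echo "FAILED, check pg 59 for further instructions"
  fi
}

#######################################
# Entry point: run every check and print the results.
#######################################
main() {
  require_root
  banner
  echo "[+] Linux/Ebury Check 1 - sshd: $(ebury_check_1)"
  echo "[+] Linux/Ebury Check 2 - sshd: $(ebury_check_2)"
  echo "[+] Linux/Cdorked Check 1 - http: $(cdorked_check_1)"
  echo "[+] Linux/Onimiki Check 1 - named: $(onimiki_check_1)"
  echo "[+] Perl/Calfbot Check 1: $(calfbot_check_1)"
  echo " "
  echo "Baseline checks completed at $(date +"%m/%d/%Y %H:%M:%S")"
}

main "$@"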
I've got an incomplete version of this that includes the MD5 checks based on the known hashes included in ESET's paper. I'll put that out when it's complete.