Windingo IOC Quick check Script

windingo_ioc_qc.sh
#!/bin/bash
# Windingo IOC Quick Check Utility: runs the host-level indicator checks
# from ESET's Operation Windigo whitepaper (Linux/Ebury, Linux/Cdorked,
# Linux/Onimiki, Perl/Calfbot). Root is required so ps and ipcs see every
# process and shared memory segment on the box.

if [ "$(whoami)" != "root" ]; then
    echo "Must be run as root"
    exit 255
fi

echo "====================================================="
echo "========= Windingo IOC Quick Check Utility ========="
echo "========= Author: Mike Lockhart ========="
echo "========= Email: mlockhart@lancope.com ========="
echo "========= ========="
echo "========= Research Credit: ESET, Inc ========="
echo "========= Whitepaper: http://bit.ly/1qCEQFi ========="
echo "====================================================="

echo " "
echo "Hostname: $(hostname)"
echo "Type: $(uname -a)"
echo "Uptime: $(uptime)"
echo " "

# Ebury check 1: the backdoored ssh client silently accepts "-G", while the
# OpenSSH builds current when the paper was written rejected it as an
# illegal/unknown option. Upstream OpenSSH added a legitimate -G option in
# 6.8, so on newer releases this check reports FAILED on a clean host too;
# treat FAILED as a prompt to confirm the installed OpenSSH version.
SSH_STATUS=$(ssh -G 2>&1 | grep -q -e illegal -e unknown && echo "PASSED" || echo "FAILED [sshd likely backdoored]")
echo "[+] Linux/Ebury Check 1 - sshd: $SSH_STATUS"

# Ebury check 2: look for a System V shared memory segment created by an ssh
# process. Only the creator PID column (cpid) of "ipcs -m -p" is used, header
# lines are dropped by the numeric filter, and the PID is looked up exactly
# with "ps -p" instead of being grepped as a substring of the whole ps listing.
# The verdict is printed once, after all segments have been examined.
EBURY2="PASSED"
for PID in $(ipcs -m -p | awk '{print $3}' | grep -E '^[0-9]+$'); do
    if ps -p "$PID" -o comm= 2>/dev/null | grep -q "ssh"; then
        EBURY2="FAILED [sshd likely backdoored, shm creator PID $PID]"
        break
    fi
done
echo "[+] Linux/Ebury Check 2 - sshd: $EBURY2"

# Cdorked check: the backdoored web server answers /favicon.ico with a
# redirect (a Location: header) that a clean server does not send.
echo -n "[+] Linux/Cdorked Check 1 - http: "
if command -v curl >/dev/null 2>&1; then
    OUTPUT=$(curl -s -i http://localhost/favicon.ico | grep -i '^Location:')
    if [ -z "$OUTPUT" ]; then
        echo "PASSED"
    else
        echo "FAILED [webserver likely compromised]"
    fi
else
    echo "SKIPPED [curl not installed]"
fi

# Onimiki check: the DNS component lives inside BIND and has no quick shell
# test, so only flag that BIND is running and point at the Yara rule.
echo -n "[+] Linux/Onimiki Check 1 - named: "
if pgrep -x named >/dev/null 2>&1; then
    echo "System is running BIND. Install Yara and run the rule contained in the ESET paper (pg 59)"
else
    echo "System is not running BIND. Check skipped"
fi

# Calfbot check: the Perl spam bot holds an exclusive lock on a file whose
# name is literally /tmp/... (three dots). If that file exists and a
# non-blocking flock on it fails, another process is holding the lock.
# Checking for existence first keeps flock from creating the file on a
# clean host.
echo -n "[+] Perl/Calfbot Check 1: "
if [ ! -e /tmp/... ]; then
    echo "PASSED"
elif flock --nb /tmp/... true; then
    echo "PASSED"
else
    echo "FAILED, check pg 59 for further instructions"
fi
echo " "
echo "Baseline checks completed at $(date +"%m/%d/%Y %H:%M:%S")"
Owner

I've got an uncompleted version of this that includes the MD5 checks based on the known hashes included in ESET's paper. I'll put that out when it's complete.
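The hash check the owner mentions can be sketched as a small sweep routine: compute the MD5 of each file of interest and compare it against a list of known-bad digests. This is an added example, not the gist author's code or the version the comment refers to. The function names (ioc_hash_sweep, ioc_hash_demo) are assumptions, and the hash list is a constructed placeholder; real digests would be taken from the IOC appendix of ESET's paper, which this page does not reproduce.

```shell
#!/bin/sh
# Added example, not part of the gist: sweep files and report any whose MD5
# digest appears in a list of known-bad hashes (one lowercase hex digest per
# line; lines starting with # are ignored because they never match a digest).

# Usage: ioc_hash_sweep HASHLIST_FILE FILE...
# Prints "MATCH <digest> <file>" for each hit on stdout, notes unreadable or
# missing files on stderr, and returns 0 when nothing matched, 1 otherwise.
ioc_hash_sweep() {
    hashlist="$1"; shift
    hits=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "SKIP (missing or unreadable) $f" >&2
            continue
        fi
        digest=$(md5sum "$f" | cut -d' ' -f1)
        # -x: whole-line match, -i: tolerate upper-case digests in the list
        if grep -qix "$digest" "$hashlist"; then
            echo "MATCH $digest $f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Self-contained demo: a scratch directory holds one clean file and one
# constructed "known-bad" sample whose own digest is placed in the placeholder
# hash list next to a dummy entry. Prints "<sweep exit status> <match count>".
ioc_hash_demo() {
    tmp=$(mktemp -d) || return 2
    printf 'benign content\n' > "$tmp/clean.bin"
    printf 'CONSTRUCTED SAMPLE FOR THE DEMO, NOT REAL MALWARE\n' > "$tmp/bad.bin"
    {
        echo "# placeholder list; replace with digests from the ESET IOC appendix"
        md5sum "$tmp/bad.bin" | cut -d' ' -f1
        echo "00000000000000000000000000000000"
    } > "$tmp/hashes.txt"
    if ioc_hash_sweep "$tmp/hashes.txt" "$tmp/clean.bin" "$tmp/bad.bin" "$tmp/missing.bin" > "$tmp/out.txt"; then
        rc=0
    else
        rc=1
    fi
    matches=$(grep -c '^MATCH' "$tmp/out.txt" || true)
    rm -rf "$tmp"
    echo "$rc $matches"
}

# Run with "--demo" to exercise the sweep on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "demo result (exit status, matches): $(ioc_hash_demo)"
fi
```

On a real host the file list would be the binaries the paper's indicators point at (the ssh client and daemon, the shared libraries they load) rather than scratch files, and the sweep's non-zero exit status makes it easy to chain after the quick checks above.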
