CVE-2019-19781 - Live Response First Steps from @darkQuassar

CVE-2019-19781 Response steps - Have I been compromised?

Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution

Credit: Suggested steps taken from twitter post by @darkQuassar

Just converted to a copy/pastable gist for easy access

Check the root user command history

history

Check bash log files and sort by frequency, less frequent commands at the top

cat /var/log/bash.log | grep -Eio "shell_command=.*$" | sort | uniq -c | sort -n && zcat /var/log/bash*.gz | grep -Eio "shell_command=.*$" | sort | uniq -c | sort -n

Check for recently modified/written XML files, sort by date, most recent ones at the bottom

find / -name "*.xml" -exec ls -haltr {} \; | sed 's/  */ /g' | sort -k 8

Check the log files (mostly ns.log and httpaccess.log, but there is no harm in listing them all)

cat /var/log/* | grep -Ei "vpns|\.pl " && zcat /var/log/*.gz | grep -Ei "vpns|\.pl "

Check for recently modified/written XML, Perl and Python files since the vulnerability was announced by Citrix

find / -name "*.xml"  -newermt "2020-01-10" && find / -name "*.pl" -newermt "2020-01-10" && find / -name "*.py"  -newermt "2020-01-10"
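The bash-log frequency check and the "modified since the advisory" check above, as an added example that is not part of the original gist: both are wrapped as functions that take the log file or directory as a parameter, so they can be rehearsed on a constructed sample (the log lines and file tree below are made up) before being run on an appliance. It assumes only POSIX sh, find, touch -t, sort, uniq, gzip and mktemp, and swaps the GNU-only `-newermt` for a reference file with `-newer` so it also runs on the FreeBSD base of Citrix ADC.

```sh
#!/bin/sh
# Added example (not part of the original gist): the bash-log frequency check
# and the "modified since the advisory" check above as functions that take the
# log file or directory as a parameter, so they can be rehearsed on a
# constructed sample first. Assumes only POSIX sh, find, touch -t, sort, uniq,
# gzip and mktemp.

# Distinct shell_command= entries in a bash log (plain or .gz), least frequent
# first; rare commands are the ones worth inspecting.
count_shell_commands() {
  case "$1" in *.gz) zcat "$1" ;; *) cat "$1" ;; esac |
    grep -Eio 'shell_command=.*$' | sort | uniq -c | sort -n | sed 's/^ *//'
}

# .xml/.pl/.py files under $1 modified after timestamp $2 (CCYYMMDDhhmm, as
# taken by touch -t). A reference file with find -newer replaces the GNU-only
# -newermt, so this also runs on the FreeBSD base of Citrix ADC.
find_scripts_modified_since() {
  ref=$(mktemp "${TMPDIR:-/tmp}/ref.XXXXXX") || return 1
  touch -t "$2" "$ref"
  find "$1" -type f \( -name '*.xml' -o -name '*.pl' -o -name '*.py' \) \
       -newer "$ref" | sort
  rm -f "$ref"
}

# Constructed sample: three fake bash.log lines (layout approximates a
# NetScaler bash.log; commands are made up) plus a file tree with one file
# predating and three postdating 2020-01-10. Prints the sample directory.
make_sample() {
  d=$(mktemp -d "${TMPDIR:-/tmp}/cve19781.XXXXXX") || return 1
  printf '%s\n' \
    'Jan 14 10:02:11 <local7.notice> ns bash[2201]: root on /dev/pts/0 shell_command="id"' \
    'Jan 14 10:02:15 <local7.notice> ns bash[2201]: root on /dev/pts/0 shell_command="id"' \
    'Jan 14 10:03:40 <local7.notice> ns bash[2201]: root on /dev/pts/0 shell_command="ls -la /netscaler"' \
    > "$d/bash.log"
  gzip -c "$d/bash.log" > "$d/bash.log.0.gz"
  mkdir "$d/tree"
  touch -t 201912010000 "$d/tree/old.xml"    # before the advisory: ignored
  touch -t 202001150000 "$d/tree/new.xml"
  touch -t 202001160000 "$d/tree/new.pl"
  touch -t 202001160000 "$d/tree/notes.txt"  # newer, but not a script type
  echo "$d"
}

sample=$(make_sample)
count_shell_commands "$sample/bash.log.0.gz"   # gz branch; same result as plain
find_scripts_modified_since "$sample/tree" 202001100000
rm -rf "$sample"
```

On a real appliance the calls would be `count_shell_commands /var/log/bash.log` (and each rotated .gz) and `find_scripts_modified_since / 202001100000`.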

Check your crontab logs

cat /var/log/cron | sed 's/  */ /g' | cut -d" " -f 10 | sort | uniq -c && zcat /var/log/cron*gz | sed 's/  */ /g' | cut -d" " -f 10 | sort | uniq -c

Check for recently modified Perl scripts, sorted by date with the most recent ones at the bottom (you should technically only see /var/ns_system_backup.pl)

find / -name "*.pl" -exec ls -haltr {} \; | grep -iv "local\/lib" | sed 's/  */ /g' | sort -k 8

Check for suspicious running processes and their connections - 1

lsof -RPni && lsof -PnP

Could be filtered further using grep

Check for suspicious running processes and their connections - 2

ps auxd | grep nobody

Check for suspicious running processes and their connections - 3

sockstat -c -4 | awk '{ if (substr($7,1,8) != "127.0.0.") print $0}'

(ref. Robert @x1sec tweet)

Check for suspicious running processes and their connections - 4

find /netscaler -mtime -4 -type f -print0 | xargs -0 /bin/ls -ltr

(ref. Robert @x1sec tweet)

If you want a more targeted approach, grep for suspicious scripts in the logs

zgrep -Ei "http://newbm.pl|http://rmbm.pl|http://picktheme.pl" /var/log/*.gz

Background, Articles and references

@darkquasar

darkquasar commented Jan 16, 2020

Hi mate, thanks again for wrapping this up in a gist! Do you think we can update it with two more suspicious process checks?

Check for suspicious running processes and their connections - 3

sockstat -c -4 | awk '{ if (substr($7,1,8) != "127.0.0.") print $0}' (ref. Robert @x1sec tweet)

Check for suspicious running processes and their connections - 4

find /netscaler -mtime -4 -type f -print0 | xargs -0 /bin/ls -ltr (ref. Robert @x1sec tweet)

And a new link:

@webframp

webframp commented Jan 16, 2020

@darkquasar updated!
