package internal
import (
"github.com/javanzato/crackdown/internal/helpers"
"github.com/rs/zerolog"
"io/fs"
"os"
"path/filepath"
"strings"
)
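// commonBackdoorFiles is the list of candidate files gathered by
// getBackdoorFiles (directory walks through walkf plus a few standalone
// paths) and then examined by CheckCommonBackdoors. It starts out nil;
// append works on a nil slice, so no pre-sizing is needed and no ""
// placeholder entries ever have to be skipped by consumers.
var commonBackdoorFiles []string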
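// CheckCommonBackdoors scans a fixed set of Linux persistence locations
// (init scripts, MOTD hooks, package-manager hooks, at/doas configuration and
// per-user .gitconfig files, as enumerated by getBackdoorFiles) for webshell,
// suspicious-command, IP-address and domain patterns. A file that triggers
// none of those checks is still reported, at Severity 1, when it was modified
// within the last 30 days.
//
// At most one content detection is produced per file: the checks run in the
// order webshell, suspicious, IP, domain on each line, and the first hit ends
// the scan of that file. Results are sent on detections; waitGroup is marked
// done when the function returns. Files already recorded by
// CheckFileIsScanned are skipped.
func CheckCommonBackdoors(logger zerolog.Logger, detections chan<- Detection, waitGroup *WaitGroupCount) {
	defer waitGroup.Done()
	logger.Info().Msg("Checking Common Backdoor Locations...")
	getBackdoorFiles(logger)

	for _, file := range commonBackdoorFiles {
		// Defensive: a blank entry carries nothing to scan.
		if file == "" {
			continue
		}
		if CheckFileIsScanned(file) {
			continue
		}

		fileStat, statErr := os.Stat(file)
		fileModificationTime := "NA"
		if statErr != nil {
			// A zerolog event is discarded unless it is terminated with
			// Msg/Send, so the error has to be finished here to be logged at all.
			// The file is still handed to the read helper below, which is
			// expected to report a missing or unreadable path on its own.
			logger.Error().Err(statErr).Str("file", file).Msg("Failed to stat candidate file")
		} else {
			fileModificationTime = fileStat.ModTime().UTC().String()
		}

		detection := Detection{
			Name:     "",
			Severity: 0,
			Tip:      "Verify validity of script file.",
			// NOTE(review): T1543.002 is the MITRE "Systemd Service" sub-technique,
			// while most of the paths scanned here are SysV init, MOTD and
			// package-manager hooks — confirm this is the intended mapping.
			Technique: "T1543.002",
			Metadata: map[string]interface{}{
				"File":         strings.TrimSpace(file),
				"LastModified": fileModificationTime,
			},
		}

		// Content checks. detection is passed by value, so the checkers
		// presumably see the current line through the shared Metadata map and
		// send the detection themselves when they match — verify against the
		// checker implementations.
		matched := false
		for _, line := range helpers.ReadFileToSlice(file, logger) {
			detection.Metadata["Line"] = line

			detection.Name = "Webshell Pattern in Script File"
			if matched = checkWebshellContent(detection, detections, line); matched {
				break
			}
			detection.Name = "Suspicious Pattern in Script File"
			if matched = checkSuspiciousContent(detection, detections, line); matched {
				break
			}
			detection.Name = "IP Address Pattern in Script File"
			if matched = checkIPContent(detection, detections, line); matched {
				break
			}
			detection.Name = "Domain Pattern in Script File"
			if matched = checkDomainContent(detection, detections, line); matched {
				break
			}
		}
		if matched || statErr != nil {
			// Either a content detection was already emitted, or there is no
			// modification time to compare against.
			continue
		}

		// Recent-modification heuristic for files with no content hit. "Line"
		// would otherwise still hold the last line read, which is unrelated to
		// this detection, so it is dropped from the metadata.
		delete(detection.Metadata, "Line")
		daysAgo := int(timestampNow.Sub(fileStat.ModTime().UTC()).Hours() / 24)
		// A negative value (mtime in the future) also passes; a future mtime
		// on a persistence file is itself worth a look.
		if daysAgo <= 30 {
			detection.Name = "Script File modified within last 30 days."
			detection.Metadata["DaysAgo"] = daysAgo
			detection.Severity = 1
			detections <- detection
		}
	}
}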
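// getBackdoorFiles populates commonBackdoorFiles with every non-directory
// entry found beneath a fixed set of Linux persistence locations, plus a
// handful of standalone configuration files. Entries under a walk root are
// collected by walkf; the standalone files are appended without checking that
// they exist (CheckCommonBackdoors tolerates a failed stat).
//
// NOTE(review): each call appends to commonBackdoorFiles without clearing it,
// so calling this more than once per scan would duplicate entries.
func getBackdoorFiles(logger zerolog.Logger) {
	// Files that gate privileged/scheduled execution or control package
	// sources; they are appended as-is rather than walked.
	standaloneFiles := []string{
		"/etc/at.allow",
		"/etc/at.deny",
		"/etc/doas.conf",
		"/etc/yum.conf",
	}
	// Roots walked recursively. Some of these are regular files on most
	// systems (e.g. /etc/rc.local, /var/run/motd); filepath.WalkDir handles a
	// file root by visiting just that single entry.
	walkRoots := []string{
		"/etc/update-motd.d",
		"/var/run/motd",
		"/etc/init.d",
		"/etc/rc.d",
		"/sbin/init.d",
		"/etc/rc.local",
		"/etc/apt/apt.conf.d",
		"/usr/share/unattended-upgrades",
		"/etc/yum.repos.d",
	}

	// Per-user git configuration, presumably included because it can carry
	// aliases/hooks that run commands. NOTE(review): the pattern only covers
	// /home/*; /root/.gitconfig and home directories elsewhere are not scanned.
	if gitConfigs, err := filepath.Glob("/home/*/.gitconfig"); err != nil {
		// filepath.Glob fails only on a malformed pattern, so this is effectively
		// unreachable with a constant pattern — but the event must still be
		// terminated with Msg, otherwise zerolog drops it silently.
		logger.Error().Err(err).Msg("Failed to glob user .gitconfig files")
	} else {
		walkRoots = append(walkRoots, gitConfigs...)
	}

	for _, root := range walkRoots {
		// Roots that simply do not exist on this distribution are expected and
		// ignored; any other walk failure (e.g. permission denied) was
		// previously discarded and is now surfaced so a partial scan is visible.
		if err := filepath.WalkDir(root, walkf); err != nil && !os.IsNotExist(err) {
			logger.Warn().Err(err).Str("path", root).Msg("Failed to walk backdoor location")
		}
	}

	commonBackdoorFiles = append(commonBackdoorFiles, standaloneFiles...)
}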
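// walkf is the filepath.WalkDir callback used by getBackdoorFiles: it records
// every non-directory entry (regular files, symlinks, device nodes) under the
// walked root in commonBackdoorFiles.
//
// An error on an individual entry (unreadable subdirectory, entry that
// vanished mid-walk) is skipped so that a single bad entry does not abort the
// scan of the whole root. Only a failure on the root itself — signalled by a
// nil DirEntry — is returned, so the caller can tell a missing root from a
// successful walk. A root directory that exists but cannot be read is also
// skipped silently; that matches the previous effective behaviour, where the
// caller discarded the error anyway.
func walkf(path string, d fs.DirEntry, err error) error {
	if err != nil {
		if d == nil {
			// The root could not be stat'ed; nothing below it can be visited.
			return err
		}
		// Skip this entry and keep walking its siblings.
		return nil
	}
	if d.IsDir() {
		return nil
	}
	// NOTE(review): a symlink is recorded as a file here (d.IsDir() is false
	// for a symlink even when it points at a directory), and the later
	// os.Stat/read in CheckCommonBackdoors follows the link — confirm that is
	// intended, since a planted link to a large or special file would be read.
	commonBackdoorFiles = append(commonBackdoorFiles, path)
	return nil
}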