added search for deleted binaries
This commit is contained in:
parent
224fa8185c
commit
6468ace0b8
3 changed files with 104 additions and 12 deletions
|
@ -23,11 +23,12 @@ Finally, you can run all configured scripts by executing `start_search.py` (whic
|
||||||
## List of Scripts
|
## List of Scripts
|
||||||
|
|
||||||
| Name | Script |
|
| Name | Script |
|
||||||
|---|---|
|
|---------------------------------------------|--------------------------------------------------------------------------|
|
||||||
| Monitoring /etc/hosts file | [monitor_hosts_file.py](scripts/monitor_hosts_file.py) |
|
| Monitoring /etc/hosts file | [monitor_hosts_file.py](scripts/monitor_hosts_file.py) |
|
||||||
| Monitoring /etc/ld.so.preload file | [monitor_ld_preload.py](scripts/monitor_ld_preload.py) |
|
| Monitoring /etc/ld.so.preload file | [monitor_ld_preload.py](scripts/monitor_ld_preload.py) |
|
||||||
| Monitoring /etc/passwd file | [monitor_passwd.py](scripts/monitor_passwd.py) |
|
| Monitoring /etc/passwd file | [monitor_passwd.py](scripts/monitor_passwd.py) |
|
||||||
| Monitoring SSH authorized_keys files | [monitor_ssh_authorized_keys.py](scripts/monitor_ssh_authorized_keys.py) |
|
| Monitoring SSH authorized_keys files | [monitor_ssh_authorized_keys.py](scripts/monitor_ssh_authorized_keys.py) |
|
||||||
|
| Search for running deleted programs | [search_deleted_exe.py](scripts/search_deleted_exe.py) |
|
||||||
| Search for executables in /dev/shm | [search_dev_shm.py](scripts/search_dev_shm.py) |
|
| Search for executables in /dev/shm | [search_dev_shm.py](scripts/search_dev_shm.py) |
|
||||||
| Search immutable files | [search_immutable_files.py](scripts/search_immutable_files.py) |
|
| Search immutable files | [search_immutable_files.py](scripts/search_immutable_files.py) |
|
||||||
| Search for fileless programs (memfd_create) | [search_memfd_create.py](scripts/search_memfd_create.py) |
|
| Search for fileless programs (memfd_create) | [search_memfd_create.py](scripts/search_memfd_create.py) |
|
||||||
|
|
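--- a/scripts/config/search_deleted_exe.py
+++ b/scripts/config/search_deleted_exe.py
@@ -0,0 +1,2 @@
+# Is the script allowed to run or not?
+ACTIVATED = True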
89
scripts/search_deleted_exe.py
Executable file
89
scripts/search_deleted_exe.py
Executable file
|
@ -0,0 +1,89 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
|
# written by sqall
|
||||||
|
# twitter: https://twitter.com/sqall01
|
||||||
|
# blog: https://h4des.org
|
||||||
|
# github: https://github.com/sqall01
|
||||||
|
#
|
||||||
|
# Licensed under the MIT License.
|
||||||
|
|
||||||
|
"""
|
||||||
|
Short summary:
|
||||||
|
Search running programs whose binary was deleted. Indicator of malicious programs.
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
None
|
||||||
|
"""
|
||||||
|
|
||||||
|
import os
|
||||||
|
import socket
|
||||||
|
|
||||||
|
# Read configuration and library functions.
|
||||||
|
try:
|
||||||
|
from config.config import ALERTR_FIFO, FROM_ADDR, TO_ADDR
|
||||||
|
from config.search_deleted_exe import ACTIVATED
|
||||||
|
from lib.alerts import raise_alert_alertr, raise_alert_mail
|
||||||
|
except:
|
||||||
|
ALERTR_FIFO = None
|
||||||
|
FROM_ADDR = None
|
||||||
|
TO_ADDR = None
|
||||||
|
ACTIVATED = True
|
||||||
|
|
||||||
|
|
||||||
|
def search_deleted_exe_files():
|
||||||
|
|
||||||
|
# Decide where to output results.
|
||||||
|
print_output = False
|
||||||
|
if ALERTR_FIFO is None and FROM_ADDR is None and TO_ADDR is None:
|
||||||
|
print_output = True
|
||||||
|
|
||||||
|
if not ACTIVATED:
|
||||||
|
if print_output:
|
||||||
|
print("Module deactivated.")
|
||||||
|
return
|
||||||
|
|
||||||
|
# Get all suspicious ELF files.
|
||||||
|
fd = os.popen("ls -laR /proc/*/exe 2> /dev/null | grep -v memfd: | grep \(deleted\)")
|
||||||
|
suspicious_exe_raw = fd.read().strip()
|
||||||
|
fd.close()
|
||||||
|
|
||||||
|
suspicious_exes = []
|
||||||
|
if suspicious_exe_raw.strip():
|
||||||
|
suspicious_exes.extend(suspicious_exe_raw.strip().split("\n"))
|
||||||
|
|
||||||
|
for suspicious_exe in suspicious_exes:
|
||||||
|
|
||||||
|
if print_output:
|
||||||
|
print("SUSPICIOUS")
|
||||||
|
print(suspicious_exe)
|
||||||
|
print("")
|
||||||
|
|
||||||
|
else:
|
||||||
|
if ALERTR_FIFO is not None:
|
||||||
|
|
||||||
|
hostname = socket.gethostname()
|
||||||
|
optional_data = dict()
|
||||||
|
optional_data["suspicious_exe"] = suspicious_exe
|
||||||
|
optional_data["hostname"] = hostname
|
||||||
|
message = "Deleted executable file on host '%s' found.\n\n" % hostname
|
||||||
|
message += suspicious_exe
|
||||||
|
optional_data["message"] = message
|
||||||
|
|
||||||
|
raise_alert_alertr(ALERTR_FIFO,
|
||||||
|
optional_data)
|
||||||
|
|
||||||
|
if FROM_ADDR is not None and TO_ADDR is not None:
|
||||||
|
|
||||||
|
hostname = socket.gethostname()
|
||||||
|
subject = "[Security] Deleted executable file on '%s'" % hostname
|
||||||
|
message = "Deleted executable file on host '%s' found.\n\n" % hostname
|
||||||
|
message += suspicious_exe
|
||||||
|
|
||||||
|
raise_alert_mail(FROM_ADDR,
|
||||||
|
TO_ADDR,
|
||||||
|
subject,
|
||||||
|
message)
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
search_deleted_exe_files()
|
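Review bot: The collection step in `search_deleted_exe_files` rests on the `os.popen("ls -laR /proc/*/exe 2> /dev/null | grep -v memfd: | grep \(deleted\)")` line, where `grep -v memfd:` is a substring filter over the whole `ls` line (so any executable path containing `memfd:` is dropped from the results) and `2> /dev/null` discards permission errors, so a run without the rights to read other processes' `/proc/<pid>/exe` links returns an empty list that looks like a clean host. Walking `/proc` with `os.readlink` removes the shell and the dependence on `ls` output format, tests the link target itself rather than the listing text, and leaves memfd-backed binaries to `search_memfd_create.py`, which the README hunk already lists as their dedicated check; a rewrite of that step is sketched below, with the alerting loop unchanged. The bare `except:` around the config imports should be narrowed to `except ImportError:` so a genuine error inside `config` or `lib.alerts` is not silently replaced by the built-in defaults (`ACTIVATED = True`, no alert targets). If the pipeline is kept, the non-raw literal `"... \(deleted\)"` contains escape sequences newer Python releases warn about; `r"..."` keeps the command byte-identical.
```python
    # Get all suspicious ELF files: /proc/<pid>/exe links whose target was unlinked.
    suspicious_exes = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        exe_link = "/proc/%s/exe" % entry
        try:
            target = os.readlink(exe_link)
        except OSError:
            # No target (e.g. kernel thread, process already gone) or not readable
            # with the current privileges; consider counting these and reporting
            # the count when print_output is set, so a permission problem is visible.
            continue
        if target.startswith("/memfd:"):
            continue  # fileless executables are covered by search_memfd_create.py
        if target.endswith(" (deleted)"):
            suspicious_exes.append("%s -> %s" % (exe_link, target))
    # … unchanged: alerting loop over suspicious_exes …
```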