.

grayddq · Nov 29, 2019 · 126cd70 · 126cd70
1 parent 286fbc0
commit 126cd70
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 12 deletions.
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -240,11 +240,10 @@ def file_write(content):
 def check_shell(content):
     try:
         # 反弹shell类
-        if (('bash' in content) and (
-                ('/dev/tcp/' in content) or ('telnet ' in content) or ('nc ' in content) or (
-                ('exec ' in content) and ('socket' in content)) or ('curl ' in content) or (
-                        'wget ' in content) or (
-                        'lynx ' in content))) or (".decode('base64')" in content):
+        if (('bash' in content) and (('/dev/tcp/' in content) or ('telnet ' in content) or ('nc ' in content) or (
+                ('exec ' in content) and ('socket' in content)) or ('curl ' in content) or ('wget ' in content) or (
+                                             'lynx ' in content) or ('bash -i' in content))) or (
+                ".decode('base64')" in content) or ("exec(base64.b64decode" in content):
             return content
         elif ('/dev/tcp/' in content) and (('exec ' in content) or ('ksh -c' in content)):
             return content

diff --git a/lib/plugins/SSHAnalysis.py b/lib/plugins/SSHAnalysis.py
@@ -84,9 +84,15 @@ def attack_detect(self, log):
 
         for i in f:
             if (username_error in i) and ('from' in i) and ('sshd' in i):
-                failed_ip.append(i.split(': ')[1].split()[4])
+                try:
+                    failed_ip.append(i.split(': ')[1].split()[4])
+                except:
+                    continue
             elif (username_correct in i) and ('from' in i) and ('sshd' in i):
-                failed_ip.append(i.split(': ')[1].rsplit()[-4])
+                try:
+                    failed_ip.append(i.split(': ')[1].rsplit()[-4])
+                except:
+                    continue
             elif username_password_correct in i and ('sshd' in i):
                 ip = i.split(': ')[1].split()[5]
                 user = i.split(': ')[1].split()[3]

diff --git a/lib/plugins/Sys_Init.py b/lib/plugins/Sys_Init.py
@@ -45,7 +45,7 @@ def alias_file_analysis(self, file):
         suspicious, malice = False, False
         try:
             # 程序需要用到的系统命令
-            syscmds = ['ps', 'strings', 'netstat', 'find', 'echo', 'iptables', 'lastlog', 'who', 'ifconfig']
+            syscmds = ['ps', 'strings', 'netstat', 'find', 'echo', 'iptables', 'lastlog', 'who', 'ifconfig', 'ssh']
             if not os.path.exists(file): return suspicious, malice
             with open(file) as f:
                 for line in f:

diff --git a/lib/plugins/User_Analysis.py b/lib/plugins/User_Analysis.py
@@ -32,6 +32,21 @@ def check_user(self):
         except:
             return suspicious, malice
 
+    # 检测特权组用户
+    def check_gid(self):
+        suspicious, malice = False, False
+        try:
+            shell_process = os.popen("awk -F: '$4==0 {print $1}' /etc/passwd 2>/dev/null").read().splitlines()
+            for user in shell_process:
+                if user.replace("\n", "") != 'root':
+                    malice_result(self.name, u'特权组账户安全扫描', '/etc/passwd', '',
+                                  u'存在特权组用户%s' % user.replace("\n", ""),
+                                  u'[1]cat /etc/passwd', u'可疑', programme=u'vi /etc/passwd #删除用户root特权组或删除用户')
+                    suspicious = False
+            return suspicious, malice
+        except:
+            return suspicious, malice
+
     # 检测空口令账户
     def check_empty(self):
         suspicious, malice = False, False
@@ -127,19 +142,23 @@ def run(self):
         suspicious, malice = self.check_user()
         result_output_tag(suspicious, malice)
 
-        string_output(u' [2]空口令账户安全扫描')
+        string_output(u' [2]特权组账户安全扫描')
+        suspicious, malice = self.check_gid()
+        result_output_tag(suspicious, malice)
+
+        string_output(u' [3]空口令账户安全扫描')
         suspicious, malice = self.check_empty()
         result_output_tag(suspicious, malice)
 
-        string_output(u' [3]sudoers权限安全扫描')
+        string_output(u' [4]sudoers权限安全扫描')
         suspicious, malice = self.check_sudo()
         result_output_tag(suspicious, malice)
 
-        string_output(u' [4]账户免密码证书安全扫描')
+        string_output(u' [5]账户免密码证书安全扫描')
         suspicious, malice = self.check_authorized_keys()
         result_output_tag(suspicious, malice)
 
-        string_output(u' [5]账户密码文件扫描')
+        string_output(u' [6]账户密码文件扫描')
         suspicious, malice = self.passwd_file_analysis()
         result_output_tag(suspicious, malice)