action_start
grayddq committed May 13, 2019
1 parent 196f87c commit bf6717b
Showing 4 changed files with 59 additions and 39 deletions.
11 changes: 6 additions & 5 deletions lib/core/common.py
Expand Up @@ -119,18 +119,19 @@ def get_file_attribute(file):
# 获取进程的开始时间
# 返回:进程开始时间
def get_process_start_time(pid):
user, stime = '', ''
try:
pro_info = os.popen("ps -eo pid,user,lstart 2>/dev/null| grep -v 'grep'|grep " + pid).read().splitlines()
for infos in pro_info:
info = infos.strip()
if pid == info.split(' ')[0].strip():
user = info.split(' ', 2)[1].strip()
stime = info.split(' ', 2)[2].strip()
sstime = os.popen("date -d " + stime + " '+%Y-%m-%d %H:%M:%S' 2>/dev/null").read().splitlines()
return user, sstime[0]
return "", ""
sstime = info.split(' ', 2)[2].strip()
stime = os.popen("date -d " + sstime + " '+%Y-%m-%d %H:%M:%S' 2>/dev/null").read().splitlines()
return user, stime[0]
return user, stime
except:
return "", ""
return user, stime


# 检测风险结果,进行全局变量结果录入
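Review bot: The fallback `return user, stime` in the `except:` branch now hands back whatever `stime` holds, and after the rebinding on `stime = os.popen("date -d " + sstime + ...).read().splitlines()` that is a list, so a caller that reaches the `IndexError` on `stime[0]` (empty `date` output) receives `(user, [])` instead of two strings; keep the fallback as `return user, ''` or bind the `date` output to a separate name. The `date` invocation also interpolates the unquoted `lstart` field, which contains spaces, into a shell string, so `date` most likely sees the date fragments as separate operands and prints nothing, which is exactly the path that triggers the list-typed return; the same string-concatenation pattern feeds `pid` into `grep`. Building the command as an argument list avoids both the quoting problem and the shell: `stime = subprocess.check_output(['date', '-d', sstime, '+%Y-%m-%d %H:%M:%S']).strip()` (with `import subprocess`; decode the bytes on Python 3), and the `ps` output can be filtered on the first column in Python instead of through `grep`.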
80 changes: 49 additions & 31 deletions lib/core/data_aggregation.py
Expand Up @@ -9,101 +9,119 @@

class Data_Aggregation:
def __init__(self):
# 可能存在的黑客入口点信息
self.begins = []
self.result_infos = []

def cmp_datetime(self, a, b):
# 黑客攻击可能存在的入口点
def attack_begins(self):
try:
a_datetime = datetime.datetime.strptime(a, '%Y-%m-%d %H:%M:%S')
b_datetime = datetime.datetime.strptime(b, '%Y-%m-%d %H:%M:%S')

if a_datetime > b_datetime:
return 1
elif a_datetime < b_datetime:
return -1
else:
return 0
attack_begins = os.popen(
"netstat -ntpl | grep -v '127.0.0.1' |awk '{if (NR>1){print $4\" \"$7}}'").read().splitlines()
for infors in attack_begins:
if not '/' in infors: continue
if not ':' in infors: continue
ip_port = infors.split(' ')[0] # 开放端口
pid_name = infors.split(' ')[1] # 钓鱼进程
self.begins.append({'ip_port': ip_port, 'pid_name': pid_name})
except:
return 1
return

def agregation(self):
suggestion = get_value('suggestion')
programme = get_value('programme')

say_info, i = u'-' * 30 + u'\n', 1
say_info += u'根据系统分析的情况,溯源后的攻击行动轨迹为:\n'
# 入口点信息
for begin_info in self.begins:
say_info += u'[起点信息] 进程服务%s 端口%s 对外部公开,可能会被作为入侵起点,属于排查参考方向\n' % (begin_info['pid_name'], begin_info['ip_port'])

programme_info = u'\n初步处理方案如下(请在信息核实后操作):\n'

self.result_infos.sort(cmp=self.cmp_datetime, key=operator.itemgetter(u'异常时间'))
programme_info = u'\n初步处理方案如下(请核实后操作):\n'
# 根据时间排序
self.result_infos.sort(key=operator.itemgetter(u'异常时间'))
for result_info in self.result_infos:
if result_info[u'检测项'] == u'常规后门检测':
say_info += u"[%d][%s] 黑客在%s时间,进行了%s植入,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'风险名称'],
result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'风险名称'],
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'配置类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,进行了%s变更,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'风险名称'],
result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'风险名称'],
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'文件类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,植入了恶意文件%s,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常文件'],
result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常文件'],
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'主机历史操作类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,进行了恶意操作,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'日志类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,通过用户%s进行了主机登陆,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'所属用户'],
result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'所属用户'],
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'网络链接类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'进程类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,启动进程%s,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'进程PID'],
result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'进程PID'],
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'Rootkit类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,植入Rootkit后门,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'系统初始化检测':
say_info += u"[%d][%s] 黑客在%s时间,设置了系统命令别名,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'账户类安全检测':
say_info += u"[%d][%s] 黑客在%s时间,进行了账户修改设置,%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常信息'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常信息'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
if result_info[u'检测项'] == u'Webshell安全检测':
say_info += u"[%d][%s] 黑客在%s时间,植入了webshell文件%s\n" % (
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知', result_info[u'异常文件'])
i, result_info[u'风险级别'], result_info[u'异常时间'] if result_info[u'异常时间'] else u'未知',
result_info[u'异常文件'])
if suggestion: say_info = say_info + u" 排查参考:%s\n" % result_info[u'手工排查确认']
if programme and result_info[u'处理方案']: programme_info += u"[%d] %s\n" % (i, result_info[u'处理方案'])
i += 1
if programme:
say_info += programme_info

file_write(say_info)
print(say_info.replace(u'[风险]', u'\033[1;31m[风险]\033[0m').replace(u'[可疑]', u'\033[1;33m[可疑]\033[0m'))
print(say_info.replace(u'[风险]', u'[\033[1;31m风险\033[0m]').replace(u'[可疑]', u'[\033[1;33m可疑\033[0m]').replace(
u'[起点信息]', u'[\033[1;32m起点信息\033[0m]'))

def run(self):
self.result_infos = get_value('RESULT_INFO')
self.result_infos = reRepeat(self.result_infos)
self.attack_begins()
self.agregation()
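Review bot: The rewritten `print` at the end of `agregation` writes `异常信息`, `异常文件`, `pid_name` and the other finding fields straight to the terminal with ANSI colour codes added, and those values come from the inspected host (process names, file names, log content), which a compromised host can shape, so a control character or escape sequence embedded in a finding would be interpreted by the analyst's terminal rather than displayed. Strip control characters from `say_info` before the colour `.replace` calls so the tool's own escapes are added afterwards, e.g. `clean = re.sub(u'[\x00-\x08\x0b-\x1f\x7f]', u'', say_info)` (needs `import re`; the range keeps tab and newline), and print the coloured form of `clean`. The switch to `self.result_infos.sort(key=operator.itemgetter(u'异常时间'))` compares timestamps as strings, which is fine for the fixed `%Y-%m-%d %H:%M:%S` format but raises `TypeError` on Python 3 if any entry holds `None` rather than `u''`; the repeated `if result_info[u'异常时间'] else u'未知'` guards suggest empty values do occur, so `key=lambda r: r[u'异常时间'] or u''` is the safer key. In `attack_begins` the bare `except:` drops a `netstat` failure silently, leaving an empty 起点 list indistinguishable from a host with no exposed listeners; at minimum record the failure in the report, and the ten near-identical `if result_info[u'检测项'] == ...` branches would read better as one table mapping 检测项 to its message template and extra field.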
5 changes: 3 additions & 2 deletions lib/plugins/Proc_Analysis.py
Expand Up @@ -111,9 +111,10 @@ def check_hide_pro(self):
if file.isdigit():
pid_pro_file.append(file)
hids_pid = list(set(pid_pro_file).difference(set(pid_process)))
if len(hids_pid) > 10: return suspicious, malice
for pid in hids_pid:
malice_result(self.name, u'隐藏进程扫描', '', pid, u'进程ID %s 了隐藏进程信息,未出现在进程列表中' % pid,
u"[1] cat /proc/$$/mountinfo|grep %s \n[2] umount /proc/%s" % (pid, pid), u'风险',
malice_result(self.name, u'隐藏进程扫描', '', pid, u'进程ID %s 隐藏了进程信息,未出现在进程列表中' % pid,
u"[1] cat /proc/$$/mountinfo [2] umount /proc/%s [3]ps -ef |grep %s" % (pid, pid), u'风险',
programme=u'umount /proc/%s & kill %s #关闭隐藏进程并结束进程' % (pid, pid))
malice = True
return suspicious, malice
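Review bot: The early return `if len(hids_pid) > 10: return suspicious, malice`, which appears to be the line this commit adds (the `programme=` argument must already have existed for the old call to parse), discards every candidate without leaving a trace once more than ten PIDs are present in `/proc` but absent from the process list; presumably this suppresses jitter from processes that start or exit between the two listings, but it also silences exactly the picture a rootkit concealing many processes would produce, and `10` is an unexplained magic number. Mark the run as suspicious and emit one finding stating how many candidates were skipped before returning, and name the threshold, e.g. `HIDDEN_PID_NOISE_LIMIT = 10  # above this the gap is treated as listing jitter, not concealment`; a cheaper way to remove jitter is to take the `/proc` snapshot twice and keep only PIDs hidden in both. Separately, the remediation text `umount /proc/%s & kill %s` backgrounds the `umount` with a single `&`, whereas the trailing comment describes sequencing, so `&&` is what was meant. check_hide_pro starts outside the hunk.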
2 changes: 1 addition & 1 deletion lib/plugins/Webshell_Analysis.py
Expand Up @@ -61,7 +61,7 @@ def scan_web(self):
if len(matches):
self.webshell_list.append(file)
malice_result(self.name, u'webshell安全检测', file, '', u'文件匹配上webshell特征,规则:%s' % matches[0],
u'[1]cat %s' % file, u'可疑',programme=u'rm %s #删除webshell文件' % file)
u'[1]cat %s' % file, u'风险',programme=u'rm %s #删除webshell文件' % file)
except:
continue
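Review bot: The changed line `programme=u'rm %s #删除webshell文件' % file` interpolates the matched path unquoted into a command the operator is expected to paste; the name of a dropped webshell is chosen by whoever dropped it, so a path containing spaces, `;` or other shell metacharacters yields a remediation that fails or acts on a different file. Quote it, `programme=u'rm %s #删除webshell文件' % pipes.quote(file)` (or `shlex.quote` on Python 3), and do the same for the `u'[1]cat %s' % file` hint on the same line. The surrounding `except: continue` also swallows any error from reading or matching the file, so an unreadable file is silently skipped rather than reported as unscanned; scan_web starts outside the hunk.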

