code_bug

grayddq · May 9, 2019 · d1aca09 · d1aca09
1 parent aba424c
commit d1aca09
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 219 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # GScan v0.1
 
-本程序旨在为安全应急响应人员对Linux主机排查时提供便利，实现主机侧Checklist的自动全面化检测，尽可能的发现入侵痕迹，包括但不限于进程、历史操作、恶意文件、后门rootkit等方式。
+本程序旨在为安全应急响应人员对Linux主机排查时提供便利，实现主机侧Checklist的自动全面化检测，根据检测结果自动数据聚合，进行黑客攻击路径溯源。
 
 ## 作者 ##
 
@@ -153,6 +153,8 @@
 >2、程序包括10W+的恶意特征信息，用于恶意文件的比对和查杀。
 >
 >3、WebShell的检测采用目前比较流行的Yara库进行查杀。
+>
+>4、结果自动化分析，进行黑客攻击溯源
 
 
 
@@ -162,7 +164,7 @@
 >
 >注：对比内容为程序的实际检测输出结果，其仅代表个人的观点，不代表产品说明。
 
-    GScan      程序定位为安全人员提供的一项入侵检测工具，旨在尽可能的发现入侵痕迹，包括历史操作、恶意文件、后门rootkit等不同的方式。
+    GScan      程序定位为安全人员提供的一项入侵检测工具，旨在尽可能的发现入侵痕迹，溯源出黑客攻击的整个路径。
 	chkrootkit 程序定位为安全人员提供的一项入侵检测工具，旨在发现被植入的后门或者rootkit。
 	rkhunter   程序定位为安全人员提供的一项入侵检测工具，旨在发现被植入的后门或者rootkit。
 	lynis      程序定位为安全人员日常使用的一款用于主机基线和审计的工具，可辅助漏洞扫描和配置管理，也可部分用于入侵检测。
@@ -245,7 +247,7 @@
 | 【WEBShell检测】Jenkins服务WebShell检测 | √ |  |  |  |
 | 【WEBShell检测】其他默认web目录WebShell检测 | √ |  |  |  |
 | 【漏洞类检查】服务漏洞或配置错误检查 |  |  |  | √ |
-| 【自动攻击路径追溯】攻击路径追溯 |  |  |  |  |
+| 【自动攻击路径追溯】攻击路径追溯 | √ |  |  |  |
 
 
 

diff --git a/lib/.DS_Store b/lib/.DS_Store
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -128,9 +128,9 @@ def get_process_start_time(pid):
                 stime = info.split(' ', 2)[2].strip()
                 sstime = os.popen("date -d " + stime + " '+%Y-%m-%d %H:%M:%S' 2>/dev/null").read().splitlines()
                 return user, sstime[0]
-        return "",""
+        return "", ""
     except:
-        return "",""
+        return "", ""
 
 
 # 检测风险结果，进行全局变量结果录入
@@ -154,7 +154,7 @@ def malice_result(checkname, vulname, file, pid, info, consult, level, mtime='',
     if not mtime: mtime = mtime_temp
     if not user: user = user_temp
     malice_info = {u'检测项': checkname, u'风险名称': vulname, u'异常文件': file, u'进程PID': pid, u'异常时间': mtime, u'所属用户': user,
-                   u'异常信息': info, u'手工排查确认': consult, u'风险级别': level}
+                   u'异常信息': info.strip().replace('\n', ''), u'手工排查确认': consult, u'风险级别': level}
     result_info = get_value('RESULT_INFO')
     result_info.append(malice_info)
     set_value('RESULT_INFO', result_info)

diff --git a/lib/core/data_aggregation.py b/lib/core/data_aggregation.py
@@ -25,39 +25,42 @@ def cmp_datetime(self, a, b):
         except:
             return 1
 
-    def run(self):
-        self.result_infos = get_value('RESULT_INFO')
-        self.result_infos = reRepeat(self.result_infos)
-        print(u'-' * 30)
-        say_info = u'根据系统分析的情况，溯源后的行动轨迹为：'
-        print(u'\033[1;31m根据系统分析的情况，溯源后的行动轨迹为：\033[0m')
+    def agregation(self):
+        say_info, i = u'-' * 30 + u'\n', 1
+        say_info += u'根据系统分析的情况，溯源后的行动轨迹为：\n'
         self.result_infos.sort(cmp=self.cmp_datetime, key=operator.itemgetter(u'异常时间'))
-        i = 1
         for result_info in self.result_infos:
             if result_info[u'检测项'] == u'常规后门检测':
-                print(
-                    u"[%d] 黑客在%s时间，进行了%s植入,%s" % (i, result_info[u'异常时间'], result_info[u'风险名称'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，进行了%s植入,%s \n" % (
+                    i, result_info[u'异常时间'], result_info[u'风险名称'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'配置类安全检测':
-                print(u"[%d] 黑客在%s时间，进行了%s变更，%s" % (
-                    i, result_info[u'异常时间'], result_info[u'风险名称'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，进行了%s变更，%s\n" % (
+                    i, result_info[u'异常时间'], result_info[u'风险名称'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'文件类安全检测':
-                print(u"[%d] 黑客在%s时间，植入了恶意文件%s，%s" % (
-                    i, result_info[u'异常时间'], result_info[u'异常文件'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，植入了恶意文件%s，%s\n" % (
+                    i, result_info[u'异常时间'], result_info[u'异常文件'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'主机历史操作类安全检测':
-                print(u"[%d] 黑客在%s时间，进行了恶意操作，%s" % (i, result_info[u'异常时间'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，进行了恶意操作，%s\n" % (i, result_info[u'异常时间'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'日志类安全检测':
-                print(u"[%d] 黑客在%s时间，进行了主机登陆，%s" % (i, result_info[u'异常时间'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，进行了主机登陆，%s\n" % (i, result_info[u'异常时间'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'网络链接类安全检测':
-                print(u"[%d] 黑客在%s时间，%s" % (i, result_info[u'异常时间'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，%s\n" % (i, result_info[u'异常时间'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'进程类安全检测':
-                print(
-                    u"[%d] 黑客在%s时间，启动进程%s，%s" % (i, result_info[u'异常时间'], result_info[u'进程PID'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，启动进程%s，%s\n" % (
+                    i, result_info[u'异常时间'], result_info[u'进程PID'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'Rootkit类安全检测':
-                print(u"[%d] 黑客在%s时间，植入Rootkit后门，%s" % (i, result_info[u'异常时间'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，植入Rootkit后门，%s\n" % (i, result_info[u'异常时间'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'系统初始化检测':
-                print(u"[%d] 黑客在%s时间，设置了系统命令别名，%s" % (i, result_info[u'异常时间'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，设置了系统命令别名，%s\n" % (i, result_info[u'异常时间'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'账户类安全检测':
-                print(u"[%d] 黑客在%s时间，进行了账户修改设置，%s" % (i, result_info[u'异常时间'], result_info[u'异常信息']))
+                say_info += u"[%d] 黑客在%s时间，进行了账户修改设置，%s\n" % (i, result_info[u'异常时间'], result_info[u'异常信息'])
             if result_info[u'检测项'] == u'Webshell安全检测':
-                print(u"[%d] 黑客在%s时间，植入了webshell文件%s" % (i, result_info[u'异常时间'], result_info[u'异常文件']))
+                say_info += u"[%d] 黑客在%s时间，植入了webshell文件%s\n" % (i, result_info[u'异常时间'], result_info[u'异常文件'])
             i += 1
+        file_write(say_info)
+        print(say_info)
+
+    def run(self):
+        self.result_infos = get_value('RESULT_INFO')
+        self.result_infos = reRepeat(self.result_infos)
+        self.agregation()
diff --git a/lib/core/ip/.DS_Store b/lib/core/ip/.DS_Store
diff --git a/lib/plugins/.DS_Store b/lib/plugins/.DS_Store
diff --git a/log/gscan.log b/log/gscan.log
@@ -1,191 +1 @@
-开始扫描当前系统安全状态...
-主机信息获取
-主机名：grayddqdeMacBook-Pro.local
-主机IP：172.18.83.6
-系统版本：Darwin-17.3.0-x86_64-i386-64bit
-主机时间：2019-05-09 21:24:47
-
-检测系统初始化扫描
- [1]alias检查                           [ OK  ]
-
-开始文件类安全扫描
- [1]系统可执行文件安全扫描              [ OK  ]
- [2]系统临时目录安全扫描                [ 存在风险  ]
- [3]各用户目录安全扫描                  [ OK  ]
- [4]可疑隐藏文件扫描                    [ 警告  ]
-------------------------------
-文件类安全检测
-{"进程PID": "", "手工排查确认": "[1]rpm -qa /tmp/..abc [2]strings /tmp/..abc", "异常时间": "2019-05-09 14:01:32", "异常文件": "/tmp/..abc", "风险名称": "临时目录文件安全扫描", "异常信息": "境外ip操作类：http://8.8.8.8/asdfasdf.sh", "检测项": "文件类安全检测", "风险级别": "风险", "所属用户": "grayddq"}
-{"进程PID": "", "手工排查确认": "[1]ls -l /Users/grayddq/..abc [2]strings /Users/grayddq/..abc", "异常时间": "2019-05-09 14:01:02", "异常文件": "/Users/grayddq/..abc", "风险名称": "可疑隐藏文件安全扫描", "异常信息": "文件 /Users/grayddq/..abc 属于可疑隐藏文件", "检测项": "文件类安全检测", "风险级别": "可疑", "所属用户": "grayddq"}
-
-开始主机历史操作类安全扫描
- [1]所有历史操作的可疑记录              [ 存在风险  ]
-------------------------------
-主机历史操作类安全检测
-{"进程PID": "", "手工排查确认": "[1]cat /Users/grayddq/.bash_history", "异常时间": "2019-05-09 17:20:15", "异常文件": "/Users/grayddq/.bash_history", "风险名称": "history文件安全扫描", "异常信息": "境外ip操作类：wget http://8.8.8.8/111.sh", "检测项": "主机历史操作类安全检测", "风险级别": "风险", "所属用户": "grayddq"}
-
-开始进程类安全扫描
- [1]CUP和内存类异常进程排查             [ 警告  ]
- [2]隐藏进程安全扫描                    [ OK  ]
- [3]反弹shell类进程扫描                 [ OK  ]
- [4]恶意进程信息安全扫描                [ OK  ]
- [5]exe程序安全扫描                     [ OK  ]
-------------------------------
-进程类安全检测
-{"进程PID": "3637", "手工排查确认": "[1]ps -efwww", "异常时间": "", "异常文件": "", "风险名称": "CPU过载扫描", "异常信息": "进程使用CPU过大，对应进程信息：85022:10.91", "检测项": "进程类安全检测", "风险级别": "风险", "所属用户": ""}
-
-开始网络链接类安全扫描
- [1]当前网络对外连接扫描                [ OK  ]
- [2]恶意特征类链接扫描                  [ OK  ]
- [3]网卡混杂模式扫描                    [ 警告  ]
-------------------------------
-网络链接类安全检测
-{"进程PID": "", "手工排查确认": "ifconfig | grep PROMISC | grep RUNNING", "异常时间": "", "异常文件": "", "风险名称": "网卡混杂模式检测", "异常信息": "网卡开启混杂模式", "检测项": "网络链接类安全检测", "风险级别": "可疑", "所属用户": ""}
-
-开始后门类安全扫描
- [1]LD_PRELOAD 后门检测                 [ OK  ]
- [2]LD_AOUT_PRELOAD 后门检测            [ OK  ]
- [3]LD_ELF_PRELOAD 后门检测             [ OK  ]
- [4]LD_LIBRARY_PATH 后门检测            [ OK  ]
- [5]ld.so.preload 后门检测              [ OK  ]
- [6]PROMPT_COMMAND 后门检测             [ OK  ]
- [7]cron定时任务后门检测                [ OK  ]
- [8]未知环境变量 后门检测               [ OK  ]
- [9]ssh 后门检测                        [ OK  ]
- [10]SSH wrapper 后门检测               [ OK  ]
- [11]inetd.conf 后门检测                [ OK  ]
- [12]xinetd.conf 后门检测               [ OK  ]
- [13]setuid 后门检测                    [ 警告  ]
- [14]系统启动项后门检测                 [ OK  ]
-------------------------------
-常规后门检测
-{"进程PID": "", "手工排查确认": "[1]ls -l /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent", "异常时间": "2017-12-02 03:40:20", "异常文件": "/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent", "风险名称": "setuid 后门", "异常信息": "文件/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent 被设置setuid属性，通常此类被设置权限的文件执行后会给予普通用户root权限", "检测项": "常规后门检测", "风险级别": "风险", "所属用户": "root"}
-
-开始账户类安全扫描
- [1]root权限账户安全扫描                [ OK  ]
- [2]空口令账户安全扫描                  [ OK  ]
- [3]sudoers权限安全扫描                 [ OK  ]
- [4]账户免密码证书安全扫描              [ OK  ]
- [5]账户密码文件扫描                    [ OK  ]
-
-开始日志类安全扫描
- [1]secure日志安全扫描                  [ OK  ]
- [2]wtmp日志日志安全扫描                [ OK  ]
- [3]utmp日志日志安全扫描                [ OK  ]
- [4]lastlog日志日志安全扫描             [ OK  ]
-
-开始配置类安全扫描
- [1]DNS设置扫描                         [ 警告  ]
- [2]防火墙设置扫描                      [ OK  ]
- [3]hosts设置扫描                       [ OK  ]
-------------------------------
-配置类安全检测
-{"进程PID": "", "手工排查确认": "[1]cat /etc/resolv.conf", "异常时间": "2019-05-04 15:20:40", "异常文件": "/etc/resolv.conf", "风险名称": "DNS安全配置", "异常信息": "DNS设置为境外IP: 8.8.8.8", "检测项": "配置类安全检测", "风险级别": "可疑", "所属用户": "root"}
-
-开始Rootkit类安全扫描
- [1]55808 Variant A                     [ OK  ]
- [2]Adore Rootkit                       [ OK  ]
- [3]AjaKit Rootkit                      [ OK  ]
- [4]aPa Kit Rootkit                     [ OK  ]
- [5]Apache Worm                         [ OK  ]
- [6]Ambient Rootkit                     [ OK  ]
- [7]Balaur Rootkit                      [ OK  ]
- [8]Beastkit Rootkit                    [ OK  ]
- [9]beX2 Rootkit                        [ OK  ]
- [10]BOBkit Rootkit                     [ OK  ]
- [11]OSX Boonana-A Trojan               [ OK  ]
- [12]cb Rootkit                         [ OK  ]
- [13]CiNIK Worm                         [ OK  ]
- [14]CX Rootkit                         [ OK  ]
- [15]Abuse Kit                          [ OK  ]
- [16]Devil Rootkit                      [ OK  ]
- [17]Diamorphine LKM                    [ OK  ]
- [18]Dica-Kit Rootkit                   [ OK  ]
- [19]Dreams Rootkit                     [ OK  ]
- [20]Duarawkz Rootkit                   [ OK  ]
- [21]Ebury sshd backdoor                [ OK  ]
- [22]ENYE LKM                           [ OK  ]
- [23]Flea Rootkit                       [ OK  ]
- [24]FreeBSD Rootkit                    [ OK  ]
- [25]Fu Rootkit                         [ OK  ]
- [26]Fuckit Rootkit                     [ OK  ]
- [27]GasKit Rootkit                     [ OK  ]
- [28]Heroin LKM                         [ OK  ]
- [29]HjC Kit Rootkit                    [ OK  ]
- [30]ignoKit Rootkit                    [ OK  ]
- [31]iLLogiC Rootkit                    [ OK  ]
- [32]OSX Inqtana Variant A              [ OK  ]
- [33]OSX Inqtana Variant B              [ OK  ]
- [34]OSX Inqtana Variant C              [ OK  ]
- [35]IntoXonia-NG Rootkit               [ OK  ]
- [36]Irix Rootkit                       [ OK  ]
- [37]Jynx Rootkit                       [ OK  ]
- [38]Jynx2 Rootkit                      [ OK  ]
- [39]KBeast Rootkit                     [ OK  ]
- [40]OSX Keydnap backdoor               [ OK  ]
- [41]Kitko Rootkit                      [ OK  ]
- [42]Knark Rootkit                      [ OK  ]
- [43]OSX Komplex Trojan                 [ OK  ]
- [44]ld-linuxv rootkit                  [ OK  ]
- [45]Lion Worm                          [ OK  ]
- [46]Lockit Rootkit                     [ OK  ]
- [47]Mokes backdoor                     [ OK  ]
- [48]MRK RootKit                        [ OK  ]
- [49]Mood-NT Rootkit                    [ OK  ]
- [50]Ni0 Rootkit                        [ OK  ]
- [51]Ohhara Rootkit                     [ OK  ]
- [52]Optic Kit Rootkit                  [ OK  ]
- [53]OSXRK                              [ OK  ]
- [54]Oz Rootkit                         [ OK  ]
- [55]Phalanx Rootkit                    [ OK  ]
- [56]Phalanx2 Rootkit                   [ OK  ]
- [57]Portacelo Rootkit                  [ OK  ]
- [58]OSX Proton backdoor                [ OK  ]
- [59]R3dstorm Toolkit                   [ OK  ]
- [60]RH-Sharpe Rootkit                  [ OK  ]
- [61]RSHA Rootkit                       [ OK  ]
- [62]Shutdown Rootkit                   [ OK  ]
- [63]Scalper Worm                       [ OK  ]
- [64]SHV4 Rootkit                       [ OK  ]
- [65]SHV5 Rootkit                       [ OK  ]
- [66]Sin Rootkit                        [ OK  ]
- [67]Slapper Worm                       [ OK  ]
- [68]Sneakin Rootkit                    [ OK  ]
- [69]Solaris Wanuk backdoor             [ OK  ]
- [70]Solaris Wanuk Worm                 [ OK  ]
- [71]Spanish Rootkit                    [ OK  ]
- [72]Suckit Rootkit                     [ OK  ]
- [73]NSDAP Rootkit                      [ OK  ]
- [74]SunOS Rootkit                      [ OK  ]
- [75]Superkit Rootkit                   [ OK  ]
- [76]TBD(Telnet Backdoor)               [ OK  ]
- [77]TeLeKiT Rootkit                    [ OK  ]
- [78]OSX Togroot Rootkit                [ OK  ]
- [79]T0rn Rootkit                       [ OK  ]
- [80]trNkit Rootkit                     [ OK  ]
- [81]Trojanit Kit Rootkit               [ OK  ]
- [82]Turtle Rootkit                     [ OK  ]
- [83]Tuxtendo Rootkit                   [ OK  ]
- [84]Universal Rootkit                  [ OK  ]
- [85]VcKit Rootkit                      [ OK  ]
- [86]Vampire Rootkit                    [ OK  ]
- [87]Volc Rootkit                       [ OK  ]
- [88]weaponX                            [ 存在风险  ]
- [89]Xzibit Rootkit                     [ OK  ]
- [90]X-Org SunOS Rootkit                [ OK  ]
- [91]zaRwT.KiT Rootkit                  [ OK  ]
- [92]ZK Rootkit                         [ OK  ]
- [93]Miscellaneous login backdoors      [ OK  ]
- [94]Sniffer log                        [ OK  ]
- [95]Suspicious dir                     [ OK  ]
- [96]Apache backdoor                    [ OK  ]
- [97]检测LKM内核模块                    [ OK  ]
-------------------------------
-Rootkit类安全检测
-{"进程PID": "", "手工排查确认": "[1]ls -a /tmp/...", "异常时间": "2019-05-07 13:52:04", "异常文件": "/tmp/...", "风险名称": "weaponX", "异常信息": "匹配到名为weaponX的rootkit目录规则 /tmp/...", "检测项": "Rootkit类安全检测", "风险级别": "风险", "所属用户": "grayddq"}
-
-开始Webshell安全扫描
- [1]Webshell安全扫描                    [ 存在风险  ]
-------------------------------
-Webshell安全检测
-{"进程PID": "", "手工排查确认": "[1]cat /tmp/123.php", "异常时间": "2019-05-09 19:55:47", "异常文件": "/tmp/123.php", "风险名称": "webshell安全检测", "异常信息": "文件匹配上webshell特征，规则：webshell_webshells_new_xxxx3", "检测项": "Webshell安全检测", "风险级别": "可疑", "所属用户": "grayddq"}
+