Merge pull request #10 from Neo23x0/log4shell-detection

Log4shell detection
Neo23x0 · Dec 13, 2021 · be14bef · be14bef
2 parents fcde372 + e864587
commit be14bef
Show file tree

Hide file tree

Showing 6 changed files with 159 additions and 265 deletions.
diff --git a/c2-iocs.txt b/c2-iocs.txt
@@ -1,125 +1,15 @@
-201.191.202.34
-216.58.192.68
-185.11.146.191
-185.11.146.151
-185.62.190.62
-185.62.190.82
-185.62.190.156
-185.62.190.222
-185.62.190.253
-188.209.49.163
-188.209.52.195
-188.209.49.131
-188.209.49.165
-185.130.5.165
-185.130.5.174
-185.130.5.200
-185.130.5.205
-185.130.5.246
-80.82.64.177
-80.82.78.12
-89.248.168.29
-89.248.172.201
-94.102.53.144
-89.248.162.167
-89.248.162.171
-89.248.166.131
-89.248.168.39
-89.248.172.166
-89.248.172.173
-94.102.49.197
-94.102.63.136
-46.165.251.153
-178.162.199.88
-178.162.205.4
-178.162.205.29
-178.162.205.30
-178.162.211.200
-178.162.211.211
-178.162.211.213
-178.162.211.214
-178.162.211.215
-178.162.211.216
-178.162.211.217
-149.202.153.56
-173.208.196.202
-188.0.236.27
-188.209.52.228
-192.210.220.3
-198.23.238.215
-198.23.238.251
-208.67.1.130
-208.67.1.33
-208.69.31.11
-5.152.206.162
-5.196.8.171
-89.248.162.167
-115.239.248.62
-117.27.158.104
-117.27.158.71
-117.27.158.78
-117.27.158.91
-122.225.103.118
-122.225.103.122
-122.225.103.125
-122.225.103.97
-122.225.109.102
-122.225.109.103
-122.225.109.108
-122.225.109.109
-122.225.109.114
-122.225.109.121
-122.225.109.125
-122.225.109.202
-122.225.109.214
-122.225.109.220
-122.225.109.99
-218.2.0.121
-218.2.0.132
-218.2.0.133
-218.2.0.137
-221.235.188.210
-222.186.34.121
-222.186.58.70
-60.169.77.228
-61.174.50.172
-61.174.50.177
-61.174.50.184
-61.174.50.216
-61.174.51.214
-61.174.51.226
-61.174.51.229
-61.174.51.230
-61.174.51.233
-61.174.51.235
-61.174.50.184
-122.225.103.118
-218.2.0.132
-122.225.103.125
-122.225.109.99
-122.225.103.97
-122.225.103.122
-61.174.51.226
-117.27.158.71
-61.174.51.233
-122.225.109.108
-122.225.109.109
-61.174.50.177
-61.174.51.214
-117.27.158.104
-61.174.50.172
-222.186.34.121
-117.27.158.91
-222.186.58.70
-61.174.51.229
-122.225.109.214
-61.174.50.216
-117.27.158.78
-221.235.188.210
-122.225.109.121
-167.114.153.55
-94.237.37.28
-82.118.242.171
-31.220.61.251
-128.199.199.187
-# END
+bingsearchlib.com
+34.198.182.201
+canarytokens.com
+52.18.63.80
+log4j.binaryedge.io
+134.209.163.248
+leakix.net
+167.71.13.196
+dnslog.cn
+47.244.138.18
+kryptoslogic-cve-2021-44228.com
+167.99.86.185
+interact.sh
+46.101.25.250
+# END
diff --git a/fenrir.sh b/fenrir.sh
@@ -4,7 +4,7 @@
 # Simple Bash IOC Checker
 # Florian Roth
 
-VERSION="0.8.0"
+VERSION="0.9.0-log4shell"
 
 # Settings ------------------------------------------------------------
 SYSTEM_NAME=$(uname -n | tr -d "\n")
@@ -23,18 +23,20 @@ LOG_TO_SYSLOG=0 # Log to syslog is set to 'off' by default > false positives
 LOG_TO_CMDLINE=1
 SYSLOG_FACILITY=local4
 
-# Disable Checks
-DO_C2_CHECK=1
+# Enable / Disable Checks
+ENABLE_C2_CHECK=1
+ENABLE_TYPE_CHECK=1
+ENABLE_HASH_CHECK=1
 
 # Exclusions
 MAX_FILE_SIZE=8000 # max file size to check in kilobyte, default 2 MB
 CHECK_ONLY_RELEVANT_EXTENSIONS=1 # ELF binaries get always checked
-declare -a RELEVANT_EXTENSIONS=('exe' 'jsp' 'dll' 'txt' 'js' 'vbs' 'bat' 'tmp' 'dat' 'sys' 'php' 'jspx' 'pl' 'war' 'sh' 'asp' 'aspx' 'jspx'); # use lower-case
+declare -a RELEVANT_EXTENSIONS=('jsp' 'jspx' 'txt' 'tmp' 'pl' 'war' 'sh' 'log' 'jar'); # use lower-case
 # files in these directories will be checked with string grep
 # regradless of their size and extension
 declare -a EXCLUDED_DIRS=('/proc/' '/initctl/' '/dev/' '/media/');
 # Force Checks
-declare -a FORCED_STRING_MATCH_DIRS=('/var/log/' '/etc/hosts');
+declare -a FORCED_STRING_MATCH_DIRS=('/var/log/' '/etc/hosts' '/etc/crontab');
 # Exclude all output lines that contain these strings
 declare -a EXCLUDE_STRINGS=('iocs.txt' 'fenrir');
 
@@ -105,7 +107,9 @@ function scan_dirs
             fi
 
             # Check if relevant type
-            relevant_type=$(file "$file_path" | grep -F "ELF")
+            if [ $ENABLE_TYPE_CHECK -eq 1 ]; then
+                relevant_type=$(file "$file_path" | grep -F "ELF")
+            fi
 
             # Exclude Extensions
             if [ $CHECK_ONLY_RELEVANT_EXTENSIONS -eq 1 ] && [ "$relevant_type" == "" ]; then
@@ -153,7 +157,7 @@ function scan_dirs
             fi
 
             # Hash Check
-            if [ $DO_HASH_CHECK -eq 1 ]; then
+            if [ $DO_HASH_CHECK -eq 1 ] && [ $ENABLE_HASH_CHECK -eq 1 ]; then
                 md5=$(md5sum "$file_path" 2> /dev/null | cut -f1 -d' ')
                 #md5tmp=$(md5sum "$file_path" 2> /dev/null)
                 #md5=${md5tmp%% *}
@@ -183,17 +187,17 @@ function check_pseudo_hashes
     local sha256=$3
     local filepath=$4
 
-	hashes=(${md5} ${sha1} ${sha256})
-	for hash in "${hashes[@]}";
-	do
-		pseudo_hash "$hash"
-		if [ -n "${pseudo_hash_iocs[$pseudo_h]}" ]; then
-			# TODO change to "log debug"
-			log warning "[+] Pseudo hash match on $file_path pseudo hash: $pseudo_h real hash will be checked now: $hash"
-
-			check_hashes "$hash" "$file_path"
-		fi
-	done
+    hashes=(${md5} ${sha1} ${sha256})
+    for hash in "${hashes[@]}";
+        do
+        pseudo_hash "$hash"
+        if [ -n "${pseudo_hash_iocs[$pseudo_h]}" ]; then
+            # TODO change to "log debug"
+            log debug "[+] Pseudo hash match on $file_path pseudo hash: $pseudo_h real hash will be checked now: $hash"
+
+            check_hashes "$hash" "$file_path"
+        fi
+    done
 }
 
 function check_hashes
@@ -207,7 +211,7 @@ function check_hashes
 
     for hash in "${hash_iocs[@]}";
     do
-        # echo "Comparing $hash with $md5"
+        #echo "Comparing $hash with $md5"
         if [ "$check_hash" == "$hash" ]; then
             description=${hash_ioc_description[$index]}
             log warning "[!] Hash match found FILE: $filepath HASH: $hash DESCRIPTION: $description"
@@ -451,14 +455,14 @@ function log {
 # READ IOCS -----------------------------------------------------------
 
 function pseudo_hash {
-	local hash=$1
-	#echo hash: $hash
+    local hash=$1
+    #echo hash: $hash
 
-	short_hash="0x${hash:0:8}"
-	let pseudo_h=$(($short_hash))
+    short_hash="0x${hash:0:8}"
+    let pseudo_h=$(($short_hash))
 
-	# use global var to save the fork of /bin/echo
-	#echo $pseudo_h
+    # use global var to save the fork of /bin/echo
+    #echo $pseudo_h
 }		
 
 
@@ -471,7 +475,7 @@ function read_hashes_iocs
     while read -r line ; do
         #hash=$(echo "$line" | cut -f1 -d';')
         #description=$(echo "$line" | cut -f2 -d';')
-		hash=${line%;*}
+        hash=${line%;*}
         if [[ -z "${hash// }" ]] ; then
             continue
         fi
@@ -482,13 +486,14 @@ function read_hashes_iocs
         fi
         description=${line#*;}
 
-		hash_iocs[$index]="$hash"
-		hash_ioc_description[$index]="$description"
+        hash_iocs[$index]="$hash"
+        hash_ioc_description[$index]="$description"
 
-		# changes global var $pseudo_h
-		pseudo_hash "$hash"
-		# assigning the real hash value to the pseudo hash array. beware: there might be collisions so only the last one is in there!
-		pseudo_hash_iocs[$pseudo_h]=$hash
+        # changes global var $pseudo_h
+        pseudo_hash "$hash"
+        # assigning the real hash value to the pseudo hash array. beware: there might be collisions so only the last one is in there!
+        #echo $pseudo_h
+        pseudo_hash_iocs[$pseudo_h]=$hash
 
         # echo "$hash $description"
         index=$((index+1))
@@ -572,6 +577,27 @@ function prepare_check_stings
     )
 }
 
+function check_req 
+{
+    log info "Checking the required utilities ..."
+    file_avail=$(command -v file)
+    if [[ -z $file_avail ]]; then 
+        log error "The 'file' command can't be found (disabling file type checks)"
+        ENABLE_TYPE_CHECK=0
+    fi
+    lsof_avail=$(command -v lsof)
+    if [[ -z $lsof_avail ]]; then 
+        log error "The 'lsof' command can't be found (disabling C2 checks)"
+        ENABLE_C2_CHECK=0
+    fi
+    md5sum_avail=$(command -v md5sum)
+    if [[ -z $md5sum_avail ]]; then 
+        log error "The 'md5sum' command can't be found (disabling hash checks)"
+        ENABLE_HASH_CHECK=0
+    fi
+}
+
+
 # Program -------------------------------------------------------------
 
 echo "##############################################################"
@@ -582,7 +608,7 @@ echo " /_/  \__/_//_/_/ /_/_/    "
 echo " v$VERSION"
 echo " "
 echo " Simple Bash IOC Checker"
-echo " Florian Roth, May 2020"
+echo " Florian Roth, Dec 2021"
 echo "##############################################################"
 
 if [ "$#" -ne 1 ]; then
@@ -615,6 +641,9 @@ log info "KERNEL: $OS_KERNEL"
 # Evaluate which stat mode to use
 evaluate_stat_mode
 
+# Check requirements
+check_req
+
 # Read all IOCs
 log info "[+] Reading Hash IOCs ..."
 read_hashes_iocs
@@ -627,7 +656,7 @@ log info "[+] Reading C2 IOCs ..."
 read_c2_iocs
 
 # Now scan the given first parameter
-if [ $DO_C2_CHECK -eq 1 ]; then
+if [ $ENABLE_C2_CHECK -eq 1 ]; then
     log info "[+] Scanning for C2 servers in 'lsof' output ..."
     scan_c2
 fi

diff --git a/filename-iocs.txt b/filename-iocs.txt
@@ -1,2 +1,2 @@
-demo/evil.jsp
-# END - DO NOT REMOVE
+log4j-core
+# END - DO NOT REMOVE