def run(self):
    """Print the process-check report for this section.

    Output order: a bold-yellow section header (``self.name``), one
    status line per check in numbered order, then one line per entry
    recorded in ``self.suspicious_proc`` (``[file, detail]`` pairs).
    ``align`` and ``printf`` are helpers defined elsewhere in the file.

    NOTE(review): file names and details are printed verbatim; a path
    containing terminal control sequences would reach the terminal
    unescaped — consider sanitising before display.
    """
    print(u'\n\033[1;33m%s\033[0m' % self.name)

    # (label, check) pairs, in the order the report prints them.
    checks = (
        ("[1]exe check", self.exe_check),
        ("[2]shell check", self.shell_check),
        ("[3]cpu mem check", self.cpu_mem_check),
    )
    for label, check in checks:
        print(u' %s%s' % (align(label), printf(check())))

    for item in self.suspicious_proc:
        print(u' [*]File:%s[*]Detail:%s' % (align(item[0]), item[1]))
def run(self):
    """Print the log-check report for this section.

    Output order: a bold-yellow section header (``self.name``), one
    status line per check (wtmp, utmp, lastlog, authlog), then one line
    per ``[file, detail]`` entry in ``self.suspicious_log``. The file
    column is padded to width 30 to line up with the details the log
    checks themselves produce. ``align`` and ``printf`` are helpers
    defined elsewhere in the file.

    NOTE(review): details are printed verbatim; the host/user strings
    they carry come straight from the login records and are not
    escaped before reaching the terminal.
    """
    print(u'\n\033[1;33m%s\033[0m' % self.name)

    # (label, check) pairs, in the order the report prints them.
    checks = (
        ("[1]wtmp check", self.wtmp_check),
        ("[2]utmp check", self.utmp_check),
        ("[3]lastlog check", self.lastlog_check),
        ("[4]authlog check", self.authlog_check),
    )
    for label, check in checks:
        print(u' %s%s' % (align(label), printf(check())))

    for item in self.suspicious_log:
        print(u' [*]File:%s[*]Detail:%s' % (align(item[0], width=30), item[1]))
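def utmp_check(self):
    """Flag concurrent remote sessions recorded in /var/run/utmp.

    Every USER_PROCESS record whose host field matches ``self.ip_regex``
    is reduced to its most recent login time per (host, user) pair.
    When two or more such pairs are currently logged in, one finding per
    pair is appended to ``self.suspicious_log`` as
    ``[path, "User,addr:<host,user>Time:<UTC time>"]``.

    Returns:
        bool: True when nothing was appended to ``self.suspicious_log``
        (also when the utmp file does not exist), False otherwise.

    Fix: findings were labelled ``/var/log/utmp`` although the data is
    read from ``/var/run/utmp``; the reported path now names the file
    that was actually parsed.

    NOTE(review): the host field is whatever the login service wrote
    into utmp; it is embedded in the finding unescaped.
    """
    utmp_path = "/var/run/utmp"
    if not os.path.exists(utmp_path):
        return True

    ini = len(self.suspicious_log)
    with open(utmp_path, "rb") as fd:
        buf = fd.read()

    # Most recent login timestamp per (host, user); only live sessions count.
    login_list = {}
    for entry in readlog(buf):
        if not re.match(self.ip_regex, entry.host):
            continue
        if entry.type != UTmpRecordType.user_process:
            continue
        identity = (entry.host, entry.user)
        if identity not in login_list or entry.sec > login_list[identity]:
            login_list[identity] = entry.sec

    # A single remote session is normal; two or more online at once is reported.
    if len(login_list) < 2:
        return True

    for key, value in login_list.items():
        # utcfromtimestamp keeps py2 compatibility (deprecated on 3.12+).
        when = datetime.datetime.utcfromtimestamp(
            int(value)).strftime("%Y-%m-%d %H:%M:%S")
        self.suspicious_log.append([
            utmp_path,
            "User,addr:%sTime:%s" % (align(",".join(key), width=30), when),
        ])
    return ini == len(self.suspicious_log)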
def wtmp_check(self):
    """Flag logins from more than one external (host, user) pair in /var/log/wtmp.

    Every record whose host matches ``self.ip_regex`` but not
    ``self.ip_internal`` is reduced to its latest login time per
    (host, user). When two or more such pairs exist, one finding per
    pair is appended to ``self.suspicious_log`` as
    ``["/var/log/wtmp", "User,addr:<host,user>Time:<UTC time>"]``.

    Returns:
        bool: True when nothing was appended to ``self.suspicious_log``
        (also when the wtmp file does not exist), False otherwise.

    NOTE(review): the whole file is read into memory; wtmp can grow
    large on long-lived hosts. Host strings come straight from the
    login records and are embedded in the finding unescaped.
    """
    wtmp_path = "/var/log/wtmp"
    login_list = {}
    if not os.path.exists(wtmp_path):
        return True

    ini = len(self.suspicious_log)
    with open(wtmp_path, 'rb') as fd:
        buf = fd.read()

    for entry in readlog(buf):
        host = entry.host
        if not re.match(self.ip_regex, host):
            continue
        # Internal addresses are deliberately ignored; change ip_internal to include them.
        if re.match(self.ip_internal, host):
            continue
        identity = (host, entry.user)
        if identity not in login_list or entry.sec > login_list[identity]:
            login_list[identity] = entry.sec

    if len(login_list) < 2:
        return True

    for identity, sec in login_list.items():
        stamp = datetime.datetime.utcfromtimestamp(
            int(sec)).strftime("%Y-%m-%d %H:%M:%S")
        self.suspicious_log.append([
            wtmp_path,
            "User,addr:%sTime:%s" % (align(",".join(identity), width=30), stamp),
        ])
    return ini == len(self.suspicious_log)
def run(self):
    """Print the user/account-check report for this section.

    Output order: a bold-yellow section header (``self.name``), one
    status line per check (root users, empty passwords, sudoers,
    authorized_keys, passwd-file permissions), then one line per
    ``[file, detail]`` entry in ``self.suspicious_user``. ``align`` and
    ``printf`` are helpers defined elsewhere in the file.

    NOTE(review): details are printed verbatim, without escaping.
    """
    print(u"\n\033[1;33m%s\033[0m" % self.name)

    # (label, check) pairs, in the order the report prints them.
    checks = (
        ("[1]root user check", self.root_check),
        ("[2]empty passwd check", self.empty_check),
        ("[3]sudoer check", self.sudo_check),
        ("[4]authorized check", self.authorized_check),
        ("[5]passwd file check", self.permission_check),
    )
    for label, check in checks:
        print(u" %s%s" % (align(label), printf(check())))

    for item in self.suspicious_user:
        print(u" [*]File:%sDetail:%s" % (align(item[0]), item[1]))
def run(self):
    """Print the shell-history-check report for this section.

    Output order: a bold-yellow section header (``self.name``), the
    status of the single history-file check, then one line per
    ``[file, detail]`` entry in ``self.suspicious_history``. ``align``
    and ``printf`` are helpers defined elsewhere in the file.

    NOTE(review): details are printed verbatim; history lines can
    contain arbitrary attacker-typed text, including terminal control
    sequences.
    """
    print(u'\n\033[1;33m%s\033[0m' % self.name)

    status = printf(self.history_files())
    print(u" %s%s" % (align("[1]History file check"), status))

    for item in self.suspicious_history:
        # Kept as a plain (non-u) literal, exactly as the original emits it.
        print(" [*]File:%sDetail:%s" % (align(item[0]), item[1]))
def run(self):
    """Print the backdoor-check report for this section.

    Output order: a bold-yellow section header (``self.name``), one
    status line per check in the numbered order below, then one line
    per ``[file, detail]`` entry in ``self.suspicious_backdoor``.
    ``align`` and ``printf`` are helpers defined elsewhere in the file.
    The labels (including "Inted"/"Xinted") are reproduced as-is
    because they are part of the emitted output.

    NOTE(review): details are printed verbatim, without escaping.
    """
    print(u'\n\033[1;33m%s\033[0m' % self.name)

    # (label, check) pairs, in the order the report prints them.
    checks = (
        ("[1]LD_PRELOAD check", self.LD_PRELOAD_check),
        ("[2]LD_AOUT_PRELOAD check", self.LD_AOUT_PRELOAD_check),
        ("[3]LD_ELF_PRELOAD check", self.LD_ELF_PRELOAD_check),
        ("[4]LD_LIBRARY_PATH check", self.LD_LIBRARY_PATH_check),
        ("[5]PROMPT_COMMAND check", self.PROMPT_COMMAND_check),
        ("[6]Export check", self.export_check),
        ("[7]LD_SO_PRELOAD check", self.ld_so_preload),
        ("[8]Cron check", self.cron_check),
        ("[9]SSH backdoor check", self.SSH_check),
        ("[10]SSH_softlink check", self.SSH_softlink),
        ("[11]SSH wrapper check", self.SSH_wrapper_check),
        ("[12]Inted check", self.inted_check),
        ("[13]Xinted check", self.xinetd_check),
        ("[14]Setuid check", self.setuid_check),
        ("[15]Startup check", self.startup_check),
        ("[16]Alias check", self.alias_check),
        ("[17]Openssh check", self.openssh_check),
        ("[18]Fstab check", self.fstab_check),
        ("[19]Setgid check", self.setgid_check),
        ("[20]PAM check", self.pam_check),
    )
    for label, check in checks:
        print(u' %s%s' % (align(label), printf(check())))

    for item in self.suspicious_backdoor:
        print(u' [*]File:%s[*]Detail:%s' % (align(item[0]), item[1]))