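#!/bin/bash
#
# cve-2024-3400_checker.sh - heuristic checks for artefacts associated with
# exploitation of CVE-2024-3400 on a PAN-OS device.
#
# Usage: ./cve-2024-3400_checker.sh
#   Every path below is an absolute device path, so run it on the device
#   itself with enough privilege to read /var/log/pan, /var/lib, /var/appweb,
#   /tmp and /etc/cron.d.
#
# Exit status: 0 if no check matched, 1 if at least one check flagged
# something. A location that is missing or unreadable is reported as
# "skipped" rather than counted as clean.
#
# The checks are fixed indicators (substrings / regexes). A clean run means
# these specific artefacts are absent, not that the device is uncompromised.
#
# Fixes relative to the previous version:
#   * `if awk 'cond' file` always took the "found" branch, because awk's exit
#     status is 0 whether or not any line matched; awk_any() below returns a
#     status that reflects the match.
#   * The /tmp loop ran awk on directories and unquoted "$file", and printed
#     "No matches" once per file.
#   * Two "clean" messages were copy-pasted from the wrong section, one line
#     lacked its colour prefix and the cron alert printed a literal "\e[31m".

set -u
shopt -s nullglob   # an unmatched glob expands to nothing, not to the literal pattern

readonly C_CYAN=$'\e[36m'
readonly C_RED=$'\e[31m'
readonly C_GREEN=$'\e[32m'
readonly C_YELLOW=$'\e[33m'
readonly C_RESET=$'\e[0m'

#######################################
# Output helpers. Each takes the message as $1 and writes one line to stdout.
#######################################
header() {
  printf '%s**----%s----**%s\n' "$C_CYAN" "$1" "$C_RESET"
}
alert() {
  printf '%s !!! %s !!!%s\n' "$C_RED" "$1" "$C_RESET"
}
clean() {
  printf '%s -- %s --%s\n' "$C_GREEN" "$1" "$C_RESET"
}
skipped() {
  printf '%s -- skipped: %s --%s\n' "$C_YELLOW" "$1" "$C_RESET"
}
separator() {
  printf '\n\n************************************************\n'
}

#######################################
# any_readable FILE...
# Returns 0 if at least one argument is a readable regular file, 1 otherwise.
#######################################
any_readable() {
  local f
  for f in "$@"; do
    [[ -f "$f" && -r "$f" ]] && return 0
  done
  return 1
}

#######################################
# awk_any CONDITION FILE...
# Returns 0 if any line of any readable regular file among FILE... satisfies
# CONDITION (an awk pattern expression such as '/wget/ && /chmod \+x/'),
# 1 if no line does or no file is readable.
# CONDITION is a constant from this script, not user input; it is spliced
# into the awk program text. `exit` in the rule jumps to END, whose own
# `exit` sets the final status from the match flag.
#######################################
awk_any() {
  local cond=$1; shift
  local f
  local -a files=()
  for f in "$@"; do
    [[ -f "$f" && -r "$f" ]] && files+=("$f")
  done
  (( ${#files[@]} > 0 )) || return 1
  awk "$cond"' { found = 1; exit } END { exit !found }' "${files[@]}"
}

#######################################
# literal_any STRING FILE...
# Returns 0 if any readable regular file among FILE... contains STRING as a
# fixed (non-regex) substring, 1 otherwise. -F matters: the indicators
# contain '(' and '*', which would change meaning as regex metacharacters.
#######################################
literal_any() {
  local needle=$1; shift
  local f
  local -a files=()
  for f in "$@"; do
    [[ -f "$f" && -r "$f" ]] && files+=("$f")
  done
  (( ${#files[@]} > 0 )) || return 1
  grep -q -F -- "$needle" "${files[@]}"
}

#######################################
# check_web_logs
# Web-server logs: request paths under /api/ or the string PAN-OS-Exploit.
# Returns 0 if an indicator matched, 1 otherwise (including skipped).
#######################################
check_web_logs() {
  local -a logs=(/var/log/pan/*.log)
  header 'Checking web server logs for exploits'
  # Count check first: "${logs[@]}" on an empty array trips set -u in bash < 4.4.
  if (( ${#logs[@]} == 0 )) || ! any_readable "${logs[@]}"; then
    skipped '/var/log/pan/*.log not found or not readable'
    return 1
  fi
  if awk_any '/\/api\// || /PAN-OS-Exploit/' "${logs[@]}"; then
    alert 'Possible exploit attempt found in web server logs'
    return 0
  fi
  clean 'No exploit attempts found in web server logs'
  return 1
}

#######################################
# check_system_pth
# Python site-packages .pth file carrying a base64-decoded exec payload.
# Returns 0 if an indicator matched, 1 otherwise (including skipped).
#######################################
check_system_pth() {
  local f=/var/lib/python3.6/site-packages/system.pth
  header 'Checking for evidence of malicious files'
  if [[ ! -f "$f" || ! -r "$f" ]]; then
    skipped "$f not found or not readable"
    return 1
  fi
  if literal_any 'import base64;exec(base64.b64decode' "$f"; then
    alert "suspicious code found in $f consider further analysis"
    return 0
  fi
  clean "No matches in $f"
  return 1
}

#######################################
# check_error_logs
# SSL-VPN nginx error logs containing the substring "img/".
# Returns 0 if an indicator matched, 1 otherwise (including skipped).
#######################################
check_error_logs() {
  local -a logs=(/var/log/pan/sslvpn_ngx_error*.log)
  header 'Checking suspicious code in error logs'
  if (( ${#logs[@]} == 0 )) || ! any_readable "${logs[@]}"; then
    skipped '/var/log/pan/sslvpn_ngx_error*.log not found or not readable'
    return 1
  fi
  if literal_any 'img/' "${logs[@]}"; then
    alert 'possible malicious code found in web server error logs, consider further analysis'
    return 0
  fi
  clean 'No matches in web server error logs'
  return 1
}

#######################################
# check_css_trailer
# A CSS comment on the last line of the portal's bootstrap.min.css
# (possible command output appended to a web-served file).
# Returns 0 if an indicator matched, 1 otherwise (including skipped).
#######################################
check_css_trailer() {
  local f=/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
  header 'Checking for comments appended to the end css file (possible command line output)'
  if [[ ! -f "$f" || ! -r "$f" ]]; then
    skipped "$f not found or not readable"
    return 1
  fi
  # Only the last line is examined. NOTE(review): minified CSS bundles often
  # end in a legitimate /* sourceMappingURL ... */ comment, so compare the
  # line against a known-good copy of the file before treating a hit as evidence.
  if tail -n 1 -- "$f" | grep -q -F -e '/*' -e '*/'; then
    alert "Suspicious comments found in $f consider further analysis"
    return 0
  fi
  clean "No suspicious comments at the end of $f"
  return 1
}

#######################################
# check_tmp
# Top-level regular files in /tmp (not recursive) that reference the portal
# document root, fetch-and-chmod a file, or carry a socket/pty one-liner.
# Returns 0 if any file matched, 1 otherwise.
#######################################
check_tmp() {
  local f found=1
  # Parenthesised to make awk's precedence explicit (&& binds tighter than ||):
  #   portal-path || (wget && chmod +x) || (socket import && pty.spawn)
  local cond='/\/var\/appweb\/sslvpndocs\/global-protect/ || (/wget/ && /chmod \+x/) || (/import sys,socket,os/ && /pty.spawn/)'
  header 'Checking for suspicious operations in /tmp'
  for f in /tmp/*; do
    [[ -f "$f" && -r "$f" ]] || continue   # directories, sockets, etc. are skipped
    if awk_any "$cond" "$f"; then
      alert "suspicious content in $f consider further analysis"
      found=0
    fi
  done
  (( found == 0 )) || clean 'No matches in /tmp'
  return "$found"
}

#######################################
# check_cron
# /etc/cron.d entries with SHELL=/bin... and a wget/curl/http reference.
# Returns 0 if an indicator matched, 1 otherwise (including skipped).
#######################################
check_cron() {
  local -a crons=(/etc/cron.d/*)
  header 'Checking for persistence in cron task'
  if (( ${#crons[@]} == 0 )) || ! any_readable "${crons[@]}"; then
    skipped '/etc/cron.d/* not found or not readable'
    return 1
  fi
  # NOTE(review): this fires only when SHELL=/bin and the download keyword are
  # on the same line; confirm that is the artefact shape intended.
  if awk_any '/SHELL=\/bin/ && (/wget/ || /curl/ || /http/)' "${crons[@]}"; then
    alert 'potentially malicious commands found in cron, consider further analysis'
    return 0
  fi
  clean 'No matches found in cron'
  return 1
}

#######################################
# main
# Runs every check in order with a separator between sections.
# Returns 0 if nothing matched, 1 if at least one check flagged something.
#######################################
main() {
  local -i hits=0
  local first=1 check
  for check in check_web_logs check_system_pth check_error_logs \
               check_css_trailer check_tmp check_cron; do
    (( first )) || separator
    first=0
    "$check" && hits+=1
  done
  (( hits == 0 ))
}

main "$@"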