
Commit 21d40660 authored by Axel Beckert's avatar Axel Beckert

Local script finds file-based IOCs

parents
#!/usr/bin/env perl
use strict;
use warnings;
use 5.010;
# IOCs from https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/
my %ioc = qw(
/home/*/.mozilla/xdm EGI20200421
/tmp/.dbs* EGI20200421
/tmp/.lock EGI20200421
/tmp/aes.tgz EGI20200421
/tmp/db.tgz EGI20200421
/tmp/dbsyn* EGI20200421
/tmp/reserved EGI20200421
/tmp/systemdb EGI20200421
/tmp/updatedb EGI20200421
/tmp/check_power EGI20200421
/tmp/hdshare EGI20200421
/tmp/readps EGI20200421
/usr/bin/on_ac_power EGI20200421
/usr/lib/libocs.so EGI20200421
/usr/lib64/.lib/l64 EGI20200421
/usr/share/aldi.so EGI20200421
/usr/share/sos/ EGI20200421
/usr/share/sos/rh.pub EGI20200421
/usr/share/sos/rh.pub EGI20200421
/var/tmp/.lock EGI20200421
/var/tmp/.lock/clogs EGI20200421
/var/tmp/.lock/cpa.h EGI20200421
/var/tmp/.lock/ologs EGI20200421
/wlcg/arc-ce1/cache/.cache EGI20200421
/apps/.ior/read/.terma EGI2020512
/apps/.ior/read/.termb EGI2020512
/etc/fonts/.fonts EGI2020512
/etc/fonts/.low EGI2020512
/etc/terminfo/.terma EGI2020512
/etc/terminfo/.termb EGI2020512
$HOME/.mozilla/plugins/.fonts EGI2020512
$HOME/.mozilla/plugins/.low EGI2020512
$HOME/.mozilla/plugins/.aa EGI2020512
$HOME/.mozilla/plugins/test EGI2020512
/usr/lib64/.lib/l64 EGI2020512
/var/games/.terma EGI2020512
/var/games/.termb EGI2020512
/tmp/ DEBUG
/run/udev.pid DEBUG
/run/lock/* DEBUG
);
# Hostname for reporting
my $hostname = `hostname`;
chomp($hostname);
# Commandline parsing
my $debug = 0;
if ($ARGV[0] and ($ARGV[0] eq '-d' or $ARGV[0] eq '-debug')) {
$debug = 1;
}
foreach my $glob (sort keys %ioc) {
my $incident = $ioc{$glob};
my @files = glob($glob);
foreach my $file (@files) {
if (-e $file) {
print "$hostname $incident: ".`ls -ld '$file'`
unless ($incident eq 'DEBUG' and $debug != 1);
}
}
}
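Review bot: The backtick `ls -ld '$file'` in the inner loop hands a path obtained by globbing world-writable locations such as `/tmp/.dbs*` and `/run/lock/*` to a shell, so a filename that itself contains a single quote ends the quoting and the remainder of the name is parsed as shell syntax; on a host being checked precisely because it may be compromised, that input should not go through a shell at all. Either stat the file in Perl or run `ls` without one: `open my $ls, '-|', 'ls', '-ld', '--', $file or die "ls $file: $!"; print "$hostname $incident: ", <$ls>; close $ls;`. Separately, the four `$HOME/...` patterns are literal strings (`qw` does not interpolate) and, as far as I can tell, Perl's built-in `glob` does not expand `$HOME` either, so those four IOCs are never matched; `/home/*/.mozilla/plugins/...` in the style of the first entry would cover them. Because `%ioc` is a hash, the repeated `/usr/lib64/.lib/l64` keeps only its second tag and the duplicated `/usr/share/sos/rh.pub` line is redundant, which is harmless but deserves a `# later duplicates override earlier incident tags` comment above the list. Also, `-e` follows symlinks, so a dangling symlink planted at an IOC path is silently skipped; `if (-l $file or -e $file)` reports it too.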