
...
 
Commits (3)
IOC Check for EGI Incidents #EGI20200421 and #EGI2020512
========================================================
These scripts check for know indicators of compromise for the [EGI
These scripts check for known indicators of compromise for the [EGI
Incidents #EGI20200421 and
#EGI2020512](https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/)
on any Unix system you can reach by SSH.
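Review bot: the two incident identifiers do not have the same shape, `#EGI20200421` carries eight digits after `EGI` while `#EGI2020512` carries seven, which looks like a dropped digit in the second one; verify both against the linked EGI CSIRT advisory and use the same identifier in the heading and in the body. The `know` to `known` correction itself is fine.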
......@@ -59,8 +59,7 @@ Requirements
`ioc-local-check.pl` uses only these standard POSIX commands and Perl:
* Perl 5.10 or newer (suffices for RHEL6 and any supported Debian or
derivative like Ubuntu), no modules required.
* Perl 5, no modules required.
* `sha256sum`
* `getent`
* `awk` (`mawk` suffices, no `gawk` needed.)
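Review bot: the list still claims the script "uses only these standard POSIX commands", but the diamorphine check added to `ioc-local-check.pl` in this same commit shells out to `kill` and `lsmod`; `lsmod` is Linux-specific and not POSIX, so add it here (or state that the kernel-module check is Linux-only) so the README matches the script. Relaxing "Perl 5.10 or newer" to "Perl 5" is consistent with dropping `use 5.010;` below, but the text no longer says which Perl 5 releases were actually tested, and the RHEL6/Debian note that carried that information was removed with it.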
......
......@@ -2,7 +2,6 @@
use strict;
use warnings;
use 5.010;
# IOCs from https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/
#
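Review bot: removing `use 5.010;` also removes the 5.10 feature bundle that the pragma enables (`say`, `state`, `given`/`when`); confirm that none of these appear in the rest of the script, since under `use strict` a leftover `say` now becomes a compile error instead of working. If the intent is only to run on the system Perl of older hosts, a lower explicit floor such as `use 5.008;` documents that better than dropping the version statement entirely.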
......@@ -95,6 +94,18 @@ foreach my $glob (sort keys %ioc) {
}
}
# Check for the diamorphine Linux Kernel Module
# (https://github.com/m0nad/Diamorphine)
# Perl's "kill(63, $$);" kills the script, so let's put a /bin/sh inbetween.
system('kill -63 $$');
my @lsmod = `lsmod`;
my @suspicious = grep /\b(diamorphine|scsi|iscsi|readaps)\b/, @lsmod;
foreach my $lkm (@suspicious) {
print "$hostname: SUSPICIOUS KERNEL MODULE: $lkm";
$found++;
}
# Summary
if ($verbose) {
if ($found == 0) {
print "$hostname: CLEAN\n";
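Review bot: `lsmod` is looked up through PATH by the backtick call, so on hosts where `/sbin` is not in an unprivileged user's PATH (the Debian-family default) the command is not found, `@lsmod` stays empty and the module check silently contributes nothing to `$found`; call it by absolute path or read `/proc/modules` directly, and check `$?` so a failed lookup is reported rather than treated as clean. Two smaller points on the same hunk: the single quotes in `system('kill -63 $$')` are deliberate (the shell, not Perl, expands `$$`, so only the child shell receives the signal when no rootkit is present), which deserves a one-line comment next to the existing one; and the pattern `\b(diamorphine|scsi|iscsi|readaps)\b` is applied to the whole `lsmod` line including the "Used by" column, so the printed line and the `$found++` increment are per matching line, not per module name. Also, "inbetween" in the comment should be "in between".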
......