UmbreallSecEmergencyResponseTools


    Project address

    https://github.com/CooChristmas/UmbreallSec

    Usage and production environment

    git clone https://github.com/CooChristmas/UmbreallSec.git
    
    ➜  python UbSec.py                                            127 ↵  16:08:14
    
      _    _           _                      _   _    _____
     | |  | |         | |                    | | | |  / ____|
     | |  | |_ __ ___ | |__  _ __ ___  __ _  | | | | | (___   ___  ___
     | |  | | '_ ` _ \| '_ \| '__/ _ \/ _` | | | | |  \___ \ / _ \/ __|
     | |__| | | | | | | |_) | | |  __/ (_| | | | | |  ____) |  __/ (__
      \____/|_| |_| |_|_.__/|_|  \___|\__,_| |_| |_| |_____/ \___|\___|
    
    
    
        {version:v0.1}
        {author:圣诞}
    
    # 开始扫描当前系统安全状态...
    
    ## 实例信息获取
    主机名:shengdans-MacBook-Air.local
     实例IP:192.168.8.113
    系统版本:Darwin-18.6.0-x86_64-i386-64bit
    扫描时间:2019-06-05 16:08:20
    
    检测系统初始化扫描
    
     [1]alias检查                          [ OK  ]
    
    开始文件类安全扫描
    
     [1]系统重要文件hash对比               [ OK  ]
    
      [2]系统可执行文件安全扫描            [ OK  ]
    
      [3]系统临时目录安全扫描              [ OK  ]
    
      [4]各用户目录安全扫描                [ OK  ]
    
      [5]可疑隐藏文件扫描                  [ OK  ]
    
    ## 开始主机历史操作类安全扫描
      [1]所有历史操作的可疑记录             [ OK  ]
    
    ## 开始进程类安全扫描
    
     [1]CUP和内存类异常进程排查            [ OK  ]
    
     [2]隐藏进程安全扫描                   [ OK  ]
    
     [3]反弹shell类进程扫描                [ OK  ]
    
     [4]恶意进程信息安全扫描               [ OK  ]
    
     [5]exe程序安全扫描                    [ OK  ]
    
    ## 开始网络链接类安全扫描
    
     [1]当前网络对外连接扫描               [ OK  ]
    
     [2]恶意特征类链接扫描                 [ OK  ]
     [3]网卡混杂模式扫描                    [ 警告  ]
    
    开始恶意后门类安全扫描
    
     [1]LD_PRELOAD 后门检测                [ OK  ]
    
      [2]LD_AOUT_PRELOAD 后门检测          [ OK  ]
    
      [3]LD_ELF_PRELOAD 后门检测           [ OK  ]
    
      [4]LD_LIBRARY_PATH 后门检测          [ OK  ]
    
      [5]ld.so.preload 后门检测            [ OK  ]
    
      [6]PROMPT_COMMAND 后门检测           [ OK  ]
    
      [7]cron定时任务后门检测              [ OK  ]
    
      [8]未知环境变量 后门检测             [ OK  ]
    
      [9]ssh 后门检测                      [ OK  ]
    
      [10]SSH wrapper 后门检测             [ OK  ]
    
      [11]inetd.conf 后门检测              [ OK  ]
    
      [12]xinetd.conf 后门检测             [ OK  ]
    
      [13]setuid 后门检测                  [ 警告  ]
    
      [14]系统启动项后门检测               [ OK  ]
    
    开始账户类安全扫描
    
     [1]root权限账户安全扫描               [ OK  ]
    
     [2]空口令账户安全扫描                 [ OK  ]
    
     [3]sudoers权限安全扫描                [ OK  ]
    
     [4]账户免密码证书安全扫描             [ OK  ]
    
     [5]账户密码文件扫描                   [ OK  ]
    
    开始日志类安全扫描
    
     [1]secure日志安全扫描                 [ OK  ]
    
     [2]wtmp日志日志安全扫描               [ OK  ]
    
     [3]utmp日志日志安全扫描               [ OK  ]
    
     [4]lastlog日志日志安全扫描            [ OK  ]
    
    开始配置类安全扫描
    
     [1]DNS设置扫描                        [ 警告  ]
    
     [2]防火墙设置扫描                     [ OK  ]
    
     [3]hosts设置扫描                      [ OK  ]
    
    开始Rootkit类安全扫描
    
      [1]55808 Variant A                   [ OK  ]
    
      [2]Adore Rootkit                     [ OK  ]
    
      [3]AjaKit Rootkit                    [ OK  ]
    
      [4]aPa Kit Rootkit                   [ OK  ]
    
      [5]Apache Worm                       [ OK  ]
    
      [6]Ambient Rootkit                   [ OK  ]
    
      [7]Balaur Rootkit                    [ OK  ]
    
      [8]Beastkit Rootkit                  [ OK  ]
    
      [9]beX2 Rootkit                      [ OK  ]
    
      [10]BOBkit Rootkit                   [ OK  ]
    
      [11]OSX Boonana-A Trojan             [ OK  ]
    
      [12]cb Rootkit                       [ OK  ]
    
      [13]CiNIK Worm                       [ OK  ]
    
      [14]CX Rootkit                       [ OK  ]
    
      [15]Abuse Kit                        [ OK  ]
    
      [16]Devil Rootkit                    [ OK  ]
    
      [17]Diamorphine LKM                  [ OK  ]
    
      [18]Dica-Kit Rootkit                 [ OK  ]
    
      [19]Dreams Rootkit                   [ OK  ]
    
      [20]Duarawkz Rootkit                 [ OK  ]
    
      [21]Ebury sshd backdoor              [ OK  ]
    
      [22]ENYE LKM                         [ OK  ]
    
      [23]Flea Rootkit                     [ OK  ]
    
      [24]FreeBSD Rootkit                  [ OK  ]
    
      [25]Fu Rootkit                       [ OK  ]
    
      [26]Fuckit Rootkit                   [ OK  ]
    
      [27]GasKit Rootkit                   [ OK  ]
    
      [28]Heroin LKM                       [ OK  ]
    
      [29]HjC Kit Rootkit                  [ OK  ]
    
      [30]ignoKit Rootkit                  [ OK  ]
    
      [31]iLLogiC Rootkit                  [ OK  ]
    
      [32]OSX Inqtana Variant A            [ OK  ]
    
      [33]OSX Inqtana Variant B            [ OK  ]
    
      [34]OSX Inqtana Variant C            [ OK  ]
    
      [35]IntoXonia-NG Rootkit             [ OK  ]
    
      [36]Irix Rootkit                     [ OK  ]
    
      [37]Jynx Rootkit                     [ OK  ]
    
      [38]Jynx2 Rootkit                    [ OK  ]
    
      [39]KBeast Rootkit                   [ OK  ]
    
      [40]OSX Keydnap backdoor             [ OK  ]
    
      [41]Kitko Rootkit                    [ OK  ]
    
      [42]Knark Rootkit                    [ OK  ]
    
      [43]OSX Komplex Trojan               [ OK  ]
    
      [44]ld-linuxv rootkit                [ OK  ]
    
      [45]Lion Worm                        [ OK  ]
    
      [46]Lockit Rootkit                   [ OK  ]
    
      [47]Mokes backdoor                   [ OK  ]
    
      [48]MRK RootKit                      [ OK  ]
    
      [49]Mood-NT Rootkit                  [ OK  ]
    
      [50]Ni0 Rootkit                      [ OK  ]
    
      [51]Ohhara Rootkit                   [ OK  ]
    
      [52]Optic Kit Rootkit                [ OK  ]
    
      [53]OSXRK                            [ OK  ]
    
      [54]Oz Rootkit                       [ OK  ]
    
      [55]Phalanx Rootkit                  [ OK  ]
    
      [56]Phalanx2 Rootkit                 [ OK  ]
    
      [57]Portacelo Rootkit                [ OK  ]
    
      [58]OSX Proton backdoor              [ OK  ]
    
      [59]R3dstorm Toolkit                 [ OK  ]
    
      [60]RH-Sharpe Rootkit                [ OK  ]
    
      [61]RSHA Rootkit                     [ OK  ]
    
      [62]Shutdown Rootkit                 [ OK  ]
    
      [63]Scalper Worm                     [ OK  ]
    
      [64]SHV4 Rootkit                     [ OK  ]
    
      [65]SHV5 Rootkit                     [ OK  ]
    
      [66]Sin Rootkit                      [ OK  ]
    
      [67]Slapper Worm                     [ OK  ]
    
      [68]Sneakin Rootkit                  [ OK  ]
    
      [69]Solaris Wanuk backdoor           [ OK  ]
    
      [70]Solaris Wanuk Worm               [ OK  ]
    
      [71]Spanish Rootkit                  [ OK  ]
    
      [72]Suckit Rootkit                   [ OK  ]
    
      [73]NSDAP Rootkit                    [ OK  ]
    
      [74]SunOS Rootkit                    [ OK  ]
    
      [75]Superkit Rootkit                 [ OK  ]
    
      [76]TBD(Telnet Backdoor)             [ OK  ]
    
      [77]TeLeKiT Rootkit                  [ OK  ]
    
      [78]OSX Togroot Rootkit              [ OK  ]
    
      [79]T0rn Rootkit                     [ OK  ]
    
      [80]trNkit Rootkit                   [ OK  ]
    
      [81]Trojanit Kit Rootkit             [ OK  ]
    
      [82]Turtle Rootkit                   [ OK  ]
    
      [83]Tuxtendo Rootkit                 [ OK  ]
    
      [84]Universal Rootkit                [ OK  ]
    
      [85]VcKit Rootkit                    [ OK  ]
    
      [86]Vampire Rootkit                  [ OK  ]
    
      [87]Volc Rootkit                     [ OK  ]
    
      [88]weaponX                          [ OK  ]
    
      [89]Xzibit Rootkit                   [ OK  ]
    
      [90]X-Org SunOS Rootkit              [ OK  ]
    
      [91]zaRwT.KiT Rootkit                [ OK  ]
    
      [92]ZK Rootkit                       [ OK  ]
    
      [93]Miscellaneous login backdoors    [ OK  ]
    
      [94]Sniffer log                      [ OK  ]
    
      [95]Suspicious dir                   [ OK  ]
    
      [96]Apache backdoor                  [ OK  ]
    
     [97]检测LKM内核模块                   [ OK  ]
     开始Webshell安全扫描
    
    #### [1]Webshell安全扫描               [ 跳过  ]
    ------------------------------
    ## 根据系统分析的情况,溯源后的攻击行动轨迹为:
    [2][风险] 黑客在2019-05-04 13:28:56时间,进行了setuid 后门植入,文件/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent 被设置setuid属性,通常此类被设置权限的文件执行后会给予普通用户root权限
    
    ------------------------------
    扫描完毕,扫描结果已记入到 /Volumes/Data/EmergencyResponseTools/Linux/Ubsec/srp/UbSec.md 文件中,请及时查看
    

    Report output path (the report is written in Markdown)

    /srp/UbSec.md
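As an added example that is not part of the UbSec project's own code, the block below is a compact Python version of three of the check families the scan above reports: setuid-file drift against a trusted baseline, the preload/environment-variable backdoor indicators (LD_PRELOAD, ld.so.preload, PROMPT_COMMAND and friends), and NIC promiscuous mode. The function names, the baseline dictionary format and every sample input are assumptions of this example; the sysfs flag reader only works on Linux, and the `__main__` demo builds its own temporary setuid file and constructed samples so it runs offline.

```python
"""Host triage checks modelled on three UbSec scan categories (example, not UbSec code)."""
import hashlib
import os
import stat

# Environment hooks the scan output lists as backdoor vectors.
PRELOAD_VARS = ("LD_PRELOAD", "LD_AOUT_PRELOAD", "LD_ELF_PRELOAD",
                "LD_LIBRARY_PATH", "PROMPT_COMMAND")
IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_setuid_entries(root):
    """Walk root and return {path: sha256} for regular files with setuid/setgid set."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[p] = sha256_file(p)
    return found


def setuid_findings(current, baseline):
    """Compare {path: hash} from the host with a trusted baseline of the same shape.

    The setuid bit alone is a weak signal (stock systems ship setuid binaries), so a
    finding is raised only for a path missing from the baseline or whose hash changed.
    Returns (status, findings) with status 'OK' or 'WARN'.
    """
    findings = []
    for path, digest in sorted(current.items()):
        if path not in baseline:
            findings.append(("new setuid file", path))
        elif baseline[path] != digest:
            findings.append(("setuid file content changed", path))
    return ("WARN" if findings else "OK", findings)


def preload_findings(ld_so_preload_text, env):
    """/etc/ld.so.preload should carry no active lines; preload/env hooks should be unset."""
    findings = []
    for line in ld_so_preload_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append(("ld.so.preload entry", line))
    for var in PRELOAD_VARS:
        if env.get(var):
            findings.append(("env hook set", f"{var}={env[var]}"))
    return findings


def promisc_interfaces(flags_by_iface):
    """flags_by_iface maps iface -> contents of /sys/class/net/<iface>/flags (hex text)."""
    return [iface for iface, raw in sorted(flags_by_iface.items())
            if int(raw.strip(), 16) & IFF_PROMISC]


def read_flags_from_sysfs(sys_net="/sys/class/net"):
    """Linux-only collector feeding promisc_interfaces(); empty dict elsewhere."""
    flags = {}
    if not os.path.isdir(sys_net):
        return flags
    for iface in os.listdir(sys_net):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as f:
                flags[iface] = f.read()
        except OSError:
            continue
    return flags


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a temp tree with one setuid file absent from an empty baseline.
    with tempfile.TemporaryDirectory() as tmp:
        p = os.path.join(tmp, "helper")
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho constructed sample\n")
        os.chmod(p, 0o4755)
        print(setuid_findings(collect_setuid_entries(tmp), baseline={}))
    # Constructed ld.so.preload content and environment.
    print(preload_findings("# comment\n/tmp/constructed-sample.so\n",
                           {"LD_PRELOAD": "/tmp/constructed-sample.so"}))
    # Constructed sysfs flag values: lo is UP|LOOPBACK, eth0 has IFF_PROMISC set.
    print(promisc_interfaces({"lo": "0x9", "eth0": "0x1103"}))
    print(promisc_interfaces(read_flags_from_sysfs()))
```

The baseline for `setuid_findings` is meant to be captured from a known-good image of the same OS build and stored off-host; without it a setuid listing cannot separate expected binaries from a newly planted one, which is the gap a bare setuid scan such as check [13] above has to fill by some other means.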
    

    Detection status in a production environment (screenshot)


    A tool for my own use; if you don't like it, please don't flame.