[SOLVED] Search text if some part sequence exists

pedropt · 10-18-2019, 05:04 PM

Quote:

better

<${loghttp} awk '/'$ip'/{print $7}'

Got it

, i just wrote it in a rush , the question i asked before was because the logfile related to a specific ip will change a bit because instead pointing to a single server file , i will point to a directory and look for ip on all files there .

Example for nginx access log files
Past = /var/log/nginx/access.log
Present = /var/log/nginx/*

This means that logfile will not be again :

ip - timestamp - date - string

will be now

filename that got string - ip - timestamp - date - string

witch means more stuff to be cleaned , and this is why that awk instruction in : ${loghttp} awk '/'$ip'/{print $7}'

I will grab all lines that contain a specific ip address from all logs in all services (mail,webservers,etc..) to 1 , and then i will run your code to search for patterns that match any of the lines in definitions.conf file .

The definitions.conf will not have only definitions that can be applied on webservers , it will also have patterns to identify intrusions on mail servers , pop3 or smtp services .

I need to do it this way (pick from everywhere to a single file) because it will happen a lot of occasions that something new was not yet added to definitions.conf and i will need to add it , and for that i will only need to look into 1 single file (ipres in last code) and choose a pattern to add it to definitions.conf .
Hope you all got +- the game here .

However , i am just commenting now .
Thanks for the tips above .

Firerat · 10-18-2019, 05:35 PM

faster but more difficult to maintain

Code:

#!/bin/bash
Pattern="(HNAP1/|(elrekt|(/?(TP|thinkphp)/html/public|phppma)/index)\.php|000000000000\.cfg|0015650000000\.cfg|\?routestring=ajax/render/widget_php|/UPnP/IGD.xml|/prov/y000000000007.cfg|mstshash=Administr|secure/ContactAdministrators\!default\.jspa|mnt/custom/ProductDefinition|/vtigercrm/vtigerservice.php|/etc/passwd\?/dana/html5acc/guacamole/|/osm/report/|routestring=profile/upload-profilepicture|module/action/param1/\\$\\{@die\(md5\(HelloThinkPHP\)\)\})"

while read -a LOG
do
  [[ ${LOG[@]} =~ ${Pattern} ]] && echo ${LOG[0]}
done < serverlog.tmp.txt

that Pattern is awful

but like I said, it is much faster

pedropt · 10-18-2019, 09:10 PM

yup but there is a problem with it , i just dont need also to identify the pattern , i also need to bring back the variable 1 from definitions.conf , what really matters is the 1st variable in definitions that will tell me what intrusion was detected .
This last code you wrote will only identify the pattern and will not bring back the intrusion name . Also , this last code can not be applied to the script because i dont want to edit the script every time i need to add a new pattern .
Your previous code is perfect and runs great , i will use that one .
I just need to do some adjustments to the script for now , and with time build a new one with user config settings to add it to github just in case anyone needs it too .
But that is a long story .

Firerat · 10-18-2019, 09:52 PM

yes

now we are getting somewhere

so, your def.conf

Code:

DLINK_HNAP_SEC HNAP1/

Code:

PHP_Exploitation elrekt.php
PHP_Exploitation TP/html/public/index.php
PHP_Exploitation /thinkphp/html/public/index.php
PHP_Exploitation phppma/index.php

teh above and the below interest me

Code:

Poly_voip_Info_Disclosure 000000000000.cfg
Poly_voip_Info_Disclosure 0015650000000.cfg

Code:

CVE-2019-11581 secure/ContactAdministrators!default.jspa
ThinkPHP_RCE module/action/param1/${@die(md5(HelloThinkPHP))}
UPNP_Info_Disclosure /UPnP/IGD.xml
CVE-2019-16759 ?routestring=ajax/render/widget_php
Fusion_PBX_Disclosure /prov/y000000000007.cfg
Hisilicon_DVDR mnt/custom/ProductDefinition
RDP_Probe mstshash=Administr
vTiger_CRM_CSS /vtigercrm/vtigerservice.php
CVE-2019-11510 /etc/passwd?/dana/html5acc/guacamole/
CVE-2019-17503/17504 /osm/report/
CVE-2019-17132 routestring=profile/upload-profilepicture

lets look at this one again

Code:

PHP_Exploitation elrekt.php
PHP_Exploitation TP/html/public/index.php
PHP_Exploitation /thinkphp/html/public/index.php
PHP_Exploitation phppma/index.php

can we squish them into one ( well yeah, I did that in the messy one )

Code:

Patterns=( "PHP_Exploitation¬(elrekt|(/?(TP|thinkphp)/html/public|phppma)/index)\.php" )

I don't really like using a space, so changed it to ¬

${Patterns[0]%¬*} is your "type"
${Patterns[0]#*¬} is the pattern

but it is 4 in 1

alternative is

Code:

declare -A Patterns[PHP_Exploitation]="(elrekt|(/?(TP|thinkphp)/html/public|phppma)/index)\.php"

getting the index ( PHP_Exploitation )
is a bit more complicated

Code:

for i in ${!Patterns[@]}
do
  echo $i
  echo ${Patterns[$i]}
done

A simpler RE would be

Code:

"elrekt.php|TP/html/public/index.php|/thinkphp/html/public/index.php|phppma/index.php"

you could probably hack something together to concat those strings

you will need to be careful, ?+*${ can do strange things

test your RE like this

Code:

<definition.conf grep --colour=always -C20 -E "elrekt|/?(TP|thinkphp)"

have fun painting it all red

ThinkPHP_RCE module/action/param1/${@die(md5(HelloThinkPHP))}
is the one you have to pay special attention to

how many entries do you expect in definition.conf ?

pedropt · 10-19-2019, 05:43 AM

Quote:

ThinkPHP_RCE module/action/param1/${@die(md5(HelloThinkPHP))}
is the one you have to pay special attention to

how many entries do you expect in definition.conf ?

To that Intrusion ThinkPHP_RCE is just that one for now , but definitions.conf will have hundreds of lines with multiple patterns .
I update definition.conf file every time some smart guy tries anything new on server to see if he/she can exploit the server and take over controls .
Or i personally try to exploit my own server using multiples new exploits , then i watch how web servers log that exploit code in their logs , and then i choose a common pattern to add it to the definition.conf .

the 18 lines you see now in definition.conf will be 1000 in an year the way i see things everyday on the web .

Firerat · 10-19-2019, 07:47 AM

you appear to have failed to understand my point about ThinkPHP_RCE

Code:

unset Patterns
while read -a foo
do
  declare -A Patterns[${foo[0]}]+="${foo[1]//[\$\?\{\}\(\)]/\.}|"
done < definition.conf

note //[\$\?\{\}]/\.}
it "fixes" ThinkPHP_RCE

Code:

for i in ${!Patterns[@]}
do
  echo  ==== ${i} ====
  <definition.conf grep --color=auto -10 -E "${Patterns[$i]%|}"
  echo
done

pedropt · 10-19-2019, 08:15 AM

ok , i get it now .
What you are speaking is that patterns like think php_rce that have special characters the code will not read it after that point , but if i change the code to understand it then i will have problems with all other patters that do not have those special characters .

Problems in : $,{,@

Quote:

module/action/param1/${@die(md5(HelloThinkPHP))}

dont worry , i will create 2 patterns for this exploit in definitions file .

Quote:

THINKPHP_RCE module/action/param1/
THINKPHP_RCE die(md5(HelloThinkPHP)

i believe this will fix the issue , unless () also contains an issue to the code ?

Firerat · 10-19-2019, 08:56 AM

it depends

you could follow @MadeInGermany's lead in #45 and have the patterns as simple strings
that is fine if you treat each one individually.

I was thinking ahead when I chose [[ ${LOG} =~ RE ]] , since crafting a regular expression to search multiple patterns is faster than searching each, one at a time.

maybe return to the RE once you are more comfortable with them ( I have to admit I do dislike working with RE ) and for now use one of the slow methods suggested by @MadeInGermany

RE is short for regular expression
https://en.wikipedia.org/wiki/Regular_expression

pedropt · 10-20-2019, 03:02 PM

we have a problem .
It was working but now is not .
It looks that when it is reading the patters from definition.conf file it is only reading the 1st variable and not the second as it should be .

what is happening is that in this line :

Quote:

PHP_Exploitation phppma/index.php

is reading PHP_Exploitation instead phppma/index.php

I am implementing the code in the final script now , and this problem poped up .
i run the script in bash -x and i found that .

Quote:

+ for P in "${Patterns[@]}"
+ [[ /sql/phpMyAdmin2/index.php?lang=en =~ PHP_Exploitation ]]
+ for P in "${Patterns[@]}"
+ [[ /sql/phpMyAdmin2/index.php?lang=en =~ PHP_Exploitation ]]
+ for P in "${Patterns[@]}"
+ [[ /sql/phpMyAdmin2/index.php?lang=en =~ PHP_Exploitation ]]
+ for P in "${Patterns[@]}"
+ [[ /sql/phpMyAdmin2/index.php?lang=en =~ PHP_Exploitation ]]

now , the code that matters was not changed :

Quote:

intdet () {
IP=$1
while read LOG
do
for P in "${Patterns[@]}"
do
[[ ${LOG} =~ "${P#* }" ]] && intr=${P% *}
done

# not greping for ip because the file to compare only contains all the requests from that ip
done < <(cat ipres )

return $?
}
# varsel is a variable containing an ip address from a file readed
varsel=$(sed -n ${opt}p iptemp.tmp)
grep "$varsel" $loghttp $loghttps | awk '{print$7}' > ipres
if [[ -s "ipres" ]]
then
Patterns=()
while read -a foo
do
Patterns+=("${foo}")
done < /def/definition.conf
while read IP
do
intdet $IP
done < <( echo $varsel )
fi
echo "Detectected $intr"

intdet = intrusion detection , i changed the function name .

the ipres file does not have any ip , only have the requests i grabbed out from all logs from that ip i selected

Quote:

mysql/sqlmanager/index.php?lang=en
/mysql/mysqlmanager/index.php?lang=en
/phpmyadmin/index.php?lang=en
/phpMyadmin/index.php?lang=en
/phpMyAdmin/index.php?lang=en
/phpmyAdmin/index.php?lang=en
/phpmyadmin1/index.php?lang=en
/phpmyadmin2/index.php?lang=en
/phpmyadmin3/index.php?lang=en
/phpmyadmin4/index.php?lang=en
/2phpmyadmin/index.php?lang=en
/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/index.php?lang=en
/phpmy/index.php?lang=en
/phppma/index.php?lang=en
/myadmin/index.php?lang=en
/shopdb/index.php?lang=en
/MyAdmin/index.php?lang=en
/program/index.php?lang=en
/PMA/index.php?lang=en
/dbadmin/index.php?lang=en
/pma/index.php?lang=en

The code is checking this file and see if any line matches with the descriptions in definition.conf

Firerat · 10-20-2019, 03:26 PM

probably my fault, but first let me rant about UUOC

http://porkmail.org/era/unix/award.html

Code:

# done < <(cat ipres )
# no !
done < ipres
# yes :D

ok, now why it was my fault

at some point I introduced you to having read set up an array

Code:

while read -a foo
do
  Patterns+=("${foo}")
done < /def/definition.conf

this means that foo is an array with two elements
${foo[0]} and ${foo[1]}
post #51 is probably the one which confused you..

For now just drop the -a and it will work as you expect

grrr

Code:

#while read IP
#do
#  intdet $IP
#done < <( echo $varsel ) 
# UUOE !!

intdet $varsel

# that assumes $varsel is a single ip
# done <<<${varsel}
# is an alternative

pedropt · 10-20-2019, 05:23 PM

yup .
You`re good in this .
Also there was a problem here , i had to add one more line to php exploitation , i realized that in all 113 lines used by the intruser , not of then were similar to the ones i got in definitions .

Firerat · 10-20-2019, 05:52 PM

can you use
[code]
script here
[/code]
instead of
[quote]
script here
[/quote]

re-reading I notice some more things are creeping back in

Code:

varsel=$(sed -n ${opt}p iptemp.tmp)
grep "$varsel" $loghttp $loghttps | awk '{print$7}' > ipres

Code:

awk '/'$varsel'/ {print $7}' $loghttp $loghttps

I assume iptemp.tmp is just a list of ip address, and you are looping though each line number and using sed to grab that line

that was one of the first things we did

Code:

while read varsel
do
  awk '/'$varsel'/ {print $7}' $loghttp $loghttps > ipres
  #FIXME -----------------------------------------^ ^^^^^
  # that will overwrite existing file, is that what you want?
done < iptemp.tmp

do you even need to write it to a file?

Code:

#!/bin/bash
GetFieldSeven () { 
  awk '/'$varsel'/ {print $7}' $loghttp $loghttps
}

while read varsel
do
   ipres="$( GetFieldSeven )"
   action_ipres $ipres
done < iptemp.tmp

do you even need $ipres ?

Code:

while read varsel
do
  action_ipres "$( GetFieldSeven )"
done < iptemp.tmp

I am just making things up, I don't know what the actual workflow is

that iptemp.tmp file is also not needed ( I assume your script writes that file )

pedropt · 10-20-2019, 06:25 PM

Code is not definitive , those lines are already changed now , because last code got all ips even those who did not make any bad request to server , and i had to change that code .

Why this code :

Code:

Patterns=()
while read foo
do
    Patterns+=("${foo}")
done < /def/definition.conf
while read IP
do
    intdet $varsel
done <<< ${varsel}

can only read 24 lines in definition.conf if i have 25 in there ?

https://i.postimg.cc/yx48ykqP/script.png

Line 25 in definition.conf

Quote:

Apache_Continnum_Exploit continuum/saveInstallation.action

I moved the line to the beginning of definition.conf and now it can be identified .
But 25 is now a new one and is not in patterns , it looks it can only read 24 ?

Firerat · 10-20-2019, 06:48 PM

Quote:

Originally Posted by pedropt

Code is not definitive , those lines are already changed now , because last code got all ips even those who did not make any bad request to server , and i had to change that code .

I don't know what that means

Quote:

Originally Posted by pedropt

Why this code :

Code:

Patterns=()
while read foo
do
    Patterns+=("${foo}")
done < /def/definition.conf
while read IP
do
    intdet $varsel
done <<< ${varsel}

this is getting very confusing
you are copy and pasting chunks of code and getting everything mixed up

Code:

Patterns=()
while read foo
do
    Patterns+=("${foo}")
done < /def/definition.conf
# the above looks ok

# the below is not
while read IP
do
    intdet $varsel
done <<< ${varsel}

varsel is what? a single IP ?
if so you don't need to have the loop
if it is a a number of IPs then, strange things may happen
read will probably put them all into IP, basicly IP is a copy of varsel

Code:

varsel="11.11.11.11 22.22.22.22 33.33.33.33"

while read IP
do
  echo $IP
done <<< $varsel 

for IP in $varsel
do
  echo $IP
done

you need to understand all these bits of code you are mashing together

build up the script slowly, testing each bit does what you expect
avoid using all the "clever" sed cat echo grep | awk tricks you have been using
they are bad, at best just slow at worst will do odd things

Quote:

Originally Posted by pedropt

can only read 24 lines in definition.conf if i have 25 in there ?

I'm not sure I understand what you are asking

the definition.conf file is processed line by line
it doesn't finish until the whole of the file is read
be it 24, 25 or 9001 lines

pedropt · 10-20-2019, 07:10 PM

$varsel is a single ip

Code is still changing , not all of it but some , depending on the problems i find ahead .
Yup , as you said it should read even if they were 9000 lines , but the fact is that is only reading 24 .

Stuff i did until now , and i still have to search the ip in firewall blocked ips and other stuff ahead , but since i found this problem then i stopped here .
Anyway here is the drop of that new function i am building .

Code:

# i tought it was important to drop these 2 new lines at the beginning to undestand the whole #logic of the code 
loghttps="/var/log/apache2/roundcube-access.*"
loghttp="/var/log/nginx/access.*"
intdet () {
IP=$1
while read LOG
do
    for P in "${Patterns[@]}"
    do  
        [[ ${LOG} =~ "${P#* }" ]] && intr=${P% *} 
    done
done < ipres 
return $?
}

srvlog() {
delf
echo -e "$green""Select one of the options"
echo ""
echo -e "$yellow""1$orange -$green Check Webservers logs"
echo -e "$yellow""2$orange -$green Check Mail logs"
echo -e "$yellow""3$orange -$green Check Streaming logs"
echo -e "$yellow""4$orange -$green Back To Menu"
echo ""
echo -ne "$green""Choose : "
read opt	
case $opt in
1)
rm -rf /var/log/nginx/*.gz >/dev/null 2>&1
rm -rf /var/log/apache2/*.gz >/dev/null 2>&1
rm -rf ipres >/dev/null 2>&1
shd=$(netstat -anp | grep "ESTABLISHED" | grep "sshd" | awk '{print$5}' | cut -f1 -d":")
rm -rf iptemp.tmp >/dev/null 2>&1
echo -e "$green"""
echo -n "* - Collecting Webservers ip logs...."
grep "404" $loghttp | cut -d ':' -f2- | awk '{print$1}' > iptemp.tmp 
grep "404" $loghttps | cut -d ':' -f2- | awk '{print$1}' >> iptemp.tmp 
if [[ -z "$shd" ]]
then
cat iptemp.tmp | sort -u > iptemp2.tmp
else
cat iptemp.tmp | sort -u | sed -e "/$shd/d" > iptemp2.tmp 
fi
rm -rf iptemp.tmp && mv iptemp2.tmp iptemp.tmp >/dev/null 2>&1
echo "Done"
cntfl=$(wc -l iptemp.tmp | awk '{print$1}')
echo ""
echo "Choose an ip to check its activity"
echo ""
for i in $(seq $cntfl)
do
var=$(sed -n ${i}p iptemp.tmp)
cnt=$(grep "$var" $loghttp $loghttps | wc -l | awk '{print$1}') 
if [[ "$cnt" -le "1" ]]
then 
cnt="1"
fi
if [[ $var =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
# temp file because i want to put the ips that hited more times in the # beginning , but i am still thinkinking in adding it , not sure
echo "$cnt  $var" >> newip
# END 
echo -e "$green""$i$white -$cyan $var $yellow ($orange$cnt$green times $yellow)"
fi
done
echo -ne "$green""Choose from 1 to $cntfl : "
read -r opt

# all these ifs are in case i am drunk or with my ahead in the moon
if [[ -z "$opt" ]]
then
echo "Invalid Input"
sleep 3
clear
srvlog
elif [[ "$opt" -lt "1" ]] 
then
echo "Invalid Input"
sleep 3
clear
srvlog
elif [[ "$opt" -gt "$cntfl" ]]
 then
echo "Invalid Input"
sleep 3
clear
srvlog
elif [[ "$opt" =~ [A-Za-z] ]]
 then
echo "Invalid Input"
sleep 3
clear
srvlog
fi
# end of drunk part

varsel=$(sed -n ${opt}p iptemp.tmp)
grep "$varsel" $loghttp $loghttps | awk '{print$7}' > ipres
if [[ -s "ipres" ]]
then
Patterns=()
while read foo
do
    Patterns+=("${foo}")
done < /def/definition.conf
while read IP
do
    intdet $varsel
done <<< ${varsel} 
fi
if [[ -z "$intr" ]]
then
echo "Database did not identified $varsel requests to server"
echo ""
cntfl=$(wc -l ipres | awk '{print$1}')
echo "....Displaying webserver logs for this IP...."
echo "---------------------------------------------"
for i in $(seq $cntfl)
do
rdinp=$(sed -n ${i}p ipres)
echo "$i - $rdinp"
done
echo "---------------------------------------------"
echo ""
echo "Do You want to add a new reference to Definition database?"
echo -ne "$green""Choose (y/n) : "
read -r opt
if [[ "$opt" == "y" ]] || [[ "$opt" == "Y" ]] || [[ "$opt" == "yes" ]] || [[ "$opt" == "Yes" ]] || [[ "$opt" == "YES" ]] 
then
echo ""
echo -n "Choose a number between 1 & $cntfl to add :"
read -r opt1
echo -n "Write a name to identify this intrusion : "
read -r opt2

fi
if [[ "$opt" == "n" ]] || [[ "$opt" == "N" ]] || [[ "$opt" == "no" ]] || [[ "$opt" == "NO" ]] || [[ "$opt" == "No" ]] 
then
echo "you choose no"
fi
else
echo "It was detected $intr by $varsel"
fi
;;
2)
echo ""
;;
3)
echo ""
;;
4)
clear 
menu
;;
*)
clear
srvlog
;;
esac
}

Anyway , it should be simple for you to test the 25 line issue .
just write 24 lines with anything like "aaaa vhfjtrorooo" not equal to line 24 , and then in line 25 Write :

Quote:

Apache_Continuum_Exploit continuum/saveInstallation.action

Since i an picking all the data from server log , you can add this data to a file anywhere with the name access.log

Quote:

1.1.1.1- - [19/Oct/2019:21:44:55 +0100] "GET / HTTP/1.1" 200 5765 "-" "HTTP Banner Detection (https://security.ipip.net)"
2.2.2.2 - - [19/Oct/2019:21:56:37 +0100] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 173 "-" "-"
3.3.3.3 - - [19/Oct/2019:22:16:55 +0100] "GET / HTTP/1.1" 200 5765 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
4.4.4.4 - - [19/Oct/2019:22:24:23 +0100] "GET /.well-known/keybase.txt HTTP/1.1" 200 2054 "-" "keybase-proofs/2.3.9"
5.5.5.5 - - [19/Oct/2019:22:27:58 +0100] "GET / HTTP/1.1" 200 5765 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
6.6.6.6 - - [19/Oct/2019:22:59:08 +0100] "GET /news/wp-login.php HTTP/1.1" 404 142 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
7.7.7.7 - - [19/Oct/2019:23:58:00 +0100] "GET / HTTP/1.1" 200 5765 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
8.8.8.8 - - [20/Oct/2019:00:08:11 +0100] "GET /cms/wp-login.php HTTP/1.1" 404 142 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
9.9.9.9 - - [20/Oct/2019:00:57:52 +0100] "GET /continuum/saveInstallation.action HTTP/1.1" 200 5765 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"

then change the variable in last code from :

Quote:

loghttp="/var/log/nginx/access.*"

to the directory where you are going to place this access file .

you also must edit the loghttps variable , change it to same location of loghttp .

then
at the end of last code write after the end of the function srvlog
and of course write

Quote:

#!/bin/bash

at the beginning of file .
after execution permissions and deffile in /def/definition.conf , everything will work fine with a minor issue of the colour code error in the bash script , but to avoid that just remove the -e switches from echo and the variables with the colour codes .