Fix ET Open detection display in live monitor + add more webshell signatures

Issues fixed:
1. ET detection was running but not displaying results
   - Detection ran, but its results were only stored in the intelligence DB
   - The display showed the old attack detection instead
   - Now shows ET detection with 🛡️ icon and attack types
   - Shows rate anomaly score with 🌊 icon when elevated

2. Added more webshell signatures:
   - alfa/alfa-rex/alfanew (Alfa Team shells)
   - mini.php, phpspy, antichat, idx, indoxploit
   - Suspicious PHP files in wrong locations (admin.php in wp-includes, etc.)

Display format changes:
- Old: [01:25:35] 194.5.82.127 | Score:100 [CRITICAL] | 85 | /alfa-rex.php
- New: [01:25:35] 194.5.82.127 | Score:100 [CRITICAL] | 🛡️ET:WEBSHELL,TRAVERSAL | /alfa-rex.php

Features:
- Uses ET score if higher than legacy score
- Shows both ET detection and legacy detection when appropriate
- Rate flooding adds to combined score
- Auto-blocks at combined score ≥90

Tested:
- alfa-rex.php: Score 100, WEBSHELL detected 
- admin.php: Score 100, WEBSHELL detected 
- ws.php7: Score 95, UPLOAD detected 
- All syntax validated 
cschantz
2025-12-13 02:18:54 -05:00
parent e8b3acb2f4
commit ad5587c89e
2 changed files with 39 additions and 13 deletions
+3
@@ -164,6 +164,9 @@ ATTACK_INCLUSION["lfi_proc"]="/proc/self/environ|/proc/self/fd||85||Process file
ATTACK_WEBSHELL["known_shells"]="c99\\.php|r57\\.php|b374k|wso\\.php||95||Known webshell filename"
ATTACK_WEBSHELL["known_shells2"]="shell\\.php|cmd\\.php|backdoor\\.php|webshell\\.php||95||Generic webshell filename"
ATTACK_WEBSHELL["china_shells"]="caidao|chopper|godzilla|behinder||95||Chinese webshell"
ATTACK_WEBSHELL["alfa_shell"]="alfa|alfanew|alfa-rex|alfacgiapi||95||Alfa Team webshell"
ATTACK_WEBSHELL["common_shells"]="mini\\.php|phpspy|antichat|idx|indoxploit||95||Common webshells"
ATTACK_WEBSHELL["suspicious_php"]="admin\\.php|wp-config\\.php|configuration\\.php.*\\?|index\\.php\\?||85||Suspicious PHP in wrong location"
# Upload script abuse
ATTACK_WEBSHELL["upload_shell"]="upload\\.php|uploader\\.php|file_upload\\.php||85||Upload script abuse"
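Review bot: The added `suspicious_php` pattern does not check location at all — `admin\\.php` matches any admin.php and `index\\.php\\?` matches every index.php request that carries a query string, which on a WordPress or Joomla host is ordinary traffic, so the 85 points (plus any rate score) will put legitimate visitors over the auto-block threshold. The description says "admin.php in wp-includes"; anchoring on the directory makes the rule say that, e.g. `ATTACK_WEBSHELL["suspicious_php"]="wp-includes/[^/?]*\\.php||85||PHP script requested under wp-includes"`. The same concern applies to the bare `alfa` in `alfa_shell`, which already subsumes the other three alternatives and hits any URL containing that substring, and to `idx` in `common_shells`, a common query-parameter name; `alfa(new|-rex)?\\.php|alfacgiapi` and dropping the bare `idx` would still produce the tested alfa-rex.php hit. How these patterns are applied (which matcher, case handling, whether they are anchored to the path) is outside this hunk, so I cannot confirm here whether anything else narrows them.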
+36 -13
@@ -1705,34 +1705,39 @@ monitor_apache_logs() {
update_ip_intelligence "$ip" "$url" "$user_agent" "$method"
# Enhanced attack detection using ET Open signatures
local et_attack_score=0
local et_attack_types=""
local et_signatures=""
local et_rate_score=0
if type analyze_http_log_line &>/dev/null; then
local attack_result=$(analyze_http_log_line "$line" 2>/dev/null)
if [ -n "$attack_result" ]; then
local attack_score="${attack_result%%||*}"
if [ "$attack_score" -gt 0 ]; then
et_attack_score="${attack_result%%||*}"
if [ "$et_attack_score" -gt 0 ]; then
local temp="${attack_result#*||}"
local attack_types="${temp%%||*}"
et_attack_types="${temp%%||*}"
temp="${temp#*||}"
local signatures="${temp%%||*}"
et_signatures="${temp%%||*}"
# Record attack with higher score
update_ip_intelligence "$ip" "$url|ET:$attack_types|$signatures" "attack" "HTTP"
update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
# Check rate anomaly
if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
record_request "$ip"
local rate_result=$(detect_rate_anomaly "$ip" 2>/dev/null)
local rate_score="${rate_result%%||*}"
et_rate_score="${rate_result%%||*}"
# Combine scores
local combined_score=$((attack_score + rate_score))
local combined_score=$((et_attack_score + et_rate_score))
[ "$combined_score" -gt 100 ] && combined_score=100
# Auto-block critical attacks
if [ "$combined_score" -ge 90 ]; then
echo "[CRITICAL] Auto-blocking $ip (Score: $combined_score, Attacks: $attack_types)" >> "$TEMP_DIR/recent_events"
echo "[CRITICAL] Auto-blocking $ip (Score: $combined_score, Attacks: $et_attack_types)" >> "$TEMP_DIR/recent_events"
if type quick_block_ip &>/dev/null; then
quick_block_ip "$ip" "ET:$attack_types" &
quick_block_ip "$ip" "ET:$et_attack_types" &
fi
fi
fi
@@ -1747,22 +1752,40 @@ monitor_apache_logs() {
# Determine if this is a threat
local level=$(get_threat_level "$score")
# Log all traffic with attacks, or score > 0, or suspicious bots
# Log all traffic with attacks, or score > 0, or suspicious bots, or ET detection
# This ensures we see everything interesting, not just high scores
if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then
if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ] || [ "$et_attack_score" -gt 0 ]; then
local color=$(get_threat_color "$level")
local time_str=$(date +"%H:%M:%S")
# Use ET score if higher than regular score
local display_score="$score"
if [ "$et_attack_score" -gt "$score" ]; then
display_score="$et_attack_score"
level=$(get_threat_level "$et_attack_score")
color=$(get_threat_color "$level")
fi
# Build log line
local log_line="${color}[${time_str}] $ip"
log_line+=" | Score:$score [$level]"
log_line+=" | Score:$display_score [$level]"
# Show ET detection if found
if [ "$et_attack_score" -gt 0 ]; then
log_line+=" | 🛡️ET:$et_attack_types"
# Show rate info if elevated
if [ "$et_rate_score" -gt 0 ]; then
log_line+=" | 🌊Rate:+$et_rate_score"
fi
fi
# Show bot type if interesting
if [ "$bot_type" = "suspicious" ] || [ "$bot_type" = "ai" ]; then
log_line+=" | Bot:$bot_type"
fi
if [ -n "$attacks" ]; then
# Show legacy attacks if no ET detection
if [ -n "$attacks" ] && [ "$et_attack_score" -eq 0 ]; then
local first_attack=$(echo "$attacks" | cut -d',' -f1)
local icon=$(get_attack_icon "$first_attack")
log_line+=" | $icon$first_attack"