diff --git a/lib/attack-signatures.sh b/lib/attack-signatures.sh
index b8dae77..b484de4 100644
--- a/lib/attack-signatures.sh
+++ b/lib/attack-signatures.sh
@@ -164,6 +164,9 @@ ATTACK_INCLUSION["lfi_proc"]="/proc/self/environ|/proc/self/fd||85||Process file
 ATTACK_WEBSHELL["known_shells"]="c99\\.php|r57\\.php|b374k|wso\\.php||95||Known webshell filename"
 ATTACK_WEBSHELL["known_shells2"]="shell\\.php|cmd\\.php|backdoor\\.php|webshell\\.php||95||Generic webshell filename"
 ATTACK_WEBSHELL["china_shells"]="caidao|chopper|godzilla|behinder||95||Chinese webshell"
+ATTACK_WEBSHELL["alfa_shell"]="alfa|alfanew|alfa-rex|alfacgiapi||95||Alfa Team webshell"
+ATTACK_WEBSHELL["common_shells"]="mini\\.php|phpspy|antichat|idx|indoxploit||95||Common webshells"
+ATTACK_WEBSHELL["suspicious_php"]="admin\\.php|wp-config\\.php|configuration\\.php.*\\?|index\\.php\\?||85||Suspicious PHP in wrong location"
 # Upload script abuse
 ATTACK_WEBSHELL["upload_shell"]="upload\\.php|uploader\\.php|file_upload\\.php||85||Upload script abuse"
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 1e91007..cad2086 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
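Review bot: The new `suspicious_php` entry scores 85 for `index\\.php\\?` and `admin\\.php`, which match routine requests on any PHP site (a front page with a query string, a stock admin page), and nothing in the pattern enforces the "wrong location" its description promises; in live-attack-monitor.sh that score is added to a rate score and auto-blocks at 90, so an ordinary busy client can reach the block threshold. The bare `alfa` and `idx` alternatives in `alfa_shell` and `common_shells` are likewise short unanchored substrings at 95 (`alfalfa`, `?idx=` parameters). Suggest limiting the 85-point entry to the config-file cases, `ATTACK_WEBSHELL["suspicious_php"]="wp-config\\.php|configuration\\.php.*\\?||85||Suspicious PHP in wrong location"`, and dropping or path-anchoring the bare tokens. The surrounding entries use `\\.` and `.*`, which suggests a regex matcher, but the exact flavour is not visible here, so the anchoring syntax needs checking against it.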
@@ -1705,34 +1705,39 @@ monitor_apache_logs() {
 update_ip_intelligence "$ip" "$url" "$user_agent" "$method"
 # Enhanced attack detection using ET Open signatures
+ local et_attack_score=0
+ local et_attack_types=""
+ local et_signatures=""
+ local et_rate_score=0
+
 if type analyze_http_log_line &>/dev/null; then
 local attack_result=$(analyze_http_log_line "$line" 2>/dev/null)
 if [ -n "$attack_result" ]; then
- local attack_score="${attack_result%%||*}"
- if [ "$attack_score" -gt 0 ]; then
+ et_attack_score="${attack_result%%||*}"
+ if [ "$et_attack_score" -gt 0 ]; then
 local temp="${attack_result#*||}"
- local attack_types="${temp%%||*}"
+ et_attack_types="${temp%%||*}"
 temp="${temp#*||}"
- local signatures="${temp%%||*}"
+ et_signatures="${temp%%||*}"
 # Record attack with higher score
- update_ip_intelligence "$ip" "$url|ET:$attack_types|$signatures" "attack" "HTTP"
+ update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
 # Check rate anomaly
 if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
 record_request "$ip"
 local rate_result=$(detect_rate_anomaly "$ip" 2>/dev/null)
- local rate_score="${rate_result%%||*}"
+ et_rate_score="${rate_result%%||*}"
 # Combine scores
- local combined_score=$((attack_score + rate_score))
+ local combined_score=$((et_attack_score + et_rate_score))
 [ "$combined_score" -gt 100 ] && combined_score=100
 # Auto-block critical attacks
 if [ "$combined_score" -ge 90 ]; then
- echo "[CRITICAL] Auto-blocking $ip (Score: $combined_score, Attacks: $attack_types)" >> "$TEMP_DIR/recent_events"
+ echo "[CRITICAL] Auto-blocking $ip (Score: $combined_score, Attacks: $et_attack_types)" >> "$TEMP_DIR/recent_events"
 if type quick_block_ip &>/dev/null; then
- quick_block_ip "$ip" "ET:$attack_types" &
+ quick_block_ip "$ip" "ET:$et_attack_types" &
 fi
 fi
 fi
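Review bot: `et_rate_score="${rate_result%%||*}"` overwrites the new `et_rate_score=0` default with whatever `detect_rate_anomaly` printed, and since its stderr is discarded and its status ignored, an empty or non-numeric result leaves `et_rate_score` empty; the `$((...))` in `combined_score` tolerates that, but the `[ "$et_rate_score" -gt 0 ]` test added in the next hunk then fails with an integer-expression error on every such record. The same applies to `et_attack_score="${attack_result%%||*}"`, which is only guarded by `-n` before the `-gt 0` test a line later. Suggest normalising both right after assignment, e.g. `[[ "$et_attack_score" =~ ^[0-9]+$ ]] || et_attack_score=0` and `[[ "$et_rate_score" =~ ^[0-9]+$ ]] || et_rate_score=0`. monitor_apache_logs begins before this hunk, so whether these `local` declarations sit inside its per-record loop (as the reset-per-line intent suggests) is not visible here.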
@@ -1747,22 +1752,40 @@ monitor_apache_logs() {
 # Determine if this is a threat
 local level=$(get_threat_level "$score")
- # Log all traffic with attacks, or score > 0, or suspicious bots
+ # Log all traffic with attacks, or score > 0, or suspicious bots, or ET detection
 # This ensures we see everything interesting, not just high scores
- if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then
+ if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ] || [ "$et_attack_score" -gt 0 ]; then
 local color=$(get_threat_color "$level")
 local time_str=$(date +"%H:%M:%S")
+ # Use ET score if higher than regular score
+ local display_score="$score"
+ if [ "$et_attack_score" -gt "$score" ]; then
+ display_score="$et_attack_score"
+ level=$(get_threat_level "$et_attack_score")
+ color=$(get_threat_color "$level")
+ fi
+
 # Build log line
 local log_line="${color}[${time_str}] $ip"
- log_line+=" | Score:$score [$level]"
+ log_line+=" | Score:$display_score [$level]"
+
+ # Show ET detection if found
+ if [ "$et_attack_score" -gt 0 ]; then
+ log_line+=" | 🛡️ET:$et_attack_types"
+ # Show rate info if elevated
+ if [ "$et_rate_score" -gt 0 ]; then
+ log_line+=" | 🌊Rate:+$et_rate_score"
+ fi
+ fi
 # Show bot type if interesting
 if [ "$bot_type" = "suspicious" ] || [ "$bot_type" = "ai" ]; then
 log_line+=" | Bot:$bot_type"
 fi
- if [ -n "$attacks" ]; then
+ # Show legacy attacks if no ET detection
+ if [ -n "$attacks" ] && [ "$et_attack_score" -eq 0 ]; then
 local first_attack=$(echo "$attacks" | cut -d',' -f1)
 local icon=$(get_attack_icon "$first_attack")
 log_line+=" | $icon$first_attack"
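Review bot: The `display_score` and recomputed `level` here come from `et_attack_score` alone, while the auto-block decision in the previous hunk used `et_attack_score + et_rate_score` capped at 100, so an IP just blocked as critical at 85+10 is printed with the level of 85 and only the `Rate:+` suffix hints at the difference. Suggest deriving the display from the same combined value: `local et_total=$((et_attack_score + et_rate_score))`, `[ "$et_total" -gt 100 ] && et_total=100`, and then using `$et_total` in place of `$et_attack_score` in the `display_score`/`level` block. The new `&& [ "$et_attack_score" -eq 0 ]` on the legacy branch also drops the legacy attack name whenever ET fired, so a line can no longer show both detections; if that is intended, a comment such as `# ET label supersedes the legacy signature name on the same line` would make it explicit. monitor_apache_logs starts and ends outside this hunk.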