
CVE 2019-19781 Verification Tool



Hi All,

 

Just wondering if someone can quickly guide me on how to best run this verification tool on our MPX 8200s. I've downloaded the package from GitHub and also the Python file. The Python method gives me an error:

C:\WINDOWS\system32>python C:\Test\Check-CVE-2019-19781\check-cve-2019-19781.py --in_file in.txt --out_file out.txt
Traceback (most recent call last):
  File "C:\Test\Check-CVE-2019-19781\check-cve-2019-19781.py", line 89, in <module>
    get_ip_from_txt(ip_file)
  File "C:\Test\Check-CVE-2019-19781\check-cve-2019-19781.py", line 20, in get_ip_from_txt
    with open(filename, 'r') as f:
FileNotFoundError: [Errno 2] No such file or directory: 'in.txt'

 

As far as the bash file/IOC Scanner method, I'm not sure how to exactly run that on the Netscalers. Do I SSH in and then run the commands? 

$ sudo bash ./ioc-scanner-CVE-2019-19781-v1.0.sh > "/tmp/results-$(date).txt"

 

Any help/suggestions would be much appreciated!


Hi,

 

I had a very similar error (but on Linux), that I fixed by running it with Python3.

Are you able to run it from an actual Linux system? I spun up a free t2.nano with a CentOS AMI on AWS for this.

 

With regards to your other question:


Yes, the procedure is to run that from the shell. Here are the steps:

  1. Upload the script with SFTP to the Netscaler, using the nsroot account details
  2. Connect to the Netscaler with SSH, using the nsroot account details
  3. Open a shell by executing the command "shell"
  4. CD to the folder where you put the ioc-scanner-CVE-2019-19781-v1.0.sh file
  5. Chmod 744 the ioc-scanner-CVE-2019-19781-v1.0.sh file
  6. Execute the file with the command ./ioc-scanner-CVE-2019-19781-v1.0.sh > "/tmp/results-$(date).txt"
  7. SFTP the result file back to your system if needed
  8. Clean up the script file

 

Best,

 

Koenraad


22 minutes ago, Koenraad Willems said:

Ah Sweet! That's exactly what I was looking for!

 

I was able to do the above however the Chmod 744 via Shell errored with "command not found".  I was able to run the script by skipping but the results file came back empty. I'm guessing it's because of permissions? Also do you know how long this scan should take?


1 hour ago, Sukhwant Singh1709160818 said:

Did you type "Chmod 744"? Because it's actually "chmod 744"; Linux is case sensitive. I had put it in the list with a capital C because it was the beginning of the sentence, sorry for the confusion.
You can run the command without the > /tmp/results-$(date).txt part and then it will display the results on the screen. Then, if you want to save the result, just copy/paste it from the SSH session.

The scan takes about a minute, it's not doing a very deep inspection, but looking for high level stuff that would indicate a possible intrusion.

 

Best,

 

Koenraad


Just now, Koenraad Willems said:

I was actually able to get it to work while SSHed into the Netscaler and using bash. I don't see anything else that pops up in the result file other than the below. Not sure how else to interpret the results:

 

log file: //var/log/notice.log.0.gz
  first entry: Jan 28 19:00:00 newsyslog[4058]: logfile turned over due to size>100K
  last entry: Jan 28 20:00:00  newsyslog[5902]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   5.3k Jan 28 20:00 //var/log/notice.log.0.gz
  md5: MD5 (//var/log/notice.log.0.gz)
log file: //var/log/notice.log
  first entry: Jan 28 20:00:00  newsyslog[5902]: logfile turned over due to size>100K
  last entry: Jan 28 20:28:27 <local7.notice> bash[6808]: (null) on /dev/pts/0 shell_command="report "log file: $logfile""
  metadata: -rw-r--r--  1 root  wheel   150k Jan 28 20:28 //var/log/notice.log
  md5: MD5 (//var/log/notice.log)
 


26 minutes ago, Koenraad Willems said:

No, I just uploaded the script, but I used this one:

https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/download/v1.2/ioc-scanner-CVE-2019-19781-v1.2.sh

 

I see you have v1.0, so that might be the issue.

 

I ran that one on multiple Netscalers and didn't get an error on any of them.

 

Best,

 

Koenraad

Thank you sir! This worked! Unfortunately looks like the appliances have been compromised. Would a factory default and then restore from clean backup be the best way to move forward in your opinion?

 

Thanks for all your help today! @Koenraad Willems


Hi,

 

You're welcome, and sorry to hear about the possible compromise.

Wiping the Netscalers would eliminate the possible compromise on the Netscalers itself, yes.

But, depending on what the actual compromise is/was, it is possible that the rest of your network, or whatever is reachable from the Netscaler, is at risk too. Especially if a backdoor was installed.

So it would make sense to look into that, or have a specialised company look into it.

 

Best,

 

Koenraad


So is this the expected output when it's working?

 

[info]: here we go...
[info]: 
[info]: 
[info]: The tool will now look for unexpected cron history entries.
[info]: 
[info]: 
[info]: The tool will now look for known paths to malware files.
[info]: 
[info]: 
[info]: The tool will now scan for unexpected listening ports.
[info]: 
[info]: 
[info]: The tool will now scan for unexpected processes.
[info]: 
[info]: 
[info]: The tool will now scan for unexpected crontab entries.
[info]: 
[info]: 
[info]: The tool will now search web server logs for exploitation.
[info]: 
[info]: 
[info]: The tool will now search error logs for post-exploitation.
[info]: 
[info]: 
[info]: The tool will now scan NetScaler directories for unexpected content.
[info]: 
[info]: done.

 

 

I'm assuming nothing means I'm good, but I'm also wondering if it's working correctly.


  • 3 weeks later...

Hi,

 

I also ran the ioc tool (btw there's a 1.3 version available) and my VPX/network appears to be compromised too... Bad news.

But, as I've just installed, and not even configured, a brand new VPX v13.0.47.24 appliance, I've also run the tool on it to compare. And it states that I'm at risk also. So, I don't know what to think now.   :-(

 

Yan

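A point worth checking before wiping anything: in the scanner report posted further down in this thread, every line under "matches for '/tmp/.init/httpd'" is a shell_command="..." entry whose content is the scanner's own code (declare -a notrobin_paths ... report_match ...). NetScaler records each command executed in the shell into /var/log/bash.log and /var/log/notice.log, so once the scanner has been run on a box, its own source lines, blacklisted paths included, sit in the very logs the next run greps. That is one way a freshly installed appliance can report "Evidence of compromise found: Yes" after a second run. The helper below is an added example written for this thread, not FireEye's tool or any Citrix code. It parses a scanner report, keeps the SUMMARY fields, and splits the MATCH entries into those that are merely the scanner echoed back from the command log and those that still need a human look. The self-marker names (report_match, notrobin_paths, $root_directory) are taken from the report text quoted in the thread, and the sample report embedded in the block is constructed for the example.

```python
"""Triage the MATCH blocks of a FireEye ioc-scanner-CVE-2019-19781 report.

Added example for this thread, not the scanner's own code. It separates
matches that are only a previous scanner run echoed back from the NetScaler
shell-command log from matches that still need human review.
"""
import re
from dataclasses import dataclass

# Tokens that occur only in the scanner's own shell code. NetScaler writes
# every command run in the shell as a shell_command="..." entry in
# /var/log/bash.log and /var/log/notice.log, so a prior scanner run leaves
# its own source (including the blacklisted paths) in the logs the next run
# searches. Assumption: these names are taken from the report quoted in this
# thread; a newer scanner version may need additional markers.
SCANNER_SELF_MARKERS = ("report_match", "notrobin_paths", "$root_directory")

MATCH_HEADER = re.compile(r"^MATCH: blacklisted content '(?P<ioc>[^']+)'")
MATCH_LINE = re.compile(r"^/+(?P<path>[^:]+):(?P<entry>.*)$")
SUMMARY_LINE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<value>.*)$")
SUMMARY_KEYS = {"Hostname", "NS version", "Scanner version",
                "Evidence of compromise found"}


@dataclass
class Hit:
    ioc: str              # blacklisted string the scanner matched
    logfile: str          # log file the matching entry came from
    entry: str            # raw log entry as printed by the scanner
    self_generated: bool  # True when the entry is the scanner's own command


def parse_summary(text):
    """Pick the SUMMARY fields out of the report header."""
    summary = {}
    for line in text.splitlines():
        m = SUMMARY_LINE.match(line.strip())
        if m and m.group("key").strip() in SUMMARY_KEYS:
            summary[m.group("key").strip()] = m.group("value").strip()
    return summary


def parse_matches(text):
    """Collect every '<file>:<entry>' line that follows a MATCH header."""
    hits, ioc = [], None
    for line in text.splitlines():
        header = MATCH_HEADER.match(line)
        if header:
            ioc = header.group("ioc")
            continue
        if line.startswith("Please review"):   # text that closes a match block
            ioc = None
            continue
        if ioc is None:
            continue
        m = MATCH_LINE.match(line)
        if not m:
            continue
        entry = m.group("entry")
        self_generated = ("shell_command=" in entry
                          and any(k in entry for k in SCANNER_SELF_MARKERS))
        hits.append(Hit(ioc, "/" + m.group("path"), entry, self_generated))
    return hits


def triage(text):
    """Return the summary plus the hits split by whether a human must look."""
    hits = parse_matches(text)
    return {
        "summary": parse_summary(text),
        "self_generated": [h for h in hits if h.self_generated],
        "needs_review": [h for h in hits if not h.self_generated],
    }


# Constructed sample report in the scanner's output format: two entries are
# the scanner's own logged code, one is a constructed operator command.
SAMPLE_REPORT = r"""
**********************************************************************
SUMMARY:
Hostname                              : NSVPX-LAB
NS version                            : 13.0-47.24
Scanner version                       : v1.2-29-gac821c4
Evidence of compromise found          : Yes
**********************************************************************
**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/bash.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX-LAB bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX-LAB bash[2158]: (null) on /dev/pts/0 shell_command="for notrobin_path in "${notrobin_paths[@]}"; do if [ -f "$root_directory/$notrobin_path" ]; then report_match "$notrobin_path, known path to NOTROBIN artifact."; fi; done"
///var/log/bash.log.12.gz:Feb 21 20:37:03 <local7.notice> NSVPX-LAB bash[2990]: (null) on /dev/pts/0 shell_command="ls -la /tmp/.init/httpd"
Please review the above shell history entries for unexpected activity.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("summary:", result["summary"])
    for h in result["self_generated"]:
        print("scanner self-match (previous run):", h.logfile)
    for h in result["needs_review"]:
        print("NEEDS REVIEW:", h.logfile, h.entry)
```

Feed it the saved results file (the /tmp/results-... file from the steps above) and review only the needs_review entries. An empty needs_review list removes the circular evidence but does not prove the box is clean: the stronger signal is the scanner's own filesystem check (scanners/fs-paths.sh in the loading list), which reports whether the blacklisted path actually exists on disk, and a report whose only matches are log echoes of earlier scanner runs is exactly what a clean appliance looks like after the scanner has been run on it more than once.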

Hi Koenraad,

 

Here's the VPX's configuration which is in production. Upgraded to 13.0 a few days ago. (I only replaced a few details):

**********************************************************************
SUMMARY:
Date                                  : Sat Feb 22 18:24:57 AST 2020
Hostname                              : NSVPX
IP                                    : 10.110.0.42
NS version                            : 13.0-47.24
Scanner version                       : v1.2-29-gac821c4
Scanner run mode                      : Default
Evidence of compromise found          : Yes
Evidence of scanning found            : N/A - Script Executed in Default Mode
Evidence of failed exploitation found : N/A - Script Executed in Default Mode
**********************************************************************

this script: /tmp/1582410297/ioc-scanner-CVE-2019-19781.sh 4f4534a6c19410a210d02d542cdcd555
root_directory: /
whoami: root
uname: FreeBSD NSVPX 8.4-NETSCALER-13.0 FreeBSD 8.4-NETSCALER-13.0 #0: Mon Jan 20 06:12:19 PST 2020     root@sjc-bsd84-24:/usr/obj/home/build/rs_130_47_10_RTM/usr.src/sys/NS64  amd64
hostname: NSVPX
date: Sat Feb 22 18:24:57 AST 2020
log file: //var/log/bash.log.9.gz
  first entry: Feb 21 23:00:00 NSVPX newsyslog[1846]: logfile turned over due to size>100K
  last entry: Feb 22 00:00:01 NSVPX newsyslog[5004]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    15k Feb 22 00:00 //var/log/bash.log.9.gz
  md5: e4b63f76cae0270f1ae5d41e6dd9d34c:
log file: //var/log/bash.log.8.gz
  first entry: Feb 22 00:00:01 NSVPX newsyslog[5004]: logfile turned over due to size>100K
  last entry: Feb 22 02:00:00 NSVPX newsyslog[7931]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 02:00 //var/log/bash.log.8.gz
  md5: cd7d5a91fa78f9e6993c44d76edd2ba5:
log file: //var/log/bash.log.7.gz
  first entry: Feb 22 02:00:00 NSVPX newsyslog[7931]: logfile turned over due to size>100K
  last entry: Feb 22 04:00:00 NSVPX newsyslog[10852]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 04:00 //var/log/bash.log.7.gz
  md5: 2f16e77413b126e56fa5b2e0ca87fb77:
log file: //var/log/bash.log.6.gz
  first entry: Feb 22 04:00:00 NSVPX newsyslog[10852]: logfile turned over due to size>100K
  last entry: Feb 22 06:00:00 NSVPX newsyslog[13773]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 06:00 //var/log/bash.log.6.gz
  md5: 98d335b71f569d4841015404271f97e0:
log file: //var/log/bash.log.5.gz
  first entry: Feb 22 06:00:00 NSVPX newsyslog[13773]: logfile turned over due to size>100K
  last entry: Feb 22 08:00:00 NSVPX newsyslog[16686]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 08:00 //var/log/bash.log.5.gz
  md5: ea7df3b90a54cab5e3e3da10004abd30:
log file: //var/log/bash.log.4.gz
  first entry: Feb 22 08:00:00 NSVPX newsyslog[16686]: logfile turned over due to size>100K
  last entry: Feb 22 10:00:00 NSVPX newsyslog[19599]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 10:00 //var/log/bash.log.4.gz
  md5: bd9e4e9721a18dc61b7056c76b373545:
log file: //var/log/bash.log.3.gz
  first entry: Feb 22 10:00:00 NSVPX newsyslog[19599]: logfile turned over due to size>100K
  last entry: Feb 22 12:00:00 NSVPX newsyslog[22516]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 12:00 //var/log/bash.log.3.gz
  md5: 449fec8275efc9972bc4d5f5de2202e1:
log file: //var/log/bash.log.2.gz
  first entry: Feb 22 12:00:00 NSVPX newsyslog[22516]: logfile turned over due to size>100K
  last entry: Feb 22 14:00:00 NSVPX newsyslog[25432]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 14:00 //var/log/bash.log.2.gz
  md5: 48e4bc4344beb0ed371050e5f5652342:
log file: //var/log/bash.log.16.gz
  first entry: Feb 21 16:09:04 <local7.notice> NSVPX bash[1065]: root on /dev/console shell_command="exec 2>&1 >>/var/log/wicmd.log"
  last entry: Feb 21 17:00:00 NSVPX newsyslog[1581]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   7.4k Feb 21 17:00 //var/log/bash.log.16.gz
  md5: 0511f90c234ceb302033bdebfce3c39f:
log file: //var/log/bash.log.15.gz
  first entry: Feb 21 17:00:00 NSVPX newsyslog[1581]: logfile turned over due to size>100K
  last entry: Feb 21 18:00:00 NSVPX newsyslog[2147]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    10k Feb 21 18:00 //var/log/bash.log.15.gz
  md5: 38ed54d239b9114269fd67cab0fb5ca2:
log file: //var/log/bash.log.14.gz
  first entry: Feb 21 18:00:00 NSVPX newsyslog[2147]: logfile turned over due to size>100K
  last entry: Feb 21 19:00:00 NSVPX newsyslog[1412]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    43k Feb 21 19:00 //var/log/bash.log.14.gz
  md5: 7228ac157296abbe5e5beccab878527f:
log file: //var/log/bash.log.13.gz
  first entry: Feb 21 19:00:00 NSVPX newsyslog[1412]: logfile turned over due to size>100K
  last entry: Feb 21 20:00:00 NSVPX newsyslog[2317]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    11k Feb 21 20:00 //var/log/bash.log.13.gz
  md5: a3eefa0ad7ea21c18c61a4dba9abae69:
log file: //var/log/bash.log.12.gz
  first entry: Feb 21 20:00:00 NSVPX newsyslog[2317]: logfile turned over due to size>100K
  last entry: Feb 21 21:00:00 NSVPX newsyslog[1687]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    11k Feb 21 21:00 //var/log/bash.log.12.gz
  md5: 784f587767c4127a88cb0b4450467172:
log file: //var/log/bash.log.11.gz
  first entry: Feb 21 21:00:00 NSVPX newsyslog[1687]: logfile turned over due to size>100K
  last entry: Feb 21 22:00:00 NSVPX newsyslog[1580]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    11k Feb 21 22:00 //var/log/bash.log.11.gz
  md5: d553e03269a7bc43d3adeb149a31bce5:
log file: //var/log/bash.log.10.gz
  first entry: Feb 21 22:00:00 NSVPX newsyslog[1580]: logfile turned over due to size>100K
  last entry: Feb 21 23:00:00 NSVPX newsyslog[1846]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    39k Feb 21 23:00 //var/log/bash.log.10.gz
  md5: ebeaeadd22347933efdc5c2e07fada74:
log file: //var/log/bash.log.1.gz
  first entry: Feb 22 14:00:00 NSVPX newsyslog[25432]: logfile turned over due to size>100K
  last entry: Feb 22 16:00:00 NSVPX newsyslog[28344]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 16:00 //var/log/bash.log.1.gz
  md5: 54b9a5673bdaac687a4bc7534e2ebf7a:
log file: //var/log/bash.log.0.gz
  first entry: Feb 22 16:00:00 NSVPX newsyslog[28344]: logfile turned over due to size>100K
  last entry: Feb 22 18:00:00 NSVPX newsyslog[31264]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   3.8k Feb 22 18:00 //var/log/bash.log.0.gz
  md5: 47e351f8420005cd8289352ee267ef04:
log file: //var/log/bash.log
  first entry: Feb 22 18:00:00 NSVPX newsyslog[31264]: logfile turned over due to size>100K
  last entry: Feb 22 18:24:57 <local7.notice> NSVPX bash[31877]: (null) on /dev/pts/0 shell_command="report "log file: $logfile""
  metadata: -rw-r--r--  1 root  wheel    70k Feb 22 18:24 //var/log/bash.log
  md5: e93b1f0ec31bbd69cd439b8af1f5797b:
log file: //var/log/notice.log.9.gz
  first entry: Feb 21 23:00:00 NSVPX newsyslog[1846]: logfile turned over due to size>100K
  last entry: Feb 22 00:00:01 NSVPX newsyslog[5004]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    16k Feb 22 00:00 //var/log/notice.log.9.gz
  md5: 86df2cd32a6a75e6345807510c2fe91f:
log file: //var/log/notice.log.8.gz
  first entry: Feb 22 00:00:01 NSVPX newsyslog[5004]: logfile turned over due to size>100K
  last entry: Feb 22 02:00:00 NSVPX newsyslog[7931]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   5.2k Feb 22 02:00 //var/log/notice.log.8.gz
  md5: 2fd2ed3b990551011c2ac1bb7377ccef:
log file: //var/log/notice.log.7.gz
  first entry: Feb 22 02:00:00 NSVPX newsyslog[7931]: logfile turned over due to size>100K
  last entry: Feb 22 04:00:00 NSVPX newsyslog[10852]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   4.8k Feb 22 04:00 //var/log/notice.log.7.gz
  md5: e61eea460507d55459fc67be60dbe3ac:
log file: //var/log/notice.log.6.gz
  first entry: Feb 22 04:00:00 NSVPX newsyslog[10852]: logfile turned over due to size>100K
  last entry: Feb 22 06:00:00 NSVPX newsyslog[13773]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   4.8k Feb 22 06:00 //var/log/notice.log.6.gz
  md5: ae73702f3621eca248dc2d540a32b53a:
log file: //var/log/notice.log.5.gz
  first entry: Feb 22 06:00:00 NSVPX newsyslog[13773]: logfile turned over due to size>100K
  last entry: Feb 22 08:00:00 NSVPX newsyslog[16686]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   4.8k Feb 22 08:00 //var/log/notice.log.5.gz
  md5: 2f472c90721d897d1bc3a3cdbb6e23f0:
log file: //var/log/notice.log.4.gz
  first entry: Feb 22 08:00:00 NSVPX newsyslog[16686]: logfile turned over due to size>100K
  last entry: Feb 22 10:00:00 NSVPX newsyslog[19599]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel     5k Feb 22 10:00 //var/log/notice.log.4.gz
  md5: bf0d0e381cac5a399c6e2618f5a7a998:
log file: //var/log/notice.log.3.gz
  first entry: Feb 22 10:00:00 NSVPX newsyslog[19599]: logfile turned over due to size>100K
  last entry: Feb 22 12:00:00 NSVPX newsyslog[22516]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   5.0k Feb 22 12:00 //var/log/notice.log.3.gz
  md5: d9aa60b57a5b2a1cbe6f14ea033cdf93:
log file: //var/log/notice.log.2.gz
  first entry: Feb 22 12:00:00 NSVPX newsyslog[22516]: logfile turned over due to size>100K
  last entry: Feb 22 14:00:00 NSVPX newsyslog[25432]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   4.8k Feb 22 14:00 //var/log/notice.log.2.gz
  md5: 8a302a0863bfe2b109d95c5d11060a50:
log file: //var/log/notice.log.16.gz
  first entry: Feb 21 16:08:50 <kern.crit> NSVPX kernel: reboot initiated by init with parent kernel
  last entry: Feb 21 17:00:00 NSVPX newsyslog[1581]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    15k Feb 21 17:00 //var/log/notice.log.16.gz
  md5: 5b08adf2ca8add2fcad1635751986984:
log file: //var/log/notice.log.15.gz
  first entry: Feb 21 17:00:00 NSVPX newsyslog[1581]: logfile turned over due to size>100K
  last entry: Feb 21 18:00:00 NSVPX newsyslog[2147]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    11k Feb 21 18:00 //var/log/notice.log.15.gz
  md5: 82ddcc106bb8b7accf6698011346d98f:
log file: //var/log/notice.log.14.gz
  first entry: Feb 21 18:00:00 NSVPX newsyslog[2147]: logfile turned over due to size>100K
  last entry: Feb 21 19:00:00 NSVPX newsyslog[1412]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    54k Feb 21 19:00 //var/log/notice.log.14.gz
  md5: cf291ea42719ca4598848b7e11567ba3:
log file: //var/log/notice.log.13.gz
  first entry: Feb 21 19:00:00 NSVPX newsyslog[1412]: logfile turned over due to size>100K
  last entry: Feb 21 20:00:00 NSVPX newsyslog[2317]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    21k Feb 21 20:00 //var/log/notice.log.13.gz
  md5: 0b45651a64de1ce529571bf5dc89bfca:
log file: //var/log/notice.log.12.gz
  first entry: Feb 21 20:00:00 NSVPX newsyslog[2317]: logfile turned over due to size>100K
  last entry: Feb 21 21:00:00 NSVPX newsyslog[1687]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    22k Feb 21 21:00 //var/log/notice.log.12.gz
  md5: 1e1e7477c87847a7fd4a6bfd8ca71cc6:
log file: //var/log/notice.log.11.gz
  first entry: Feb 21 21:00:00 NSVPX newsyslog[1687]: logfile turned over due to size>100K
  last entry: Feb 21 22:00:00 NSVPX newsyslog[1580]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    22k Feb 21 22:00 //var/log/notice.log.11.gz
  md5: 5aea0dd1d6886087770f7e83f4d34d92:
log file: //var/log/notice.log.10.gz
  first entry: Feb 21 22:00:00 NSVPX newsyslog[1580]: logfile turned over due to size>100K
  last entry: Feb 21 23:00:00 NSVPX newsyslog[1846]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel    50k Feb 21 23:00 //var/log/notice.log.10.gz
  md5: ecfdbde89516bfacf837b649d52bd153:
log file: //var/log/notice.log.1.gz
  first entry: Feb 22 14:00:00 NSVPX newsyslog[25432]: logfile turned over due to size>100K
  last entry: Feb 22 16:00:00 NSVPX newsyslog[28344]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel     5k Feb 22 16:00 //var/log/notice.log.1.gz
  md5: c41d8ee2e5685faf3412f6748945d23d:
log file: //var/log/notice.log.0.gz
  first entry: Feb 22 16:00:00 NSVPX newsyslog[28344]: logfile turned over due to size>100K
  last entry: Feb 22 18:00:00 NSVPX newsyslog[31264]: logfile turned over due to size>100K
  metadata: -rw-r--r--  1 root  wheel   4.8k Feb 22 18:00 //var/log/notice.log.0.gz
  md5: 471ad92de1da2b02eccf43e792153ccb:
log file: //var/log/notice.log
  first entry: Feb 22 18:00:00 NSVPX newsyslog[31264]: logfile turned over due to size>100K
  last entry: Feb 22 18:24:57 <local7.notice> NSVPX bash[31877]: (null) on /dev/pts/0 shell_command="report "log file: $logfile""
  metadata: -rw-r--r--  1 root  wheel    95k Feb 22 18:24 //var/log/notice.log
  md5: dc47042c7b2088d018cc9acdc49ee6eb:
log file: //var/log/httpaccess.log.3.gz
  first entry: x.x.x.x - - [21/Feb/2020:16:09:14 -0400] "GET / HTTP/1.1" 302 - "http://10.110.0.42/menu/neo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
  last entry: Feb 21 19:00:00 NSVPX newsyslog[1412]: logfile turned over due to size>100K
  metadata: -rw-------  1 root  wheel    10k Feb 21 19:00 //var/log/httpaccess.log.3.gz
  md5: 09609fe199acb143647778a2e01bdb12:
log file: //var/log/httpaccess.log.2.gz
  first entry: Feb 21 19:00:00 NSVPX newsyslog[1412]: logfile turned over due to size>100K
  last entry: 127.0.0.2 - - [21/Feb/2020:20:59:27 -0400] "GET /admin_ui/rdx/core/images/save_alert.png HTTP/1.1" 200 1474 "http://10.110.0.42/menu/neo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
  metadata: -rw-------  1 root  wheel    10k Feb 21 21:00 //var/log/httpaccess.log.2.gz
  md5: 3b05e8339921bcc790e5f422a8162277:
log file: //var/log/httpaccess.log.1.gz
  first entry: 127.0.0.2 - - [21/Feb/2020:21:00:11 -0400] "GET /menu/neo HTTP/1.1" 200 19531 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"
  last entry: 127.0.0.2 - - [21/Feb/2020:22:59:26 -0400] "GET /vpn/index.html HTTP/1.1" 200 3674 "-" "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" "Time: 663 microsecs"
  metadata: -rw-------  1 root  wheel   8.6k Feb 21 23:00 //var/log/httpaccess.log.1.gz
  md5: f6029f932b59bad3b5378c475c57ef37:
log file: //var/log/httpaccess.log.0.gz
  first entry: 127.0.0.2 - - [21/Feb/2020:23:00:03 -0400] "GET /vpn/index.html HTTP/1.1" 200 3674 "https://__exthostname__/Citrix/__deliveryGroup__/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0" "Time: 1169 microsecs"
  last entry: 127.0.0.2 - - [22/Feb/2020:15:59:26 -0400] "GET /vpn/index.html HTTP/1.1" 200 3674 "-" "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" "Time: 777 microsecs"
  metadata: -rw-------  1 root  wheel   5.2k Feb 22 16:00 //var/log/httpaccess.log.0.gz
  md5: dbbb29a1772bcb72e83e3a67ded3c841:
log file: //var/log/httpaccess.log
  first entry: 127.0.0.2 - - [22/Feb/2020:16:04:26 -0400] "GET /vpn/index.html HTTP/1.1" 200 3674 "-" "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" "Time: 1490 microsecs"
  last entry: 127.0.0.2 - - [22/Feb/2020:18:24:26 -0400] "GET /vpn/index.html HTTP/1.1" 200 3674 "-" "Mozilla/5.0 (compatible; PRTG Network Monitor (www.paessler.com); Windows)" "Time: 546 microsecs"
  metadata: -rw-------  1 root  wheel    12k Feb 22 18:24 //var/log/httpaccess.log
  md5: d421c74950f5684fa1063b081b19fe74:
log file: //var/log/httperror.log.0.gz
  first entry: [Fri Feb 21 16:08:51 2020] [info] PAM: mod_auth_pam/2.0-1.1
  last entry: [Fri Feb 21 21:00:01.938729 2020] [mpm_prefork:notice] [pid 974] AH00171: Graceful restart requested, doing restart
  metadata: -rw-------  1 root  wheel   3.7k Feb 21 21:00 //var/log/httperror.log.0.gz
  md5: af6e48919faf466ae28a8ce54f474ab4:
log file: //var/log/httperror.log
  first entry: [Fri Feb 21 21:00:02.983578 2020] [:info] [pid 974] PAM: mod_auth_pam/2.0-1.1
  last entry: [Sat Feb 22 16:00:02.112130 2020] [core:notice] [pid 974] AH00094: Command line: '/bin/httpd -f /etc/httpd.conf'
  metadata: -rw-------  1 root  wheel   3.6k Feb 22 16:00 //var/log/httperror.log
  md5: b5f7bb3fa770fcb9acd5984fd6a58502:
loading: scanners/fs-paths.sh (f5c5bfdb008a7b7603c22d3adfee83bb)
loading: scanners/ports.sh (7e2cc1ba013e12fecd17fa402a5a8550)
loading: scanners/processes.sh (73c8e5fda42bfa87d57b6d757d5039f1)
loading: scanners/crontab.sh (a3c8fce1f0c2b0109ca3911a095c6888)
loading: scanners/access-logs.sh (a8fe54ed6cca6a20adea04dbf1f518b3)
loading: scanners/error-logs.sh (ce24233668d12f28afaab2dd680b34c5)
loading: scanners/netscaler-content.sh (8dd394a499de767b2a22eb1b1a60e824)
loading: scanners/shell-history.sh (f2f66fd2c40edf8867bb2c5abbc81d00)
loading: scanners/cron-history.sh (408e0f43255f4ba984570f2e245dbcce)
loading: scanners/successful-scanning.sh (127df65be370ad3dfaa1408fb58494c1)
loading: scanners/failed-exploitation.sh (50283631654a4a2ab7c4a93710613600)

**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/bash.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log.10.gz:Feb 21 22:20:59 <local7.notice> NSVPX bash[3835]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log.10.gz:Feb 21 22:20:59 <local7.notice> NSVPX bash[3835]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.10.gz:Feb 21 22:20:59 <local7.notice> NSVPX bash[3835]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log.14.gz:Feb 21 18:01:52 <local7.notice> NSVPX bash[2164]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log.14.gz:Feb 21 18:01:52 <local7.notice> NSVPX bash[2164]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.14.gz:Feb 21 18:01:52 <local7.notice> NSVPX bash[2164]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log.14.gz:Feb 21 18:02:35 <local7.notice> NSVPX bash[2493]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log.14.gz:Feb 21 18:02:35 <local7.notice> NSVPX bash[2493]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.14.gz:Feb 21 18:02:35 <local7.notice> NSVPX bash[2493]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log.14.gz:Feb 21 18:11:29 <local7.notice> NSVPX bash[4029]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log.14.gz:Feb 21 18:11:29 <local7.notice> NSVPX bash[4029]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.14.gz:Feb 21 18:11:29 <local7.notice> NSVPX bash[4029]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log.15.gz:Feb 21 17:51:11 <local7.notice> NSVPX bash[1806]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log.15.gz:Feb 21 17:51:11 <local7.notice> NSVPX bash[1806]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log.15.gz:Feb 21 17:51:11 <local7.notice> NSVPX bash[1806]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
Please review the above shell history entries for unexpected activity.
They match signatures commonly associated with post-exploitation;
however, this may overlap with legitimate system administration.
If you recognize the commands as something you typed, then you can probably ignore them.
For example, reviewing '/etc/passwd' to manage users may be valid in your environment.

**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/notice.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log.10.gz:Feb 21 22:19:44 <local7.notice> NSVPX bash[2158]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log.10.gz:Feb 21 22:20:59 <local7.notice> NSVPX bash[3835]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log.10.gz:Feb 21 22:20:59 <local7.notice> NSVPX bash[3835]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log.10.gz:Feb 21 22:20:59 <local7.notice> NSVPX bash[3835]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log.14.gz:Feb 21 18:01:52 <local7.notice> NSVPX bash[2164]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log.14.gz:Feb 21 18:01:52 <local7.notice> NSVPX bash[2164]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log.14.gz:Feb 21 18:01:52 <local7.notice> NSVPX bash[2164]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log.14.gz:Feb 21 18:02:35 <local7.notice> NSVPX bash[2493]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log.14.gz:Feb 21 18:02:35 <local7.notice> NSVPX bash[2493]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log.14.gz:Feb 21 18:02:35 <local7.notice> NSVPX bash[2493]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log.14.gz:Feb 21 18:11:29 <local7.notice> NSVPX bash[4029]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log.14.gz:Feb 21 18:11:29 <local7.notice> NSVPX bash[4029]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log.14.gz:Feb 21 18:11:29 <local7.notice> NSVPX bash[4029]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log.15.gz:Feb 21 17:51:11 <local7.notice> NSVPX bash[1806]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log.15.gz:Feb 21 17:51:11 <local7.notice> NSVPX bash[1806]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log.15.gz:Feb 21 17:51:11 <local7.notice> NSVPX bash[1806]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
Please review the above shell history entries for unexpected activity.
They match signatures commonly associated with post-exploitation;
however, this may overlap with legitimate system administration.
If you recognize the commands as something you typed, then you can probably ignore them.
For example, reviewing '/etc/passwd' to manage users may be valid in your environment.

**********************************************************************
MATCH: crontab file for user 'nobody': /var/cron/tabs/nobody
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************

**********************************************************************
MATCH: incorrect file permissions
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
files with permissions 644:
///var/vpn/bookmark/nsroot.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="nsroot" />
///var/vpn/bookmark/PIHi6kgF.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="PIHi6kgF" />
///var/vpn/bookmark/hwcklcIx.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="hwcklcIx" />
///var/vpn/bookmark/dWWXOG74.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="dWWXOG74" />
///var/vpn/bookmark/pwnpzi1337.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="pwnpzi1337" />
///var/vpn/bookmark/lGbHoB3M.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="lGbHoB3M" />
///var/vpn/bookmark/R3UG0OBfH.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="R3UG0OBfH" />
///var/vpn/bookmark/K0Nfc5lsk.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="K0Nfc5lsk" />
///var/vpn/bookmark/iDZ6NWB9.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="iDZ6NWB9" />
///var/vpn/bookmark/MaE40HCN.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="MaE40HCN" />
///var/vpn/bookmark/ScNar9dw.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="ScNar9dw" />
///var/vpn/bookmark/Iz5II3Fm.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="Iz5II3Fm" />
///var/vpn/bookmark/G761c0BJ.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="G761c0BJ" />
///var/vpn/bookmark/we3Go3yR.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="we3Go3yR" />
///var/vpn/bookmark/Wc9qZ12t.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="Wc9qZ12t" />
///var/vpn/bookmark/kaCU9hxc.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="kaCU9hxc" />
///var/vpn/bookmark/ykjIGQrX.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="ykjIGQrX" />
///var/vpn/bookmark/PkqXf0Zm.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="PkqXf0Zm" />
///var/vpn/bookmark/48MnqTbD.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="48MnqTbD" />
///var/vpn/bookmark/p8XukZTXxh.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="p8XukZTXxh" />
///var/vpn/bookmark/X8Stkb9b.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="X8Stkb9b" />
///var/vpn/bookmark/x.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="x" />
///var/vpn/bookmark/0LNchFTh.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="0LNchFTh" />
///var/vpn/bookmark/vmm9gOIhD.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="vmm9gOIhD" />
///var/vpn/bookmark/ueyjrDdQ.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="ueyjrDdQ" />
///var/vpn/bookmark/uQL9NwkR.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="uQL9NwkR" />
///var/vpn/bookmark/SKCOplnt.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="SKCOplnt" />
///var/vpn/bookmark/fazWTbO6.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="fazWTbO6" />
///var/vpn/bookmark/oDOE1p1V.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="oDOE1p1V" />
///var/vpn/bookmark/BseP6WMy.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="BseP6WMy" />
///var/vpn/bookmark/0sq5z1Cs.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="0sq5z1Cs" />
///var/vpn/bookmark/GSaHr7t6.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="GSaHr7t6" />
///var/vpn/bookmark/cNqhX3L9.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="cNqhX3L9" />
///var/vpn/bookmark/I3lYUVvr.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="I3lYUVvr" />
///var/vpn/bookmark/f4chvB3GJZ.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="f4chvB3GJZ" />
///var/vpn/bookmark/tvQtqLWN.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="tvQtqLWN" />
///var/vpn/bookmark/pwnpzi133.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="pwnpzi133" />
///var/vpn/bookmark/zkCpx6BE.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="zkCpx6BE" />
///var/vpn/bookmark/Sc2m26S5.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="Sc2m26S5" />
///var/vpn/bookmark/BOvowFWt.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="BOvowFWt" />
///var/vpn/bookmark/NTNlmYN0.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="NTNlmYN0" />
///var/vpn/bookmark/Iw.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="Iw" />
///var/vpn/bookmark/6smpyLDd.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="6smpyLDd" />
///var/vpn/bookmark/5FBKVqFy.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="5FBKVqFy" />
///var/vpn/bookmark/AAxRwNYS.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="AAxRwNYS" />
///var/vpn/bookmark/YuCXSaHojF.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="YuCXSaHojF" />
///var/vpn/bookmark/DjqikdVI.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="DjqikdVI" />
///var/vpn/bookmark/citrix2019.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="citrix2019" />
///var/vpn/bookmark/pzHthmXu.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="pzHthmXu" />
///var/vpn/bookmark/66218b02.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="66218b02" />
///var/vpn/bookmark/175a3164.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="175a3164" />
///var/vpn/bookmark/5e35e131.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="5e35e131" />
///var/vpn/bookmark/42f1e7c3.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="42f1e7c3" />
///var/vpn/bookmark/99827616.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="99827616" />
///var/vpn/bookmark/732d2099.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="732d2099" />
///var/vpn/bookmark/53c9daa9.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="53c9daa9" />
///var/vpn/bookmark/02235af2.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="02235af2" />
///var/vpn/bookmark/bf1f3ebf.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="bf1f3ebf" />
///var/vpn/bookmark/3e487671.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="3e487671" />
///var/vpn/bookmark/e87e64ef.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="e87e64ef" />
///var/vpn/bookmark/12802dcb.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="12802dcb" />
///var/vpn/bookmark/9a0b3b99.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="9a0b3b99" />
///var/vpn/bookmark/4d1454e9.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="4d1454e9" />
///var/vpn/bookmark/b4ff54e0.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="b4ff54e0" />
///var/vpn/bookmark/20457bb6.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="20457bb6" />
///var/vpn/bookmark/15d2add5.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="15d2add5" />
///var/vpn/bookmark/2478e2a0.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="2478e2a0" />
///var/vpn/bookmark/0c807c8f.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="0c807c8f" />
///var/vpn/bookmark/179c4d4d.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="179c4d4d" />
///var/vpn/bookmark/0dd57621.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="0dd57621" />
///var/vpn/bookmark/d510bfe8.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="d510bfe8" />
///var/vpn/bookmark/7532f71d.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="7532f71d" />
///var/vpn/bookmark/255e2089.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="255e2089" />
///var/vpn/bookmark/f3cc43b0.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="f3cc43b0" />
///var/vpn/bookmark/8114717e.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="8114717e" />
///var/vpn/bookmark/1f4f5432.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="1f4f5432" />
///var/vpn/bookmark/0d2a8fc1.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="0d2a8fc1" />
///var/vpn/bookmark/c5abfaf4.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="c5abfaf4" />
///var/vpn/bookmark/fdb711c1.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="fdb711c1" />
///var/vpn/bookmark/98f9212f.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="98f9212f" />
///var/vpn/bookmark/837ac257.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="837ac257" />
///var/vpn/bookmark/f442cbc5.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="f442cbc5" />
///var/vpn/bookmark/8df59e65.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="8df59e65" />
///var/vpn/bookmark/moltebolt.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="moltebolt" />
///var/vpn/bookmark/fca9b0e9.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="fca9b0e9" />
///var/vpn/bookmark/cb2decbd.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="cb2decbd" />
///var/vpn/bookmark/79bbc3de.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="79bbc3de" />
///var/vpn/bookmark/396fc89b.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="396fc89b" />
///var/vpn/bookmark/56394bae.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="56394bae" />
///var/vpn/bookmark/61ba6eb4.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="61ba6eb4" />
///var/vpn/bookmark/a2d517d3.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="a2d517d3" />
///var/vpn/bookmark/87a1e406.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="87a1e406" />
///var/vpn/bookmark/bd2d9a7f.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="bd2d9a7f" />
///var/vpn/bookmark/d64684d7.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="d64684d7" />
///var/vpn/bookmark/d51ebb4f.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="d51ebb4f" />
///var/vpn/bookmark/9e45c439.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="9e45c439" />
///var/vpn/bookmark/36ffa380.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="36ffa380" />
///var/vpn/bookmark/d134e3ea.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="d134e3ea" />
///var/vpn/bookmark/d2c34cbb.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="d2c34cbb" />
///var/vpn/bookmark/e0dc3f9d.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="e0dc3f9d" />
///var/vpn/bookmark/d9ec9d6c.xml
contents:
<?xml version="1.0" encoding="UTF-8"?>
<user username="d9ec9d6c" />
Please review the above paths for any unexpected files.
Exploits commonly write to files with these permissions;
however, customization of a Citrix NetScaler environment may cause false positives in the above list.
For example, '/var/vpn/bookmark/[legitimate-username].xml' may be valid in your environment.

**********************************************************************
MATCH: blacklisted content 'eval([^h][^a][^n]'
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for 'eval([^h][^a][^n]':
///var/vpn/themes/admin.php

**********************************************************************
MATCH: incorrect file permissions
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
files with permissions 644:
///var/vpn/themes/admin.php
Please review the above paths for any unexpected files.
Exploits commonly write to files with these permissions;
however, customization of a Citrix NetScaler environment may cause false positives in the above list.
For example, '/var/vpn/bookmark/[legitimate-username].xml' may be valid in your environment.

end of report.

>>>>>>>

And here's the brand new VPX, only configured with LAN IP and NSIP IP. The log is shorter but still mentions that the device is at risk.

<<<<<<<<

**********************************************************************
SUMMARY:
Date                                  : Sat Feb 22 18:49:37 AST 2020
Hostname                              : NSVPXCSP
IP                                    : 10.110.0.110
NS version                            : 13.0-47.24
Scanner version                       : v1.2-29-gac821c4
Scanner run mode                      : Default
Evidence of compromise found          : Yes
Evidence of scanning found            : N/A - Script Executed in Default Mode
Evidence of failed exploitation found : N/A - Script Executed in Default Mode
**********************************************************************

this script: /tmp/1582411777/ioc-scanner-CVE-2019-19781.sh 4f4534a6c19410a210d02d542cdcd555
root_directory: /
whoami: root
uname: FreeBSD NSVPXCSP 8.4-NETSCALER-13.0 FreeBSD 8.4-NETSCALER-13.0 #0: Mon Jan 20 06:12:19 PST 2020     root@sjc-bsd84-24:/usr/obj/home/build/rs_130_47_10_RTM/usr.src/sys/NS64  amd64
hostname: NSVPXCSP
date: Sat Feb 22 18:49:37 AST 2020
log file: //var/log/bash.log
  first entry: Feb 22 22:13:25 <local7.notice> ns bash[1168]: root on /dev/console shell_command="if [ -z "$1" ]; then     echo "Please do not try to run this script manually!"; exit; fi"
  last entry: Feb 22 18:49:37 <local7.notice> NSVPXCSP bash[1588]: (null) on /dev/pts/0 shell_command="report "log file: $logfile""
  metadata: -rw-------  1 root  wheel   2.4M Feb 22 18:49 //var/log/bash.log
  md5: daac415d8f3ddefacaff4ef4638041e6:
log file: //var/log/notice.log
  first entry: Feb 22 22:11:52 <kern.crit> ns kernel: Copyright (c) 1992-2013 The FreeBSD Project.
  last entry: Feb 22 18:49:37 <local7.notice> NSVPXCSP bash[1588]: (null) on /dev/pts/0 shell_command="report "log file: $logfile""
  metadata: -rw-------  1 root  wheel   2.6M Feb 22 18:49 //var/log/notice.log
  md5: f364d6e895ed0c3b661668b763780be5:
log file: //var/log/httpaccess.log
  first entry: 10.110.8.1 - - [22/Feb/2020:22:15:30 +0000] "GET / HTTP/1.1" 200 19456 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" "Time: 35733 microsecs"
  last entry: 10.110.8.1 - - [22/Feb/2020:18:48:26 -0400] "GET /admin_ui/rdx/core/images/save_alert.png HTTP/1.1" 200 1474 "https://10.110.0.110/menu/neo" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0" "Time: 439 microsecs"
  metadata: -rw-r--r--  1 root  wheel    82k Feb 22 18:48 //var/log/httpaccess.log
  md5: 43991d298633b22f5adb1c46f4555014:
log file: //var/log/httperror.log
  first entry: [Sat Feb 22 22:11:53.040142 2020] [:info] [pid 982] PAM: mod_auth_pam/2.0-1.1
  last entry: [Sat Feb 22 18:47:42.321491 2020] [core:notice] [pid 973] AH00094: Command line: '/bin/httpd -f /etc/httpd.conf'
  metadata: -rw-r--r--  1 root  wheel   2.4k Feb 22 18:47 //var/log/httperror.log
  md5: 7413bed02b98356c0930fa01fb9f4231:
loading: scanners/fs-paths.sh (f5c5bfdb008a7b7603c22d3adfee83bb)
loading: scanners/ports.sh (7e2cc1ba013e12fecd17fa402a5a8550)
loading: scanners/processes.sh (73c8e5fda42bfa87d57b6d757d5039f1)
loading: scanners/crontab.sh (a3c8fce1f0c2b0109ca3911a095c6888)
loading: scanners/access-logs.sh (a8fe54ed6cca6a20adea04dbf1f518b3)
loading: scanners/error-logs.sh (ce24233668d12f28afaab2dd680b34c5)
loading: scanners/netscaler-content.sh (8dd394a499de767b2a22eb1b1a60e824)
loading: scanners/shell-history.sh (f2f66fd2c40edf8867bb2c5abbc81d00)
loading: scanners/cron-history.sh (408e0f43255f4ba984570f2e245dbcce)
loading: scanners/successful-scanning.sh (127df65be370ad3dfaa1408fb58494c1)
loading: scanners/failed-exploitation.sh (50283631654a4a2ab7c4a93710613600)

**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/bash.log:Feb 22 22:19:11 <local7.notice> ns bash[1744]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log:Feb 22 22:19:11 <local7.notice> ns bash[1744]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 22 22:19:11 <local7.notice> ns bash[1744]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log:Feb 22 22:20:40 <local7.notice> ns bash[3241]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log:Feb 22 22:20:40 <local7.notice> ns bash[3241]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 22 22:20:40 <local7.notice> ns bash[3241]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log:Feb 22 22:36:16 <local7.notice> ns bash[4373]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log:Feb 22 22:36:16 <local7.notice> ns bash[4373]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 22 22:36:16 <local7.notice> ns bash[4373]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/bash.log:Feb 22 22:36:23 <local7.notice> ns bash[5108]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log:Feb 22 22:36:23 <local7.notice> ns bash[5108]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 22 22:36:23 <local7.notice> ns bash[5108]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
Please review the above shell history entries for unexpected activity.
They match signatures commonly associated with post-exploitation;
however, this may overlap with legitimate system administration.
If you recognize the commands as something you typed, then you can probably ignore them.
For example, reviewing '/etc/passwd' to manage users may be valid in your environment.

**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/notice.log:Feb 22 22:19:11 <local7.notice> ns bash[1744]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log:Feb 22 22:19:11 <local7.notice> ns bash[1744]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log:Feb 22 22:19:11 <local7.notice> ns bash[1744]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log:Feb 22 22:20:40 <local7.notice> ns bash[3241]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log:Feb 22 22:20:40 <local7.notice> ns bash[3241]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log:Feb 22 22:20:40 <local7.notice> ns bash[3241]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log:Feb 22 22:36:16 <local7.notice> ns bash[4373]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log:Feb 22 22:36:16 <local7.notice> ns bash[4373]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log:Feb 22 22:36:16 <local7.notice> ns bash[4373]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log:Feb 22 22:36:23 <local7.notice> ns bash[5108]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log:Feb 22 22:36:23 <local7.notice> ns bash[5108]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/notice.log:Feb 22 22:36:23 <local7.notice> ns bash[5108]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
Please review the above shell history entries for unexpected activity.
They match signatures commonly associated with post-exploitation;
however, this may overlap with legitimate system administration.
If you recognize the commands as something you typed, then you can probably ignore them.
For example, reviewing '/etc/passwd' to manage users may be valid in your environment.

end of report.
 

>>>>>>>>>>>

 


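The shell-history entries the scanner flagged in the report above are its own NOTROBIN path check being recorded in /var/log/notice.log (the logged shell_command text calls the scanner's own report_match function), which is exactly the "may overlap with legitimate activity" caveat the report states. As an added example that is not part of the original thread or of the IOC scanner project, the script below parses notice.log lines in the format quoted above, separates entries that are the scanner's own code from entries that still need a human look, and groups the repeated fragments the appliance logs for one bash process under one pid. The sample log is constructed: two lines are copied from the report format above, and the third ("cat /etc/passwd") is a hypothetical entry added to show a line that would land in the review list. The marker names used to recognise the scanner's own commands (report_match, notrobin_paths, root_directory) are taken from the logged text above and are an assumption for other scanner versions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample in the format the IOC scanner quotes from /var/log/notice.log.
# The first two lines mirror the scanner's own NOTROBIN check; the third is a
# hypothetical entry added so that one line ends up needing review.
SAMPLE_LOG = """\
///var/log/notice.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/notice.log:Feb 22 22:20:08 <local7.notice> ns bash[2500]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
///var/log/notice.log:Feb 23 09:14:02 <local7.notice> ns bash[6120]: (null) on /dev/pts/0 shell_command="cat /etc/passwd"
"""

# Identifiers that only appear in the scanner's own bash functions (assumption:
# taken from the logged text above; extend for other scanner versions).
SCANNER_MARKERS = ("report_match", "notrobin_paths", "root_directory")

# One notice.log line: file prefix, syslog timestamp, facility, bash pid, tty info,
# then the logged command. Inner quotes in the command are not escaped, so the
# command is everything up to the final double quote on the line.
LINE_RE = re.compile(
    r'^(?P<file>/+[^:]+):'
    r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'<(?P<facility>[^>]+)> ns bash\[(?P<pid>\d+)\]: '
    r'(?P<tty>.*?) shell_command="(?P<cmd>.*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one logged shell command, or None if the line
    is not in the expected notice.log format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_scanner_self_reference(cmd: str) -> bool:
    """True when the logged command is a fragment of the IOC scanner itself."""
    return any(marker in cmd for marker in SCANNER_MARKERS)


def triage(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Split parsed entries into the scanner's own noise and entries a
    reviewer should look at. Fragments logged under the same bash pid are
    collapsed to one record carrying the longest (outermost) command."""
    by_pid: Dict[str, Dict[str, str]] = {}
    fragments = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        fragments[entry["pid"]] += 1
        kept = by_pid.get(entry["pid"])
        if kept is None or len(entry["cmd"]) > len(kept["cmd"]):
            by_pid[entry["pid"]] = entry

    result: Dict[str, List[Dict[str, str]]] = {"scanner_self": [], "review": []}
    for pid, entry in by_pid.items():
        entry["fragments"] = str(fragments[pid])
        bucket = "scanner_self" if is_scanner_self_reference(entry["cmd"]) else "review"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for bucket, entries in report.items():
        print(f"== {bucket} ({len(entries)}) ==")
        for e in entries:
            print(f"{e['ts']} pid={e['pid']} fragments={e['fragments']} {e['cmd'][:60]}")
```

Run it against a copy of the scanner's report text instead of SAMPLE_LOG to get the same split for a real appliance; anything in the review bucket is what the report's "please review" sentence is actually asking you to check, while the scanner_self bucket can be ignored as the scanner observing itself.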