
Commit e56505e

committed
- Abstracting business logic
1 parent 058cd81 commit e56505e


1 file changed

+21
-28
lines changed


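--- a/internal/findCommonBackdoors.go
+++ b/internal/findCommonBackdoors.go
@@ -6,7 +6,6 @@ import (
 "io/fs"
 "os"
 "path/filepath"
-"regexp"
 "strings"
 )
 
@@ -43,7 +42,24 @@ func CheckCommonBackdoors(logger zerolog.Logger, detections chan<- Detection, wa
 result := false
 lineCheck:
 for _, line := range fileSlice {
-result = checkLineBackdoor(logger, detection, detections, line)
+detection.Metadata["Line"] = line
+detection.Name = "Webshell Pattern in Script File"
+result = checkWebshellContent(detection, detections, line)
+if result {
+break lineCheck
+}
+detection.Name = "Suspicious Pattern in Script File"
+result = checkSuspiciousContent(detection, detections, line)
+if result {
+break lineCheck
+}
+detection.Name = "IP Address Pattern in Script File"
+result = checkIPContent(detection, detections, line)
+if result {
+break lineCheck
+}
+detection.Name = "Domain Pattern in Script File"
+result = checkDomainContent(detection, detections, line)
 if result {
 break lineCheck
 }
@@ -63,31 +79,6 @@ func CheckCommonBackdoors(logger zerolog.Logger, detections chan<- Detection, wa
 }
 }
 
-func checkLineBackdoor(logger zerolog.Logger, detection Detection, detections chan<- Detection, lineContent string) bool {
-detection.Metadata["Line"] = lineContent
-for _, pattern := range suspiciousPatterns {
-if helpers.SearchStringContains(lineContent, pattern) {
-detection.Name = "Suspicious Pattern in Script"
-detection.Metadata["Pattern"] = pattern
-detections <- detection
-return true
-}
-}
-ipv4Match, _ := regexp.MatchString(ipv4Regex+`|`+ipv6Regex, lineContent)
-if ipv4Match {
-detection.Name = "IP Address Pattern in Script"
-detections <- detection
-return true
-}
-domainMatch, _ := regexp.MatchString(domainRegex, lineContent)
-if domainMatch {
-detection.Name = "Domain Pattern in Script"
-detections <- detection
-return true
-}
-return false
-}
-
 func getBackdoorFiles(logger zerolog.Logger) {
 backdoorDirs := []string{
 "/etc/update-motd.d",
@@ -105,10 +96,12 @@ func getBackdoorFiles(logger zerolog.Logger) {
 } else {
 backdoorDirs = append(backdoorDirs, f1...)
 }
-
 for _, path := range backdoorDirs {
 filepath.WalkDir(path, walkf)
 }
+commonBackdoorFiles = append(commonBackdoorFiles, "/etc/at.allow")
+commonBackdoorFiles = append(commonBackdoorFiles, "/etc/at.deny")
+commonBackdoorFiles = append(commonBackdoorFiles, "/etc/doas.conf")
 }
 
 func walkf(s string, d fs.DirEntry, err error) error {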
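Review bot: The new loop body in CheckCommonBackdoors (second hunk, new lines 45-62) repeats the same set-Name / call checker / `if result { break lineCheck }` triplet four times, so adding or reordering a check means copying another five lines and keeping the Name string in step with the call by hand; a small table of (name, checker) pairs iterated inside the line loop keeps the order explicit in one place and makes a fifth check a one-line addition. The rewrite below keeps the `result =` assignment because `result` is declared on context line 42 and may be read after the loop, which ends outside this hunk, and it assumes the four helpers share the `(Detection, chan<- Detection, string) bool` shape their call sites suggest — confirm against their definitions. In the fourth hunk the three single-element appends to commonBackdoorFiles can likewise be one call, `commonBackdoorFiles = append(commonBackdoorFiles, "/etc/at.allow", "/etc/at.deny", "/etc/doas.conf")`.
```go
// Ordered per-line checks; the first hit wins and ends scanning of this file.
lineChecks := []struct {
	name  string
	check func(Detection, chan<- Detection, string) bool
}{
	{"Webshell Pattern in Script File", checkWebshellContent},
	{"Suspicious Pattern in Script File", checkSuspiciousContent},
	{"IP Address Pattern in Script File", checkIPContent},
	{"Domain Pattern in Script File", checkDomainContent},
}
lineCheck:
for _, line := range fileSlice {
	detection.Metadata["Line"] = line
	for _, lc := range lineChecks {
		detection.Name = lc.name
		if result = lc.check(detection, detections, line); result {
			break lineCheck
		}
	}
	// … unchanged: remainder of the per-line loop body …
```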
