mandiant / citrix-ioc-scanner-cve-2023-3519


Script detects its own scanning process in logs and reports compromised

henrikmc opened this issue · comments

I get an output like this:

```
MATCH: denylisted content '#nssecret#'
Found evidence of potential compromise.
You should consider performing a forensic investigation of the system.
```

```
matches for '#nssecret#':
/var/log/notice.log
/var/nsproflog/newproflog_mgmtcpu
```

And it turns out it's found in the log files at the same time the scanner is running:

```
*** ps -eo pcpu,pid,user,args | sort -k1 -r | head -16 ***
%CPU   PID USER COMMAND
0.0  89518 root [grep]
0.0  89517 root perl -0ne chomp; print(unpack("H*", $_), "\n")
0.0  89516 root find -L / -type f ( -not -path /proc/* -and -not -regex /tmp/[0-9]\{10\}/.* ) -exec grep -lI --null -e #nssecret# {} +
0.0  89515 root bash /tmp/1692186142/ioc-scanner-CVE-2023-3519.sh -v
0.0  86485 root bash /tmp/1692186142/ioc-scanner-CVE-2023-3519.sh -v
0.0  86477 root bash scanner-cve-2023-3519.sh -v
0.0  86450 root -bash (bash)
0.0  86449 root login [pam] (login)
0.0  86446 root nscli
0.0   1613 root /usr/libexec/getty std.9600 ttyu0
0.0   1612 root /usr/libexec/getty Pc ttyv7
0.0   1611 root /usr/libexec/getty Pc ttyv6
0.0   1610 root /usr/libexec/getty Pc ttyv5
0.0   1609 root /usr/libexec/getty Pc ttyv4
0.0   1608 root /usr/libexec/getty Pc ttyv3
```

I can confirm this behaviour.

Thank you - this is a known false positive and will be addressed with release v1.1 shortly.

Fixed in v1.1 release
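The self-match described in this issue, and one way a scanner can avoid it, as an added illustration (this is not code from the Mandiant scanner and not its v1.1 fix): a denylist search that discards hits whose only occurrences sit on log lines that also record the scanner's own grep invocation. The sample files are constructed, and the assumed self-signature is the literal `grep -lI --null -e` from the process listing above.

```shell
#!/bin/sh
# Added illustration (not the Mandiant scanner's code, not its v1.1 fix):
# a denylist search that ignores hits caused only by the scanner's own
# command line having been written to a log. Assumption: the scanner's
# find/grep invocation always contains the literal "grep -lI --null -e".

# Build a constructed sample tree in a temp dir and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    # Constructed: the system log captured the scanner's own grep invocation.
    printf '%s\n' 'Aug 16 11:02:13 ns1 sh: find -L / -type f -exec grep -lI --null -e #nssecret# {} +' \
        > "$dir/notice.log"
    # Constructed: a file that genuinely contains the denylisted token.
    printf '%s\n' 'var x = "#nssecret#";' > "$dir/suspicious.php"
    printf '%s\n' 'nothing to see here' > "$dir/clean.txt"
    printf '%s' "$dir"
}

# Print files under $1 containing the literal token $2, excluding files whose
# only hits are on lines that also carry the scanner's own grep signature.
scan_denylist() {
    root=$1; token=$2
    selfsig='grep -lI --null -e'
    find "$root" -type f -exec grep -lIF -e "$token" {} + 2>/dev/null | sort |
    while IFS= read -r f; do
        # Hits that remain after discarding the scanner's own logged command line.
        n=$(grep -IF -e "$token" "$f" | grep -vF -e "$selfsig" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone demo: only the suspicious.php path should be printed,
# notice.log is skipped because its sole hit is the scanner's own command.
sample=$(make_sample_tree)
scan_denylist "$sample" '#nssecret#'
rm -rf "$sample"
```

Real audit logs can also record the scanner's temp directory path, so a production scanner would additionally exclude its own working directory, as the `-not -regex /tmp/[0-9]\{10\}/.*` clause in the listing above already does.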