Skip to main content

DefenseRobot

While the DefenseRobot is enabled by default, you can manually enable or disable it with the following command:

  • Enable: bitninjacli --module=DefenseRobot --enabled

  • Disable: bitninjacli --module=DefenseRobot --disabled

After enabling, the module will wait for events coming from the MalwareDetection module, e.g. when a malware has been found. With this information in hand, the module tries to find log lines related to the malware upload within the configured time window, which is 30 seconds before the malware is changed (ctime).

The default watched logs for this module is found in Shogun's LogDetector categories, which are collected in the following order:

  1. xferlog
  2. PureFtpd logs
  3. vsftpd logs
  4. Apache access logs
  5. Nginx access logs
  6. cPanel access logs
  7. Plesk access logs
  8. WAF access logs

These categories hold various techniques for detecting log files. E.g.: XferLog tries to detect and find log files at paths:

  • /var/log/proftpd/xferlog
  • /var/log/xferlog
  • /var/log/plesk/xferlog

If relevant information has been found in these log files, various actions can be performed using the correlation information.

These actions are the following (for now):

  • SendToShogun: Creates a BL_BN_LOG type incident with log only type. It will not challenge list IPs, but we'll have the information about the attacker. It's enabled by default.
  • LogToFile: Save the correlation information about the incident to /var/log/bitninja/correlations/YYYY/MM/DD/hh_mm_uniqid folder. It's enabled by default.
  • ChallengeList: Changes the SendToShogun action's incident level to a valid incident. The IPs will be challenge listed and the incident level will not be log only. It'll be enabled by default after the test period.
  • SaveUnFilteredLoglines: Saves every log line in the time window. E.g: HTTP access logs will contain GET, HEAD, PUT request lines too. IPs in these lines will not trigger any incidents, but it can help to find out what happened on the system during that time. It's disabled by default.
  • CollectUnWatchedLogs: SenseLog has other LogDetectors, like Auth, Exim, PostfixLogin. With this action these log lines will be collected too, but IPs found in them will not trigger any incidents. It's disabled by default.

New actions will be implemented in the near future.

These options can be changed in the module's configuration file which is located in /etc/bitninja/DefenseRobot/config.ini.

Configuration options

    [core]
time_window = 30

[actionManager]
actions[] = 'SendToShogun'
actions[] = 'LogToFile'
;actions[] = 'GreyList'
;actions[] = 'SaveUnFilteredLoglines'
;actions[] = 'CollectUnWatchedLogs'

;
; Change Control Panel/FTP user password
; Not Implemented yet
;
;actions[] = 'ChangePassword'
;
; Automatically WAF Honeypotify abused domain/uri
; Not Implemented yet
;
;actions[] = 'WAFHoneypotify'
warning

Don't forget to sync your local configuration to the cloud with bitninjacli --syncconfigs after you have changed any settings in the configuration file.

HowTo's

When the module is triggered and it finds something useful in the logs, the Agent will send a DefenseRobot type incident about the collected IPs and log lines. You can check these incidents under the Incidents menu in the Dashboard.

Incidents

Example:

Incident Content:

{
"correlated_logs": {
"pr_apacheaccess": "\nXXX.232.XX.242 - - [23\/Nov\/2023:06:14:44 +0330] \"POST \/wp-login.php HTTP\/1.1\" 302 0 \"https:\/\/example.com\/wp-login.php\" \"Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:94.0) Gecko\/20100101 Firefox\/94.0\""
},
"malware_uploaded": "\/home3\/bitninja\/public_html\/wp-content\/plugins\/__MACOSX\/elementor-pro\/modules\/flip-box\/widgets\/joNHpgYO.php",
"malware_name": "{SA-SNIPPET}File.s\/php\/bitninja_sa-md5\/5ffa2273ad0235ffa2273ad0.php.autovalidate.22538"
}

Now a new folder will be created at /var/log/bitninja/correlations/YYYY/MM/DD/hh_mm_uniqid.


ls -la /var/log/bitninja/correlations/2019/02/13/04_08_5c638a2c033ab/
összesen 24
drwx------ 2 root root 4096 febr 13 04:08 .
drwx------ 3 root root 4096 febr 13 04:08 ..
-rw------- 1 root root 144 febr 13 04:08 domains.txt
-rw------- 1 root root 13 febr 13 04:08 extracted_ip_ApacheAccess.txt
-rw------- 1 root root 746 febr 13 04:08 malware_info.txt
-rw------- 1 root root 396 febr 13 04:08 raw_ApacheAccess.log


/var/log/bitninja/correlations/2019/02/13/04_08_5c638a2c033ab# cat *
{
"\/home\/test\/web": {
"0": "example.com",
"2": "ftp.example.com",
"3": "www.example.com"
}
}
1.2.3.4
{
"user": "test",
"group": "test",
"rights": "0644",
"path": "\/home\/test\/web\/language\/administrator\/components\/com_admin\/views\/help\/tmpl\/x-max.php",
"dir": "\/home\/test\/web\/language\/administrator\/components\/com_admin\/views\/help\/tmpl",
"file_name": "x-max.php",
"malware_name": "{HEX}php.malware.magento.572",
"size": 18293,
"created": "2019-02-13 04:08:27",
"date_found": 1550027307,
"info_file_id": 17337,
"access_time": "2019-02-13 04:08:27",
"modification_time": "2019-02-13 04:08:27",
"file_hash": "27efac09763109655d7e35d9f6bd0705",
"quarantine": 1,
"honeypot": 1,
"quarantined_path": "\/var\/lib\/bitninja\/quarantine\/2019\/02\/13\/17337_x-max.php"
}
/var/log/access.log
example.com 1.2.3.4 - - [13/Feb/2019:04:08:26 +0100] "POST /language/administrator/components/com_admin/views/help/tmpl/common.php HTTP/1.1" 200 1220 "http://example.com/language/administrator/components/com_admin/views/help/tmpl/common.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36"

In the file domains.txt we can find the potentially affected domains, sorted by their web roots. By concatenating the document root and the uri in the post request, we can inspect the file being used for upload, like:

/home/test/web/language/administrator/components/com_admin/views/help/tmpl/common.php

After inspecting the file, we can make the following actions:

  • webhoneypotify with the following BitNinja Cli command:

    bitninjacli --webhoneypot --file=/path/to/file

tip

You can read more about the honeypot technique here: Web Honeypot

  • If the whole file is a malware, we can add it to our local md5 signature set with the following command:

    bitninjacli --add-file-to-signature-set=/path/to/malware

If an infection already happened, most of the time there are another infected files on the server as well. (Finding the ultimate malware detector is the Holy Grail of the industry.) But we can try to find files in the web root that have been changed recently to find additional infections. BitNinja Cli has a useful script for this:

/opt/bitninja/modules/Cli/scripts/find_recent_changed_file_in_dir.sh

When an account has been compromised it's a good place to start to list recently modified files:

  • First parameter should be the folder we want to search in.
  • Second parameter specifies the last x days in ctime for files that we want to investigate.
  • Third parameter is optional: if we don't specify it, the script will start finding modified files from where the modification time (ctime) is today, until the number of days specified in the second parameter. But if we specify a number here, it will start from "today minus x days" old files.

Example usage: find all files in /home directory, which have been modified in the last 30 days, but start with the ones that are older than 10 days.

The command is:

find_recent_changed_file_in_dir.sh /home 30 10

Running this script could produce results like the following:

/opt/bitninja/modules/Cli/scripts/find_recent_changed_file_in_dir.sh /home/test/web 10

    List files modified in the last 10 days!

### Modified 0 days ago:
### =====================
### format: file mime-type | stats (mtime ctime user group) | md5sum
text/x-php | 2019-02-13 15:46:41.727556356 +0100 2019-02-13 15:46:41.727556356 +0100 test test | 5791463245e719f288c3230723d2251f /home/test/web/index.php
text/x-php | 2019-02-13 12:29:51.910984794 +0100 2019-02-13 12:29:51.914984795 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/plugins/user/profile/fields/include.php
text/x-php | 2019-02-13 12:29:00.190982291 +0100 2019-02-13 12:29:00.194982291 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/administrator/components/com_xmap/models/fields/modal/config.php
text/x-php | 2019-02-13 12:29:00.790982320 +0100 2019-02-13 12:29:00.794982321 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/administrator/components/com_languages/models/forms/configure.php
text/x-php | 2019-02-13 12:29:01.098982335 +0100 2019-02-13 12:29:01.102982335 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/administrator/components/com_akeeba/sql/updates/sqlsrv/include.php
text/x-php | 2019-02-13 12:29:02.694982412 +0100 2019-02-13 12:29:02.698982413 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/administrator/templates/system/components.php
text/x-php | 2019-02-13 12:29:51.702984784 +0100 2019-02-13 12:29:51.706984785 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/modules/mod_psdn_moonphase/common.php
text/x-php | 2019-02-13 12:29:13.166982919 +0100 2019-02-13 12:29:13.170982919 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/components/com_mailto/views/sent/includes.php
text/plain | 2016-12-28 10:29:15.000000000 +0100 2019-02-13 10:29:15.790634587 +0100 test test | 529c4073205ec840b03cab91862b1508 /home/test/web/.htaccess
text/plain | 2019-02-13 13:21:35.915135019 +0100 2019-02-13 13:21:35.915135019 +0100 root root | a35e920b60833824ebd1eb609897e8a3 /home/test/web/google_hk_bot
text/x-php | 2019-02-13 12:29:49.814984693 +0100 2019-02-13 12:29:49.818984693 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/libraries/f0f/view/menus.php
text/x-php | 2019-02-13 12:29:50.106984707 +0100 2019-02-13 12:29:50.110984707 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/libraries/f0f/string/settings.php
text/x-php | 2019-02-13 12:38:12.683009030 +0100 2019-02-13 12:38:12.687009031 +0100 test test | ce965abb67fa10dbf9adeea08632d5ff /home/test/web/language/index.php
text/x-php | 2019-02-13 12:29:44.854984454 +0100 2019-02-13 12:29:44.862984453 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/language/administrator/modules/mod_menu/menus.php
text/x-php | 2019-02-13 12:29:45.238984471 +0100 2019-02-13 12:29:45.242984472 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/language/administrator/components/com_media/views/medialist/languages.php
text/x-php | 2018-09-03 12:29:45.000000000 +0200 2019-02-13 12:29:45.654984492 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/language/administrator/components/com_admin/views/help/tmpl/license
text/x-php | 2019-02-13 12:29:45.334984476 +0100 2019-02-13 12:29:45.338984476 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/language/administrator/components/com_admin/views/help/tmpl/common.php
text/x-php | 2019-02-13 10:33:58.194648254 +0100 2019-02-13 13:56:49.127237293 +0100 test test | 60a7e9a733a6ad5dbfa507338774d0f7 /home/test/web/language/administrator/components/com_admin/views/help/tmpl/yt9.php
text/x-php | 2019-02-13 12:29:45.578984488 +0100 2019-02-13 12:29:45.582984488 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/language/administrator/components/com_cache/views/cache/tmpl/admin-class.php
text/x-php | 2019-02-13 12:29:46.954984555 +0100 2019-02-13 12:29:46.958984556 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/language/installation/views/database/menus.php
text/x-php | 2019-02-13 12:29:52.946984845 +0100 2019-02-13 12:29:52.950984846 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/templates/art/index.php
text/x-php | 2019-02-13 12:29:52.986984846 +0100 2019-02-13 12:29:52.994984847 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/templates/art/data/cache.php
text/x-php | 2019-02-13 15:47:57.119560004 +0100 2019-02-13 15:47:57.123560005 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/img.php
text/x-php | 2019-02-13 12:29:50.762984739 +0100 2019-02-13 12:29:50.766984739 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/media/n2/ss3/plugins/widgetautoplay/image/configure.php
text/x-php | 2019-02-13 12:29:51.034984752 +0100 2019-02-13 12:29:51.038984752 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/media/editors/tinymce/jscripts/tiny_mce/plugins/advlist/cache.php
text/x-php | 2019-02-13 12:29:51.162984758 +0100 2019-02-13 12:29:51.166984758 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/media/editors/tinymce/jscripts/tiny_mce/plugins/advhr/css/menus.php
text/x-php | 2019-02-13 12:29:51.202984760 +0100 2019-02-13 12:29:51.206984760 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/common.php
text/x-php | 2019-02-13 12:29:51.294984765 +0100 2019-02-13 12:29:51.298984765 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb /home/test/web/media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/menus.php

Using this command could further help you finding the root cause of the infection or backdoors.