DefenseRobot

If you want to use the DefenseRobot module, you first have to activate it with the following command:

bitninjacli --module=DefenseRobot --enabled

After enabling, the module waits for events coming from the MalwareDetection module, e.g. when malware has been found. With this information in hand, the module tries to find log lines related to the malware upload within the configured time window, which is the 30 seconds before the malware file's change time (ctime).

The default watched logs for this module are found in SenseLog's LogDetector categories, which are collected in the following order:

  1. xferlog
  2. PureFtpd logs
  3. vsftpd logs
  4. Apache access logs
  5. Nginx access logs
  6. cPanel access logs
  7. Plesk access logs
  8. WAF access logs

These categories hold various techniques for detecting log files. E.g. XferLog tries to detect and find log files at the following paths:

  • /var/log/proftpd/xferlog
  • /var/log/xferlog
  • /var/log/plesk/xferlog

If relevant information has been found in these log files, various actions can be performed using the correlation information.

These actions are the following (for now):

  • SendToShogun: Creates a BL_BN_LOG type incident with log-only type. It will not greylist IPs, but we'll have the information about the attacker. It's enabled by default.
  • LogToFile: Saves the correlation information about the incident to the /var/log/bitninja/correlations/YYYY/MM/DD/hh_mm_uniqid folder. It's enabled by default.
  • GreyList: Changes the SendToShogun action's incident level to a valid incident. The IPs will be greylisted and the incident level will no longer be log-only. It'll be enabled by default after the test period.
  • SaveUnFilteredLoglines: Saves every log line in the time window. E.g. HTTP access logs will contain GET, HEAD and PUT request lines too. IPs in these lines will not trigger any incidents, but they can help to find out what happened on the system during that time. It's disabled by default.
  • CollectUnWatchedLogs: SenseLog has other LogDetectors, like Auth, Exim, PostfixLogin. With this action, those log lines are collected too, but IPs found in them will not trigger any incidents. It's disabled by default.

New actions will be implemented in the near future.

These options can be changed in the module's configuration file, which is located at /etc/bitninja/DefenseRobot/config.ini.

Configuration options

[core]
time_window = 30

[actionManager]
actions[] = 'SendToShogun'
actions[] = 'LogToFile'
;actions[] = 'GreyList'
;actions[] = 'SaveUnFilteredLoglines'
;actions[] = 'CollectUnWatchedLogs'

;
; Change Control Panel/FTP user password
; Not Implemented yet
;
;actions[] = 'ChangePassword'
;
; Automatically WAF Honeypotify abused domain/uri
; Not Implemented yet
;
;actions[] = 'WAFHoneypotify'

HowTos

When the module is triggered and it finds something useful in the logs, the Agent will send a BL_BN_LOG type incident about the collected IPs and log lines. You can check these incidents under the Network Attacks menu in the Dashboard.

[Image: Network Attacks log incidents (defense_robot_network_attacks_log_incidents.jpg)]

Example:

[Image: example DefenseRobot incident (defense_robot_example_incident.jpg)]

Now a new folder will be created at: /var/log/bitninja/correlations/YYYY/MM/DD/hh_mm_uniqid

ls -la /var/log/bitninja/correlations/2019/02/13/04_08_5c638a2c033ab/
összesen 24
drwx------ 2 root root 4096 febr  13 04:08 .
drwx------ 3 root root 4096 febr  13 04:08 ..
-rw------- 1 root root  144 febr  13 04:08 domains.txt
-rw------- 1 root root   13 febr  13 04:08 extracted_ip_ApacheAccess.txt
-rw------- 1 root root  746 febr  13 04:08 malware_info.txt
-rw------- 1 root root  396 febr  13 04:08 raw_ApacheAccess.log


/var/log/bitninja/correlations/2019/02/13/04_08_5c638a2c033ab# cat *
{
    "\/home\/test\/web": {
        "0": "example.com",
        "2": "ftp.example.com",
        "3": "www.example.com"
    }
}
1.2.3.4
{
    "user": "test",
    "group": "test",
    "rights": "0644",
    "path": "\/home\/test\/web\/language\/administrator\/components\/com_admin\/views\/help\/tmpl\/x-max.php",
    "dir": "\/home\/test\/web\/language\/administrator\/components\/com_admin\/views\/help\/tmpl",
    "file_name": "x-max.php",
    "malware_name": "{HEX}php.malware.magento.572",
    "size": 18293,
    "created": "2019-02-13 04:08:27",
    "date_found": 1550027307,
    "info_file_id": 17337,
    "access_time": "2019-02-13 04:08:27",
    "modification_time": "2019-02-13 04:08:27",
    "file_hash": "27efac09763109655d7e35d9f6bd0705",
    "quarantine": 1,
    "honeypot": 1,
    "quarantined_path": "\/var\/lib\/bitninja\/quarantine\/2019\/02\/13\/17337_x-max.php"
}
/var/log/access.log
example.com 1.2.3.4 - - [13/Feb/2019:04:08:26 +0100] "POST /language/administrator/components/com_admin/views/help/tmpl/common.php HTTP/1.1" 200 1220 "http://example.com/language/administrator/components/com_admin/views/help/tmpl/common.php" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36"

In the file domains.txt we can find the potentially affected domains, grouped by their web roots. By concatenating the document root and the URI from the POST request, we can locate the file that was used for the upload, like:

/home/test/web/language/administrator/components/com_admin/views/help/tmpl/common.php
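The two steps described on this page, picking the log lines that fall in the 30-second window before the malware's ctime and joining the vhost's document root from domains.txt to the requested URI, as an added Python example. This is not BitNinja's code: it assumes the vhost-prefixed access-log format shown above, that only POST lines are upload candidates unless `unfiltered=True` (mirroring SaveUnFilteredLoglines), and that the malware_info.txt timestamps are in the same zone as the log (+0100). The sample lines other than the one taken from this page are constructed.

```python
"""Correlate a MalwareDetection hit with access-log lines from the time window.

Added example, not BitNinja's code. Assumptions: vhost-prefixed combined log
format as on this page; window = time_window seconds before the malware ctime;
only POST lines are upload candidates unless unfiltered=True; the malware ctime
from malware_info.txt is in the same zone as the log (+0100).
"""
import json
import re
from datetime import datetime, timedelta, timezone

TIME_WINDOW = 30  # seconds, same as [core] time_window in config.ini

# vhost client - - [timestamp] "METHOD URI PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: the line from this page (referer/agent shortened)
# plus a GET inside the window, a POST outside it, and an unparsable line.
SAMPLE_LOG = [
    'example.com 1.2.3.4 - - [13/Feb/2019:04:08:26 +0100] "POST /language/administrator/'
    'components/com_admin/views/help/tmpl/common.php HTTP/1.1" 200 1220 "-" "Mozilla/5.0"',
    'example.com 5.6.7.8 - - [13/Feb/2019:04:08:20 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.0"',
    'example.com 9.9.9.9 - - [13/Feb/2019:04:06:00 +0100] "POST /contact.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    'this line is not an access-log line',
]
# domains.txt as shown on this page: web root -> vhost names
SAMPLE_DOMAINS = json.loads(
    '{"/home/test/web": {"0": "example.com", "2": "ftp.example.com", "3": "www.example.com"}}')
# "modification_time" from malware_info.txt, assumed to be server local time (+0100)
MALWARE_CTIME = datetime(2019, 2, 13, 4, 8, 27, tzinfo=timezone(timedelta(hours=1)))


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def correlate(lines, malware_ctime, window=TIME_WINDOW, unfiltered=False):
    """Keep lines whose timestamp lies within `window` seconds before the ctime."""
    start = malware_ctime - timedelta(seconds=window)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["time"] <= malware_ctime):
            continue
        if not unfiltered and rec["method"] != "POST":
            continue  # GET/HEAD/PUT lines only kept with SaveUnFilteredLoglines semantics
        hits.append(rec)
    return hits


def extract_ips(hits):
    """Unique client IPs, the content of extracted_ip_*.txt."""
    return sorted({h["ip"] for h in hits})


def upload_script_paths(hits, domains):
    """Join the vhost's document root (from domains.txt) to the requested URI."""
    root_of = {name: root for root, names in domains.items() for name in names.values()}
    paths = set()
    for h in hits:
        root = root_of.get(h["vhost"])
        if root is not None:
            paths.add(root.rstrip("/") + "/" + h["uri"].split("?", 1)[0].lstrip("/"))
    return sorted(paths)


def run_example(unfiltered=False):
    hits = correlate(SAMPLE_LOG, MALWARE_CTIME, unfiltered=unfiltered)
    return {"lines": len(hits), "ips": extract_ips(hits),
            "paths": upload_script_paths(hits, SAMPLE_DOMAINS)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

The default run yields exactly the artefacts in the correlation folder above: one log line, the IP 1.2.3.4, and the common.php path under /home/test/web. Running with `unfiltered=True` adds the GET line and its IP, which is what SaveUnFilteredLoglines keeps for context without raising an incident.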

After inspecting the file, we can take the following actions:

  • Webhoneypotify it with the following BitNinja Cli command:
bitninjacli --webhoneypot --file=/path/to/file

Note

You can read more about the honeypot technique here: Web honeypot

  • If the whole file is malware, we can add it to our local MD5 signature set with the following command:
bitninjacli --add-file-to-signature-set=/path/to/malware

If an infection has already happened, most of the time there are other infected files on the server as well. (Finding the ultimate malware detector is the Holy Grail of the industry.) But we can try to find files in the web root that have been changed recently to find additional infections. BitNinja Cli has a useful script for this:

/opt/bitninja/modules/Cli/scripts/find_recent_changed_file_in_dir.sh

When an account has been compromised, listing recently modified files is a good place to start:

  • The first parameter is the folder we want to search in.
  • The second parameter specifies the last x days (by ctime) of files we want to investigate.
  • The third parameter is optional: if we don't specify it, the script lists files whose ctime ranges from today back to the number of days given in the second parameter. If we specify a number here, it starts from files that are "today minus x days" old instead.

Example usage: find all files in the /home directory that have been modified in the last 30 days, but start with the ones that are older than 10 days.

The command is:

find_recent_changed_file_in_dir.sh /home 30 10

Running this script could produce results like the following:

/opt/bitninja/modules/Cli/scripts/find_recent_changed_file_in_dir.sh /home/test/web 10

List files modified in the last 10 days!

### Modified 0 days ago:
### =====================
### format: file mime-type | stats (mtime ctime user group) | md5sum
text/x-php | 2019-02-13 15:46:41.727556356 +0100 2019-02-13 15:46:41.727556356 +0100 test test | 5791463245e719f288c3230723d2251f  /home/test/web/index.php
text/x-php | 2019-02-13 12:29:51.910984794 +0100 2019-02-13 12:29:51.914984795 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/plugins/user/profile/fields/include.php
text/x-php | 2019-02-13 12:29:00.190982291 +0100 2019-02-13 12:29:00.194982291 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/administrator/components/com_xmap/models/fields/modal/config.php
text/x-php | 2019-02-13 12:29:00.790982320 +0100 2019-02-13 12:29:00.794982321 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/administrator/components/com_languages/models/forms/configure.php
text/x-php | 2019-02-13 12:29:01.098982335 +0100 2019-02-13 12:29:01.102982335 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/administrator/components/com_akeeba/sql/updates/sqlsrv/include.php
text/x-php | 2019-02-13 12:29:02.694982412 +0100 2019-02-13 12:29:02.698982413 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/administrator/templates/system/components.php
text/x-php | 2019-02-13 12:29:51.702984784 +0100 2019-02-13 12:29:51.706984785 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/modules/mod_psdn_moonphase/common.php
text/x-php | 2019-02-13 12:29:13.166982919 +0100 2019-02-13 12:29:13.170982919 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/components/com_mailto/views/sent/includes.php
text/plain | 2016-12-28 10:29:15.000000000 +0100 2019-02-13 10:29:15.790634587 +0100 test test | 529c4073205ec840b03cab91862b1508  /home/test/web/.htaccess
text/plain | 2019-02-13 13:21:35.915135019 +0100 2019-02-13 13:21:35.915135019 +0100 root root | a35e920b60833824ebd1eb609897e8a3  /home/test/web/google_hk_bot
text/x-php | 2019-02-13 12:29:49.814984693 +0100 2019-02-13 12:29:49.818984693 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/libraries/f0f/view/menus.php
text/x-php | 2019-02-13 12:29:50.106984707 +0100 2019-02-13 12:29:50.110984707 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/libraries/f0f/string/settings.php
text/x-php | 2019-02-13 12:38:12.683009030 +0100 2019-02-13 12:38:12.687009031 +0100 test test | ce965abb67fa10dbf9adeea08632d5ff  /home/test/web/language/index.php
text/x-php | 2019-02-13 12:29:44.854984454 +0100 2019-02-13 12:29:44.862984453 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/language/administrator/modules/mod_menu/menus.php
text/x-php | 2019-02-13 12:29:45.238984471 +0100 2019-02-13 12:29:45.242984472 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/language/administrator/components/com_media/views/medialist/languages.php
text/x-php | 2018-09-03 12:29:45.000000000 +0200 2019-02-13 12:29:45.654984492 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/language/administrator/components/com_admin/views/help/tmpl/license
text/x-php | 2019-02-13 12:29:45.334984476 +0100 2019-02-13 12:29:45.338984476 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/language/administrator/components/com_admin/views/help/tmpl/common.php
text/x-php | 2019-02-13 10:33:58.194648254 +0100 2019-02-13 13:56:49.127237293 +0100 test test | 60a7e9a733a6ad5dbfa507338774d0f7  /home/test/web/language/administrator/components/com_admin/views/help/tmpl/yt9.php
text/x-php | 2019-02-13 12:29:45.578984488 +0100 2019-02-13 12:29:45.582984488 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/language/administrator/components/com_cache/views/cache/tmpl/admin-class.php
text/x-php | 2019-02-13 12:29:46.954984555 +0100 2019-02-13 12:29:46.958984556 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/language/installation/views/database/menus.php
text/x-php | 2019-02-13 12:29:52.946984845 +0100 2019-02-13 12:29:52.950984846 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/templates/art/index.php
text/x-php | 2019-02-13 12:29:52.986984846 +0100 2019-02-13 12:29:52.994984847 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/templates/art/data/cache.php
text/x-php | 2019-02-13 15:47:57.119560004 +0100 2019-02-13 15:47:57.123560005 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/img.php
text/x-php | 2019-02-13 12:29:50.762984739 +0100 2019-02-13 12:29:50.766984739 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/media/n2/ss3/plugins/widgetautoplay/image/configure.php
text/x-php | 2019-02-13 12:29:51.034984752 +0100 2019-02-13 12:29:51.038984752 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/media/editors/tinymce/jscripts/tiny_mce/plugins/advlist/cache.php
text/x-php | 2019-02-13 12:29:51.162984758 +0100 2019-02-13 12:29:51.166984758 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/media/editors/tinymce/jscripts/tiny_mce/plugins/advhr/css/menus.php
text/x-php | 2019-02-13 12:29:51.202984760 +0100 2019-02-13 12:29:51.206984760 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/media/editors/tinymce/jscripts/tiny_mce/plugins/template/js/common.php
text/x-php | 2019-02-13 12:29:51.294984765 +0100 2019-02-13 12:29:51.298984765 +0100 test test | f09b9c3e9686a1ebf566f24e4c87b5eb  /home/test/web/media/editors/tinymce/jscripts/tiny_mce/themes/advanced/js/menus.php

Using this command can further help you find the root cause of the infection or additional backdoors.
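To make the three-parameter behaviour explained above concrete, here is an added Python reimplementation of the listing the script produces. It is not BitNinja's find_recent_changed_file_in_dir.sh; it assumes that the second parameter is a look-back in whole 24-hour periods of ctime, that the optional third parameter skips files changed fewer than that many days ago, and it takes the mime type from Python's mimetypes table rather than file(1). The demo scenario (a temp dir with one freshly written .php file) is constructed.

```python
"""List files grouped by how many days ago their ctime changed.

Added example reimplementing, in Python, the behaviour this page describes for
find_recent_changed_file_in_dir.sh; it is not BitNinja's script. Assumptions:
`days` = look-back in 24-hour periods of ctime, `start` = optional lower bound
in days, mime type from the mimetypes module instead of file(1).
"""
import hashlib
import mimetypes
import os
import tempfile
import time
from datetime import datetime

DAY = 86400


def _owner(st):
    """User and group names, falling back to numeric ids where unavailable."""
    try:
        import grp
        import pwd
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except (ImportError, KeyError):
        return str(st.st_uid), str(st.st_gid)


def _md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def list_recent_changes(directory, days, start=0, now=None):
    """Return {days_ago: [record, ...]} for files with start <= days_ago < days."""
    now = time.time() if now is None else now
    groups = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            days_ago = int((now - st.st_ctime) // DAY)
            if days_ago < start or days_ago >= days:
                continue
            user, group = _owner(st)
            groups.setdefault(days_ago, []).append({
                "mime": mimetypes.guess_type(path)[0] or "application/octet-stream",
                "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(sep=" "),
                "ctime": datetime.fromtimestamp(st.st_ctime).isoformat(sep=" "),
                "user": user, "group": group,
                "md5": _md5(path), "path": path,
            })
    return groups


def format_report(groups):
    """Render the groups in the same layout as the sample output above."""
    out = []
    for d in sorted(groups):
        out.append(f"### Modified {d} days ago:")
        out.append("### =====================")
        out.append("### format: file mime-type | stats (mtime ctime user group) | md5sum")
        for r in groups[d]:
            out.append(f"{r['mime']} | {r['mtime']} {r['ctime']} {r['user']} {r['group']} "
                       f"| {r['md5']}  {r['path']}")
    return "\n".join(out)


def demo():
    """Constructed scenario: one freshly written .php file in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "web", "x-max.php")
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as f:
            f.write("<?php echo 'constructed sample'; ?>\n")
        fresh = list_recent_changes(tmp, 30)              # last 30 days
        skipped = list_recent_changes(tmp, 30, start=10)  # only files older than 10 days
        # ctime cannot be set with utime, so shift "now" 15 days ahead to age the file
        aged = list_recent_changes(tmp, 30, start=10, now=time.time() + 15 * DAY)
        return {"fresh_days": sorted(fresh), "skipped_days": sorted(skipped),
                "aged_days": sorted(aged), "fresh_report": format_report(fresh)}


if __name__ == "__main__":
    print(demo()["fresh_report"])
```

Grouping by ctime rather than mtime matters for triage: an attacker can reset mtime with touch, as the .htaccess line in the sample output (2016 mtime, 2019 ctime) illustrates, but ctime is updated by the kernel on every inode change and cannot be set from user space.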