diff --git a/check-all.ps1 b/check-all.ps1
new file mode 100644
index 0000000..499d6fa
--- /dev/null
+++ b/check-all.ps1
@@ -0,0 +1,180 @@
+# ============================================================================
+# Axios Supply Chain Attack — Recursive Detection Script (Windows)
+# ============================================================================
+# Run in PowerShell: .\check-all.ps1 [-Path ]
+# ============================================================================
+
+param(
+ [string]$Path = $PWD.Path
+)
+
+# Nastaveni UTF8 pro jistotu (vystup bude bez diakritiky pro max. kompatibilitu)
+$OutputEncoding = [System.Text.Encoding]::UTF8
+[Console]::OutputEncoding = [System.Text.Encoding]::UTF8
+
+Write-Host "========================================================" -ForegroundColor Cyan
+Write-Host " Axios Supply Chain Attack - Recursive Scanner" -ForegroundColor Cyan
+Write-Host "========================================================" -ForegroundColor Cyan
+Write-Host "Prohledavam slozku: $Path" -ForegroundColor Yellow
+Write-Host ""
+
+$global:CompromisedProjectsCount = 0
+$global:SystemCompromised = $false
+$results = @()
+
+# --- Funkce pro globalni kontroly systemu ---
+function Invoke-GlobalChecks {
+ Write-Host "[GLOBAL] Kontrola systemu na RAT artefakty a C2 spojeni..." -ForegroundColor Magenta
+
+ $wtPath = "$env:PROGRAMDATA\wt.exe"
+ $vbsPath = "$env:TEMP\6202033.vbs"
+ $ps1Path = "$env:TEMP\6202033.ps1"
+
+ # Kontrola RAT Persistence
+ if (Test-Path $wtPath) {
+ Write-Host " !! KRITICKE: Windows RAT nalezen v $wtPath" -ForegroundColor Red
+ $global:SystemCompromised = $true
+ } else {
+ Write-Host " OK: wt.exe v ProgramData nenalezen" -ForegroundColor Green
+ }
+
+ # Kontrola podezrelych payloadu
+ if ((Test-Path $vbsPath) -or (Test-Path $ps1Path)) {
+ Write-Host " !! VAROVANI: Nalezeny payload soubory v %TEMP%" -ForegroundColor Red
+ $global:SystemCompromised = $true
+ } else {
+ Write-Host " OK: Zadne payload soubory v %TEMP%" -ForegroundColor Green
+ }
+
+ # Kontrola aktivnich C2 spojeni
+ $c2Check = netstat -an | Select-String "142\.11\.206\.73"
+ if ($c2Check) {
+ Write-Host " !! KRITICKE: Aktivni spojeni na C2 (142.11.206.73) detekovano!" -ForegroundColor Red
+ Write-Host " $c2Check" -ForegroundColor Red
+ $global:SystemCompromised = $true
+ } else {
+ Write-Host " OK: Zadna aktivni C2 spojeni" -ForegroundColor Green
+ }
+ Write-Host ""
+}
+
+# --- Funkce pro inspekci konkretniho projektu ---
+function Inspect-Project {
+ param([string]$ProjectDir)
+
+ $isCompromised = $false
+ $axiosStatus = "Nenalezeno"
+ $lockStatus = "N/A"
+ $nodeModulesStatus = "Ciste"
+
+ Write-Host "[PROJEKT] Kontroluji: $ProjectDir" -ForegroundColor Cyan
+ Push-Location $ProjectDir
+
+ # 1. Kontrola verze axios (pouze pokud existuje node_modules)
+ if (Test-Path "node_modules") {
+ $npmOut = npm list axios --depth=0 2>$null | Select-String "axios@"
+ if ($npmOut) {
+ if ($npmOut -match "1\.14\.1|0\.30\.4") {
+ $axiosStatus = "!! INFIKOVANO ($npmOut)"
+ $isCompromised = $true
+ Write-Host " - Axios verze: $axiosStatus" -ForegroundColor Red
+ } else {
+ $axiosStatus = "OK ($npmOut)"
+ Write-Host " - Axios verze: $axiosStatus" -ForegroundColor Green
+ }
+ } else {
+ Write-Host " - Axios verze: Nenalezeno v npm list" -ForegroundColor Gray
+ }
+ } else {
+ Write-Host " - Axios verze: Preskoceno (chybi node_modules)" -ForegroundColor Gray
+ }
+
+ # 2. Kontrola package-lock.json
+ if (Test-Path "package-lock.json") {
+ $lockHit = Select-String -Path "package-lock.json" -Pattern "1\.14\.1|0\.30\.4|plain-crypto-js" -Quiet
+ if ($lockHit) {
+ $lockStatus = "!! INFIKOVANO"
+ $isCompromised = $true
+ Write-Host " - Lockfile: $lockStatus" -ForegroundColor Red
+ } else {
+ $lockStatus = "OK"
+ Write-Host " - Lockfile: $lockStatus" -ForegroundColor Green
+ }
+ } else {
+ Write-Host " - Lockfile: Preskoceno (soubor nenalezen)" -ForegroundColor Gray
+ }
+
+ # 3. Kontrola artefaktu v node_modules
+ if (Test-Path "node_modules\plain-crypto-js") {
+ $nodeModulesStatus = "!! INFIKOVANO (plain-crypto-js existuje)"
+ $isCompromised = $true
+ Write-Host " - Artefakty: $nodeModulesStatus" -ForegroundColor Red
+ }
+
+ Write-Host ""
+ Pop-Location
+
+ if ($isCompromised) {
+ $global:CompromisedProjectsCount++
+ }
+
+ return [PSCustomObject]@{
+ Path = $ProjectDir
+ IsCompromised = $isCompromised
+ AxiosStatus = $axiosStatus
+ LockfileStatus = $lockStatus
+ NodeModulesStatus = $nodeModulesStatus
+ }
+}
+
+# --- Hlavni spousteci cast ---
+
+# 1. Globalni kontroly
+Invoke-GlobalChecks
+
+# 2. Vyhledavani projektu
+Write-Host "[HLEDANI] Vyhledavam soubory package.json (ignoruji node_modules)..." -ForegroundColor Yellow
+$packageFiles = Get-ChildItem -Path $Path -Filter "package.json" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.DirectoryName -notmatch "\\node_modules\\" }
+
+$totalProjects = @($packageFiles).Count
+Write-Host "Nalezeno $totalProjects projektu." -ForegroundColor Yellow
+Write-Host ""
+
+# 3. Inspekce kazdeho projektu
+foreach ($file in $packageFiles) {
+ $results += Inspect-Project -ProjectDir $file.DirectoryName
+}
+
+# --- Zaverecny souhrnny report ---
+Write-Host "========================================================" -ForegroundColor Cyan
+Write-Host " SOUHRNNY REPORT" -ForegroundColor Cyan
+Write-Host "========================================================" -ForegroundColor Cyan
+
+if ($global:SystemCompromised) {
+ Write-Host "[!] ZJISTENO NAPADENI SYSTEMU: Nalezen RAT nebo C2 aktivita!" -ForegroundColor Red
+ Write-Host " DOPORUCENI: Izolujte stroj a zvazte kompletni preinstalaci systemu." -ForegroundColor Red
+} else {
+ Write-Host "[+] Stav systemu: Nebyly zjisteny zadne globalni hrozby (RAT/C2)." -ForegroundColor Green
+}
+
+Write-Host ""
+Write-Host "Celkem skenovano projektu: $totalProjects"
+Write-Host "Infikovano projektu: $global:CompromisedProjectsCount"
+
+if ($global:CompromisedProjectsCount -gt 0) {
+ Write-Host ""
+ Write-Host "Seznam infikovanych projektu:" -ForegroundColor Red
+ $results | Where-Object { $_.IsCompromised } | ForEach-Object {
+ Write-Host " - $($_.Path)" -ForegroundColor Red
+ }
+
+ Write-Host ""
+ Write-Host "Kroky k naprave u projektu:" -ForegroundColor Yellow
+ Write-Host " 1. Uzamknete axios na verzi 1.14.0: npm install axios@1.14.0 --save-exact"
+ Write-Host " 2. Smazte node_modules a preinstalujte: rm -r node_modules; npm ci"
+ Write-Host " 3. Zmente vsechna hesla a klice pouzite v techto projektech."
+} elseif (-not $global:SystemCompromised -and $totalProjects -gt 0) {
+ Write-Host ""
+ Write-Host "VSE CISTE! Zadne infikovane projekty nebyly nalezeny." -ForegroundColor Green
+}
+Write-Host "========================================================" -ForegroundColor Cyan
diff --git a/check.ps1 b/check.ps1
new file mode 100644
index 0000000..df0e820
--- /dev/null
+++ b/check.ps1
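Review bot: The version checks in Inspect-Project are unanchored substring regexes: `$npmOut -match "1\.14\.1|0\.30\.4"` also fires on axios 1.14.10 and later, and the lockfile pattern `1\.14\.1|0\.30\.4|plain-crypto-js` flags any dependency pinned to one of those versions rather than only axios, so a clean project can be reported as INFIKOVANO (check.ps1 in this same commit carries the same two patterns). Anchoring the npm match as `if ($npmOut -match "axios@(1\.14\.1|0\.30\.4)(\s|$)")` fixes the first; for lockfileVersion 2/3 files the exact entry can be read with `$v = (Get-Content -Raw package-lock.json | ConvertFrom-Json).packages.'node_modules/axios'.version` and tested with `$v -in '1.14.1','0.30.4'`, keeping the text search only as a fallback for older v1 lockfiles. `npm list axios --depth=0` reports axios only as a direct dependency, so a transitive install is visible to this scanner solely through the lockfile search; `npm ls axios --all` walks the full tree. Push-Location and Pop-Location are not paired in try/finally, so any terminating error between them leaves the caller's location stack unbalanced for every remaining project.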
@@ -0,0 +1,104 @@
+# ============================================================================
+# Axios Supply Chain Attack — Detection Script (Windows)
+# ============================================================================
+# Run in PowerShell: .\check.ps1
+# ============================================================================
+
+Write-Host "============================================" -ForegroundColor Cyan
+Write-Host " Axios Supply Chain Attack - Detection" -ForegroundColor Cyan
+Write-Host "============================================" -ForegroundColor Cyan
+Write-Host ""
+
+$found = $false
+
+# --- Check 1: Installed axios version ---
+Write-Host "[1/5] Checking installed axios version..." -ForegroundColor Yellow
+$axiosCheck = npm list axios 2>$null | Select-String "1\.14\.1|0\.30\.4"
+if ($axiosCheck) {
+ Write-Host " !! AFFECTED: Compromised axios version found" -ForegroundColor Red
+ Write-Host " $axiosCheck"
+ $found = $true
+} else {
+ Write-Host " OK: No compromised axios version installed" -ForegroundColor Green
+}
+
+# --- Check 2: Lockfile ---
+Write-Host ""
+Write-Host "[2/5] Checking lockfile..." -ForegroundColor Yellow
+if (Test-Path "package-lock.json") {
+ $lockHit = Select-String -Path "package-lock.json" -Pattern "1\.14\.1|0\.30\.4|plain-crypto-js"
+ if ($lockHit) {
+ Write-Host " !! AFFECTED: Compromised reference in lockfile" -ForegroundColor Red
+ $found = $true
+ } else {
+ Write-Host " OK: Lockfile clean" -ForegroundColor Green
+ }
+} else {
+ Write-Host " SKIP: No package-lock.json found"
+}
+
+# --- Check 3: Malicious dependency ---
+Write-Host ""
+Write-Host "[3/5] Checking for malicious package..." -ForegroundColor Yellow
+if (Test-Path "node_modules\plain-crypto-js") {
+ Write-Host " !! AFFECTED: node_modules\plain-crypto-js EXISTS" -ForegroundColor Red
+ $found = $true
+} else {
+ Write-Host " OK: plain-crypto-js not in node_modules" -ForegroundColor Green
+ Write-Host " (Note: Malware self-destructs - absence does NOT guarantee safety)"
+}
+
+# --- Check 4: RAT artifacts ---
+Write-Host ""
+Write-Host "[4/5] Checking for RAT artifacts..." -ForegroundColor Yellow
+
+# Windows RAT: wt.exe in ProgramData
+$wtPath = "$env:PROGRAMDATA\wt.exe"
+if (Test-Path $wtPath) {
+ Write-Host " !! CRITICAL: Windows RAT found at $wtPath" -ForegroundColor Red
+ Get-Item $wtPath | Format-List Name, Length, LastWriteTime
+ $found = $true
+} else {
+ Write-Host " OK: wt.exe not found in ProgramData" -ForegroundColor Green
+}
+
+# Temp files
+$vbsPath = "$env:TEMP\6202033.vbs"
+$ps1Path = "$env:TEMP\6202033.ps1"
+if ((Test-Path $vbsPath) -or (Test-Path $ps1Path)) {
+ Write-Host " !! WARNING: Temp payload files found" -ForegroundColor Red
+ $found = $true
+} else {
+ Write-Host " OK: No temp payload files" -ForegroundColor Green
+}
+
+# --- Check 5: C2 connections ---
+Write-Host ""
+Write-Host "[5/5] Checking for C2 connections..." -ForegroundColor Yellow
+$c2Check = netstat -an | Select-String "142.11.206.73"
+if ($c2Check) {
+ Write-Host " !! CRITICAL: Active connection to C2 (142.11.206.73)" -ForegroundColor Red
+ Write-Host " $c2Check"
+ $found = $true
+} else {
+ Write-Host " OK: No active C2 connections" -ForegroundColor Green
+}
+
+# --- Summary ---
+Write-Host ""
+Write-Host "============================================" -ForegroundColor Cyan
+if ($found) {
+ Write-Host " !! POTENTIAL COMPROMISE DETECTED" -ForegroundColor Red
+ Write-Host ""
+ Write-Host " 1. Pin axios to 1.14.0: npm install axios@1.14.0 --save-exact"
+ Write-Host " 2. Remove node_modules and reinstall: rm -r node_modules; npm ci"
+ Write-Host " 3. Rotate ALL credentials"
+ Write-Host " 4. Block sfrclak.com and 142.11.206.73"
+ Write-Host " 5. If RAT found: FULL SYSTEM REBUILD"
+} else {
+ Write-Host " ALL CLEAR" -ForegroundColor Green
+ Write-Host ""
+ Write-Host " Preventive: npm install axios@1.14.0 --save-exact"
+ Write-Host " Set: npm config set min-release-age 3"
+}
+Write-Host "============================================" -ForegroundColor Cyan
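Review bot: Check 5 passes `"142.11.206.73"` to Select-String as a regex, so each `.` matches any character and the netstat filter is looser than intended; use `$c2Check = netstat -an | Select-String -SimpleMatch "142.11.206.73"` (or escape the dots as check-all.ps1 in this commit already does). When wt.exe is found, the `Get-Item $wtPath | Format-List` line gives responders a size and timestamp but no hash to correlate against; adding `Get-FileHash $wtPath -Algorithm SHA256 | Format-List Hash` next to it makes the finding actionable for triage. The ALL CLEAR branch in the summary contradicts the caveat printed by check 3 that the malware self-destructs and absence does not guarantee safety; repeating that caveat under ALL CLEAR, e.g. `Write-Host " (Absence of artifacts does NOT guarantee safety - see check 3)"`, keeps the summary honest.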