axios checker

2 weeks ago · 2fe3e63cac
2 changed files with 284 additions and 0 deletions
--- a/check-all.ps1
+++ b/check-all.ps1
@ -0,0 +1,180 @@
 # ============================================================================
 # Axios Supply Chain Attack — Recursive Detection Script (Windows)
 # ============================================================================
 # Run in PowerShell: .\check-all.ps1 [-Path <Cesta_k_prohledani>]
 # ============================================================================
 param(
    [string]$Path = $PWD.Path
 )
 # Nastaveni UTF8 pro jistotu (vystup bude bez diakritiky pro max. kompatibilitu)
 $OutputEncoding = [System.Text.Encoding]::UTF8
 [Console]::OutputEncoding = [System.Text.Encoding]::UTF8
 Write-Host "========================================================" -ForegroundColor Cyan
 Write-Host "  Axios Supply Chain Attack - Recursive Scanner" -ForegroundColor Cyan
 Write-Host "========================================================" -ForegroundColor Cyan
 Write-Host "Prohledavam slozku: $Path" -ForegroundColor Yellow
 Write-Host ""
 $global:CompromisedProjectsCount = 0
 $global:SystemCompromised = $false
 $results = @()
 # --- Funkce pro globalni kontroly systemu ---
 function Invoke-GlobalChecks {
    Write-Host "[GLOBAL] Kontrola systemu na RAT artefakty a C2 spojeni..." -ForegroundColor Magenta
    $wtPath = "$env:PROGRAMDATA\wt.exe"
    $vbsPath = "$env:TEMP\6202033.vbs"
    $ps1Path = "$env:TEMP\6202033.ps1"
    # Kontrola RAT Persistence
    if (Test-Path $wtPath) {
        Write-Host "  !! KRITICKE: Windows RAT nalezen v $wtPath" -ForegroundColor Red
        $global:SystemCompromised = $true
    } else {
        Write-Host "  OK: wt.exe v ProgramData nenalezen" -ForegroundColor Green
    }
    # Kontrola podezrelych payloadu
    if ((Test-Path $vbsPath) -or (Test-Path $ps1Path)) {
        Write-Host "  !! VAROVANI: Nalezeny payload soubory v %TEMP%" -ForegroundColor Red
        $global:SystemCompromised = $true
    } else {
        Write-Host "  OK: Zadne payload soubory v %TEMP%" -ForegroundColor Green
    }
    # Kontrola aktivnich C2 spojeni
    $c2Check = netstat -an | Select-String "142\.11\.206\.73"
    if ($c2Check) {
        Write-Host "  !! KRITICKE: Aktivni spojeni na C2 (142.11.206.73) detekovano!" -ForegroundColor Red
        Write-Host "  $c2Check" -ForegroundColor Red
        $global:SystemCompromised = $true
    } else {
        Write-Host "  OK: Zadna aktivni C2 spojeni" -ForegroundColor Green
    }
    Write-Host ""
 }
 # --- Funkce pro inspekci konkretniho projektu ---
 function Inspect-Project {
    param([string]$ProjectDir)
    $isCompromised = $false
    $axiosStatus = "Nenalezeno"
    $lockStatus = "N/A"
    $nodeModulesStatus = "Ciste"
    Write-Host "[PROJEKT] Kontroluji: $ProjectDir" -ForegroundColor Cyan
    Push-Location $ProjectDir
    # 1. Kontrola verze axios (pouze pokud existuje node_modules)
    if (Test-Path "node_modules") {
        $npmOut = npm list axios --depth=0 2>$null | Select-String "axios@"
        if ($npmOut) {
            if ($npmOut -match "1\.14\.1|0\.30\.4") {
                $axiosStatus = "!! INFIKOVANO ($npmOut)"
                $isCompromised = $true
                Write-Host "  - Axios verze: $axiosStatus" -ForegroundColor Red
            } else {
                $axiosStatus = "OK ($npmOut)"
                Write-Host "  - Axios verze: $axiosStatus" -ForegroundColor Green
            }
        } else {
             Write-Host "  - Axios verze: Nenalezeno v npm list" -ForegroundColor Gray
        }
    } else {
        Write-Host "  - Axios verze: Preskoceno (chybi node_modules)" -ForegroundColor Gray
    }
    # 2. Kontrola package-lock.json
    if (Test-Path "package-lock.json") {
        $lockHit = Select-String -Path "package-lock.json" -Pattern "1\.14\.1|0\.30\.4|plain-crypto-js" -Quiet
        if ($lockHit) {
            $lockStatus = "!! INFIKOVANO"
            $isCompromised = $true
            Write-Host "  - Lockfile: $lockStatus" -ForegroundColor Red
        } else {
            $lockStatus = "OK"
            Write-Host "  - Lockfile: $lockStatus" -ForegroundColor Green
        }
    } else {
        Write-Host "  - Lockfile: Preskoceno (soubor nenalezen)" -ForegroundColor Gray
    }
    # 3. Kontrola artefaktu v node_modules
    if (Test-Path "node_modules\plain-crypto-js") {
        $nodeModulesStatus = "!! INFIKOVANO (plain-crypto-js existuje)"
        $isCompromised = $true
        Write-Host "  - Artefakty: $nodeModulesStatus" -ForegroundColor Red
    }
    Write-Host ""
    Pop-Location
    if ($isCompromised) {
        $global:CompromisedProjectsCount++
    }
    return [PSCustomObject]@{
        Path = $ProjectDir
        IsCompromised = $isCompromised
        AxiosStatus = $axiosStatus
        LockfileStatus = $lockStatus
        NodeModulesStatus = $nodeModulesStatus
    }
 }
 # --- Hlavni spousteci cast ---
 # 1. Globalni kontroly
 Invoke-GlobalChecks
 # 2. Vyhledavani projektu
 Write-Host "[HLEDANI] Vyhledavam soubory package.json (ignoruji node_modules)..." -ForegroundColor Yellow
 $packageFiles = Get-ChildItem -Path $Path -Filter "package.json" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.DirectoryName -notmatch "\\node_modules\\" }
 $totalProjects = @($packageFiles).Count
 Write-Host "Nalezeno $totalProjects projektu." -ForegroundColor Yellow
 Write-Host ""
 # 3. Inspekce kazdeho projektu
 foreach ($file in $packageFiles) {
    $results += Inspect-Project -ProjectDir $file.DirectoryName
 }
 # --- Zaverecny souhrnny report ---
 Write-Host "========================================================" -ForegroundColor Cyan
 Write-Host "  SOUHRNNY REPORT" -ForegroundColor Cyan
 Write-Host "========================================================" -ForegroundColor Cyan
 if ($global:SystemCompromised) {
    Write-Host "[!] ZJISTENO NAPADENI SYSTEMU: Nalezen RAT nebo C2 aktivita!" -ForegroundColor Red
    Write-Host "    DOPORUCENI: Izolujte stroj a zvazte kompletni preinstalaci systemu." -ForegroundColor Red
 } else {
    Write-Host "[+] Stav systemu: Nebyly zjisteny zadne globalni hrozby (RAT/C2)." -ForegroundColor Green
 }
 Write-Host ""
 Write-Host "Celkem skenovano projektu: $totalProjects"
 Write-Host "Infikovano projektu: $global:CompromisedProjectsCount"
 if ($global:CompromisedProjectsCount -gt 0) {
    Write-Host ""
    Write-Host "Seznam infikovanych projektu:" -ForegroundColor Red
    $results | Where-Object { $_.IsCompromised } | ForEach-Object {
        Write-Host " - $($_.Path)" -ForegroundColor Red
    }
    Write-Host ""
    Write-Host "Kroky k naprave u projektu:" -ForegroundColor Yellow
    Write-Host "  1. Uzamknete axios na verzi 1.14.0: npm install axios@1.14.0 --save-exact"
    Write-Host "  2. Smazte node_modules a preinstalujte: rm -r node_modules; npm ci"
    Write-Host "  3. Zmente vsechna hesla a klice pouzite v techto projektech."
 } elseif (-not $global:SystemCompromised -and $totalProjects -gt 0) {
    Write-Host ""
    Write-Host "VSE CISTE! Zadne infikovane projekty nebyly nalezeny." -ForegroundColor Green
 }
 Write-Host "========================================================" -ForegroundColor Cyan
--- a/check.ps1
+++ b/check.ps1
@ -0,0 +1,104 @@
 # ============================================================================
 # Axios Supply Chain Attack — Detection Script (Windows)
 # ============================================================================
 # Run in PowerShell: .\check.ps1
 # ============================================================================
 Write-Host "============================================" -ForegroundColor Cyan
 Write-Host "  Axios Supply Chain Attack - Detection" -ForegroundColor Cyan
 Write-Host "============================================" -ForegroundColor Cyan
 Write-Host ""
 $found = $false
 # --- Check 1: Installed axios version ---
 Write-Host "[1/5] Checking installed axios version..." -ForegroundColor Yellow
 $axiosCheck = npm list axios 2>$null | Select-String "1\.14\.1|0\.30\.4"
 if ($axiosCheck) {
    Write-Host "  !! AFFECTED: Compromised axios version found" -ForegroundColor Red
    Write-Host "  $axiosCheck"
    $found = $true
 } else {
    Write-Host "  OK: No compromised axios version installed" -ForegroundColor Green
 }
 # --- Check 2: Lockfile ---
 Write-Host ""
 Write-Host "[2/5] Checking lockfile..." -ForegroundColor Yellow
 if (Test-Path "package-lock.json") {
    $lockHit = Select-String -Path "package-lock.json" -Pattern "1\.14\.1|0\.30\.4|plain-crypto-js"
    if ($lockHit) {
        Write-Host "  !! AFFECTED: Compromised reference in lockfile" -ForegroundColor Red
        $found = $true
    } else {
        Write-Host "  OK: Lockfile clean" -ForegroundColor Green
    }
 } else {
    Write-Host "  SKIP: No package-lock.json found"
 }
 # --- Check 3: Malicious dependency ---
 Write-Host ""
 Write-Host "[3/5] Checking for malicious package..." -ForegroundColor Yellow
 if (Test-Path "node_modules\plain-crypto-js") {
    Write-Host "  !! AFFECTED: node_modules\plain-crypto-js EXISTS" -ForegroundColor Red
    $found = $true
 } else {
    Write-Host "  OK: plain-crypto-js not in node_modules" -ForegroundColor Green
    Write-Host "  (Note: Malware self-destructs - absence does NOT guarantee safety)"
 }
 # --- Check 4: RAT artifacts ---
 Write-Host ""
 Write-Host "[4/5] Checking for RAT artifacts..." -ForegroundColor Yellow
 # Windows RAT: wt.exe in ProgramData
 $wtPath = "$env:PROGRAMDATA\wt.exe"
 if (Test-Path $wtPath) {
    Write-Host "  !! CRITICAL: Windows RAT found at $wtPath" -ForegroundColor Red
    Get-Item $wtPath | Format-List Name, Length, LastWriteTime
    $found = $true
 } else {
    Write-Host "  OK: wt.exe not found in ProgramData" -ForegroundColor Green
 }
 # Temp files
 $vbsPath = "$env:TEMP\6202033.vbs"
 $ps1Path = "$env:TEMP\6202033.ps1"
 if ((Test-Path $vbsPath) -or (Test-Path $ps1Path)) {
    Write-Host "  !! WARNING: Temp payload files found" -ForegroundColor Red
    $found = $true
 } else {
    Write-Host "  OK: No temp payload files" -ForegroundColor Green
 }
 # --- Check 5: C2 connections ---
 Write-Host ""
 Write-Host "[5/5] Checking for C2 connections..." -ForegroundColor Yellow
 $c2Check = netstat -an | Select-String "142.11.206.73"
 if ($c2Check) {
    Write-Host "  !! CRITICAL: Active connection to C2 (142.11.206.73)" -ForegroundColor Red
    Write-Host "  $c2Check"
    $found = $true
 } else {
    Write-Host "  OK: No active C2 connections" -ForegroundColor Green
 }
 # --- Summary ---
 Write-Host ""
 Write-Host "============================================" -ForegroundColor Cyan
 if ($found) {
    Write-Host "  !! POTENTIAL COMPROMISE DETECTED" -ForegroundColor Red
    Write-Host ""
    Write-Host "  1. Pin axios to 1.14.0: npm install axios@1.14.0 --save-exact"
    Write-Host "  2. Remove node_modules and reinstall: rm -r node_modules; npm ci"
    Write-Host "  3. Rotate ALL credentials"
    Write-Host "  4. Block sfrclak.com and 142.11.206.73"
    Write-Host "  5. If RAT found: FULL SYSTEM REBUILD"
 } else {
    Write-Host "  ALL CLEAR" -ForegroundColor Green
    Write-Host ""
    Write-Host "  Preventive: npm install axios@1.14.0 --save-exact"
    Write-Host "  Set: npm config set min-release-age 3"
 }
 Write-Host "============================================" -ForegroundColor Cyan