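# ============================================================================
# Axios Supply Chain Attack — Recursive Detection Script (Windows)
# ============================================================================
# Run in PowerShell: .\check-all.ps1 [-Path <folder>]
#
# What it does:
#   1. Host-level checks for the indicators listed in the IoC section below
#      (RAT binary in ProgramData, dropped stage files in %TEMP%, an active
#      connection to the C2 address).
#   2. Finds every package.json under -Path (skipping node_modules trees) and,
#      per project, checks the installed axios version, the lockfile and the
#      presence of the malicious "plain-crypto-js" package.
#   3. Prints a summary. Exit code: 0 clean, 1 something was flagged,
#      2 when -Path is not a directory — usable from CI / fleet tooling.
#
# All checks are point-in-time presence checks: a clean result means none of
# the known indicators was observed, not that the host is verified clean.
# ============================================================================
param(
  [string]$Path = $PWD.Path
)

# Force UTF-8 output (messages are written without diacritics for maximum
# console compatibility anyway).
$OutputEncoding = [System.Text.Encoding]::UTF8
[Console]::OutputEncoding = [System.Text.Encoding]::UTF8

# --- Indicators of compromise used by the checks below ---------------------
# Known-bad axios versions.
$script:BadAxiosVersions = @('1.14.1', '0.30.4')
# Anchored regex built from the list, so "1.14.10" or "11.14.1" do not match.
$script:BadAxiosPattern = '^(' + (($script:BadAxiosVersions | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
# Malicious dependency pulled in by the bad versions.
$script:MaliciousPackage = 'plain-crypto-js'
# Command-and-control address, escaped for regex use against netstat output.
$script:C2Address = '142.11.206.73'
$script:C2Pattern = [regex]::Escape($script:C2Address)

Write-Host "========================================================" -ForegroundColor Cyan
Write-Host " Axios Supply Chain Attack - Recursive Scanner" -ForegroundColor Cyan
Write-Host "========================================================" -ForegroundColor Cyan
Write-Host "Prohledavam slozku: $Path" -ForegroundColor Yellow
Write-Host ""

# Fail early on a bad scan root instead of silently reporting "0 projects".
if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
  Write-Host "!! CHYBA: Slozka nenalezena: $Path" -ForegroundColor Red
  exit 2
}

$global:CompromisedProjectsCount = 0
$global:SystemCompromised = $false
# List instead of array += so appending stays O(1) per project.
$results = New-Object System.Collections.Generic.List[object]

# --- Host-level checks ------------------------------------------------------

<#
.SYNOPSIS
  Looks for the host-level indicators (RAT binary, dropped stage files, active
  C2 connection) and sets $global:SystemCompromised when any is found.
.NOTES
  The C2 check is a single netstat snapshot; an implant that is not connected
  at the moment of the scan will not show up here.
#>
function Invoke-GlobalChecks {
  Write-Host "[GLOBAL] Kontrola systemu na RAT artefakty a C2 spojeni..." -ForegroundColor Magenta

  $wtPath  = Join-Path $env:PROGRAMDATA 'wt.exe'
  $vbsPath = Join-Path $env:TEMP '6202033.vbs'
  $ps1Path = Join-Path $env:TEMP '6202033.ps1'

  # RAT persistence: wt.exe planted in ProgramData.
  if (Test-Path -LiteralPath $wtPath) {
    Write-Host " !! KRITICKE: Windows RAT nalezen v $wtPath" -ForegroundColor Red
    $global:SystemCompromised = $true
  } else {
    Write-Host " OK: wt.exe v ProgramData nenalezen" -ForegroundColor Green
  }

  # Dropped stage files in %TEMP%.
  if ((Test-Path -LiteralPath $vbsPath) -or (Test-Path -LiteralPath $ps1Path)) {
    Write-Host " !! VAROVANI: Nalezeny payload soubory v %TEMP%" -ForegroundColor Red
    $global:SystemCompromised = $true
  } else {
    Write-Host " OK: Zadne payload soubory v %TEMP%" -ForegroundColor Green
  }

  # Active C2 connections (snapshot of the current socket table).
  $c2Check = netstat -an | Select-String -Pattern $script:C2Pattern
  if ($c2Check) {
    Write-Host " !! KRITICKE: Aktivni spojeni na C2 (142.11.206.73) detekovano!" -ForegroundColor Red
    # One matching netstat line per row so several sockets stay readable.
    $c2Check | ForEach-Object { Write-Host " $_" -ForegroundColor Red }
    $global:SystemCompromised = $true
  } else {
    Write-Host " OK: Zadna aktivni C2 spojeni" -ForegroundColor Green
  }
  Write-Host ""
}

# --- Per-project helpers ----------------------------------------------------

<#
.SYNOPSIS
  Returns the version string of the top-level axios installed in
  <ProjectDir>\node_modules, or $null when axios is not installed.
.DESCRIPTION
  Reads node_modules\axios\package.json first: it is fast, does not need npm
  on PATH and is not confused by "deduped"/"extraneous" annotations. Falls
  back to "npm list axios --depth=0" (the original approach) when the manifest
  is missing or unreadable. Nested copies (node_modules\foo\node_modules\axios)
  are not covered here; the lockfile check catches those.
#>
function Get-InstalledAxiosVersion {
  param([string]$ProjectDir)

  $manifest = Join-Path $ProjectDir 'node_modules\axios\package.json'
  if (Test-Path -LiteralPath $manifest) {
    try {
      $v = (Get-Content -LiteralPath $manifest -Raw | ConvertFrom-Json).version
      if ($v) { return [string]$v }
    } catch {
      # Unreadable manifest: report and fall through to the npm fallback rather
      # than treating the project as axios-free.
      Write-Host " - Axios verze: manifest nelze precist, zkousim npm list" -ForegroundColor Gray
    }
  }

  if (-not (Get-Command npm -ErrorAction SilentlyContinue)) { return $null }
  Push-Location -LiteralPath $ProjectDir
  try {
    $npmOut = npm list axios --depth=0 2>$null | Select-String "axios@"
  } finally {
    Pop-Location
  }
  # "$npmOut" joins all matching lines; take the first axios@<version> token.
  if ("$npmOut" -match 'axios@(\d\S*)') { return $Matches[1] }
  return $null
}

<#
.SYNOPSIS
  Recursive walk of a lockfileVersion 1 "dependencies" tree.
.OUTPUTS
  $true when axios at a known-bad version or the malicious package is found
  at any depth, otherwise $false.
#>
function Test-LegacyDependencyTree {
  param($Dependencies)

  foreach ($dep in $Dependencies.PSObject.Properties) {
    if ($dep.Name -eq $script:MaliciousPackage) { return $true }
    if ($dep.Name -eq 'axios' -and $dep.Value.version -match $script:BadAxiosPattern) { return $true }
    if ($dep.Value.dependencies) {
      if (Test-LegacyDependencyTree -Dependencies $dep.Value.dependencies) { return $true }
    }
  }
  return $false
}

<#
.SYNOPSIS
  Decides whether a package-lock.json references a bad axios version or the
  malicious package.
.DESCRIPTION
  Parses the lockfile as JSON and inspects only axios entries (lockfileVersion
  2/3 "packages" keyed by path, lockfileVersion 1 nested "dependencies"), so an
  unrelated package that happens to be at 1.14.1 or 0.30.4 no longer produces
  a false positive. The malicious package is flagged when it has its own entry
  or appears in any entry's dependency map. If the file is not valid JSON the
  original text search is used so a damaged lockfile is never reported clean.
.OUTPUTS
  [bool]
#>
function Test-LockfileCompromised {
  param([string]$LockPath)

  try {
    $lock = Get-Content -LiteralPath $LockPath -Raw | ConvertFrom-Json
  } catch {
    Write-Host " - Lockfile: neplatny JSON, pouzivam textove hledani" -ForegroundColor Gray
    return [bool](Select-String -LiteralPath $LockPath -Pattern "1\.14\.1|0\.30\.4|plain-crypto-js" -Quiet)
  }

  $malKeyPattern = '(^|/)node_modules/' + [regex]::Escape($script:MaliciousPackage) + '$'

  # lockfileVersion 2/3: flat "packages" map keyed by install path.
  if ($lock.packages) {
    foreach ($entry in $lock.packages.PSObject.Properties) {
      if ($entry.Name -match $malKeyPattern) { return $true }
      if ($entry.Name -match '(^|/)node_modules/axios$' -and
          $entry.Value.version -match $script:BadAxiosPattern) { return $true }
      if ($entry.Value.dependencies -and
          ($entry.Value.dependencies.PSObject.Properties.Name -contains $script:MaliciousPackage)) { return $true }
    }
  }

  # lockfileVersion 1: nested "dependencies" tree.
  if ($lock.dependencies) {
    if (Test-LegacyDependencyTree -Dependencies $lock.dependencies) { return $true }
  }
  return $false
}

<#
.SYNOPSIS
  Runs the three per-project checks on one project directory.
.DESCRIPTION
  Checks (1) the installed axios version when node_modules exists, (2) the
  package-lock.json, (3) whether node_modules\plain-crypto-js exists. Uses
  absolute paths throughout, so the caller's working directory is never
  changed. Increments $global:CompromisedProjectsCount when anything hits.
.OUTPUTS
  [PSCustomObject] with Path, IsCompromised, AxiosStatus, LockfileStatus,
  NodeModulesStatus.
#>
function Inspect-Project {
  param([string]$ProjectDir)

  $isCompromised     = $false
  $axiosStatus       = "Nenalezeno"
  $lockStatus        = "N/A"
  $nodeModulesStatus = "Ciste"

  Write-Host "[PROJEKT] Kontroluji: $ProjectDir" -ForegroundColor Cyan

  $nodeModules = Join-Path $ProjectDir 'node_modules'
  $lockFile    = Join-Path $ProjectDir 'package-lock.json'
  $malDir      = Join-Path $nodeModules $script:MaliciousPackage

  # 1. Installed axios version (only meaningful when node_modules exists).
  if (Test-Path -LiteralPath $nodeModules) {
    $version = Get-InstalledAxiosVersion -ProjectDir $ProjectDir
    if ($version) {
      if ($version -match $script:BadAxiosPattern) {
        $axiosStatus = "!! INFIKOVANO (axios@$version)"
        $isCompromised = $true
        Write-Host " - Axios verze: $axiosStatus" -ForegroundColor Red
      } else {
        $axiosStatus = "OK (axios@$version)"
        Write-Host " - Axios verze: $axiosStatus" -ForegroundColor Green
      }
    } else {
      Write-Host " - Axios verze: Nenalezeno v node_modules ani npm list" -ForegroundColor Gray
    }
  } else {
    Write-Host " - Axios verze: Preskoceno (chybi node_modules)" -ForegroundColor Gray
  }

  # 2. package-lock.json, parsed rather than grepped (see Test-LockfileCompromised).
  if (Test-Path -LiteralPath $lockFile) {
    if (Test-LockfileCompromised -LockPath $lockFile) {
      $lockStatus = "!! INFIKOVANO"
      $isCompromised = $true
      Write-Host " - Lockfile: $lockStatus" -ForegroundColor Red
    } else {
      $lockStatus = "OK"
      Write-Host " - Lockfile: $lockStatus" -ForegroundColor Green
    }
  } else {
    Write-Host " - Lockfile: Preskoceno (soubor nenalezen)" -ForegroundColor Gray
  }

  # 3. Malicious package physically present in node_modules.
  if (Test-Path -LiteralPath $malDir) {
    $nodeModulesStatus = "!! INFIKOVANO (plain-crypto-js existuje)"
    $isCompromised = $true
    Write-Host " - Artefakty: $nodeModulesStatus" -ForegroundColor Red
  }
  Write-Host ""

  if ($isCompromised) { $global:CompromisedProjectsCount++ }

  return [PSCustomObject]@{
    Path              = $ProjectDir
    IsCompromised     = $isCompromised
    AxiosStatus       = $axiosStatus
    LockfileStatus    = $lockStatus
    NodeModulesStatus = $nodeModulesStatus
  }
}

# --- Main -------------------------------------------------------------------

# 1. Host-level checks.
Invoke-GlobalChecks

# 2. Project discovery. Anything inside a node_modules tree (including a
#    package.json sitting directly in a node_modules directory) is not a
#    project of its own and is skipped.
Write-Host "[HLEDANI] Vyhledavam soubory package.json (ignoruji node_modules)..." -ForegroundColor Yellow
$packageFiles = @(
  Get-ChildItem -LiteralPath $Path -Filter "package.json" -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -notmatch '\\node_modules(\\|$)' }
)
$totalProjects = $packageFiles.Count
Write-Host "Nalezeno $totalProjects projektu." -ForegroundColor Yellow
Write-Host ""

# 3. Per-project inspection.
foreach ($file in $packageFiles) {
  $results.Add((Inspect-Project -ProjectDir $file.DirectoryName))
}

# --- Summary report ---------------------------------------------------------
Write-Host "========================================================" -ForegroundColor Cyan
Write-Host " SOUHRNNY REPORT" -ForegroundColor Cyan
Write-Host "========================================================" -ForegroundColor Cyan

if ($global:SystemCompromised) {
  Write-Host "[!] ZJISTENO NAPADENI SYSTEMU: Nalezen RAT nebo C2 aktivita!" -ForegroundColor Red
  Write-Host " DOPORUCENI: Izolujte stroj a zvazte kompletni preinstalaci systemu." -ForegroundColor Red
} else {
  Write-Host "[+] Stav systemu: Nebyly zjisteny zadne globalni hrozby (RAT/C2)." -ForegroundColor Green
}
Write-Host ""
Write-Host "Celkem skenovano projektu: $totalProjects"
Write-Host "Infikovano projektu: $global:CompromisedProjectsCount"

if ($global:CompromisedProjectsCount -gt 0) {
  Write-Host ""
  Write-Host "Seznam infikovanych projektu:" -ForegroundColor Red
  $results | Where-Object { $_.IsCompromised } | ForEach-Object {
    Write-Host " - $($_.Path)" -ForegroundColor Red
  }
  Write-Host ""
  Write-Host "Kroky k naprave u projektu:" -ForegroundColor Yellow
  Write-Host " 1. Uzamknete axios na verzi 1.14.0: npm install axios@1.14.0 --save-exact"
  Write-Host " 2. Smazte node_modules a preinstalujte: rm -r node_modules; npm ci"
  Write-Host " 3. Zmente vsechna hesla a klice pouzite v techto projektech."
} elseif (-not $global:SystemCompromised -and $totalProjects -gt 0) {
  Write-Host ""
  Write-Host "VSE CISTE! Zadne infikovane projekty nebyly nalezeny." -ForegroundColor Green
}
Write-Host "========================================================" -ForegroundColor Cyan

# Non-zero exit code so CI or fleet tooling can act on the result without
# parsing the console output.
if ($global:SystemCompromised -or $global:CompromisedProjectsCount -gt 0) {
  exit 1
}
exit 0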