# ============================================================================
# Axios Supply Chain Attack — Recursive Detection Script (Windows)
# ============================================================================
# Run in PowerShell: .\check-all.ps1 [-Path <Cesta_k_prohledani>]
#
# What it does: first checks host-level indicators (the dropped RAT binary in
# ProgramData, staged payload scripts in the current user's %TEMP%, a live
# connection to the C2 address), then walks every package.json project under
# -Path (node_modules subtrees skipped) and looks for the known bad axios
# versions and the malicious plain-crypto-js package.
#
# The indicator list is static. A clean run means none of THESE artifacts were
# seen at scan time; it is not proof that the host or the projects are clean.
# ============================================================================
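param(
    # Root folder to scan recursively for package.json projects; defaults to the
    # caller's current directory. A supplied value must be an existing directory:
    # a mistyped path would otherwise scan nothing and read as "no findings".
    # (PowerShell does not run ValidateScript against the default value.)
    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Container })]
    [string]$Path = $PWD.Path
)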
# Force UTF-8 on both the pipeline and the console. The script's own output is
# ASCII-only Czech (no diacritics) for maximum terminal compatibility; this only
# guards whatever external tools (npm, netstat) emit.
$utf8Encoding = [System.Text.Encoding]::UTF8
$OutputEncoding = $utf8Encoding
[Console]::OutputEncoding = $utf8Encoding
# Banner, then the script-wide state shared between the check functions and the
# final report.
$bannerRule = "========================================================"
Write-Host $bannerRule -ForegroundColor Cyan
Write-Host " Axios Supply Chain Attack - Recursive Scanner" -ForegroundColor Cyan
Write-Host $bannerRule -ForegroundColor Cyan
Write-Host "Prohledavam slozku: $Path" -ForegroundColor Yellow
Write-Host ""

# Written by Inspect-Project / Invoke-GlobalChecks, read by the summary report.
$global:CompromisedProjectsCount = 0      # projects with at least one indicator hit
$global:SystemCompromised = $false        # host-level RAT / C2 indicator seen
$results = @()                            # one result object per inspected project
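# --- Host-level checks ---
# Looks for the artifacts this script knows about on the machine itself: the RAT
# binary dropped into ProgramData, the staged payload scripts in %TEMP%, and a
# live connection to the C2 address.
# Globals:  sets $global:SystemCompromised = $true on any hit (never resets it)
# Outputs:  one status line per check; findings in red
# Caveats:  %TEMP% is the CURRENT user's temp directory, so payloads staged under
#           another account (or under SYSTEM) are not checked. The C2 check is a
#           point-in-time netstat snapshot; a beacon between check-ins is missed.
#           A clean result means none of these indicators were seen, nothing more.
function Invoke-GlobalChecks {
    Write-Host "[GLOBAL] Kontrola systemu na RAT artefakty a C2 spojeni..." -ForegroundColor Magenta

    $wtPath  = "$env:PROGRAMDATA\wt.exe"
    $vbsPath = "$env:TEMP\6202033.vbs"
    $ps1Path = "$env:TEMP\6202033.ps1"

    # RAT persistence artifact. -LiteralPath so that bracket characters in an
    # unusual ProgramData/TEMP path are not interpreted as wildcards.
    if (Test-Path -LiteralPath $wtPath) {
        Write-Host " !! KRITICKE: Windows RAT nalezen v $wtPath" -ForegroundColor Red
        $global:SystemCompromised = $true
    } else {
        Write-Host " OK: wt.exe v ProgramData nenalezen" -ForegroundColor Green
    }

    # Staged payload scripts (current user's %TEMP% only - see caveat above).
    if ((Test-Path -LiteralPath $vbsPath) -or (Test-Path -LiteralPath $ps1Path)) {
        Write-Host " !! VAROVANI: Nalezeny payload soubory v %TEMP%" -ForegroundColor Red
        $global:SystemCompromised = $true
    } else {
        Write-Host " OK: Zadne payload soubory v %TEMP%" -ForegroundColor Green
    }

    # Active C2 connection. "-o" adds the owning PID to each netstat line so a hit
    # can be tied to a process during triage; each matching line is printed on its own.
    $c2Check = netstat -ano | Select-String "142\.11\.206\.73"
    if ($c2Check) {
        Write-Host " !! KRITICKE: Aktivni spojeni na C2 (142.11.206.73) detekovano!" -ForegroundColor Red
        foreach ($c2Line in $c2Check) {
            Write-Host " $c2Line" -ForegroundColor Red
        }
        $global:SystemCompromised = $true
    } else {
        Write-Host " OK: Zadna aktivni C2 spojeni" -ForegroundColor Green
    }
    Write-Host ""
}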
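# --- Per-project inspection ---
# Inspects one npm project directory for the indicators this script knows about:
#   1. the installed axios version via "npm list" (only when node_modules exists),
#   2. package-lock.json referencing a bad axios version or the plain-crypto-js package,
#   3. a plain-crypto-js directory physically present in node_modules.
# Parameters: $ProjectDir - directory that contains the project's package.json
# Globals:    increments $global:CompromisedProjectsCount when any indicator hits
# Returns:    [PSCustomObject] with Path, IsCompromised, AxiosStatus, LockfileStatus,
#             NodeModulesStatus
# Caveats:    package.json is only the project marker and is never read, so a project
#             with neither node_modules nor a lockfile yields no finding at all - that
#             is "nothing checked", not "clean". The lockfile check is line-based
#             (Select-String): the axios version match needs the name and the version
#             on one line (e.g. the "resolved" tarball URL or a dependency range), while
#             the plain-crypto-js match is name-only. "npm list" is the only external
#             command run inside the project; it is not expected to execute package
#             lifecycle scripts, but it is still run with the project as cwd.
function Inspect-Project {
    param([string]$ProjectDir)

    # Bad versions, followed by a negative lookahead so that a longer version such as
    # 1.14.10 or 0.30.40 is not reported as a hit.
    $badAxiosVersion = '(1\.14\.1|0\.30\.4)(?!\d)'

    $isCompromised     = $false
    $axiosStatus       = "Nenalezeno"
    $lockStatus        = "N/A"
    $nodeModulesStatus = "Ciste"

    Write-Host "[PROJEKT] Kontroluji: $ProjectDir" -ForegroundColor Cyan

    # Enter the project so "npm list" and the relative paths below resolve against it.
    # If the directory cannot be entered, say so and return - otherwise the relative
    # checks would silently run against the scanner's own working directory.
    try {
        Push-Location -LiteralPath $ProjectDir -ErrorAction Stop
    } catch {
        Write-Host " - Slozku nelze otevrit: $($_.Exception.Message)" -ForegroundColor Gray
        Write-Host ""
        return [PSCustomObject]@{
            Path              = $ProjectDir
            IsCompromised     = $false
            AxiosStatus       = "Nelze otevrit slozku"
            LockfileStatus    = "Nelze otevrit slozku"
            NodeModulesStatus = "Nelze otevrit slozku"
        }
    }

    try {
        # 1. Installed axios version (only meaningful when node_modules exists)
        if (Test-Path -LiteralPath "node_modules") {
            $npmLines = @(npm list axios --depth=0 2>$null | Select-String "axios@" | ForEach-Object { $_.Line })
            if ($npmLines.Count -gt 0) {
                $npmText = $npmLines -join " "
                if ($npmText -match "axios@${badAxiosVersion}") {
                    $axiosStatus = "!! INFIKOVANO ($npmText)"
                    $isCompromised = $true
                    Write-Host " - Axios verze: $axiosStatus" -ForegroundColor Red
                } else {
                    $axiosStatus = "OK ($npmText)"
                    Write-Host " - Axios verze: $axiosStatus" -ForegroundColor Green
                }
            } else {
                Write-Host " - Axios verze: Nenalezeno v npm list" -ForegroundColor Gray
            }
        } else {
            Write-Host " - Axios verze: Preskoceno (chybi node_modules)" -ForegroundColor Gray
        }

        # 2. package-lock.json: a bad axios version or the malicious plain-crypto-js package
        if (Test-Path -LiteralPath "package-lock.json") {
            $lockPattern = "axios.*${badAxiosVersion}|plain-crypto-js"
            $lockHit = Select-String -LiteralPath "package-lock.json" -Pattern $lockPattern -Quiet
            if ($lockHit) {
                $lockStatus = "!! INFIKOVANO"
                $isCompromised = $true
                Write-Host " - Lockfile: $lockStatus" -ForegroundColor Red
            } else {
                $lockStatus = "OK"
                Write-Host " - Lockfile: $lockStatus" -ForegroundColor Green
            }
        } else {
            Write-Host " - Lockfile: Preskoceno (soubor nenalezen)" -ForegroundColor Gray
        }

        # 3. Physical artifact: the malicious package present in node_modules
        if (Test-Path -LiteralPath "node_modules\plain-crypto-js") {
            $nodeModulesStatus = "!! INFIKOVANO (plain-crypto-js existuje)"
            $isCompromised = $true
            Write-Host " - Artefakty: $nodeModulesStatus" -ForegroundColor Red
        }

        Write-Host ""
    } finally {
        # Always return to the caller's directory, even if a check threw.
        Pop-Location
    }

    if ($isCompromised) {
        $global:CompromisedProjectsCount++
    }

    return [PSCustomObject]@{
        Path              = $ProjectDir
        IsCompromised     = $isCompromised
        AxiosStatus       = $axiosStatus
        LockfileStatus    = $lockStatus
        NodeModulesStatus = $nodeModulesStatus
    }
}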
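# --- Main ---

# 1. Host-level indicators first, so a compromised machine is flagged even when
#    no project produces a hit.
Invoke-GlobalChecks

# 2. Locate projects: every package.json under -Path that is not inside a
#    node_modules directory (those belong to installed packages, which are
#    examined per project). Subtrees that cannot be read are counted and reported
#    rather than dropped silently - an unreadable directory is a blind spot, not a
#    clean one. -LiteralPath keeps bracket characters in -Path from acting as wildcards.
Write-Host "[HLEDANI] Vyhledavam soubory package.json (ignoruji node_modules)..." -ForegroundColor Yellow
$scanErrors = @()
$packageFiles = @(
    Get-ChildItem -LiteralPath $Path -Filter "package.json" -File -Recurse -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
        Where-Object { $_.DirectoryName -notmatch "\\node_modules\\" }
)

$totalProjects = $packageFiles.Count
Write-Host "Nalezeno $totalProjects projektu." -ForegroundColor Yellow
if ($scanErrors.Count -gt 0) {
    Write-Host "VAROVANI: $($scanErrors.Count) polozek nebylo mozne precist (pristup odepren?) - vysledek nemusi byt uplny." -ForegroundColor Yellow
}
Write-Host ""

# 3. Inspect each project and keep the result objects for the summary.
$results = @(foreach ($file in $packageFiles) {
    Inspect-Project -ProjectDir $file.DirectoryName
})

# --- Summary report ---
Write-Host "========================================================" -ForegroundColor Cyan
Write-Host " SOUHRNNY REPORT" -ForegroundColor Cyan
Write-Host "========================================================" -ForegroundColor Cyan

if ($global:SystemCompromised) {
    Write-Host "[!] ZJISTENO NAPADENI SYSTEMU: Nalezen RAT nebo C2 aktivita!" -ForegroundColor Red
    Write-Host " DOPORUCENI: Izolujte stroj a zvazte kompletni preinstalaci systemu." -ForegroundColor Red
} else {
    Write-Host "[+] Stav systemu: Nebyly zjisteny zadne globalni hrozby (RAT/C2)." -ForegroundColor Green
}

Write-Host ""
Write-Host "Celkem skenovano projektu: $totalProjects"
Write-Host "Infikovano projektu: $global:CompromisedProjectsCount"

if ($global:CompromisedProjectsCount -gt 0) {
    Write-Host ""
    Write-Host "Seznam infikovanych projektu:" -ForegroundColor Red
    foreach ($hit in ($results | Where-Object { $_.IsCompromised })) {
        Write-Host " - $($hit.Path)" -ForegroundColor Red
    }

    # Remediation order matters: step 1 rewrites package.json and the lockfile, and
    # step 2's "npm ci" reinstalls - and runs dependency lifecycle scripts - from that
    # lockfile. Re-run this scanner after step 2 and confirm the lockfile no longer
    # references the bad version or plain-crypto-js before treating the project as clean.
    Write-Host ""
    Write-Host "Kroky k naprave u projektu:" -ForegroundColor Yellow
    Write-Host " 1. Uzamknete axios na verzi 1.14.0: npm install axios@1.14.0 --save-exact"
    Write-Host " 2. Smazte node_modules a preinstalujte: rm -r node_modules; npm ci"
    Write-Host " 3. Zmente vsechna hesla a klice pouzite v techto projektech."
} elseif (-not $global:SystemCompromised -and $totalProjects -gt 0) {
    # Only claim "all clean" when at least one project was actually scanned and the
    # host-level checks passed; zero projects found is not a clean result.
    Write-Host ""
    Write-Host "VSE CISTE! Zadne infikovane projekty nebyly nalezeny." -ForegroundColor Green
}
Write-Host "========================================================" -ForegroundColor Cyan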