CVE-2019-19781
Live Response First Steps
=========================

Some tips on how to go about running a micro-compromise assessment on Netscaler boxes, this is what I've been using:

>>> Check the root user command history: history /1

>>> Check bash log files and sort by frequency, less frequent commands at the top: cat /var/log/bash.log | grep -Eio "shell_command=.*$" | sort | uniq -c | sort -n && zcat /var/log/bash*.gz | grep -Eio "shell_command=.*$" | sort | uniq -c | sort -n /2

>>> Check logs files (mostly ns.log and httpaccess.log but no hurt in listing them all): cat /var/log/* | grep -Ei "vpns|\.pl " && zcat /var/log/*.gz | grep -Ei "vpns|\.pl " /3

>>> Check for recently modified/written XML files, sort by date, most recent ones at the bottom (1): find / -name "*.xml" -exec ls -haltr {} \; | sed 's/ */ /g' | sort -k 8 /4

>>> Check for recently modified/written XML files, since the Vuln was announced by Citrix: find / -name "*.xml" -newermt "2020-01-10" && find / -name "*.pl" -newermt "2020-01-10" && find / -name "*.py" -newermt "2020-01-10" /5

>>> Check your crontab logs: cat /var/log/cron | sed 's/ */ /g' | cut -d" " -f 10 | sort | uniq -c && zcat /var/log/cron*gz | sed 's/ */ /g' | cut -d" " -f 10 | sort | uniq -c /6

>>> Check for recently mod scripts, sort by date, most recent ones at the bottom (you should technically only see /var/ns_system_backup.pl): find / -name "*.pl" -exec ls -haltr {} \; | grep -iv "local\/lib" | sed 's/ */ /g' | sort -k 8 /7

>>> Check for suspicious running processes and their connections (1): lsof -RPni && lsof -PnP (you could further filter with grep) /8

>>> Check for suspicious running processes and their connections (2): ps auxd | grep nobody (Ref: TrustedSec Article) /9

>>> If you want a more targeted approach, grep for suspicious scripts in the logs: zgrep -Ei "newbm.pl|rmbm.pl|picktheme.pl" /var/log/*.gz /10