#!/usr/bin/env bash
#
# Navagoo IoC scanner — run this on the compromised VM as root.
#
#   sudo bash scripts/ioc_scan.sh > /root/navagoo_ioc_$(date -u +%Y%m%dT%H%M%SZ).log 2>&1
#
# READ-ONLY by default. It only reports findings; deletion/rotation must be
# done deliberately afterwards (see remediation plan).
#
# Based on the 2026-05-13 forensic analysis. Looks for:
#   1. Webshells under storage/web/source/profile/ and other upload dirs.
#   2. MySQL UDFs, general_log artifacts, suspicious events.
#   3. Attacker SSH key on every user, GCP instance metadata SSH keys.
#   4. Backdoored .git/hooks/ files.
#   5. /tmp artifacts from the attacker's UDF build attempts.

# Fail on unset variables. -e is deliberately left off: one failing check
# (missing dir, no mysql client, no gcloud) must not silence the rest of the
# scan — every section is independent and best-effort.
set -u

# Base64 body of the public key the attacker planted (no key-type prefix, no
# comment) so it matches however the line was labelled. Used with grep -F.
readonly ATTACKER_KEY="AAAAC3NzaC1lZDI1NTE5AAAAIOZW5oGeOIo+Nstk4FPF6I7Rc4tAsAPY8TxW1iZPXxug"
# Key comments the attacker used. This is a BRE alternation (GNU '\|'): it
# only works with plain grep — under grep -E the backslash makes the '|'
# literal and the pattern never matches anything.
readonly ATTACKER_IDS='neo@pentest\|def_usr@dev1'

hdr() { printf '\n=== %s ===\n' "$1"; }

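hdr "Host"
hostname
date -u
uname -a
# Most checks below (mysql socket auth, other users' authorized_keys, history
# files, /root) quietly return nothing when not root, which would read as
# "clean" in the log. Make the privilege level explicit in the output.
if [ "$(id -u)" -ne 0 ]; then
    echo "WARNING: running as uid $(id -u), not root — several checks will be incomplete"
else
    echo "running as root"
fi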

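hdr "1. Webshells in upload dirs (PHP/PHAR/SH/TXT under storage)"
for root in /var/www/html/prod /var/www/html/qc /var/www/html/beta; do
    [ -d "$root" ] || continue
    echo "-- $root --"
    # -iname: handler matching is frequently case-insensitive, so shell.PhP is
    # as live as shell.php. .htaccess / .user.ini are flagged because a dropped
    # one can re-enable script execution inside an otherwise inert upload dir.
    # Each hit is printed with mtime and size and sorted by mtime so it can be
    # placed on the incident timeline.
    find "$root/storage/web/source" \
         "$root/storage/web/uploads" \
         -type f \
         \( -iname '*.php' -o -iname '*.phar' -o -iname '*.phtml' \
            -o -iname '*.php5' -o -iname '*.php7' -o -iname '*.pht' \
            -o -iname '*.sh' -o -iname '*.pl' -o -iname '*.py' \
            -o -name '.htaccess' -o -name '.user.ini' \) \
         -printf '%TY-%Tm-%Td %TH:%TM %8s %p\n' \
         2>/dev/null | sort
    echo
    # The attacker base64-encoded the UDF .so into a .txt — flag any txt > 5 KB.
    find "$root/storage/web/source" -type f -iname '*.txt' -size +5k \
         -printf '%TY-%Tm-%Td %TH:%TM %8s %p\n' \
         2>/dev/null | sort
done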

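hdr "2. MySQL artifacts (run as root for password-less socket auth, else set MYSQL_PWD)"
# All statements are read-only. A UDF loaded with CREATE FUNCTION ... SONAME
# is registered in mysql.func — NOT in mysql.plugin, and NOT in
# information_schema.ROUTINES (that view only lists stored procedures and
# functions) — so mysql.func is the authoritative check for sys_exec & co.
# --force keeps going past a failing statement so one missing table does not
# hide the rest of the output.
mysql --batch -N --force -e "
    SELECT '--- mysql.func (loaded UDFs: name, ret, .so) ---';
    SELECT * FROM mysql.func;
    SELECT '--- mysql.plugin ---';
    SELECT * FROM mysql.plugin;
    SELECT '--- general_log status ---';
    SHOW GLOBAL VARIABLES LIKE 'general_log%';
    SELECT '--- event_scheduler ---';
    SHOW GLOBAL VARIABLES LIKE 'event_scheduler';
    SELECT '--- scheduled events ---';
    SELECT EVENT_SCHEMA, EVENT_NAME, DEFINER, EVENT_DEFINITION
      FROM information_schema.EVENTS;
    SELECT '--- UDF-like stored routines ---';
    SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER
      FROM information_schema.ROUTINES
      WHERE ROUTINE_NAME RLIKE 'sys_exec|udf|cmd|shell|exec';
    SELECT '--- accounts holding FILE or SUPER (what dropping a UDF .so needs) ---';
    SELECT User, Host, File_priv, Super_priv FROM mysql.user;
    SELECT '--- secure_file_priv / plugin_dir ---';
    SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
    SHOW GLOBAL VARIABLES LIKE 'plugin_dir';
" 2>&1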

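hdr "3. Suspicious files at known attacker paths"
for f in \
    /tmp/sys_exec.so /tmp/udf.so /tmp/udf.c /tmp/mysql_test.txt \
    /tmp/chargeWithSavedCard.zip /tmp/createPaymentIntention.zip \
    /var/lib/mysql/rce.php \
    /var/lib/mysql-files/sys_exec.so \
    /var/www/html/prod/rce.php; do
    if [ -e "$f" ]; then
        echo "PRESENT  $f"
        ls -la -- "$f" 2>/dev/null
    fi
done
# /tmp/gcf1_* staging files. find rather than a shell glob: an unmatched
# glob would otherwise be passed to ls as a literal name.
find /tmp -maxdepth 1 -name 'gcf1_*' -exec ls -lad -- {} + 2>/dev/null
# Broader sweep of the world-writable scratch dirs: anything written there
# since the day before the attack window. Catches renamed copies of the build
# artifacts that the literal list above would miss. Read-only.
echo "-- files in /tmp /var/tmp /dev/shm modified since 2026-05-12 --"
find /tmp /var/tmp /dev/shm -xdev -type f -newermt 2026-05-12 \
     -printf '%TY-%Tm-%Td %TH:%TM %8s %u %p\n' 2>/dev/null | sort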

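hdr "4. plugin_dir contents"
# Ask the server where it actually loads plugins from (plugin_dir can be
# overridden in my.cnf); the fixed list is the fallback when mysql is
# unreachable. The trailing slash mysql reports is stripped so the dedup
# against the fixed entries works.
live_plugin_dir=$(mysql --batch -N -e "SELECT @@GLOBAL.plugin_dir" 2>/dev/null || true)
live_plugin_dir=${live_plugin_dir%/}
declare -A seen_plugin_dir=()
for d in "$live_plugin_dir" /usr/lib/mysql/plugin /usr/local/lib/mysql/plugin /opt/mysql/plugin; do
    [ -n "$d" ] && [ -d "$d" ] || continue
    [ -n "${seen_plugin_dir[$d]:-}" ] && continue
    seen_plugin_dir[$d]=1
    echo "-- $d --"
    ls -la -- "$d"
    # A .so dropped here during the attack window is the prime suspect.
    echo "   modified since 2026-05-12:"
    find "$d" -maxdepth 1 -type f -newermt 2026-05-12 2>/dev/null
done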

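hdr "5. authorized_keys per user — looking for $ATTACKER_IDS and known key"
# sshd may read keys from a non-default AuthorizedKeysFile; show the effective
# setting so a key planted elsewhere is not overlooked.
if command -v sshd >/dev/null 2>&1; then
    sshd -T 2>/dev/null | grep -i '^authorizedkeysfile' \
        || echo "(sshd -T unavailable; assuming ~/.ssh/authorized_keys)"
fi
# Home directories come from /etc/passwd as well as /root and /home/*: system
# accounts such as mysql live under /var/lib, and an attacker acting through
# the DB server lands there, not in /home.
homes=$( { printf '%s\n' /root /home/*; awk -F: '$6 != "" {print $6}' /etc/passwd; } | sort -u )
while IFS= read -r h; do
    for f in "$h/.ssh/authorized_keys" "$h/.ssh/authorized_keys2"; do
        [ -r "$f" ] || continue
        echo "-- $f --"
        # ATTACKER_IDS is a BRE alternation ('\|'), so it must be used with
        # plain grep: under grep -E the backslash makes '|' literal and the
        # "ID MATCH" branch can never fire.
        if grep -- "$ATTACKER_IDS" "$f" 2>/dev/null; then
            echo "    >> ATTACKER ID MATCH"
        fi
        if grep -F -- "$ATTACKER_KEY" "$f" 2>/dev/null; then
            echo "    >> ATTACKER PUBLIC KEY MATCH"
        fi
        cat -- "$f"
    done
done <<< "$homes"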

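hdr "6. GCP instance metadata SSH keys"
# Keys can be pushed at instance level OR project level: project-wide
# ssh-keys apply to every VM in the project unless the instance sets
# block-project-ssh-keys=TRUE, so an attacker with project metadata access
# gets in without touching this instance's metadata. Check both, and report
# the OS Login / block flags that decide which of them sshd honours.
if command -v gcloud >/dev/null 2>&1; then
    echo "-- instance metadata (navagoo, us-central1-a) --"
    gcloud compute instances describe navagoo \
        --zone=us-central1-a \
        --format='value(metadata.items)' 2>&1 \
        | tr ';' '\n' | grep -iE 'ssh-keys|block-project-ssh-keys|enable-oslogin' \
        || echo "no instance ssh-keys"
    echo "-- project metadata --"
    gcloud compute project-info describe \
        --format='value(commonInstanceMetadata.items)' 2>&1 \
        | tr ';' '\n' | grep -iE 'ssh-keys|enable-oslogin' \
        || echo "no project ssh-keys"
else
    # Fall back to the metadata service directly (only reachable from inside
    # the VM). A 404 means the attribute is simply unset.
    md_base=http://metadata.google.internal/computeMetadata/v1
    for attr in instance/attributes/ssh-keys \
                instance/attributes/block-project-ssh-keys \
                instance/attributes/enable-oslogin \
                project/attributes/ssh-keys \
                project/attributes/enable-oslogin; do
        echo "-- $attr --"
        curl -fsS -H 'Metadata-Flavor: Google' "$md_base/$attr" 2>/dev/null \
            || echo "(unset, or metadata service unreachable)"
        echo
    done
fi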

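hdr "7. Backdoored .git/hooks (anything that is not *.sample)"
for r in /var/www/html/prod /var/www/html/qc /var/www/html/beta; do
    [ -d "$r/.git" ] || continue
    # core.hooksPath redirects git to a different hooks dir, so a backdoor can
    # sit there while .git/hooks looks clean. safe.directory='*' is needed
    # because we run as root over a repo owned by the web user, which newer
    # git otherwise refuses to read ("dubious ownership").
    if hp=$(git -c safe.directory='*' -C "$r" config --get core.hooksPath 2>/dev/null) \
       && [ -n "$hp" ]; then
        echo "!! $r: core.hooksPath=$hp — inspect that directory too"
    fi
    [ -d "$r/.git/hooks" ] || continue
    echo "-- $r/.git/hooks --"
    # Symlinks are included: a hook pointing at a script elsewhere is still a hook.
    find "$r/.git/hooks" -maxdepth 1 \( -type f -o -type l \) ! -name '*.sample' \
         -printf '%TY-%Tm-%Td %TH:%TM %M %p\n'
done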

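hdr "8. SUID/SGID files modified since attack window (2026-05-13)"
# -perm /6000 = SUID or SGID (the original only caught SUID). /var, /tmp,
# /home and /srv are included because a dropped privilege-escalation helper
# does not have to live in a system bin dir. -newermt 2026-05-12 gives a
# one-day margin before the observed attack date.
find /usr /bin /sbin /opt /var /tmp /home /srv -xdev -type f -perm /6000 \
     -newermt 2026-05-12 \
     -printf '%TY-%Tm-%Td %TH:%TM %M %u:%g %p\n' 2>/dev/null | sort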

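hdr "9. Apache/nginx access log lines targeting upload endpoint"
req_pat='/storage/web/source/profile/.*\.(php|txt|phar|sh)|cmd=|/rce\.php'
for log in /var/log/apache2/access.log /var/log/apache2/other_vhosts_access.log \
           /var/log/nginx/access.log; do
    # Rotated copies (access.log.1, access.log.2.gz, ...) are included: the
    # initial upload may pre-date the current log file. zgrep reads both
    # plain and gzipped files. The total count is printed so that the
    # "last 50" truncation cannot hide how much activity there was.
    for f in "$log" "$log".*; do
        [ -r "$f" ] || continue
        n=$(zgrep -c -E -- "$req_pat" "$f" 2>/dev/null)
        case "$n" in ''|*[!0-9]*) n=0 ;; esac
        echo "-- $f: $n matching line(s); last 50 shown --"
        if [ "$n" -gt 0 ]; then
            zgrep -E -- "$req_pat" "$f" 2>/dev/null | tail -50
        fi
    done
done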

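hdr "10. .bash_history / .mysql_history for attacker traces"
# One pattern, used for both the presence test and the numbered dump, so the
# two can never drift apart.
hist_pat='sys_exec|/storage/web/source|UDF|metadata\.google|setMetadata|neo@pentest'
# Home directories come from /etc/passwd as well as /root and /home/*: the
# mysql account's home is /var/lib/mysql, not /home, and an attacker working
# through the DB server leaves history there.
{ printf '%s\n' /root /home/*; awk -F: '$6 != "" {print $6}' /etc/passwd; } | sort -u |
while IFS= read -r u; do
    for h in .bash_history .mysql_history .zsh_history .sh_history; do
        f="$u/$h"
        [ -r "$f" ] || continue
        if grep -qE -- "$hist_pat" "$f" 2>/dev/null; then
            echo "-- $f --"
            grep -nE -- "$hist_pat" "$f"
        fi
    done
done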

hdr "Done"
# Closing guidance for whoever reads the log; the scanner itself changes nothing.
printf '%s\n' \
    "Review the output. Anything above marked 'PRESENT' or 'MATCH' is a confirmed IoC." \
    "Next steps: rotate creds, delete webshells, kill plugin entries, expire all sessions."
