Sunday, March 31, 2019

VirusTotal .. security community .. Analyze out-of-date! .. 2nd test

Unfortunately the VirusTotal people get annoyed if you keep hitting them while going through their result reports .. XD .. they locked me out of their service and buried me in reCAPTCHAs after a few analyses .. around 500 URLs XD ..
  { "error": { "code": "RecaptchaRequiredError", "message": "Please re-send request with a valid reCAPTCHA response in the \"x-recaptcha-response\" header" } }

For that reason I only ask to see the VT results for the URLs that have positives; that loses the ones flagged as suspicious, which do not show up as positives .. :C
.. such as:
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: s0.wp.com
    Date: 2019-03-25    "detection-ratio">0/66<
 2019-03-25  3 days elapsed since the last analysis
                  "CLEAN MX":
>                     "result": "suspicious"
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: secure.gravatar.com
    Date: 2019-03-27    "detection-ratio">0/66<
 2019-03-27  1 day elapsed since the last analysis
                  "Quttera":
>                     "result": "suspicious"
 = = = = = = = = = = = = = = = = = = = = = = = = =
I also decided to keep a buffer of the most recently analyzed URLs, to lower the number of requests sent to VT and avoid being denied service.
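An added example, not the post's own script, of the two pieces that sentence describes: turning Privoxy "Request:" lines into a de-duplicated host list, and a "recently checked" cache keyed by date rather than by file size, so a host is sent to VT again only after a chosen number of days. The log lines, the cache file name and the allow-list patterns are constructed for the example; the allow-list patterns are anchored with `$`, which is an addition (an unanchored `\.google\.com` also matches `www.google.com.evil.net`).

```powershell
# Added example (not the post's script): Privoxy "Request:" lines -> host list -> date-aware cache.
# Sample log lines, cache path and allow-list below are constructed for the example.

# Anchored: "\.google\.com$" matches "www.google.com" but not "www.google.com.evil.net"
$AllowList = @('\.google\.com$', '\.googleapis\.com$', '\.gstatic\.com$', '\.virustotal\.com$')

function Get-PrivoxyHosts {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string[]]$Exclude = @()
    )
    $found = foreach ($line in $LogLines) {
        # Only requests that went through Privoxy carry "Request:"; the target follows it and
        # looks like "host:443/" (CONNECT) or "host/path" (plain HTTP).
        if ($line -match 'Request:\s+(?<target>\S+)') {
            $t = $Matches.target
            $t = $t -replace '/.*$', ''     # drop the path
            $t = $t -replace ':\d+$', ''    # drop the port
            $t.ToLowerInvariant()
        }
    }
    $found | Sort-Object -Unique | Where-Object {
        $h = $_
        -not ($Exclude | Where-Object { $h -match $_ })
    }
}

function Read-HostCache {
    param([Parameter(Mandatory)][string]$CachePath)
    # Cache file is a JSON object: { "host": "<ISO-8601 time of the last VT check>", ... }
    $cache = @{}
    if (Test-Path $CachePath) {
        $raw = Get-Content $CachePath -Raw
        if ($raw) {
            foreach ($p in ($raw | ConvertFrom-Json).PSObject.Properties) {
                $cache[$p.Name] = [datetime]$p.Value
            }
        }
    }
    $cache
}

function Get-HostsToCheck {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Hosts,
        [Parameter(Mandatory)][string]$CachePath,
        [int]$MaxAgeDays = 7
    )
    $cache  = Read-HostCache -CachePath $CachePath
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # Keep hosts never checked, or checked more than MaxAgeDays ago
    $Hosts | Where-Object { -not $cache.ContainsKey($_) -or $cache[$_] -lt $cutoff }
}

function Update-HostCache {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$CheckedHosts,
        [Parameter(Mandatory)][string]$CachePath,
        [int]$KeepDays = 30
    )
    $cache = Read-HostCache -CachePath $CachePath
    $now   = Get-Date
    foreach ($h in $CheckedHosts) { $cache[$h] = $now }
    # Expire entries by age, not by file size: a busy day cannot push fresh entries out
    $keep = @{}
    foreach ($k in $cache.Keys) {
        if ($cache[$k] -gt $now.AddDays(-$KeepDays)) { $keep[$k] = $cache[$k].ToString('o') }
    }
    $keep | ConvertTo-Json | Set-Content $CachePath
}

# Constructed sample in Privoxy's log layout (date time thread-id message); not a real log
$sampleLog = @(
    '2019-03-31 10:15:02.123 00001c40 Request: www.example.com:443/',
    '2019-03-31 10:15:03.456 00001c41 Request: cdn.example.net/assets/app.js',
    '2019-03-31 10:15:04.789 00001c42 Crunch: Blocked: ads.example.org/',
    '2019-03-31 10:15:05.001 00001c43 Request: www.google.com:443/',
    '2019-03-31 10:15:06.002 00001c44 Request: WWW.example.com/index.html'
)
$cachePath = Join-Path $env:TEMP 'vt-host-cache.json'
$hosts   = @(Get-PrivoxyHosts -LogLines $sampleLog -Exclude $AllowList)
$toCheck = @(Get-HostsToCheck -Hosts $hosts -CachePath $cachePath -MaxAgeDays 7)
"Hosts to send to VT: $($toCheck -join ', ')"
# ... query VT for $toCheck here, then record them so the next run skips them for 7 days
Update-HostCache -CheckedHosts $toCheck -CachePath $cachePath
```

Run twice: the first run lists `cdn.example.net` and `www.example.com` (the blocked line is ignored, the Google host is on the allow-list and the two `www.example.com` requests collapse into one, case-insensitively); the second run within seven days lists nothing, because both hosts are now in the cache.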
Below the dotted line is how the fix turned out, applied to the Privoxy log (see the earlier posts on it) ..::
#----------------------------------------------------------------------
# Run PowerShell in the Privoxy-log folder
#----------------------------------------------------------------------
# Take the last 100 lines of "privoxy.log", keep only the "Request:" lines (the ones that went through Privoxy),
# reduce each one to its host name and drop known-safe hosts
$urlss = @("\.google\.com", "\.googlevideo\.com", "\.googleapis\.com", "\.gstatic\.com", "\.youtube\.com", "\.virustotal\.com", "myip\.es", "\.yimg\.com")
Get-Content "privoxy.log" | Select-Object -Last 100 | Select-String -Pattern "Request:" | Foreach-Object {$_ -Replace('.+ Request: ', '')} | Foreach-Object {$_ -Replace('\/+.+$', '')} | Foreach-Object {$_ -Replace(':\d+\/?$', '')} | Foreach-Object {$_ -Replace('\/$', '')} | Sort-Object -Unique | Select-String -notmatch $urlss | set-content "privoxy100.tmp"
#
# Privoxy-VT-Buffer section .. (1 of 2)
# make sure "Privoxy-VT-Buffer.log" exists; create it if it does not
if (!(Test-Path "Privoxy-VT-Buffer.log")) { New-Item "Privoxy-VT-Buffer.log" | Out-Null }
# discard recently analyzed hosts by checking "Privoxy-VT-Buffer.log"
# (each buffered host is regex-escaped and anchored, so "disqus.com" does not also hide "lee-algarabia.disqus.com")
$AR = Get-Content "Privoxy-VT-Buffer.log" | ? {$_.trim() -ne "" } | Sort-Object -Unique | Foreach-Object { '^' + [regex]::Escape($_) + '$' }
# Select-String rejects an empty pattern list, so only filter when the buffer has entries
if ($AR) { (Get-Content "privoxy100.tmp" -ErrorAction SilentlyContinue ) | Select-String -notmatch $AR | Foreach-Object { $_.Line } | Out-File "privoxy100.tmp" }
#
# show the engines that flagged the URL: follows the "view last analysis" link saved in a result-*.tmp file
function Show-VTDetections ($resultFile) {
$VTVerA = get-content $resultFile | select-string -Pattern 'btn-url-view-last-analysis' | Foreach-Object {$_ -Replace('^.+href=..es.url.','ui/urls/')} | Foreach-Object {$_ -Replace('\/analysis.+$','?relationships=last_serving_ip_address,network_location') }
if (!$VTVerA) { return }
$UriVerA = "https://www.virustotal.com/" + $VTVerA
$web = Invoke-WebRequest -Proxy 'http://127.0.0.1:8118' -Uri $UriVerA
# [abd-tvz] skips the "clean" and "unrated" verdicts; -Context 6,0 keeps the engine name printed above each hit
$web.Content -split "[`r`n]" | select-string -Pattern '.result.: .[abd-tvz].+' -Context 6,0 | Set-Content "vt-vanalisis.tmp"
get-content "vt-vanalisis.tmp" -ErrorAction SilentlyContinue | Where-Object {$_ -notmatch 'category'} | Where-Object {$_ -notmatch 'engine_'} | Where-Object {$_ -notmatch 'method'} | Foreach-Object {$_ -Replace('{$','') } | Write-Host
}
#
# if-else so there is no error when "privoxy100.tmp" was not produced
if ( Test-Path "privoxy100.tmp" ) {
#
# Analyzing them on "VirusTotal"
$URLList = Get-Content "privoxy100.tmp" | ? {$_.trim() -ne "" }
Foreach($Urll in $URLList)
{
# Delete .tmp temporaries
Remove-Item "result-vt.tmp", "resultN-vt.tmp", "vt-vanalisis.tmp" -ErrorAction SilentlyContinue
#
Write-Host " = = = = = = = = = = = = = = = = = = = = = = = = = "
$counter = 1
# up to two attempts; the request goes out through Privoxy itself (127.0.0.1:8118)
while (($counter -lt 3) -and !(Test-Path "result-vt.tmp")) {
#
$Uri = "https://www.virustotal.com/es/url/submission/?force=1&url=" + $Urll
try {
$web = Invoke-WebRequest -Proxy 'http://127.0.0.1:8118' -Uri $Uri
# keep only the lines carrying the analysis date, the detection ratio and the two action buttons
$lines = @(".+last-analysis-date..\d+", "detection-ratio..\d+", ".+btn-url-reanalyse.", ".+btn-url-view-last-analysis.")
$web.Content -split "[`r`n]" | select-string -Pattern $lines | Foreach-Object {$_ -Replace('^.+id=','')} | Foreach-Object {$_ -Replace('\/span.+$','')} | Set-Content "result-vt.tmp"
} catch { Write-Host " VT request failed: $($_.Exception.Message)" }
Start-Sleep -Seconds 4
$counter++
}
if (!(Test-Path "result-vt.tmp")) { Write-Host " Url: $Urll  no answer from VT"; continue }
# VT detection-ratio
$dr = get-content "result-vt.tmp" | select-string -Pattern '.detection-ratio..\d+'
# reading the analysis date
$VTdate = get-content "result-vt.tmp" | select-string -Pattern 'last-analysis-date' | Foreach-Object {$_ -Replace('^.+date..','')} | Foreach-Object {$_ -Replace('\s\d+\:\d+\:\d+.$','')}
# a page without a date is one VT has never analyzed; skip it instead of failing inside New-TimeSpan
if (!$VTdate) { Write-Host " Url: $Urll  no previous analysis on VT"; continue }
$Newdate = Get-Date -format yyyy-MM-dd
$VTdays = (New-TimeSpan -Start $VTdate -End $Newdate).Days
Write-Host " Url: $Urll "
Write-Host "    Date: $VTdate    $dr"
Write-Host " $VTdate  $VTdays days elapsed since the last analysis"
#
#  if the analysis is older than 120 days ask for a re-analysis; otherwise only the results are shown
if ($VTdays -gt 120) {
# old analysis: re-analyzing
Write-Host " Analysis is more than 4 months old; asking VT to re-analyze "
$VTreanalizar = get-content "result-vt.tmp" | select-string -Pattern '^.btn-url-reanalyse.' | Foreach-Object {$_ -Replace('^.+href=..','')} | Foreach-Object {$_ -Replace('..$','')}
$Urir = "https://www.virustotal.com/" + $VTreanalizar
Invoke-WebRequest -Proxy 'http://127.0.0.1:8118' -Uri $Urir | Out-Null
# give VT a moment before re-reading the page
Start-Sleep -Seconds 6
# read the new results
$web = Invoke-WebRequest -Proxy 'http://127.0.0.1:8118' -Uri $Uri
$lines = @(".+last-analysis-date..\d+", "detection-ratio..\d+", ".+btn-url-view-last-analysis.")
$web.Content -split "[`r`n]" | select-string -Pattern $lines | Foreach-Object {$_ -Replace('^.+id=','')} | Foreach-Object {$_ -Replace('\/span.+$','')} | Set-Content "resultN-vt.tmp"
#
# wait, rechecking every 2 seconds, until the file appears or the count runs out
$counter = 0
while (($counter -lt 4) -and !(Test-Path "resultN-vt.tmp")) {
$counter++
start-sleep 2 }
#
# VT detection-ratio
$Ndr = get-content "resultN-vt.tmp" | select-string -Pattern '.detection-ratio..\d+'
$VTdate = get-content "resultN-vt.tmp" | select-string -Pattern 'last-analysis-date' | Foreach-Object {$_ -Replace('^.+date..','')} | Foreach-Object {$_ -Replace('\s\d+\:\d+\:\d+.$','')}
Write-Host "    Date: $VTdate    $Ndr"
#
# "reading the analysis; detections . . . . . . . . . . . . "
# the positives count is compared as a number, not as a string
$Ndrr = 0
if ($Ndr) { $Ndrr = [int]($Ndr | Foreach-Object {$_ -Replace('^.+detection-ratio..','')} | Foreach-Object {$_ -Replace('\/.+$','')}) }
if ($Ndrr -gt 0) { Show-VTDetections "resultN-vt.tmp" }
}
else {
# "reading the analysis; detections . . . . . . . . . . . . "
$drr = 0
if ($dr) { $drr = [int]($dr | Foreach-Object {$_ -Replace('^.+detection-ratio..','')} | Foreach-Object {$_ -Replace('\/.+$','')}) }
if ($drr -gt 0) { Show-VTDetections "result-vt.tmp" }
}
Write-Host " = = = = = = = = = = = = = = = = = = = = = = = = = "
}
# Privoxy-VT-Buffer section .. (2 of 2)
# if "Privoxy-VT-Buffer.log" grows past 2 KB, drop its first 5 lines until it is below 2 KB again
# 2 KB is roughly 50 lines
while ((Get-Item "Privoxy-VT-Buffer.log").Length -gt 2KB -and @(Get-Content "Privoxy-VT-Buffer.log").Count -gt 5) {
(Get-Content "Privoxy-VT-Buffer.log") | Select-Object -Skip 5 | set-content "Privoxy-VT-Buffer.log" }
# append the freshly analyzed hosts to "Privoxy-VT-Buffer.log" (piping copes with an empty privoxy100.tmp)
Get-Content "privoxy100.tmp" | ? {$_.trim() -ne "" } | Add-Content "Privoxy-VT-Buffer.log"
(Get-Content "Privoxy-VT-Buffer.log") | ? {$_.trim() -ne "" } | Out-File "Privoxy-VT-Buffer.log"
}
else {
# if-else so there is no error when "privoxy100.tmp" was not produced
Write-Host ' Log unchanged '
}
#
# - - -
# Positive results: add them to the "privoxy" block list
#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Delete .tmp temporaries
Remove-Item *.tmp -ErrorAction SilentlyContinue
# Clear variables
Clear-variable -Name "Ipp", "IP", "Uri", "web", "Urii", "webb", "Urll", "URLList", "results", "VTList", "dt", "drr", "dr", "AR" -ErrorAction SilentlyContinue
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The image below shows what the results look like.

More results below ..::
= = = = = = = = = = = = = = = = = = = = = = = = =
 Url: algarabia.com
    Date: 2018-10-08    "detection-ratio">0/67<
 2018-10-08  174 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: c.disquscdn.com
    Date: 2019-03-22    "detection-ratio">1/69<
 2019-03-22  9 days elapsed since the last analysis
                  "CRDF":
>                     "result": "malicious"
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: s.ytimg.com
    Date: 2019-03-29    "detection-ratio">1/66<
 2019-03-29  2 days elapsed since the last analysis
                  "AutoShun":
>                     "result": "malicious"
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: cocinaycomparte.com
    Date: 2018-11-28    "detection-ratio">0/66<
 2018-11-28  123 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: d19df3uvvqx3w2.cloudfront.net
    Date: 2019-03-27    "detection-ratio">0/66<
 2019-03-27  4 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: disqus.com
    Date: 2019-03-28    "detection-ratio">0/66<
 2019-03-28  3 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: graphql.api.dailymotion.com
    Date: 2019-03-08    "detection-ratio">0/66<
 2019-03-08  23 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: lee-algarabia.disqus.com
    Date: 2019-03-27    "detection-ratio">0/66<
 2019-03-27  4 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: proxy-13.sv6.dailymotion.com
    Date: 2018-12-19    "detection-ratio">0/66<
 2018-12-19  102 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: s1-ssl.dmcdn.net
    Date: 2019-03-11    "detection-ratio">0/66<
 2019-03-11  20 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: s2-ssl.dmcdn.net
    Date: 2019-03-08    "detection-ratio">0/66<
 2019-03-08  23 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: static1.dmcdn.net
    Date: 2019-03-14    "detection-ratio">0/66<
 2019-03-14  17 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: static2-ssl.dmcdn.net
    Date: 2019-03-08    "detection-ratio">0/66<
 2019-03-08  23 days elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: www.abcradio.com.mx
    Date: 2018-01-08    "detection-ratio">0/66<
 2018-01-08  447 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: www.dailymotion.com
    Date: 2019-03-30    "detection-ratio">0/66<
 2019-03-30  1 day elapsed since the last analysis
 = = = = = = = = = = = = = = = = = = = = = = = = =
 = = = = = = = = = = = = = = = = = = = = = = = = =
 Url: cdn.hobbyconsolas.com
    Date: 2018-01-10    "detection-ratio">0/66<
 2018-01-10  445 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
 = = = = = = = = = = = = = = = = = = = = = = = = =
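An added example, not the post's code, of the same check (age of the last analysis, detection ratio, engines that flagged the URL, re-analysis when the report is older than 120 days) done through VirusTotal's documented v3 REST API instead of scraping the `/es/url/submission/` and `/ui/urls/` pages. The `RecaptchaRequiredError` above is the website's anti-automation; the API answers rate-limit problems with HTTP 429 quota errors instead, and its `last_analysis_stats` carries a `suspicious` count, so the verdicts the scrape lost on 0/66 URLs are visible again. Assumptions: the API key is in `$env:VT_API_KEY`, and the JSON report is a constructed sample in the shape of a `GET /api/v3/urls/{id}` response. The public API quota is 4 requests per minute and 500 per day, which is why the live loop sleeps 15 seconds between hosts.

```powershell
# Added example (not the post's code): VirusTotal v3 API instead of page scraping.
# Assumes $env:VT_API_KEY holds a key; the sample report below is constructed.

$VTBase = 'https://www.virustotal.com/api/v3'

function Get-VTUrlId {
    param([Parameter(Mandatory)][string]$Url)
    # v3 addresses a URL by the unpadded base64url encoding of the URL string
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Url))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-VTUrlReport {
    param(
        [Parameter(Mandatory)]$Report,                     # parsed JSON of GET /urls/{id}
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $a = $Report.data.attributes
    $s = $a.last_analysis_stats
    $date  = [DateTimeOffset]::FromUnixTimeSeconds([long]$a.last_analysis_date).UtcDateTime
    $total = $s.harmless + $s.malicious + $s.suspicious + $s.undetected + $s.timeout
    # Engines whose category is malicious OR suspicious; the scrape only looked at positives
    $flagged = foreach ($p in $a.last_analysis_results.PSObject.Properties) {
        if ($p.Value.category -in 'malicious', 'suspicious') {
            [pscustomobject]@{ Engine = $p.Name; Result = $p.Value.result }
        }
    }
    [pscustomobject]@{
        Url        = $a.url
        Date       = $date.ToString('yyyy-MM-dd')
        AgeDays    = [int][math]::Floor(($Now - $date).TotalDays)
        Ratio      = "$($s.malicious)/$total"
        Suspicious = [int]$s.suspicious
        Flagged    = @($flagged)
    }
}

function Get-VTUrlReport {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ApiKey,
        [int]$ReanalyzeAfterDays = 120
    )
    $headers = @{ 'x-apikey' = $ApiKey }
    $id = Get-VTUrlId -Url $Url
    try {
        $raw = Invoke-RestMethod -Method Get -Uri "$VTBase/urls/$id" -Headers $headers
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
            # VT has never seen this URL: submit it so a report exists on the next run
            Invoke-RestMethod -Method Post -Uri "$VTBase/urls" -Headers $headers -Body @{ url = $Url } | Out-Null
            return $null
        }
        throw    # 401 (bad key), 429 (quota) and network errors are not silently swallowed
    }
    $report = ConvertFrom-VTUrlReport -Report $raw
    if ($report.AgeDays -gt $ReanalyzeAfterDays) {
        # Same rule as the post: older than ~4 months, ask for a fresh analysis
        Invoke-RestMethod -Method Post -Uri "$VTBase/urls/$id/analyse" -Headers $headers | Out-Null
    }
    $report
}

function Format-VTReport {
    param([Parameter(Mandatory)]$Report)
    " Url: $($Report.Url)"
    "    Date: $($Report.Date)    detection-ratio $($Report.Ratio)    suspicious: $($Report.Suspicious)"
    " $($Report.Date)  $($Report.AgeDays) days elapsed since the last analysis"
    foreach ($f in $Report.Flagged) { "                  $($f.Engine): $($f.Result)" }
}

# Constructed sample shaped like a v3 GET /urls/{id} response (host and verdicts are invented)
$sampleJson = @'
{ "data": { "type": "url", "id": "x", "attributes": {
    "url": "http://cdn.example.net/",
    "last_analysis_date": 1553212800,
    "last_analysis_stats": { "harmless": 60, "malicious": 1, "suspicious": 1, "undetected": 4, "timeout": 0 },
    "last_analysis_results": {
      "CRDF":    { "category": "malicious",  "result": "malicious",  "method": "blacklist", "engine_name": "CRDF" },
      "Quttera": { "category": "suspicious", "result": "suspicious", "method": "blacklist", "engine_name": "Quttera" },
      "Sophos":  { "category": "harmless",   "result": "clean",      "method": "blacklist", "engine_name": "Sophos" }
    } } } }
'@
$asOf   = [datetime]::new(2019, 3, 31, 0, 0, 0, [DateTimeKind]::Utc)
$report = ConvertFrom-VTUrlReport -Report ($sampleJson | ConvertFrom-Json) -Now $asOf
Format-VTReport -Report $report

# Live lookups only when a key is present; public quota is 4 requests/minute, hence the pause
if ($env:VT_API_KEY) {
    foreach ($h in 'cdn.example.net', 'www.example.com') {
        $r = Get-VTUrlReport -Url "http://$h/" -ApiKey $env:VT_API_KEY
        if ($r) { Format-VTReport -Report $r }
        Start-Sleep -Seconds 15
    }
}
```

The sample report parses to an analysis date of 2019-03-22 (epoch 1553212800), 9 days before the chosen "now", a 1/66 ratio and two listed engines, CRDF and Quttera, the second of which the post's positives-only path would never have shown. The calls do not go through Privoxy; add `-Proxy 'http://127.0.0.1:8118'` to the `Invoke-RestMethod` calls if the traffic has to pass through it as in the post.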
The VT check section can be carried over to other utilities; below, results with "Netstat" ..::
 - - - - - - - - - - - - - - - - - - - - -
IP address:  104.25.12.30
PTR record:
Organization:  Cloudflare
ISP:  Cloudflare
City:
Country:  United States
State:
 Url: 104.25.12.30
    Date: 2018-11-14    "detection-ratio">0/66<
 2018-11-14  137 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
C:\Users\xxxxx\ProgramasPortab\privoxy.exe
 . . . . . . . netstat  . . . . . . .
  Proto  Local Address            Foreign Address         State            PID
  TCP    192.168.0.109:8641     104.25.12.30:443       ESTABLISHED     5200
  TCP    192.168.0.109:8642     104.25.12.30:443       ESTABLISHED     5200
  TCP    192.168.0.109:8651     104.25.12.30:443       ESTABLISHED     5200
 - - - - - - - - - - - - - - - - - - - - -
 - - - - - - - - - - - - - - - - - - - - -
IP address:  172.217.11.78
PTR record:  lax17s34-in-f14.1e100.net
Organization:  Google
ISP:  Google
City:
Country:  United States
State:
 Url: 172.217.11.78
    Date: 2019-02-25    "detection-ratio">0/66<
 2019-02-25  34 days elapsed since the last analysis
C:\Users\xxxxx\ProgramasPortab\privoxy.exe
 . . . . . . . netstat  . . . . . . .
  Proto  Local Address            Foreign Address         State            PID
  TCP    192.168.0.109:8677     172.217.11.78:443      ESTABLISHED     5200
 - - - - - - - - - - - - - - - - - - - - -
 - - - - - - - - - - - - - - - - - - - - -
IP address:  178.154.131.216
PTR record:  static.yandex.net
Organization:  YANDEX LLC
ISP:  YANDEX LLC
City:
Country:  Russia
State:
 Url: 178.154.131.216
    Date: 2019-01-23    "detection-ratio">0/66<
 2019-01-23  67 days elapsed since the last analysis
C:\Users\xxxxx\ProgramasPortab\privoxy.exe
 . . . . . . . netstat  . . . . . . .
  Proto  Local Address            Foreign Address         State            PID
  TCP    192.168.0.109:8658     178.154.131.216:443    ESTABLISHED     5200
 - - - - - - - - - - - - - - - - - - - - -
 - - - - - - - - - - - - - - - - - - - - -
IP address:  2.18.175.181
PTR record:  a2-18-175-181.deploy.static.akamaitechnologies.com
Organization:  Akamai Technologies
ISP:  Akamai Technologies
City:
Country:
State:
 Url: 2.18.175.181
    Date: 2018-02-23    "detection-ratio">0/67<
 2018-02-23  401 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
C:\Users\xxxxx\ProgramasPortab\privoxy.exe
 . . . . . . . netstat  . . . . . . .
  Proto  Local Address            Foreign Address         State            PID
  TCP    192.168.0.109:8682     2.18.175.181:80        ESTABLISHED     5200
  TCP    192.168.0.109:8684     2.18.175.181:443       ESTABLISHED     5200
 - - - - - - - - - - - - - - - - - - - - -
 - - - - - - - - - - - - - - - - - - - - -
IP address:  205.185.208.52
PTR record:  vip052.ssl.hwcdn.net
Organization:  Highwinds Network Group
ISP:  Highwinds Network Group
City:  Phoenix
Country:  United States
State:  Arizona
 Url: 205.185.208.52
    Date: 2019-03-13    "detection-ratio">0/66<
 2019-03-13  18 days elapsed since the last analysis
C:\Users\xxxxx\ProgramasPortab\privoxy.exe
 . . . . . . . netstat  . . . . . . .
  Proto  Local Address            Foreign Address         State            PID
  TCP    192.168.0.109:8640     205.185.208.52:443     ESTABLISHED     5200
  TCP    192.168.0.109:8690     205.185.208.52:443     ESTABLISHED     5200
 - - - - - - - - - - - - - - - - - - - - -
 - - - - - - - - - - - - - - - - - - - - -
IP address:  207.244.80.182
PTR record:
Organization:  Leaseweb USA
ISP:  Leaseweb USA
City:  Manassas
Country:  United States
State:  Virginia
 Url: 207.244.80.182
    Date: 2018-10-15    "detection-ratio">0/67<
 2018-10-15  167 days elapsed since the last analysis
 Analysis is more than 4 months old; asking VT to re-analyze
    Date: 2019-03-31    "detection-ratio">0/66<
C:\Users\xxxxx\ProgramasPortab\privoxy.exe
 . . . . . . . netstat  . . . . . . .
  Proto  Local Address            Foreign Address         State            PID
  TCP    192.168.0.109:8654     207.244.80.182:443     ESTABLISHED     5200
  TCP    192.168.0.109:8655     207.244.80.182:443     ESTABLISHED     5200
  TCP    192.168.0.109:8668     207.244.80.182:443     ESTABLISHED     5200
  TCP    192.168.0.109:8669     207.244.80.182:443     ESTABLISHED     5200
  TCP    192.168.0.109:8672     207.244.80.182:443     ESTABLISHED     5200
  TCP    192.168.0.109:8673     207.244.80.182:443     ESTABLISHED     5200
  TCP    192.168.0.109:8679     207.244.80.182:443     ESTABLISHED     5200
 - - - - - - - - - - - - - - - - - - - - -
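An added example, not the post's code, of the "Netstat" side of that transfer: parsing `netstat -ano` text into the unique public remote IPv4 endpoints per owning process, which is the list the VT section then receives. Private, loopback, link-local and CGNAT ranges are dropped before anything is looked up, since VT has nothing useful to say about a LAN address such as 192.168.0.1. The netstat lines are constructed (a private LAN client talking to documentation-range addresses); the PIDs in them will not exist on the reader's machine, so the process-path lookup is written to tolerate that.

```powershell
# Added example (not the post's code): netstat -ano text -> unique public remote IPv4 per PID.
# Sample netstat rows below are constructed; PIDs in them are not real processes.

function Test-PublicIPv4 {
    param([Parameter(Mandatory)][string]$Ip)
    $addr = $null
    if (-not [ipaddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }    # IPv4 only in this example
    $b = $addr.GetAddressBytes()
    $notPublic = ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 0) -or      # 10/8, loopback, 0.0.0.0
                 ($b[0] -eq 169 -and $b[1] -eq 254) -or                         # link-local
                 ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or        # 172.16/12
                 ($b[0] -eq 192 -and $b[1] -eq 168) -or                         # 192.168/16
                 ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127)           # CGNAT 100.64/10
    -not $notPublic
}

function Get-NetstatRemotes {
    param(
        [Parameter(Mandatory)][string[]]$NetstatLines,
        [string]$State = 'ESTABLISHED'
    )
    $rows = foreach ($line in $NetstatLines) {
        # netstat -ano TCP rows: Proto  Local  Foreign  State  PID (UDP rows have no State column)
        if ($line -match '^\s*TCP\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?<state>[A-Z_]+)\s+(?<pid>\d+)\s*$') {
            $remote = $Matches.remote
            $owner  = [int]$Matches.pid      # saved before the next -match overwrites $Matches
            if ($Matches.state -ne $State) { continue }
            # IPv4 "a.b.c.d:port"; IPv6 rows show "[addr]:port" and are left out here
            if ($remote -match '^(?<ip>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)$') {
                [pscustomobject]@{ Ip = $Matches.ip; Port = [int]$Matches.port; OwnerPid = $owner }
            }
        }
    }
    $rows | Where-Object { Test-PublicIPv4 -Ip $_.Ip } |
        Group-Object Ip | ForEach-Object {
            [pscustomobject]@{
                Ip          = $_.Name
                Ports       = @($_.Group.Port     | Sort-Object -Unique)
                Pids        = @($_.Group.OwnerPid | Sort-Object -Unique)
                Connections = $_.Count
            }
        }
}

function Get-OwnerPath {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Path is empty for processes we lack rights to read, or that have already exited
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p -and $p.Path) { $p.Path } else { "(pid $ProcessId: path not available)" }
}

# Constructed netstat -ano output: LAN client 192.168.0.109, remote hosts in documentation ranges
$sampleNetstat = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    192.168.0.109:8641     203.0.113.30:443       ESTABLISHED     5200',
    '  TCP    192.168.0.109:8642     203.0.113.30:443       ESTABLISHED     5200',
    '  TCP    192.168.0.109:8650     192.168.0.1:445        ESTABLISHED     4',
    '  TCP    192.168.0.109:8660     198.51.100.7:80        ESTABLISHED     5200',
    '  TCP    192.168.0.109:8670     198.51.100.7:443       TIME_WAIT       0',
    '  TCP    0.0.0.0:8118           0.0.0.0:0              LISTENING       5200',
    '  TCP    [::1]:49700            [::1]:49701            ESTABLISHED     6100',
    '  UDP    0.0.0.0:5353           *:*                                    1900'
)
$remotes = @(Get-NetstatRemotes -NetstatLines $sampleNetstat)
foreach ($r in $remotes) {
    "IP: $($r.Ip)  ports: $($r.Ports -join ',')  pids: $($r.Pids -join ',')  connections: $($r.Connections)"
    foreach ($owner in $r.Pids) { "  " + (Get-OwnerPath -ProcessId $owner) }
}
# $remotes.Ip is the list to hand to VT (v3: GET /api/v3/ip_addresses/{ip}), one request per address
```

On the sample, only 203.0.113.30 (two connections to port 443, PID 5200) and 198.51.100.7 (one to port 80) survive: the SMB connection to the 192.168.0.1 gateway is private, the TIME_WAIT row is not ESTABLISHED, the listener and the IPv6 loopback pair never reach the public-address test, and the UDP row does not match the TCP pattern at all. On Windows 8 / Server 2012 and later the same rows are available as objects from `Get-NetTCPConnection -State Established` (`RemoteAddress`, `RemotePort`, `OwningProcess`), which avoids parsing localized `netstat` headers entirely.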
With everything automated, all that is left is a couple of keystrokes .. :D
