GScan
by grayddq
GScan is an automated Linux host security checklist scanner designed to assist incident responders in comprehensive threat detection and hacker attack path tracing.
This program is intended to make it easier for security incident responders to investigate Linux hosts: it automates comprehensive host-side checklist detection, aggregates the detection results automatically, and traces the attacker's path through the host.
Primary Use Case
This tool is primarily used by security incident response teams to perform thorough and automated security inspections on Linux hosts, especially CentOS systems. It facilitates rapid identification of suspicious activities, backdoors, rootkits, and configuration weaknesses, enabling efficient forensic analysis and threat hunting during incident investigations.
- Automated comprehensive checklist-based security scanning of Linux hosts
- Detection of suspicious files, hidden files, and system executable anomalies
- Process and network anomaly detection including overseas IP connections and reverse shells
- Extensive backdoor detection covering LD_PRELOAD, cron, SSH, setUID, and system startup items
- Account security checks including root and empty password accounts, sudoers, and SSH keys
- Log analysis for multiple login records (secure, wtmp, utmp, lastlog)
- Rootkit and malware signature detection
- WebShell file scanning
Installation
- git clone https://github.com/grayddq/GScan.git
- cd GScan
- Run the tool as root; the checks need root privileges
- Requires Python 2.x or 3.x; supported on CentOS 6 and 7
- Run the main script with python GScan.py
Usage
- python GScan.py: Run the default security scan on the host
- python GScan.py --sug --pro: Run the scan with manual investigation suggestions and preliminary remediation plans
- python GScan.py --job: Set up a scheduled daily scan at midnight
- python GScan.py --job --hour=2: Set up a scheduled scan that runs every 2 hours
- python GScan.py -h: Display help information and available command options
- python GScan.py --overseas: Run the scan in overseas mode, disabling overseas IP matching
- python GScan.py --full: Enable full comprehensive scan mode
- python GScan.py --debug: Run in debug mode to output detailed debugging information
- python GScan.py --dif: Compare the current scan results with the previous results and output the differences
- python GScan.py --time='YYYY-MM-DD HH:MM:SS~YYYY-MM-DD HH:MM:SS': Search for all files modified within the specified time range
- Integrate GScan with SIEM solutions to automate alerting on suspicious findings.
- Schedule regular GScan runs as part of incident response playbooks to speed up triage.
- Enhance the tool with custom YARA rules for organization-specific threat hunting.
- Use GScan output to build threat intelligence on attacker TTPs for purple team exercises.
- Deploy GScan in containerized environments for rapid scanning of ephemeral Linux hosts.