command line compromise detection for linux
play

Command Line Compromise Detection for Linux Craig H. Rowland - PowerPoint PPT Presentation

Mar 03, 2024 •35 likes •425 views

Command Line Compromise Detection for Linux Craig H. Rowland @CraigHRowland @SandflySecurity www.sandflysecurity.com Introduction echo Dont Panic. www.sandflysecurity.com Simple First Common problems are surprisingly common.

  1. Command Line Compromise Detection for Linux Craig H. Rowland @CraigHRowland @SandflySecurity www.sandflysecurity.com

  2. Introduction echo “Don’t Panic.” www.sandflysecurity.com

  3. Simple First “Common problems are surprisingly common.” • Don’t worry about Advanced Persistent Threats (APT) • Worry about Commonly Run Attacks Preferred (CRAP) • Spotting common problems allows you to find advanced attackers. www.sandflysecurity.com

  4. 1000:1 Rule Defenders need to know thousands of ways for a system to get compromised. Attackers need to be right just once. Attackers need to know about thousands of ways to cover their tracks. Defenders need to spot something wrong just once. www.sandflysecurity.com

  5. The Big Five Processes Directories Files Users Logs www.sandflysecurity.com

  6. Suspicious Processes www.sandflysecurity.com

  7. Suspicious Processes • Named to look legit or very odd. • Network activity you don’t recognize. • High CPU/RAM. • Deleted binary still running. • Combination of the above. www.sandflysecurity.com

  8. Suspicious Processes Unusual Ports TCP port 22222 root@ubuntu18-dirty:/lib# netstat -nalp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID tcp 0 0 0.0.0.0:22222 0.0.0.0:* LISTEN 10580/cron tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1293/sshd tcp 0 332 192.168.1.122 120.136.1.1:56639 ESTABLISHED 11022/2 tcp6 0 0 :::22 :::* LISTEN 1293/sshd udp 0 0 0.0.0.0:555 0.0.0.0:* 32481/t raw 0 0 0.0.0.0:1 0.0.0.0:* 7 10580/cron PID “cron” ICMP Protocol Raw socket www.sandflysecurity.com

  9. Suspicious Processes Investigating a PID root@ubuntu-18-dirty:/# ls -alR /proc/*/cwd 2> /dev/null | grep tmp lrwxrwxrwx 1 root root 0 Nov 14 02:07 /proc/10580/cwd -> /tmp PID of Running interest from /tmp root@ubuntu-18-dirty:/tmp# ls -alR /proc/*/exe 2> /dev/null | grep deleted lrwxrwxrwx 1 root root 0 Nov 13 07:39 /proc/10580/exe -> /usr/bin/perl (deleted) Binary deleted but still running? www.sandflysecurity.com

  10. Suspicious Processes Investigating a PID PID of interest Running root@ubuntu-18-dirty:~# ls -al /proc/10580/cwd lrwxrwxrwx 1 root root 0 Nov 14 02:07 /proc/10580/cwd -> /tmp from /tmp root@ubuntu-18-dirty:/tmp# cat /proc/10580/comm Says it’s cron. /usr/sbin/cron root@ubuntu-18-dirty:/tmp# cat /proc/10580/cmdline Really, I’m cron! /usr/sbin/cron root@ubuntu-18-dirty:/tmp# ls -al /proc/10580/exe lrwxrwxrwx 1 root root 0 Nov 13 07:39 /proc/10580/exe -> '/usr/bin/perl (deleted)' You’re not cron. www.sandflysecurity.com

  11. Suspicious Directories www.sandflysecurity.com

  12. Suspicious Directories • Used to hide malicious binaries. • Used to hide stolen data. • Used to holding staging data for further incursion. • Used to hold persistence mechanisms. www.sandflysecurity.com

  13. Suspicious Directories Commonly Targeted /tmp, /var/tmp /lib*, /usr/lib* /dev /etc /dev/shm /var/log /bin /var/spool /sbin public_html /usr/bin Privileged home directories /usr/sbin Standard home directories www.sandflysecurity.com

  14. Suspicious Directories Weird Names root@ubuntu18-dirty:~# ls -al /bin total 17120 drwxr-xr-x 2 root root 4096 Jul 25 21:45 drwxr-xr-x 2 root root 4096 Sep 7 09:52 . drwxr-xr-x 10 root root 12288 Sep 7 09:52 . drwxr-xr-x 2 root root 4096 Mar 25 2017 . drwxr-xr-x 2 root root 4096 Mar 25 2017 . . drwxr-xr-x 24 root root 4096 Oct 11 04:01 .. drwxr-xr-x 2 root root 4096 Jun 4 01:56 .. drwxr-xr-x 2 root root 4096 Jun 4 02:25 ... drwxr-xr-x 2 root root 4096 Jun 7 00:46 ..% -rwxr-xr-x 1 root root 1037528 May 16 12:49 bash -rwxr-xr-x 1 root root 520992 Jun 15 23:46 btrfs -rwxr-xr-x 1 root root 249464 Jun 15 23:46 btrfs-calc-size www.sandflysecurity.com

  15. Suspicious Directories Weird Names } root@ubuntu18-dirty:~# ls -al /bin total 17120 drwxr-xr-x 2 root root 4096 Jul 25 21:45 drwxr-xr-x 2 root root 4096 Sep 7 09:52 . drwxr-xr-x 10 root root 12288 Sep 7 09:52 . drwxr-xr-x 2 root root 4096 Mar 25 2017 . What is this? drwxr-xr-x 2 root root 4096 Mar 25 2017 . . drwxr-xr-x 24 root root 4096 Oct 11 04:01 .. drwxr-xr-x 2 root root 4096 Jun 4 01:56 .. drwxr-xr-x 2 root root 4096 Jun 4 02:25 ... drwxr-xr-x 2 root root 4096 Jun 7 00:46 ..% -rwxr-xr-x 1 root root 1037528 May 16 12:49 bash -rwxr-xr-x 1 root root 520992 Jun 15 23:46 btrfs -rwxr-xr-x 1 root root 249464 Jun 15 23:46 btrfs-calc-size www.sandflysecurity.com

  16. Suspicious Directories Weird Names “space” root@ubuntu18-dirty:~# ls -lap /bin “space” dot total 17120 drwxr-xr-x 2 root root 4096 Jul 25 21:45 / dot “space” drwxr-xr-x 2 root root 4096 Sep 7 09:52 ./ drwxr-xr-x 10 root root 12288 Sep 7 09:52 ./ dot dot “space” drwxr-xr-x 2 root root 4096 Mar 25 2017 . / drwxr-xr-x 24 root root 4096 Oct 11 04:01 ../ Trying to look drwxr-xr-x 2 root root 4096 Jun 4 01:56 .. / legit drwxr-xr-x 2 root root 4096 Jun 4 02:25 .../ Special drwxr-xr-x 2 root root 4096 Jun 7 00:46 ..%/ characters -rwxr-xr-x 1 root root 1037528 May 16 12:49 bash -rwxr-xr-x 1 root root 520992 Jun 15 23:46 btrfs -rwxr-xr-x 1 root root 249464 Jun 15 23:46 btrfs-calc-siz www.sandflysecurity.com

  17. Suspicious Directories Hidden Directories root@ubuntu-18:/# find / -type d -name ".*” /root/.local /root/.ssh /lib/modules/4.15.0-34-generic/vdso/.build-id /bin/. . /dev/.blKb All suspicious! /dev/shm/. . www.sandflysecurity.com

  18. Suspicious Files www.sandflysecurity.com

  19. Suspicious Files • Exploit traces left behind from attack. • Files that are not what they claim to be or are out of place. • Binaries that are modified or in strange locations. www.sandflysecurity.com

  20. Suspicious Files Exploit Traces Left Behind Left by poorly root@ubuntu-18-dirty:~# ls -al /tmp written or total 44 rwxrwxrwt 8 root root 12288 Sep 5 00:12 . crashed drwxr-xr-x 23 root root 4096 Sep 5 00:03 .. log cleaner . drwxrwxrwt 2 root root 4096 Sep 5 00:03 .font-unix drwxrwxrwt 2 root root 4096 Sep 5 00:03 .ICE-unix drwxrwxrwt 2 root root 4096 Sep 5 00:03 .Test-unix -rw-r--r-- 1 root root 2304 Sep 5 00:12 utmp.bak drwxrwxrwt 2 root root 4096 Sep 5 00:03 .X11-unix drwxrwxrwt 2 root root 4096 Sep 5 00:03 .XIM-unix www.sandflysecurity.com

  21. Suspicious Files Immutable Files root@ubuntu-18-dirty:/tmp# lsattr / -R 2> /dev/null | grep "\----i" ----i---------e--- /tmp/.t Suspicious name ----i---------e--- /bin/pss and immutable in /tmp. Binaries are not normally set immutable. www.sandflysecurity.com

  22. Suspicious Files File Masquerading root@ubuntu-18-dirty:~/public_html# file * -p 1.jpg : ELF 32-bit LSB executable, ARM , …statically linked, stripped 2.jpg: ELF 32-bit LSB executable, ARM , …statically linked, stripped 3.jpg: ELF 32-bit MSB executable, MIPS , …statically linked, stripped 4.jpg: ELF 32-bit LSB executable, MIPS , …statically linked, stripped index.html: data logo.jpg: PHP script , ASCII text logo.png: PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced JPGs are ELF executables. HTML is unknown data. Another JPG is PHP. www.sandflysecurity.com

  23. Suspicious Files Hidden Binaries root@ubuntu-18-dirty:/tmp# find / -name ".*" -exec file -p '{}' \; | grep ELF /var/tmp/.ICE-unix/.db: ELF 64-bit … stripped Hidden binary in /tmp directory. Why? www.sandflysecurity.com

  24. Suspicious Files Named Pipes root@ubuntu-18:/# find / -type p /run/dmeventd-client /run/dmeventd-server … /tmp/f One character and in a /tmp directory? www.sandflysecurity.com

  25. Suspicious Files System Files Modified [root@centos-6-2 ~]# rpm -Va | grep ^..5. SM5....T. c /etc/ssh/sshd_config S.5....T. c /etc/ssh/ssh_config Manually S.5....T. c /root/.bashrc inspect these. root@ubuntu16-dirty:/bin# debsums -c /usr/sbin/nologin Why was this replaced? www.sandflysecurity.com

  26. Suspicious Users www.sandflysecurity.com

  27. Suspicious Users History File Weirdness Should www user have Creation Anti-forensics a history file? Date root@ubuntu-18:/# ls -alR | grep .*history lrwxrwxrwx 1 www www 9 Nov 13 00:23 .bash_history -> /dev/null -rw------- 1 root root 53083 Nov 12 23:49 .bash_history www.sandflysecurity.com

  28. Suspicious Users SSH Keys root@ubuntu-18-dirty:/tmp# find / -name authorized_keys /root/.ssh/authorized_keys User bin with /bin/.ssh/authorized_keys SSH key? /home/jscott/.ssh/authorized_keys /home/www/.ssh/authorized_keys Do you recognize all users that should have SSH credentials? www.sandflysecurity.com

  29. Suspicious Users Scheduler Persistence root@ubuntu-18:/tmp# crontab -l * * * * * /tmp/.d >/dev/null 2>&1 Weird name. Cron script in tmp? www.sandflysecurity.com

  30. Suspicious Logs www.sandflysecurity.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Linux Command Line Interface Family of Unix-like Operating Systems Source:

Introduction to Linux Command Line Interface Family of Unix-like Operating Systems Source:

Introduction to Linux Command Line Interface Family of Unix-like Operating Systems Source: http://en.wikipedia.org/w/index.php?title=File:Unix_history-simple.svg&page=1; Creative Commons GNU/Linux and Distributions Linux kernel: the core

476 views • 5 slides
To TOP or NOT to TOP www.SAS.com To TOP or NOT to TOP Using the TOP command in Linux By Len van

To TOP or NOT to TOP www.SAS.com To TOP or NOT to TOP Using the TOP command in Linux By Len van

To TOP or NOT to TOP www.SAS.com To TOP or NOT to TOP Using the TOP command in Linux By Len van den Berg SAS Grid Platform Administrator Monitoring Processes in Linux By User By CPU By Size By Command By Memory By

444 views • 41 slides
STAT 605 Data Science Computing Introduction to the UNIX/Linux command line Why UNIX/Linux? As a

STAT 605 Data Science Computing Introduction to the UNIX/Linux command line Why UNIX/Linux? As a

STAT 605 Data Science Computing Introduction to the UNIX/Linux command line Why UNIX/Linux? As a data scientist, you will spend most of your time dealing with data Data sets never arrive ready to analyze Cleaning data, fixing formatting,

709 views • 33 slides
STATS 701 Data Analysis using Python Lecture 18: the UNIX/Linux Command Line UNIX/Linux: a

STATS 701 Data Analysis using Python Lecture 18: the UNIX/Linux Command Line UNIX/Linux: a

STATS 701 Data Analysis using Python Lecture 18: the UNIX/Linux Command Line UNIX/Linux: a (very) brief history 1960s: Multics (Bell Labs, MIT, GE), a time-sharing operating system 1970s: UNIX developed at Bell Labs 1980s: the UNIX wars

481 views • 29 slides
TRACER TUTORIAL: TEXT REUSE DETECTION INTRODUCTION TO THE COMMAND LINE AND ACCESSING SERVERS

TRACER TUTORIAL: TEXT REUSE DETECTION INTRODUCTION TO THE COMMAND LINE AND ACCESSING SERVERS

TRACER TUTORIAL: TEXT REUSE DETECTION INTRODUCTION TO THE COMMAND LINE AND ACCESSING SERVERS REMOTELY M arco B uchler, Emily Franzini and Greta Franzini TABLE OF CONTENTS 1. C onnecting to the server 2. Command line introduction 2/100

679 views • 19 slides
A Command-Line Driver Generator or What I did when I got tired of writing command-line

A Command-Line Driver Generator or What I did when I got tired of writing command-line

Using a generated command-line driver Using the tool How the tool works Future work A Command-Line Driver Generator or What I did when I got tired of writing command-line interfaces myself... Jacob Sparre Andersen JSA Research &

717 views • 16 slides
Linux Basics 2 Pre-Lab Everyone installed Linux on their computer Everyone launched the

Linux Basics 2 Pre-Lab Everyone installed Linux on their computer Everyone launched the

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Linux Basics 2 Pre-Lab Everyone installed Linux on their computer Everyone launched the command line (terminal) and ran a few commands

533 views • 40 slides
Command Line + BASH Scripting Nel Escher Agenda Command line Working with absolute and

Command Line + BASH Scripting Nel Escher Agenda Command line Working with absolute and

Command Line + BASH Scripting Nel Escher Agenda Command line Working with absolute and relative paths Running programs Redirecting program output Scripting Automate sequences of commands! Say Goodbye to Your Precious

1.28k views • 38 slides
Section I: Section I: Introduction to Command Line Tools Introduction to Command Line Tools CEG

Section I: Section I: Introduction to Command Line Tools Introduction to Command Line Tools CEG

Section I: Section I: Introduction to Command Line Tools Introduction to Command Line Tools CEG 333: Introduction to UNIX Dr. Travis Doom, Associate Professor Department of Computer Science and Engineering Wright State University

1.05k views • 94 slides
AOS Linux Tutorial Introduction to Linux, Part 2 Michael Havas Dept. of Atmospheric and Oceanic

AOS Linux Tutorial Introduction to Linux, Part 2 Michael Havas Dept. of Atmospheric and Oceanic

AOS Linux Tutorial Introduction to Linux, Part 2 Michael Havas Dept. of Atmospheric and Oceanic Sciences McGill University September 21, 2010 Outline 1 Review 2 The Linux Command-Line Working With Text Redirection and Piping Chaining

618 views • 32 slides
SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months. Ponemon 2014 SSH

916 views • 57 slides
diff Command JACARY RICHARDSON NHANTRUNG PHAN Unix/Linux Command: diff The diff utility is

diff Command JACARY RICHARDSON NHANTRUNG PHAN Unix/Linux Command: diff The diff utility is

diff Command JACARY RICHARDSON NHANTRUNG PHAN Unix/Linux Command: diff The diff utility is at its very base a data comparison tool Generally, the diff command compares two files in the following format: diff filename1 filename2

362 views • 5 slides
JAVASCRIPT DEVELOPMENT Sasha Vodnik, Instructor JAVASCRIPT DEVELOPMENT THE COMMAND LINE THE

JAVASCRIPT DEVELOPMENT Sasha Vodnik, Instructor JAVASCRIPT DEVELOPMENT THE COMMAND LINE THE

JAVASCRIPT DEVELOPMENT Sasha Vodnik, Instructor JAVASCRIPT DEVELOPMENT THE COMMAND LINE THE COMMAND LINE WEEKLY OVERVIEW WEEK 2 The Command Line / Data Types WEEK 3 Loops & Conditionals / Functions & Scope WEEK 4 Slackbot Lab /

1.13k views • 87 slides
The chmod Command By: Nic Stephens and Kelly OLeary S What is it? S A Unix/Linux

The chmod Command By: Nic Stephens and Kelly OLeary S What is it? S A Unix/Linux

The chmod Command By: Nic Stephens and Kelly OLeary S What is it? S A Unix/Linux command S Ch ange Mod e S Changes permissions of a given file Symbolic Mode Type of User Letter/Operator User who owns it u Users in the

238 views • 10 slides
NETWORKING NETWORKING PART 2: LINUX UX commands PART 2: LINUX commands Agenda Agenda Network

NETWORKING NETWORKING PART 2: LINUX UX commands PART 2: LINUX commands Agenda Agenda Network

Moreno Baricevic CNR-INFM DEMOCRITOS Trieste, ITALY INTRO TO INTRO TO NETWORKING NETWORKING PART 2: LINUX UX commands PART 2: LINUX commands Agenda Agenda Network Interfaces Network Interfaces LINUX command line utilities LINUX

598 views • 38 slides
REKALL SOFTWARE PVT LTD LINUX BASICS KIRAN KOLLIPARA 2014-11-03 LINUX BASICS Basic Concepts

REKALL SOFTWARE PVT LTD LINUX BASICS KIRAN KOLLIPARA 2014-11-03 LINUX BASICS Basic Concepts

REKALL SOFTWARE PVT LTD LINUX BASICS KIRAN KOLLIPARA 2014-11-03 LINUX BASICS Basic Concepts Strong command-line support. Good network configuration support for router, firewall, etc. Easy package management Simple

827 views • 23 slides
Root River Fisheries Root River Fisheries Craig Helker Craig Helker WDNR WDNR Root River

Root River Fisheries Root River Fisheries Craig Helker Craig Helker WDNR WDNR Root River

Root River Fisheries Root River Fisheries Craig Helker Craig Helker WDNR WDNR Root River Watershed Root River Watershed Root River Watershed Root River Watershed Findings Findings Findings Findings Mainstem Mainstem Mainstem

182 views • 17 slides
How to Effectively Tell Your Story So that People Will Listen and Understand the Truth May 13,

How to Effectively Tell Your Story So that People Will Listen and Understand the Truth May 13,

How to Effectively Tell Your Story So that People Will Listen and Understand the Truth May 13, 2016 2 Reaching Your Audience 3 The Reality, Unknown to Many 4 They Must We say Many Think Understand Ranchers lease to graze

336 views • 20 slides
Preference Policy Recommendations PREPARED BY Heidi Aggeler, Managing Director Denver, Colorado

Preference Policy Recommendations PREPARED BY Heidi Aggeler, Managing Director Denver, Colorado

City and County of Denver Preference Policy Recommendations PREPARED BY Heidi Aggeler, Managing Director Denver, Colorado 80220 970.880.1415 x102 heidi@rootpolicy.com Considerations for a Preference Policy Primary goal: To foster stable

585 views • 17 slides
javaROOT . . . . . . . Features Introduction . . . . javaROOT . Introduction M.

javaROOT . . . . . . . Features Introduction . . . . javaROOT . Introduction M.

. . M. Lynch, M. Stanitzki, J. Strube July 2009 STFC Rutherford Appleton Laboratory J. Strube M. Stanitzki M. Lynch A Java Interface to ROOT javaROOT . . . . . . . Features Introduction . . . . javaROOT . Introduction M.

398 views • 19 slides
The Root: A new facility for food processing, distribu?on, storage and educa?on Produc(on

The Root: A new facility for food processing, distribu?on, storage and educa?on Produc(on

The Root: Growing Food, Nurturing Community The Root: A new facility for food processing, distribu?on, storage and educa?on Produc(on Processing Storage Making the links between farmers, food processors and consumers to increase local

251 views • 11 slides
Module 4 AFA CyberCamp Format Day T wo Day Three Day Four Day Five Day One Windows

Module 4 AFA CyberCamp Format Day T wo Day Three Day Four Day Five Day One Windows

AFA CyberCamp Module 4 AFA CyberCamp Format Day T wo Day Three Day Four Day Five Day One Windows Intermediate Intro to Linux CyberPatriot Cyber Safety System Windows and Ubuntu Competition! Administration Security Security 1

824 views • 53 slides
Understanding Root Causes? Understanding Freedom Poverty as a root cause? What does

Understanding Root Causes? Understanding Freedom Poverty as a root cause? What does

Understanding Root Causes? Understanding Freedom Poverty as a root cause? What does Brother Where Art Though? tell us? Freedom as The Power to Say No Poverty Borders Discrimination Speak Truth to Power Poverty is

501 views • 15 slides
Introduction to A3 QI Template Kathleen Caron Performance Management and QI Coordinator and

Introduction to A3 QI Template Kathleen Caron Performance Management and QI Coordinator and

Introduction to A3 QI Template Kathleen Caron Performance Management and QI Coordinator and DHS Lean Point of Contact Division of Public Health September 2018 To protect and promote the health and safety of the people of Wisconsin

577 views • 22 slides

More recommend