
Intrusion Discovery on Linux

December 1 / 2015

The SANS Institute published an Intrusion Discovery Cheat Sheet for Linux system administrators. It lists commonly used commands for finding clues that a system has been compromised. I will cover those commands here, and I hope this helps while you follow the cheat sheet.

Unusual processes and services
1. List all processes and look for unfamiliar ones, or ones running as root.

> ps -ef   # standard (System V) option style
> ps aux   # BSD option style; BSD options take no hyphen

2. List all processes belonging to a specific user, as a process tree

> ps -u ambient --forest

3. For more detail, try lsof, which shows all files and ports used by a given process ID.

> lsof -p [process ID]

4. Investigate the processes and services enabled on the machine

> top                # task manager for Linux
> chkconfig --list   # the equivalent of services.msc on Windows

Unusual Files
1. Look for unusual SUID root files. A file with SUID root set is executed with root's permissions, whoever runs it.
***Notes:
– The special-permission bits make up the 1st digit of the mode: 4: SUID, 2: SGID, 1: sticky bit
– The other 3 digits are the owner, group and world permissions, in that order (4: read, 2: write, 1: execute within each digit)

> find / -uid 0 -perm -4000 -print

2. Find files that are bigger than usual, for example over 10MB.

> find / -size +10000k -print

3. Find unusual file names (names made up only of spaces or dots)

> find / -name " " -print
> find / -name ".. " -print
> find / -name ". " -print
> find / -name " " -print

4. Find unlinked open files (deleted from disk but still held open by a process).

> lsof +L    # list all open files with their link count
> lsof +L1   # list all open files with a link count less than 1, i.e. 0

5. Verify installed packages against the package database (RPM-based systems)

> rpm -Va | sort

Unusual Network Usage
1. Look for promiscuous interfaces. ifconfig cannot be relied on for this on Linux kernel 2.4.

> /sbin/ip link | grep PROMISC

2. List all listening TCP/UDP ports

> netstat -tulpn   # tcp, udp, listening, program, numeric

3. Look for unfamiliar ARP entries or unfamiliar IP addresses

> arp -a

Unusual Scheduled Tasks
1. Show scheduled tasks

> cat /etc/crontab
> ls /etc/cron.*
# OR
> crontab -u root -l   # cron utility to list the jobs of the specified user

Unusual Account
1. Look for new accounts

> sort -nk3 -t: /etc/passwd | less
# -n numeric sort, -k3 sort on the 3rd field (the UID), -t: use ':' as the field delimiter

Try to spot new accounts and any account with UID 0 (an unexpected root).
2. An orphaned file belongs to no existing user. It can indicate a temporary account that has since been deleted.

> find / -nouser -print
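The UID 0 check from item 1 above, as a small added script (not from the SANS cheat sheet or the original post). It reads a file in passwd format, reports every account other than root that has UID 0, and also lists any UID shared by more than one account; the passwd lines below are constructed sample data, so pass /etc/passwd in real use.

```shell
#!/bin/sh
# Added example: two checks over a passwd-format file.
# Usage: unexpected_uid0 /etc/passwd ; duplicate_uids /etc/passwd

# Print login names whose UID (3rd field) is 0 but whose name is not "root".
unexpected_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print UIDs that occur on more than one line. A second account sharing a
# UID shows up under the legitimate name in tools that map UID to name.
duplicate_uids() {
    cut -d: -f3 "$1" | sort -n | uniq -d
}

# Constructed sample: "toor" is a second UID 0 account and UID 1000 is shared.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/root:/bin/sh
ambient:x:1000:1000:ambient:/home/ambient:/bin/bash
svc:x:1000:1000::/var/lib/svc:/bin/sh
EOF

# Report for the sample file (replace with /etc/passwd on a real host).
report() {
    echo "== accounts with UID 0 other than root =="
    unexpected_uid0 "$1"
    echo "== UIDs used by more than one account =="
    duplicate_uids "$1"
}
report "$SAMPLE_PASSWD"
```

On the sample data the first check reports toor and the second reports UIDs 0 and 1000.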

Other unusual items
1. Look for unusually high load

> uptime
22:12:41 up 4:37, 2 users, load average: 0.08, 0.08, 0.06

2. View available disk space

> df -h

3. View recent logins per account

> last
> lastlog

For the intrusion discovery cheat sheet mentioned above, see: Linux Cheat Sheet