Anton Chuvakin on Discovering That Your Linux Box is Hacked



This presentation covers how to discover the common signs that your Linux system is compromised by attackers

Published in: Technology


  1. <ul><li>Linux Intrusion Discovery </li></ul><ul><li>v. 0.4 </li></ul><ul><li>May 2005 </li></ul><ul><li>Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA </li></ul><ul><li>Security Strategist </li></ul>
  2. Outline <ul><li>Linux Overview: Battleground Linux </li></ul><ul><li>Common Attacks and Intruder Behavior: What will they hit you with? </li></ul><ul><li>First Suspicions: Traces and anomalies </li></ul><ul><li>Confirming the Intrusion: Oh, it is REALLY “owned”! </li></ul><ul><li>Conclusion: What to do after the panic subsides? </li></ul>
  3. Linux <ul><li>Linux “profile”: </li></ul><ul><li>Free </li></ul><ul><li>Open source </li></ul><ul><li>Widely deployed </li></ul><ul><li>Great for servers </li></ul><ul><li>Easy to use* </li></ul><ul><li>Somewhat poorly coded** </li></ul><ul><li>Result: a great target for attackers, from “script kiddiez” to pros </li></ul><ul><li>* somewhat </li></ul><ul><li>** at least according to the xBSD fans </li></ul>
  4. Common Linux Attacks <ul><li>Vulnerable network daemons </li></ul><ul><ul><li>RPC </li></ul></ul><ul><ul><li>FTP </li></ul></ul><ul><ul><li>HTTP/HTTPS </li></ul></ul><ul><li>Brute forcing passwords </li></ul><ul><li>Web application and CGI attacks </li></ul><ul><li>Sniffing </li></ul><ul><li>Local console abuse </li></ul><ul><li>See the SANS “UNIX Top 10 Weaknesses” for more details </li></ul>
  5. What do the attackers do? <ul><li>Close the holes (so nobody else gets in) </li></ul><ul><li>Backdoors </li></ul><ul><li>Trojans </li></ul><ul><li>IRC </li></ul><ul><li>Scanning and exploitation </li></ul><ul><li>DoS attacks </li></ul><ul><li>Sniffing </li></ul><ul><li>Storing “warez” and pirated content </li></ul><ul><li>Searching for credit cards </li></ul>
  6. What do we want? <ul><li>Give you or your subordinates/colleagues tools and methods to tell that a system is likely compromised </li></ul><ul><li>Require no advanced security knowledge while still being effective </li></ul><ul><li>Focus on performing simple actions and looking at their results </li></ul><ul><li>Use locally run built-in commands (and some free tools) </li></ul><ul><li>Likely not effective against advanced attackers, which is OK! </li></ul>
  7. Hack Omens Summary <ul><li>Groups of intrusion signs covered on the next slides: </li></ul><ul><li>Resource waste </li></ul><ul><li>System failures </li></ul><ul><li>Unusual objects and traces </li></ul><ul><li>Unusual networking </li></ul><ul><li>“Something just doesn’t feel right!” </li></ul>
  8. Omens: Resource waste <ul><ul><li>Slow system </li></ul></ul><ul><ul><li>[anton@bmw anton]$ uptime </li></ul></ul><ul><ul><li>11:53pm up 41 days, 8:54, 1 user, load average: 12.14, 9.12, 7.09 </li></ul></ul><ul><ul><li>Excessive memory use </li></ul></ul><ul><ul><li>[anton@bmw anton]$ free </li></ul></ul><ul><ul><li>total used free shared buffers cached </li></ul></ul><ul><ul><li>Mem: 127820 108856 18964 38636 13860 21684 </li></ul></ul><ul><ul><li>-/+ buffers/cache: 73312 54508 </li></ul></ul><ul><ul><li>Swap: 336504 43788 292716 </li></ul></ul><ul><ul><li>Missing disk space </li></ul></ul><ul><ul><li>[anton@bmw anton]$ df </li></ul></ul><ul><ul><li>Filesystem 1k-blocks Used Available Use% Mounted on </li></ul></ul><ul><ul><li>/dev/hda1 2016016 2016000 1193 99% / </li></ul></ul><ul><ul><li>Slow network connectivity </li></ul></ul><ul><ul><li>[anton@bmw anton]$ ping </li></ul></ul>
  9. Omens: Misc Failures <ul><ul><li>Reboots </li></ul></ul><ul><ul><li>[anton@bmw anton]$ uptime </li></ul></ul><ul><ul><li>10:05pm up 3 hours, 1:54, 2 users, load average: 0.14, 0.12, 0.09 </li></ul></ul><ul><ul><li>Application crashes and errors </li></ul></ul><ul><ul><li>VM: killing process spamassassin </li></ul></ul><ul><ul><li>Application restarts </li></ul></ul><ul><ul><li>Mar 14 05:22:32 bmw syslogd 1.3-3: restart. </li></ul></ul><ul><ul><li>Authentication failures </li></ul></ul><ul><ul><li>Mar 14 19:02:04 bmw PAM_unix[29426]: authentication failure; evil(uid=500) -> root for system-auth service </li></ul></ul><ul><ul><li>Spontaneous system unavailability </li></ul></ul>
  10. Omens: Unusual Objects <ul><li>Files/directories </li></ul><ul><ul><li>[root@bmw /tmp]# ls -la </li></ul></ul><ul><ul><li>total 35 </li></ul></ul><ul><ul><li>drwxrwxrwt 5 root root 15360 Mar 16 00:22 . </li></ul></ul><ul><ul><li>drwx------ 2 root root 1024 Mar 16 00:22 ... </li></ul></ul><ul><li>Processes </li></ul><ul><li>Accounts </li></ul><ul><li>Connections </li></ul><ul><ul><li>From server, to client, too many </li></ul></ul><ul><li>Command output </li></ul><ul><ul><li>“Hmm, why does it do that?” </li></ul></ul><ul><li>Log entries </li></ul>
  11. Action Plan <ul><li>What do the above signs indicate? Nothing really? Maybe so, but let’s check! </li></ul><ul><li>How to quickly confirm an intrusion? </li></ul><ul><li>Using default system tools </li></ul><ul><li>Open source programs </li></ul><ul><li>And some built-in intelligence </li></ul>
  12. Actions <ul><li>Look for suspicious files </li></ul><ul><li>Look for suspicious accounts </li></ul><ul><li>Look for system corruption </li></ul><ul><li>Look for suspicious networking </li></ul><ul><li>Look for suspicious processes </li></ul><ul><li>Look for weird log entries </li></ul><ul><li>Look for misc other “weirdness” </li></ul>
  13. Look for suspicious files <ul><li>Large files </li></ul><ul><ul><li># find / -size +10000k -print </li></ul></ul><ul><ul><li>or </li></ul></ul><ul><ul><li># find / -size +10000k -mtime +7 -print </li></ul></ul><ul><li>Nobody’s files (owner uid has no passwd entry) </li></ul><ul><li># find / -nouser -print </li></ul><ul><li>SUID root files </li></ul><ul><li># find / -uid 0 -perm -4000 -print </li></ul><ul><li>Weird file names (“. ”, “ ”, “...”, etc.) </li></ul><ul><ul><li># find / -name "..." -print </li></ul></ul>
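The four checks on this slide folded into one sweep. This is an added example, not code from the presentation: the function names are this example's own, the sandbox it builds is constructed so the checks have something to find without root, and the set-uid owner uid is a parameter only because the test cannot create root-owned files (use the default of 0 on a real host).

```shell
#!/bin/sh
# sweep_files ROOT [MIN_KB] [SUID_UID]
#   ROOT     tree to search: / on a live host, or the mount point of an image
#   MIN_KB   "large file" threshold in KiB (slide uses 10000)
#   SUID_UID owner uid whose set-uid files matter (0 = root)
# Each hit is printed with its class so the output can be sorted by severity.
sweep_files() {
    root="$1"; min_kb="${2:-10000}"; suid_uid="${3:-0}"
    # -xdev keeps find on one filesystem, so /proc and network mounts are skipped.
    # 1. Large files: warez dumps, sniffer logs, packed toolkits.
    find "$root" -xdev -type f -size +"${min_kb}"k -print 2>/dev/null | sed 's/^/LARGE   /'
    # 2. Files whose owning uid has no passwd entry: left by a deleted account,
    #    or created under a uid the attacker added and later removed.
    find "$root" -xdev -nouser -print 2>/dev/null | sed 's/^/NOUSER  /'
    # 3. Set-uid files owned by SUID_UID. Check each against the package
    #    database (rpm -qf, dpkg -S); a set-uid shell nobody packaged is a backdoor.
    find "$root" -xdev -type f -uid "$suid_uid" -perm -4000 -print 2>/dev/null | sed 's/^/SUID    /'
    # 4. Names chosen to vanish in "ls" output: "...", a lone space, or any name
    #    ending in a space. -name matches the basename only.
    find "$root" -xdev \( -name '...' -o -name ' ' -o -name '* ' \) -print 2>/dev/null | sed 's/^/ODDNAME /'
}

# Constructed sandbox standing in for a compromised /tmp, /var and /usr/bin.
# These are the shapes of attacker artefacts, not real ones. Prints its path.
make_sandbox() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp/..." "$d/tmp/. " "$d/var" "$d/usr/bin"
    : > "$d/tmp/.../bnc"                        # "bouncer" parked in a "..." dir
    : > "$d/tmp/ "                              # file whose name is one space
    dd if=/dev/zero of="$d/var/.pub.tgz" bs=1024 count=2048 2>/dev/null   # 2 MiB
    printf '#!/bin/sh\nexec /bin/sh\n' > "$d/usr/bin/sh0"
    chmod 4755 "$d/usr/bin/sh0"                 # set-uid copy of a shell
    printf '%s' "$d"
}

# Demo run: threshold lowered to 1 MiB and uid set to the caller so the sandbox
# hits show up without root. On a real host: sweep_files / 10000 0
sandbox=$(make_sandbox)
sweep_files "$sandbox" 1000 "$(id -u)"
rm -rf "$sandbox"
```

The `-nouser` class cannot be reproduced in the sandbox without root, which is exactly why it is worth running on the real host: every hit there is a file the package manager and the user database both disown.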
  14. Look for suspicious accounts <ul><li>Privileged Accounts </li></ul><ul><li>grep :0: /etc/passwd </li></ul><ul><ul><li>[root@bmw /tmp]# grep :0: /etc/passwd </li></ul></ul><ul><ul><li>root:x:0:0:root:/root:/bin/bash </li></ul></ul><ul><ul><li>sync:x:5:0:sync:/sbin:/bin/sync </li></ul></ul><ul><ul><li>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown </li></ul></ul><ul><ul><li>halt:x:7:0:halt:/sbin:/sbin/halt </li></ul></ul><ul><ul><li>operator:x:11:0:operator:/root: </li></ul></ul><ul><ul><li>rewt:x:0:0:root:/dev/…:/bin/bash </li></ul></ul><ul><li>(grep :0: also matches GID 0, which is why sync, shutdown, halt and operator appear; the finding is the second UID 0 entry, rewt) </li></ul>
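The same check done on the uid field exactly, plus two related account tricks, as an added example (not from the slides). The passwd data is constructed to look like the slide's output; the function names are this example's own.

```shell
#!/bin/sh
# Constructed passwd data shaped like the slide's grep output; not a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
anton:x:500:500:Anton:/home/anton:/bin/bash
rewt:x:0:0:root:/dev/...:/bin/bash
backup:x:500:500:backup:/var/backups:/bin/bash'

# Accounts with uid 0 other than root. Any output is a finding.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# uids that belong to more than one name. A second name on uid 0 is the classic
# "rewt"; a second name on a user's uid owns that user's files as well.
duplicate_uids() {
    awk -F: '{ names[$3] = names[$3] " " $1; n[$3]++ }
             END { for (u in n) if (n[u] > 1) print u ":" names[u] }'
}

# System accounts (uid below $1: 500 on 2005-era Red Hat, 1000 on current
# distributions) whose shell lets them log in. An empty seventh field is not
# "no shell": login treats it as /bin/sh.
system_accounts_with_shell() {
    awk -F: -v lim="${1:-500}" '
        $3 < lim && $1 != "root" && $7 !~ /(nologin|false|sync|shutdown|halt)$/ {
            sh = ($7 == "") ? "(empty, defaults to /bin/sh)" : $7
            print $1 ":" sh
        }'
}

# Run all three over a passwd file (default /etc/passwd).
audit_passwd() {
    f="${1:-/etc/passwd}"
    echo "== uid 0 besides root";           extra_uid0 < "$f"
    echo "== uids with several names";      duplicate_uids < "$f"
    echo "== system accounts with a shell"; system_accounts_with_shell 500 < "$f"
}

# Demo against the constructed sample; on a host run: audit_passwd /etc/passwd
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
audit_passwd "$tmp"
rm -f "$tmp"
```

On the sample this reports rewt under uid 0, uids 0 and 500 as shared, and operator, ftp and rewt as system accounts with a usable shell. Run the same three filters over /etc/shadow's counterpart, `awk -F: '$2 == ""'`, to catch the blank-password variant.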
  15. Look for system corruption <ul><li>Installed software integrity </li></ul><ul><li># rpm -qa | sort </li></ul><ul><li># rpm -Va | sort </li></ul><ul><li>File integrity: AIDE </li></ul><ul><li># aide --check </li></ul><ul><li>File integrity: Tripwire </li></ul><ul><li># tripwire --check </li></ul><ul><li>System integrity: chkrootkit </li></ul><ul><li># chkrootkit </li></ul><ul><li>(All of these trust the local binaries and the local database; once root is lost, run them from known-good media or against a baseline kept off the box) </li></ul>
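What a file-integrity check reduces to, as an added example that is neither AIDE's nor Tripwire's code: a baseline of hash, mode, owner and size per file, taken while the system is known good and kept off the box, and a comparison that reports changed, missing and new files separately. Function names are this example's own; `stat -c` is GNU coreutils.

```shell
#!/bin/sh
# make_baseline ROOT: one line per regular file under ROOT, to stdout:
#   <sha256> <mode:owner:size> <path>
# Store the output on read-only media or another host; a root attacker will
# rewrite a baseline kept in /var/lib.
make_baseline() {
    find "$1" -xdev -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
                            "$(stat -c '%a:%U:%s' "$f")" "$f"
    done
}

# check_baseline BASELINE_FILE ROOT: prints CHANGED, MISSING and NEW lines and
# returns 1 if any were found. Paths may contain spaces, so the path is taken
# as "everything after the second space" rather than as awk's $3.
check_baseline() {
    baseline="$1"; root="$2"
    current=$(mktemp)
    make_baseline "$root" > "$current"
    rc=0
    awk '
        function path(line,    p) { p = line; sub(/^[^ ]+ [^ ]+ /, "", p); return p }
        FILENAME == ARGV[1] { base[path($0)] = $1 " " $2; next }   # baseline
                            { cur[path($0)]  = $1 " " $2 }         # live tree
        END {
            for (p in base) if (!(p in cur)) { print "MISSING " p; diffs++ }
            for (p in cur) {
                if (!(p in base))           { print "NEW " p; diffs++ }
                else if (cur[p] != base[p]) { print "CHANGED " p " (" base[p] " -> " cur[p] ")"; diffs++ }
            }
            exit diffs ? 1 : 0
        }' "$baseline" "$current" || rc=1
    rm -f "$current"
    return "$rc"
}

# Demo on a constructed tree: baseline it, then trojan a binary, delete a
# config and drop a hidden file, and let the check report all three.
demo=$(mktemp -d); mkdir -p "$demo/bin" "$demo/etc"
printf 'original ls\n' > "$demo/bin/ls"
printf 'PermitRootLogin no\n' > "$demo/etc/sshd_config"
base=$(mktemp); make_baseline "$demo" > "$base"
printf 'trojaned ls\n' > "$demo/bin/ls"; rm "$demo/etc/sshd_config"; : > "$demo/bin/.hidden"
check_baseline "$base" "$demo" || echo "integrity check failed (expected in this demo)"
rm -rf "$demo" "$base"
```

The hash is what catches a trojaned `ls` of the same size and mode; the mode and owner fields catch the opposite case, an untouched binary that quietly became set-uid. Neither helps if the `sha256sum` or `find` used for the comparison is itself trojaned, which is the point of the caveat on the slide.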
  16. Look for suspicious networking <ul><li>Promiscuous interfaces / sniffers </li></ul><ul><li># ip link | grep PROMISC </li></ul><ul><li>or </li></ul><ul><li># /sbin/ifconfig </li></ul><ul><li>or </li></ul><ul><li># dmesg | grep promisc </li></ul><ul><li>Listeners (what accepts connections to the box) </li></ul><ul><ul><li># lsof -i </li></ul></ul><ul><ul><li># netstat -nap </li></ul></ul><ul><li>Connections (established ones, including those from the box) </li></ul><ul><ul><li># netstat -na </li></ul></ul><ul><li>ARP </li></ul><ul><ul><li># arp -a </li></ul></ul><ul><ul><li> ( at 00:90:27:9F:B5:8C [ether] on eth0 </li></ul></ul>
  17. Look for suspicious processes <ul><li>Process list </li></ul><ul><ul><li># ps aux </li></ul></ul><ul><ul><li>(./daemons, strange names, etc.) </li></ul></ul><ul><li>Process details (/proc/PID is a directory: list it, then read its files) </li></ul><ul><ul><li># ls -l /proc/13555/ </li></ul></ul><ul><ul><li># cat /proc/13555/cmdline </li></ul></ul><ul><li>Utilized system components </li></ul><ul><ul><li># lsof -p 13555 </li></ul></ul><ul><li>Daemons and services </li></ul><ul><ul><li># chkconfig --list </li></ul></ul><ul><li>Kernel module list </li></ul><ul><li># /sbin/lsmod </li></ul>
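The "./daemons, strange names" check of this slide and the listener check of the previous one, turned into something repeatable, as an added example (not from the presentation). It classifies a process by where its executable and working directory live, walks /proc with that classifier, and compares /proc against `ps` for processes a userland rootkit hides. The thresholds and names are this example's assumptions; it only reads /proc.

```shell
#!/bin/sh
# classify_process EXE ARGV0 CWD
#   EXE   = what readlink /proc/PID/exe returns
#   ARGV0 = first word of /proc/PID/cmdline (what ps shows)
#   CWD   = what readlink /proc/PID/cwd returns
# Prints one line per reason it looks wrong; prints nothing for a clean process.
classify_process() {
    exe="$1"; argv0="$2"; cwd="$3"
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/*|/home/*|/root/*)
            echo "exe in a scratch or home directory: $exe" ;;
    esac
    # The kernel appends " (deleted)" when the binary was unlinked after exec,
    # a common way to leave nothing for "find" or a scanner to pick up.
    case "$exe" in *" (deleted)") echo "exe unlinked after start: $exe" ;; esac
    case "$argv0" in ./*) echo "started with a relative path: $argv0" ;; esac
    case "$cwd" in /tmp/*|/var/tmp/*|/dev/shm/*) echo "working directory $cwd" ;; esac
    # Real kernel threads have no exe link at all, so a "[kworker...]" name on
    # a process that does have one is a user process in disguise.
    case "$argv0" in "["*"]"*) echo "kernel-thread-style name on a user process: $argv0" ;; esac
}

# Apply the classifier to every process we can read (a non-root user sees only
# its own; run as root for the real sweep). Follow a hit with lsof -p PID.
walk_proc() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel thread or no permission
        cwd=$(readlink "$p/cwd" 2>/dev/null)
        argv0=$(tr '\0' '\n' 2>/dev/null < "$p/cmdline" | head -n 1)
        reasons=$(classify_process "$exe" "$argv0" "$cwd")
        [ -n "$reasons" ] && printf 'PID %s:\n%s\n' "${p#/proc/}" "$reasons"
    done
    return 0
}

# Pids present in /proc but absent from ps output, or vice versa. A pid listed
# only once is either a process that started or exited between the two
# listings, or one hidden from ps by a trojaned binary or an LD_PRELOAD hook:
# run it twice and only a pid that stays is interesting. A kernel-level rootkit
# hides from /proc as well, which this cannot see.
hidden_pids() {
    command -v ps > /dev/null || { echo "ps not available" >&2; return 0; }
    { ls /proc | grep '^[0-9][0-9]*$'; ps -e -o pid= | tr -d ' '; } | sort -n | uniq -u
}

# Demo: the classifier on a made-up bad process, then the live host.
classify_process "/tmp/.x/kswapd (deleted)" "./kswapd" "/tmp/.x"
walk_proc
hidden_pids
```

Cross-reference a flagged pid with `netstat -nap` or `lsof -i -p PID` from the previous slide: a process started from /tmp that also owns a listening socket is a backdoor or an IRC bot until proven otherwise.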
  18. Look for weird log entries <ul><li>RPC exploit attempts (a format-string attack on rpc.statd) </li></ul><ul><li>Oct 19 05:27:43 bmw rpc.statd[560]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x% </li></ul><ul><li>HTTP attacks (this one is an IIS Unicode traversal; it cannot work on Linux, but it shows the host is being hit by automated scanners) </li></ul><ul><li>/scripts/..%2f../winnt/system32/cmd.exe?/c+dir </li></ul><ul><li>SSL attacks </li></ul><ul><li>[error] mod_ssl: SSL handshake failed (server 443, client (OpenSSL library error follows) [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143) </li></ul><ul><li>Auth failures (SSH, telnet, HTTP, FTP, POP3, IMAP, SQL, etc.) </li></ul><ul><li>Large quantities of errors </li></ul><ul><li>Large/small log files </li></ul>
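The three signatures on this slide as grep patterns, a tally of authentication failures, and the line an incident responder looks for right after a tally: a successful login from a source that had just been failing. Added example, not from the presentation; the sample log is constructed for it (the statd line is shortened to printable characters), and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample mixing syslog, sshd, an Apache access line and a mod_ssl
# error line. On a real host pipe in /var/log/messages, /var/log/secure and
# the web server's logs instead.
SAMPLE_LOG='Oct 19 05:27:43 bmw rpc.statd[560]: gethostbyname error for ^X^X%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn
Oct 19 05:30:01 bmw CROND[611]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 19:02:04 bmw PAM_unix[29426]: authentication failure; evil(uid=500) -> root for system-auth service
Mar 14 19:02:09 bmw PAM_unix[29430]: authentication failure; evil(uid=500) -> root for system-auth service
Mar 14 19:02:15 bmw PAM_unix[29433]: authentication failure; evil(uid=500) -> root for system-auth service
Mar 14 19:03:00 bmw sshd[29440]: Failed password for root from 10.0.0.7 port 4021 ssh2
Mar 14 19:03:02 bmw sshd[29441]: Failed password for root from 10.0.0.7 port 4022 ssh2
Mar 14 19:03:05 bmw sshd[29442]: Failed password for invalid user admin from 10.0.0.7 port 4023 ssh2
Mar 14 19:03:07 bmw sshd[29443]: Accepted password for root from 10.0.0.7 port 4024 ssh2
Mar 14 19:05:00 bmw sshd[29450]: Accepted publickey for anton from 192.168.1.5 port 51000 ssh2
10.0.0.9 - - [14/Mar/2005:19:10:11 -0500] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
[Mon Mar 14 19:12:40 2005] [error] mod_ssl: SSL handshake failed (server bmw:443, client 10.0.0.9) (OpenSSL library error follows)'

# Format-string payloads: runs of %x to walk the stack, %n or %hn to write.
format_string_probes() { grep -E '(%[0-9]*x){4,}|%h?n'; }

# Directory traversal and command execution in URLs, raw or URL-encoded.
web_traversal_probes() { grep -E -i '\.\.(/|%2f|\\|%5c)|%2e%2e|cmd\.exe|/etc/passwd'; }

# mod_ssl handshake failures in volume meant an SSL exploit or worm at the time.
ssl_handshake_errors() { grep -F 'mod_ssl: SSL handshake failed'; }

# Failures per (service, who -> whom | user@source), most frequent first.
auth_failure_tally() {
    grep -E 'authentication failure|Failed password' |
    sed -E -e 's/.*authentication failure; ([^ ]+) -> ([^ ]+).*/pam \1->\2/' \
           -e 's/.*Failed password for (invalid user )?([^ ]+) from ([^ ]+).*/sshd \2@\3/' |
    sort | uniq -c | sort -rn
}

# An "Accepted" line from a source that already failed earlier in the same log
# is a brute force that worked; print the failure count with the line.
success_after_failures() {
    awk '
        function src(line,    s) { s = line; sub(/.* from /, "", s); sub(/ .*/, "", s); return s }
        /Failed password for/               { fails[src($0)]++ }
        /Accepted (password|publickey) for/ { if (fails[src($0)] > 0) print fails[src($0)] " failures, then: " $0 }'
}

# triage_log [file]: run everything over one file.
triage_log() {
    f="${1:-/dev/stdin}"
    echo "== format string probes";   format_string_probes < "$f"
    echo "== web traversal probes";   web_traversal_probes < "$f"
    echo "== SSL handshake errors";   ssl_handshake_errors < "$f"
    echo "== auth failures";          auth_failure_tally < "$f"
    echo "== success after failures"; success_after_failures < "$f"
}

# Demo on the constructed sample; on a host: triage_log /var/log/secure
tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"; triage_log "$tmp"; rm -f "$tmp"
```

For the "large/small log files" bullet the check is simpler than a pattern: `find /var/log -type f -size 0` lists logs that were truncated, and a wtmp or secure file that stopped growing on the day the load went up is the same omen.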
  19. Misc other “weirdness” <ul><li>Contents of </li></ul><ul><ul><li>.rhosts / .shosts </li></ul></ul><ul><ul><li>.forward </li></ul></ul><ul><ul><li>/etc/inetd.conf or /etc/xinetd.* </li></ul></ul><ul><ul><li>~/.ssh/authorized_keys </li></ul></ul><ul><ul><li>/tmp and /var/tmp </li></ul></ul><ul><li>Suspicious cron jobs (esp. root’s) </li></ul><ul><li>Suspicious logged-on users (“system”, “bin”, etc.) </li></ul><ul><li>File attributes (“lsattr -R /”; immutable or append-only bits on binaries or logs are set by attackers as often as by admins) </li></ul>
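Two of the "contents of" items done for every account at once, as an added example that is not from the slides: each authorized_keys entry printed as user, key type, comment and options, and cron entries that run or fetch from scratch directories. The passwd file and path prefix are parameters so the same functions work on a mounted image of the victim; the defaults are the live host. The sandbox is constructed, with "AAAA..." standing in for key material. sshd's AuthorizedKeysFile can point somewhere else entirely; check that too.

```shell
#!/bin/sh
# list_authorized_keys [passwd_file] [prefix]
# Prints: user keytype comment opts=<options> (file)
list_authorized_keys() {
    passwd="${1:-/etc/passwd}"; prefix="${2:-}"
    awk -F: '$6 != "" { print $1 " " $6 }' "$passwd" | while read -r user home; do
        for f in "$prefix$home/.ssh/authorized_keys" "$prefix$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            # Entry format: [options] keytype base64 [comment]. Options may
            # contain spaces inside quotes (command="/bin/sh -i"), so the key
            # type is located first and everything before it is the options.
            awk -v u="$user" -v f="$f" '
                /^[[:space:]]*(#|$)/ { next }
                {
                    for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                    if (i > NF) { print u " UNPARSED " $0 " (" f ")"; next }
                    opts = "-"
                    if (i > 1) { opts = $1; for (j = 2; j < i; j++) opts = opts " " $j }
                    comment = (i + 2 <= NF) ? $(i + 2) : "-"
                    for (j = i + 3; j <= NF; j++) comment = comment " " $j
                    print u " " $i " " comment " opts=" opts " (" f ")"
                }' "$f"
        done
    done
}

# suspicious_cron [prefix]: system and per-user crontabs whose entries touch
# scratch directories or pull content from the network.
suspicious_cron() {
    prefix="${1:-}"
    cat "$prefix/etc/crontab" "$prefix"/etc/cron.d/* \
        "$prefix"/var/spool/cron/* "$prefix"/var/spool/cron/crontabs/* 2>/dev/null |
    grep -Ev '^[[:space:]]*(#|$)' |
    grep -E '/tmp/|/var/tmp/|/dev/shm/|wget |curl |base64|/dev/tcp/| nc | ncat '
}

# Constructed sandbox: three accounts, a key with a command= option in root's
# home, a bare key in the ftp account's home, and a cron job run from /tmp.
make_demo_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/root/.ssh" "$sb/home/anton/.ssh" "$sb/var/ftp/.ssh" "$sb/etc/cron.d"
    printf 'root:x:0:0:root:/root:/bin/bash\nanton:x:500:500::/home/anton:/bin/bash\nftp:x:14:50::/var/ftp:/sbin/nologin\n' > "$sb/passwd"
    printf '# my laptop\nssh-rsa AAAAB3Nza anton@laptop\n' > "$sb/home/anton/.ssh/authorized_keys"
    printf 'command="/bin/sh -i",no-pty ssh-ed25519 AAAAC3Nza x\n' > "$sb/root/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3Nza\n' > "$sb/var/ftp/.ssh/authorized_keys"
    printf '0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf\n*/5 * * * * root /tmp/.x/update >/dev/null 2>&1\n' > "$sb/etc/cron.d/sysupdate"
    printf '%s' "$sb"
}

# Demo on the sandbox; on a host: list_authorized_keys; suspicious_cron
sb=$(make_demo_sandbox)
list_authorized_keys "$sb/passwd" "$sb"
suspicious_cron "$sb"
rm -rf "$sb"
```

A key in root's home with no `from=` restriction, a key in the home of an account whose shell is nologin (sshd does not consult the shell, so that key still works), and a key with no comment are each worth a question; a `command=` that spawns a shell answers it.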
  20. What the attackers do II <ul><li>Close the holes: system changes, application restarts </li></ul><ul><li>Backdoors: system changes, broken commands, new servers </li></ul><ul><li>Trojans: new programs, new application behavior </li></ul><ul><li>IRC: network connections, servers </li></ul><ul><li>Scanning and exploitation: network connections, new programs </li></ul><ul><li>DoS attacks: network connections, slow system </li></ul><ul><li>Sniffing: promiscuous interfaces, missing disk space </li></ul><ul><li>Storing “warez” and pirated content: missing disk space, slow networking </li></ul>
  21. What have we learned? <ul><li>We can quickly look for known signs of intrusions </li></ul><ul><li>We have a plan for doing that! </li></ul><ul><li>It doesn’t require any expensive “security tools” </li></ul><ul><li>Many regular computer users can be trained to do that </li></ul>
  22. Conclusion <ul><li>Is Linux secure? </li></ul><ul><li>Just “securable”! </li></ul><ul><li>Let’s just help it a bit by looking for intrusion signs! </li></ul><ul><li>Similar methods are available for Windows! </li></ul>
  23. Additional Resources <ul><li>SANS resources – Intrusion Discovery Checklists </li></ul>
  24. Thanks for Viewing the Presentation <ul><li>Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA </li></ul><ul><li>Author of “Security Warrior” (O’Reilly) – </li></ul><ul><li>Read my blog at http:// </li></ul><ul><li>Book on logs is coming soon! </li></ul><ul><li>See for my papers, books, reviews and other security resources related to logs </li></ul>