Anton Chuvakin on Discovering That Your Linux Box is Hacked


  1. <ul><li>Linux Intrusion Discovery </li></ul><ul><li>v. 0.4 </li></ul><ul><li>May 2005 </li></ul><ul><li>Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA </li></ul><ul><li>Security Strategist </li></ul><ul><li>http://www.chuvakin.org </li></ul>
  2. Outline <ul><li>Linux Overview : Battleground Linux </li></ul><ul><li>Common Attacks and Intruder Behavior : What will they hit you with? </li></ul><ul><li>First Suspicions : Traces and anomalies </li></ul><ul><li>Confirming the Intrusion : Oh, it is REALLY “owned”! </li></ul><ul><li>Conclusion : What to do after the panic subsides? </li></ul>
  3. Linux <ul><li>Linux “profile”: </li></ul><ul><li>Free </li></ul><ul><li>Open source </li></ul><ul><li>Widely deployed </li></ul><ul><li>Great for servers </li></ul><ul><li>Easy to use * </li></ul><ul><li>Somewhat poorly coded ** </li></ul><ul><li>Result: great target for attackers from “script kiddiez” to pros </li></ul><ul><li>* - somewhat </li></ul><ul><li>** - at least, according to the xBSD fans </li></ul>
  4. Common Linux Attacks <ul><li>Vulnerable network daemons </li></ul><ul><ul><li>RPC </li></ul></ul><ul><ul><li>FTP </li></ul></ul><ul><ul><li>HTTP/HTTPS </li></ul></ul><ul><li>Brute forcing passwords </li></ul><ul><li>Web application and CGI attacks </li></ul><ul><li>Sniffing </li></ul><ul><li>Local console abuse </li></ul><ul><li>See SANS “UNIX Top 10 Weaknesses” for more details </li></ul>
  5. What do the attackers do? <ul><li>Close the holes </li></ul><ul><li>Backdoors </li></ul><ul><li>Trojans </li></ul><ul><li>IRC </li></ul><ul><li>Scanning and exploitation </li></ul><ul><li>DoS attacks </li></ul><ul><li>Sniffing </li></ul><ul><li>Storing “warez” and pirated content </li></ul><ul><li>Searching for credit cards </li></ul>
  6. What do we want? <ul><li>Give you or your subordinates/colleagues tools and methods to tell that a system is likely compromised </li></ul><ul><li>Require no advanced security knowledge while still being effective </li></ul><ul><li>Focus on performing simple actions and looking at their results </li></ul><ul><li>Use locally run built-in commands (and some free tools) </li></ul><ul><li>Likely not effective against advanced attackers, which is OK! </li></ul>
  7. Hack Omens Summary <ul><li>Groups of intrusion signs covered on the next slides: </li></ul><ul><li>Resource waste </li></ul><ul><li>System failures </li></ul><ul><li>Unusual objects and traces </li></ul><ul><li>Unusual networking </li></ul><ul><li>“Something just doesn’t feel right!” </li></ul>
  8. Omens: Resource waste <ul><ul><li>Slow system </li></ul></ul><ul><ul><li>[anton@bmw anton]$ uptime </li></ul></ul><ul><ul><li>11:53pm up 41 days, 8:54, 1 user, load average: 12.14, 9.12, 7.09 </li></ul></ul><ul><ul><li>Excessive memory use </li></ul></ul><ul><ul><li>[anton@bmw anton]$ free </li></ul></ul><ul><ul><li>total used free shared buffers cached </li></ul></ul><ul><ul><li>Mem: 127820 108856 18964 38636 13860 21684 </li></ul></ul><ul><ul><li>-/+ buffers/cache: 73312 54508 </li></ul></ul><ul><ul><li>Swap: 336504 43788 292716 </li></ul></ul><ul><ul><li>Missing disk space </li></ul></ul><ul><ul><li>[anton@bmw anton]$ df </li></ul></ul><ul><ul><li>Filesystem 1k-blocks Used Available Use% Mounted on </li></ul></ul><ul><ul><li>/dev/hda1 2016016 2016000 1193 99% / </li></ul></ul><ul><ul><li>Slow network connectivity </li></ul></ul><ul><ul><li>[anton@bmw anton]$ ping </li></ul></ul>
  9. Omens: Misc Failures <ul><ul><li>Reboots </li></ul></ul><ul><ul><li>[anton@bmw anton]$ uptime </li></ul></ul><ul><ul><li>10:05pm up 3 hours, 1:54, 2 user, load average: 0.14, 0.12, 0.09 </li></ul></ul><ul><ul><li>Application crashes and errors </li></ul></ul><ul><ul><li>VM: killing process spamassassin </li></ul></ul><ul><ul><li>Application restarts </li></ul></ul><ul><ul><li>Mar 14 05:22:32 bmw syslogd 1.3-3 : restart. </li></ul></ul><ul><ul><li>Authentication failures </li></ul></ul><ul><ul><li>Mar 14 19:02:04 bmw PAM_unix[29426]: authentication failure ; evil(uid=500) -> root for system-auth service </li></ul></ul><ul><ul><li>Spontaneous system unavailability </li></ul></ul>
  10. Omens: Unusual Objects <ul><li>Files/directories </li></ul><ul><ul><li>[root@bmw /tmp]# ls -la </li></ul></ul><ul><ul><li>total 35 </li></ul></ul><ul><ul><li>drwxrwxrwt 5 root root 15360 Mar 16 00:22 . </li></ul></ul><ul><ul><li>drwx------ 2 root root 1024 Mar 16 00:22 ... </li></ul></ul><ul><li>Processes </li></ul><ul><li>Accounts </li></ul><ul><li>Connections </li></ul><ul><ul><li>From server, to client, too many </li></ul></ul><ul><li>Command output </li></ul><ul><ul><li>“Hmm, why does it do that?” </li></ul></ul><ul><li>Log entries </li></ul>
  11. Action Plan <ul><li>What do the above signs indicate? Nothing, really? Maybe so, but let’s check! </li></ul><ul><li>How to quickly confirm an intrusion? </li></ul><ul><li>Using default system tools </li></ul><ul><li>Open source programs </li></ul><ul><li>And some built-in intelligence </li></ul>
  12. Actions <ul><li>Look for suspicious files </li></ul><ul><li>Look for suspicious accounts </li></ul><ul><li>Look for system corruption </li></ul><ul><li>Look for suspicious networking </li></ul><ul><li>Look for suspicious processes </li></ul><ul><li>Look for weird log entries </li></ul><ul><li>Look for misc other “weirdness” </li></ul>
  13. Look for suspicious files <ul><li>Large files </li></ul><ul><ul><li># find / -size +10000k -print </li></ul></ul><ul><ul><li>Or </li></ul></ul><ul><ul><li># find / -size +10000k -mtime +7 -print </li></ul></ul><ul><li>Nobody’s files </li></ul><ul><li># find / -nouser -print </li></ul><ul><li>SUID root files </li></ul><ul><li># find / -uid 0 -perm -4000 -print </li></ul><ul><li>Weird file names (". ", " ", "...", etc.) </li></ul><ul><ul><li># find / -name "..." -print </li></ul></ul>
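The four checks on this slide, combined into one labelled pass over a tree, as an added example that is not from the presentation (function names are mine; assumes GNU find; the second argument exists only so the check can be exercised on a scratch tree as a non-root user, on a live system it is 0):

```shell
#!/bin/sh
# Added example, not from the slides: slide 13's find checks in one pass,
# each hit prefixed with the class it belongs to. Assumes GNU find.
# $1 = root of the tree to scan, $2 = uid whose SUID files to report
# (0 on a real box; your own uid only when testing on a scratch tree).
find_weird_files() {
  root=$1
  suid_uid=${2:-0}
  # Names used to hide directories in a casual "ls": "...", ". ", " ", ".. "
  find "$root" \( -name '...' -o -name '. ' -o -name ' ' -o -name '.. ' \) \
    -print 2>/dev/null | sed 's/^/weird-name: /'
  # SUID files owned by the given uid (root on a live system)
  find "$root" -type f -uid "$suid_uid" -perm -4000 -print 2>/dev/null \
    | sed 's/^/suid: /'
  # Files whose owner no longer exists in /etc/passwd
  find "$root" -nouser -print 2>/dev/null | sed 's/^/nouser: /'
  # Files over 10000 KiB (warez caches, sniffer logs)
  find "$root" -type f -size +10000k -print 2>/dev/null | sed 's/^/large: /'
}

# Constructed scratch tree so the check can be run offline: one "..."
# directory, one ". " file, one ordinary file and one SUID-bit file.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir "$d/..."
  : > "$d/. "
  : > "$d/ordinary.txt"
  : > "$d/setuid-copy"
  chmod 4755 "$d/setuid-copy"
  printf '%s\n' "$d"
}
```

On a live system run it as root against `/` and review every line; the SUID list in particular should match what the package manager installed.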
  14. Look for suspicious accounts <ul><li>Privileged Accounts </li></ul><ul><li>grep :0: /etc/passwd </li></ul><ul><ul><li>[root@bmw /tmp]# grep :0: /etc/passwd </li></ul></ul><ul><ul><li>root:x:0:0:root:/root:/bin/bash </li></ul></ul><ul><ul><li>sync:x:5:0:sync:/sbin:/bin/sync </li></ul></ul><ul><ul><li>shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown </li></ul></ul><ul><ul><li>halt:x:7:0:halt:/sbin:/sbin/halt </li></ul></ul><ul><ul><li>operator:x:11:0:operator:/root: </li></ul></ul><ul><ul><li>rewt:x:0:0:root:/dev/…:/bin/bash </li></ul></ul>
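Why `grep :0:` lists sync, shutdown, halt and operator alongside the real finding (`rewt`): it matches the GID field too. An added example, not from the presentation, that tests the UID field explicitly and shows which of the grep hits were noise (function names are mine; the sample passwd file is constructed, with a placeholder home directory for `rewt`):

```shell
#!/bin/sh
# Added example, not from the slides. `grep :0:` matches ":0:" anywhere in
# the line, so GID-0 system accounts appear next to real UID-0 accounts.
# Testing field 3 (the UID) with awk removes that noise.
# $1 = passwd-format file, default /etc/passwd.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 ":" $6 ":" $7 }' "${1:-/etc/passwd}"
}

# UID-0 accounts other than root: on a stock system this prints nothing.
extra_superusers() {
  uid0_accounts "$1" | grep -v '^root:' || true
}

# Entries the slide's grep reports only because of the GID field.
grep_false_positives() {
  grep ':0:' "${1:-/etc/passwd}" | awk -F: '$3 != 0 { print $1 }'
}

# Constructed passwd file modelled on the slide's output; the home directory
# of "rewt" is a placeholder, the slide elides it.
sample_passwd() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
anton:x:500:500:Anton:/home/anton:/bin/bash
rewt:x:0:0:root:/dev/.hidden:/bin/bash
EOF
  printf '%s\n' "$f"
}
```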
  15. Look for system corruption <ul><li>Installed software integrity </li></ul><ul><li># rpm -qa | sort </li></ul><ul><li># rpm -Va | sort </li></ul><ul><li>File integrity: AIDE </li></ul><ul><li># aide --check </li></ul><ul><li>File integrity: Tripwire </li></ul><ul><li># tripwire --check </li></ul><ul><li>System integrity : Chkrootkit </li></ul><ul><li># chkrootkit </li></ul>
  16. Look for suspicious networking <ul><li>Promiscuous / sniffers </li></ul><ul><li># ip link | grep PROMISC </li></ul><ul><li>or </li></ul><ul><li># /sbin/ifconfig </li></ul><ul><li>or </li></ul><ul><li># dmesg | grep promisc </li></ul><ul><li>Listeners (to) </li></ul><ul><ul><li># lsof -i </li></ul></ul><ul><ul><li># netstat -nap </li></ul></ul><ul><li>Connections (from) </li></ul><ul><ul><li># netstat -na </li></ul></ul><ul><li>ARP </li></ul><ul><ul><li># arp -a </li></ul></ul><ul><ul><li>bmw.chuvakin.org (10.10.230.12) at 00:90:27:9F:B5:8C [ether] on eth0 </li></ul></ul>
  17. Look for suspicious processes <ul><li>Process list </li></ul><ul><ul><li># ps aux </li></ul></ul><ul><ul><li>(./daemons, strange names, etc) </li></ul></ul><ul><li>Process details (/proc/PID is a directory; list it, then read status, cmdline, exe) </li></ul><ul><ul><li># ls -l /proc/13555 </li></ul></ul><ul><ul><li># cat /proc/13555/status </li></ul></ul><ul><li>Utilized system components </li></ul><ul><ul><li># lsof -p 13555 </li></ul></ul><ul><li>Daemons and services </li></ul><ul><ul><li># chkconfig --list </li></ul></ul><ul><li>Kernel module list </li></ul><ul><li># /sbin/lsmod </li></ul>
  18. Look for weird log entries <ul><li>RPC exploit attempts </li></ul><ul><li>Oct 19 05:27:43 bmw rpc.statd[560]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x% </li></ul><ul><li>HTTP attacks </li></ul><ul><li>/scripts/..%2f../winnt/system32/cmd.exe?/c+dir </li></ul><ul><li>SSL attacks </li></ul><ul><li>[error] mod_ssl: SSL handshake failed (server bmw.chuvakin.org 443, client 10.0.0.10) (OpenSSL library error follows) [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143) </li></ul><ul><li>Auth failures (SSH, telnet, HTTP, FTP, POP3, IMAP, SQL, etc) </li></ul><ul><li>Large quantities of errors </li></ul><ul><li>Large/small log files </li></ul>
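A triage pass that pulls the entry types this slide shows out of a log extract, as an added example that is not from the presentation: PAM authentication failures summarised per source and target account, format-string payloads of the rpc.statd kind, and traversal / encoded-slash web requests (function names are mine; the sample log is constructed from the slide's lines with the binary payload bytes replaced by printable text; assumes GNU grep for the `{4,}` repetition):

```shell
#!/bin/sh
# Added example, not from the slides: one pass over a log file that labels
# the three kinds of entries slide 18 shows. $1 = log file to read.
log_triage() {
  f=$1
  # 1. PAM auth failures, counted per "source(uid) -> target" pair
  grep -h 'authentication failure' "$f" \
    | sed -n 's/.*; *\([^ ]*\) *-> *\([^ ]*\).*/\1 -> \2/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//; s/^/auth-fail: /'
  # 2. runs of %Nx conversions or %hn logged by a daemon: format-string input
  grep -h -E '(%[0-9]*x){4,}|%hn' "$f" | sed 's/^/fmtstring: /'
  # 3. "../" or "..%2f" traversal and cmd.exe requests in web logs
  grep -h -E '\.\.(/|%2[fF])|cmd\.exe' "$f" | sed 's/^/traversal: /'
}

# Constructed log extract modelled on the slide's samples: two auth failures
# from the same account, one benign restart, one rpc.statd format-string
# line (printable stand-in for the binary bytes), one IIS traversal request.
sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Mar 14 19:02:04 bmw PAM_unix[29426]: authentication failure ; evil(uid=500) -> root for system-auth service
Mar 14 19:02:09 bmw PAM_unix[29431]: authentication failure ; evil(uid=500) -> root for system-auth service
Mar 14 05:22:32 bmw syslogd 1.3-3 : restart.
Oct 19 05:27:43 bmw rpc.statd[560]: gethostbyname error for XXXX%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%
10.0.0.10 - - [14/Mar/2005:19:10:01 -0500] "GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
EOF
  printf '%s\n' "$f"
}
```

Run it over /var/log/messages and the web server access log; a high count on one `auth-fail` pair is the brute-force sign from slide 4, and any `fmtstring` hit deserves a look at that daemon's binary with the integrity checks from slide 15.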
  19. Misc other “weirdness” <ul><li>Contents of </li></ul><ul><ul><li>.rhosts / .shosts </li></ul></ul><ul><ul><li>.forward </li></ul></ul><ul><ul><li>/etc/inetd.conf or /etc/xinetd.* </li></ul></ul><ul><ul><li>~/.ssh/authorized_keys </li></ul></ul><ul><ul><li>/tmp and /var/tmp </li></ul></ul><ul><li>Suspicious cron jobs (esp. “root”) </li></ul><ul><li>Suspicious logged on users (“system”, “bin”, etc) </li></ul><ul><li>File attributes (“lsattr -R /”) </li></ul>
  20. What the attackers do II <ul><li>Close the holes : system changes, application restarts </li></ul><ul><li>Backdoors : system changes, broken commands, new servers </li></ul><ul><li>Trojans : new programs, new application behavior </li></ul><ul><li>IRC : network connections, servers </li></ul><ul><li>Scanning and exploitation : network connections, new programs </li></ul><ul><li>DoS attacks : network connections, system slow </li></ul><ul><li>Sniffing : promiscuous, missing disk space </li></ul><ul><li>Storing “warez” and pirated content: missing disk space, slow networking </li></ul>
  21. What have we learned? <ul><li>We can quickly look for known signs of intrusions </li></ul><ul><li>We have a plan for doing that! </li></ul><ul><li>It doesn’t require any expensive “security tools” </li></ul><ul><li>Many regular computer users can be trained to do that </li></ul>
  22. Conclusion <ul><li>Is Linux Secure? </li></ul><ul><li>Just “securable”! </li></ul><ul><li>Let’s just help it a bit by looking for intrusion signs! </li></ul><ul><li>Similar methods are available for Windows! </li></ul>
  23. Additional Resources <ul><li>SANS resources – Intrusion Discovery Checklists </li></ul><ul><li>http://www.sans.org/score/checklists/ID_Linux.pdf </li></ul><ul><li>http://www.sans.org/score/checklists/ID_Windows.pdf </li></ul>
  24. Thanks for Viewing the Presentation <ul><li>Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA </li></ul><ul><li>http://www.chuvakin.org </li></ul><ul><li>Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org </li></ul><ul><li>Read my blog at http://chuvakin.blogspot.com </li></ul><ul><li>Book on logs is coming soon! </li></ul><ul><li>See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs </li></ul>