Intrusion Discovery Cheat Sheet for Linux
0 likes287 views
This document serves as a cheat sheet for system administrators to detect potential security breaches in Linux systems. It outlines various commands and tools for identifying unusual accounts, processes, files, and network activities that may indicate a compromise. The guide emphasizes the significance of periodic checks and reporting any anomalies to an incident handling team.
![Look for processes running out of or accessing files
that have been unlinked (i.e., link count is zero). An
attacker may be hiding data in or running a backdoor
from such files:
# lsof +L1
On a Linux machine with RPM installed (RedHat,
Mandrake, etc.), run the RPM tool to verify packages:
# rpm βVa | sort
This checks size, MD5 sum, permissions, type,
owner, and group of each file with information from
RPM database to look for changes. Output includes:
S β File size differs
M β Mode differs (permissions)
5 β MD5 sum differs
D β Device number mismatch
L β readLink path mismatch
U β user ownership differs
G β group ownership differs
T β modification time differs
Pay special attention to changes associated with
items in /sbin, /bin, /usr/sbin, and /usr/bin.
In some versions of Linux, this analysis is automated
by the built-in check-packages script.
Unusual Network Usage Continued
Look for unusual port listeners:
# netstat βnap
Get more details about running processes listening
on ports:
# lsof βi
These commands require knowledge of which TCP
and UDP ports are normally listening on your
system. Look for deviations from the norm.
Look for unusual ARP entries, mapping IP address to
MAC addresses that arenβt correct for the LAN:
# arp βa
This analysis requires detailed knowledge of which
addresses are supposed to be on the LAN. On a
small and/or specialized LAN (such as a DMZ), look
for unexpected IP addresses.
Unusual Files Continued
Unusual Scheduled Tasks
Look for cron jobs scheduled by root and any other
UID 0 accounts:
# crontab βu root βl
Look for unusual system-wide cron jobs:
# cat /etc/crontab
# ls /etc/cron.*
Look at all running processes:
# ps βaux
Get familiar with "normal" processes for the machine.
Look for unusual processes. Focus on processes with
root (UID 0) privileges.
If you spot a process that is unfamiliar, investigate in
more detail using:
# lsof βp [pid]
This command shows all files and ports used by the
running process.
If your machine has it installed, run chkconfig to see
which services are enabled at various runlevels:
# chkconfig --list
Unusual Processes and Services
Look for unusual SUID root files:
# find / -uid 0 βperm -4000 βprint
This requires knowledge of normal SUID files.
Look for unusual large files (greater than 10
MegaBytes):
# find / -size +10000k βprint
This requires knowledge of normal large files.
Look for files named with dots and spaces ("...", ".. ",
". ", and " ") used to camouflage files:
# find / -name " " βprint
# find / -name ".. " βprint
# find / -name ". " βprint
# find / -name " " βprint
Unusual Files
Look for promiscuous mode, which might indicate a
sniffer:
# ip link | grep PROMISC
Note that the ifconfig doesnβt work reliably for
detecting promiscuous mode on Linux kernel 2.4, so
please use "ip link" for detecting it.
Unusual Network Usage](https://image.slidesharecdn.com/230-220316183421/85/Intrusion-Discovery-Cheat-Sheet-for-Linux-2-320.jpg)
Intrusion Discovery Cheat Sheet for Linux
- 1. Look in /etc/passwd for new accounts in sorted list by UID: # sort βnk3 βt: /etc/passwd | less Normal accounts will be there, but look for new, unexpected accounts, especially with UID < 500. Also, look for unexpected UID 0 accounts: # egrep ':0+:' /etc/passwd On systems that use multiple authentication methods: # getent passwd | egrep ':0+:' Look for orphaned files, which could be a sign of an attacker's temporary account that has been deleted. # find / -nouser -print System Administrators are often on the front lines of computer security. This guide aims to support System Administrators in finding indications of a system compromise. The following tools are often not built into the Linux operating system, but can be used to analyze its security status in more detail. Each is available for free download at the listed web site. DISCLAIMER: The SANS Institute is not responsible for creating, distributing, warranting, or supporting any of the following tools. Chkrootkit looks for anomalies on systems introduced by user-mode and kernel-mode RootKits β www.chkrootkit.org Tripwire looks for changes to critical system files β www.tripwire.org - free for Linux for non-commercial use AIDE looks for changes to critical system files http://www.cs.tut.fi/~rammer/aide.html The Center for Internet Security has released a Linux hardening guide for free at www.cisecurity.org. The free Bastille Script provides automated security hardening for Linux systems, available at www.bastille-linux.org. Unusual Accounts Additional Supporting Tools Purpose What to use this sheet for On a periodic basis (daily, weekly, or each time you logon to a system you manage,) run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system. This sheet is split into these sections: β’ Unusual Processes and Services β’ Unusual Files β’ Unusual Network Usage β’ Unusual Scheduled Tasks β’ Unusual Accounts β’ Unusual Log Entries β’ Other Unusual Items β’ Additional Supporting Tools Intrusion Discovery Cheat Sheet v2.0 Linux POCKET REFERENCE GUIDE SANS Institute www.sans.org and isc.sans.org Download the latest version of this sheet from http://www.sans.org/resources/linsacheatsheet.pdf If you spot anomalous behavior: DO NOT PANIC! Your system may or may not have come under attack. Please contact the Incident Handling Team immediately to report the activities and get further assistance. Look through your system log files for suspicious events, including: "entered promiscuous mode" Large number of authentication or login failures from either local or remote access tools (e.g., telnetd, sshd, etc.) Remote Procedure Call (rpc) programs with a log entry that includes a large number (> 20) strange characters (such as ^PM-^PM-^PM- ^PM-^PM-^PM-^PM-^PM) For systems running web servers: Larger than normal number of Apache logs saying "error" Reboots and/or application restarts Unusual Log Entries Other Unusual Items Sluggish system performance: $ uptime β Look at "load average" Excessive memory use: $ free Sudden decreases in available disk space: $ df
- 2. Look for processes running out of or accessing files that have been unlinked (i.e., link count is zero). An attacker may be hiding data in or running a backdoor from such files: # lsof +L1 On a Linux machine with RPM installed (RedHat, Mandrake, etc.), run the RPM tool to verify packages: # rpm βVa | sort This checks size, MD5 sum, permissions, type, owner, and group of each file with information from RPM database to look for changes. Output includes: S β File size differs M β Mode differs (permissions) 5 β MD5 sum differs D β Device number mismatch L β readLink path mismatch U β user ownership differs G β group ownership differs T β modification time differs Pay special attention to changes associated with items in /sbin, /bin, /usr/sbin, and /usr/bin. In some versions of Linux, this analysis is automated by the built-in check-packages script. Unusual Network Usage Continued Look for unusual port listeners: # netstat βnap Get more details about running processes listening on ports: # lsof βi These commands require knowledge of which TCP and UDP ports are normally listening on your system. Look for deviations from the norm. Look for unusual ARP entries, mapping IP address to MAC addresses that arenβt correct for the LAN: # arp βa This analysis requires detailed knowledge of which addresses are supposed to be on the LAN. On a small and/or specialized LAN (such as a DMZ), look for unexpected IP addresses. Unusual Files Continued Unusual Scheduled Tasks Look for cron jobs scheduled by root and any other UID 0 accounts: # crontab βu root βl Look for unusual system-wide cron jobs: # cat /etc/crontab # ls /etc/cron.* Look at all running processes: # ps βaux Get familiar with "normal" processes for the machine. Look for unusual processes. Focus on processes with root (UID 0) privileges. If you spot a process that is unfamiliar, investigate in more detail using: # lsof βp [pid] This command shows all files and ports used by the running process. If your machine has it installed, run chkconfig to see which services are enabled at various runlevels: # chkconfig --list Unusual Processes and Services Look for unusual SUID root files: # find / -uid 0 βperm -4000 βprint This requires knowledge of normal SUID files. Look for unusual large files (greater than 10 MegaBytes): # find / -size +10000k βprint This requires knowledge of normal large files. Look for files named with dots and spaces ("...", ".. ", ". ", and " ") used to camouflage files: # find / -name " " βprint # find / -name ".. " βprint # find / -name ". " βprint # find / -name " " βprint Unusual Files Look for promiscuous mode, which might indicate a sniffer: # ip link | grep PROMISC Note that the ifconfig doesnβt work reliably for detecting promiscuous mode on Linux kernel 2.4, so please use "ip link" for detecting it. Unusual Network Usage