Intrusion Discovery on Linux

6 12 2010

SANS institute introduced intrusion discovery cheat sheet for system administrators. The cheat sheet suggests often used commands to find any clue of system compromise. I will cover those commands here and I hope it can help you while following the cheat sheet.

Unusual processes and services
1. List all processes and spot for unfamiliar one or the one that owns by root

> ps -ef #standard way
> ps -aux #UNIX process style; BSD won't use hyphen.

2. List all processes bound to a specific user

> ps -u ambient --forest

3. If you want to see more in details, try lsof which shows all files and ports used by the process ID.

> lsof -p [process ID]

4. Investigate processes and services enabled on the machine

> top #task manager on linux.
> chkconfig --list #as same as services.msc

Unusual Files
1. Look for unusual SUID root files. A file that SUID root is enabled will be executed with root’s permission.
– The permission bits for special permission
4:SUID 2:GUID 1:Sticky bit –> 1st digit
4:owner 2:group 1:world –> other 3 digits

> find / -uid 0 –perm -4000 –print

2. Find the file that is bigger that usual such as 10MB.

> find / -size +10000k -print

3. Find the unusual file names

> find / -name " " –print
> find / -name ".. " –print
> find / -name ". " –print
> find / -name " " –print

4. Find an unlinked opened files.

> lsof +L #list all opened files with link count
> lsof +L1 #list all opened files with link count less that 1 which is 0

5. Verify linux packages

> rpm -Va | sort

Unusual Network Usage
1. Look for promiscuous interfaces. ifconfig cannot be relied on linux kernel 2.4.

/sbin/ip link | grep PROMISC

2. List all TCP/UDP opening ports

> netstat -tulpn #tcp,udp,listening,program,numeric

3. Look for unfamiliar arp entries or unfamiliar ip addresses

arp -a

Unusual Scheduled Tasks
1. Show scheduled tasks

> cat /etc/crontab
> ls /etc/cron.*
> crontab -u root -l #cron utilities to list jobs for specified users

Unusual Account
1. Look for new accounts

> sort -nk3 -t: /etc/passwd | less
# -n numeric, -k3 start at key=3rd, -t delimeter=:, file

Try to spot new accounts and accounts which UID=0(unexpected root)
2. An orphaned file is the file that belongs to no one. It signifies a deleted temporary account.

> find / -nouser -print

Other unusual items
1. Look for overload time

> uptime
22:12:41 up 4:37, 2 users, load average: 0.08, 0.08, 0.06

2. View available space

> df -h

3. View last log in account

> last
> lastlog

For the mentioned cheat sheet on intrusion discovery please discuss
Linux Cheat Sheet



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: