Linux Security Response | Relish the Moment

Learn how to master Linux commands, the Security Response will be a good entry cz it involves many Linux commands related to user management, privilege control, and task monitoring which are useful when using Linux

Linux Reinforce

$ chattr +a xxx	--only appendable
$ chattr +i xxx	--cannot be deleted
$ touch /etc/nologin	--normal user cannot login
$ vi /etc/ssh/sshd_config -> banner NONE		--hide banner info
$ authconfig --passalgo=sha512 --update	--replace md5 with SHA512
$ auth required pam_tally2.so deny=3 unlock_time=5
$ even_deny_root root_unlock_time=120		--limit login times (lock 2mins every 3 logins)
$ vi /etc/profile -> HISTSIZE=5 HISTFILESIZE=20

Security Response

PDCERF: Perparation, Detection, Containment, Eradication, Recovery, Follow-up
Confirm attacking time, IP address, and the evil file (process or rootkit) last

check suspicious users

# search privileged users
$ awk -F: '$3==0{print $1}' /etc/passwd
$ grep :0 /etc/passwd
# search users able to login remotely
$ awk '/\$1|\$6/{print $1}' /etc/shadow
# search users with sudo privilege
$ more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"
# disable or delete users
    usermod -L user    unable to login
    userdel user       delete user
    userdel -r user    delete user and his homedir

# check new users
$ less /etc/passwd
# check last time of modification
$ ll -l /etc/passwd

port and process

# netstat used for port info
# ps used for process info
# lsof used for connection info between process and port
$ netstat -antlp|more
$ netstat -pantu|grep port
$ ps aux[f]|grep pid
$ ps -p port
$ lsof [-i] |grep port
$ lsof -i :port
$ lsof -p pid

# ss used for port info
# fuser used for process info
$ ss [-t] |grep port
$ ss -pantul
$ sudo apt install psmisc   # install fuser
$ sudo fuser -v port/protocol # like 80/tcp

startup item and timed tasks

$ more /etc/rc.local
$ more /etc/rc.d/rc[0~6].d

$ crontab -l 	# list cron services
$ crontab -e 	# edit
$ crontab -r 	# remove
/var/spool/cron/user 	default crontab filedir

suspicious dirs:
/var/spool/cron/* 
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/* 
/etc/cron.hourly/* 
/etc/cron.monthly/*
/etc/cron.weekly/
/etc/anacrontab
/var/spool/anacron/*

used to be:
$ chkconfig --list
$ chkconfig –-level  2345 httpd on/off
now is:
$ systemctl list-unit-files
$ systemctl enable httpd
$ systemctl disable httpd

log check

# locate IP which brute force root password:     
$ journalctl -xa|grep "Failed password for root" | awk '{print $11}' | sort | uniq -c | sort -nr | more

# similar to above:
$ journalctl -xa|grep "Failed password"|grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"|uniq -c

# brute force password dict is:
$ grep "Failed password" /var/log/secure|perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}'|uniq -c|sort -nr
 
# success logins IP:   
$ grep "Accepted " /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

# similar to above:
$ grep "Accepted " /var/log/secure | awk '{print $1,$2,$3,$9,$11}'

and as you can see, both /var/log/auth.log(replace the /vat/log/secure) and the command “journalctl -xa”, can be used to check logs

add user log e.g.

Jul 10 00:12:15 localhost useradd[2382]: new group: name=user, GID=1001
Jul 10 00:12:15 localhost useradd[2382]: new user: name=user, UID=1001, GID=1001, home=/home/user
, shell=/bin/bash
Jul 10 00:12:58 localhost passwd: pam_unix(passwd:chauthtok): password changed for user
#grep "useradd" /var/log/auth.log
```
- delete user log e.g.
```bash
Jul 10 00:14:17 localhost userdel[2393]: delete user 'user'
Jul 10 00:14:17 localhost userdel[2393]: removed group 'user' owned by 'user'
Jul 10 00:14:17 localhost userdel[2393]: removed shadow group 'user' owned by 'user'
# grep "userdel" /var/log/auth.log
```
- su switch user log e.g.
```bash
Jul 10 00:38:13 localhost su: pam_unix(su-l:session): session opened for user good by root(uid=0)

view hidden processes

1
2
3

$ ps -ef | awk'{print $2}'|sort -n| uniq > tasklist1.txt
$ ls /proc | sort -n | uniq > tasklist2.txt
$ diff tasklist1.txt tasklist2.txt

Commands Summary

Files Recovery

if an important file were deleted, while a process which opens this file is alive, this process can still be read or written through it’s file descriptor.

e.g.

see /var/log/secure, only to find it was deleted
use “lsof” to see process that opens it
as we can see, pid is 1264, and fd (file descriptor) is 4. so we can find info in /proc/1264/fd/4
use I/O redirection to redirect it to file
see /var/log/secure, and now we recovered the deleted file

Tools

The ext3grep is to recovery file deleted by rm - rf on ext3 disk.
First unmount that disk to stop writting, and then install ext3grep. You can find it in apt repo, or compile it on your own.

Installation:

$ apt install e2fslibs-dev
$ tar xvf ext3grep-0.10.1.tar.gz 
$ cd ext3grep-0.10.1
$ ./configuremake && make install

Scan file name:

1	$ ext3grep /dev/sdbx --dump-names

And recover all:

1	$ ext3grep /dev/sdbx --restore-all

Or recover someone:

1	$ ext3grep /dev/sdbx --restore-file var/lib/mysql/aqsh/tb_b_attench.MYD

Another tool is extundelete, you can install it through apt or get it on sourceforge.

Installation:

$ wget http://nchc.dl.sourceforge.net/project/extundelete/extundelete/0.2.4/extundelete-0.2.4.tar.bz2 
$ apt install e2fsprogs e2fslibs-dev build-essential 
$ tar -jxvf extundelete-0.2.4.tar.bz2 
$ cd extundelete-0.2.4 
$ ./configure --prefix=/usr/local/extundelete 
$ make && make install 
# check installation
$ cd /usr/local/extundelete/bin 
$ ./extundelete -v

The usage of it is similar to ext3grep, and it can recover by directory

$ ./extundelete --restore-file var/lib/mysql/aqsh/tb_b_attench.MYD /dev/sdbx  
$ ./extundelete --restore-all /dev/sdbx 
$ date -d "May 7 18:40 2019" +%s
1557225600
$ ./extundelete --restore-all --after "1557225600" /dev/sdbx
# by directory
$ extundelete /dev/sdbx --restore-directory var/lib/mysql/aqsh

Useful Scripts

Normal

get busybox to analysis

1
2
3

$ cd /bin/
$ wget https://busybox.net/downloads/binaries/1.30.0-i686/busybox
$ chmod 755 busybox

show malicious processes

1	$ perf top -s pid,comm,dso,symbol

delete ddos trojans or mining scripts, can be used directly(from a SRC event)

ps auxf | grep -v grep | grep hwlh3wlh44lh | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep Circle_MI | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep get.bi-chi.com | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep hashvault.pro | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep nanopool.org | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/.sshd | awk '{print $2}' | xargs kill -9
ps auxf | grep -v grep | grep /usr/bin/bsd-port | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "xmr" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "xig" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "ddgs" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "qW3xT" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "wnTKYg" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "t00ls.ru" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "sustes" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "thisxxs" | awk '{print $2}' | xargs kill -9
ps auxf|grep -v grep|grep "hashfish" | awk '{print $2}'|xargs kill -9
ps auxf|grep -v grep|grep "kworkerds" | awk '{print $2}'|xargs kill -9

Operations related:

find zombie process

1	$ ps -ef \| grep defunct

count

# simply use the top to see things like ...
...
Tasks:   4 total,   1 running,   3 sleeping,   0 stopped,   0 zombie
...
# or
ps -ef | grep defunct | grep -v grep | wc -l

kill zombie process

1 2	$ ps -e -o ppid,stat \| grep Z \| cut –d" " -f2 \| xargs kill -9 $ kill -HUP `ps -A -ostat,ppid \| grep -e '^[Zz]' \| awk '{print $2}'`

Tide sec team’s auto script( in Chinese)

It is an automatic script written in pithon2, and is useful in linux security response.
It gather system information and service log, then generate a log file to save results.
This script can be found Here

A miner cleaner

This was extracted from a mining trojan, to get rid of every competitors on the victim.
Get it Here to clear mainstream mining trojans.

Clean your ass finally

After the attack, you better get your ass cleaned to be untraceable.
We have a simple cleaner Here. Another better script is Here in Chinese, which could even fake log info.

Key Files

“Key” here means important

Use lsattr to see hidden attribution

About hidden attribution


-a 　show all files and directories including  .(current dir) and ..(parent dir)
-d 　show dirs' names
-l 　just list
-R 　Recursive processing, which processes all files and subdirectories in the specified directory together.
-v 　show versions of files and dirs
-V 　show versions

Use getfacl to see things about ACL (Access Control List)

About ACL attribution

-a, --access: only displays file access control lists
-d, --default: only displays the default access control list
-c, --omit-header: not display comment headers
-e, --all-effective: show all valid permissions
-E, --no-effective: show invalid permissions
-s, --skip-base: skip files with only base entries
-R, --recursive: recursively display subdirs
-L, --logical: logical traversal (follow the symbolic link)
-P, --physical: physical traversal (does not follow symbolic links)
-t, --tabular: Use tab-delimited output format
-n, --numeric: show the user/group ID of the number
-p, --absolute-names: not remove the '/' symbol before the path
-v, --version: display version and exit
-h, --help: display this help information

Tools

chkrootkit
later…
rkhunter
later…
clamav
later…