Compromised Linux Machine - What to do?
Hi guys!
Yesterday I was reading some idiotic post about how to deal with a compromised Linux machine. It was so ridiculous that I started thinking about writing a good, realistic article for this kind of situation. Situations of this kind are rarely straightforward: a Linux system runs so many services, daemons, scripts, bots and kernel modules that it is almost impossible to tell whether you are already compromised. If you think your machine is secure, but log files disappear or stay at zero size, or the machine starts sending some interesting mass email, then you are not very secure.

For example, an attacker can hide malicious code in the Linux kernel or in kernel drivers, and a good backdoor or rootkit is practically impossible to track down: with its roots at kernel level it can intercept TCP windows and flows, and it can hide at other networking layers as well. It does not even need to hide; it only needs to encrypt its traffic and that's it. Some time ago it was popular to run backdoors together with DDoS clients like Kaiten. They still run today, but a bit more trickily, with the binary encrypting itself, as ziggystartux does. Still, bots of this kind connect to an IRC network over an unencrypted connection, so they are easy to catch by running tcpdump or any other packet sniffing tool on the remote system. Attackers can also use reverse shells, ICMP reverse shells, drop shells in PHP/Perl scripts, and so on; they can hide processes and TCP connections, or rename them to look more like system processes. They can always run a second SSH/Telnet server if they want, or use listening ports with a port knocking technique (from outside they will appear filtered).

So let's first scan your machine from outside with a TCP/UDP scanner (like nmap or nessus). Close unnecessary open ports and double check the filtered ports. You can also examine all the sources (source code) on your machine: if the attacker forgot to delete the sources of the software he compiled, you can work out what was installed on your system and how it works.
Of course there are automatic tools for auditing the system and its services:
But they don't help much either. Smart attackers hide their software in very different ways...
Be curious. What he did on your system is hard to know unless he forgot about the log files, so let's start by looking at ~/.bash_history, ~/.history, ~/.mysql_history etc. Then watch the auth log: /var/log/auth.log, or on some systems /var/log/secure.
Check that no new SSH public keys have been added to ~/.ssh/authorized_keys.
Check the local database of system users, /etc/passwd and /etc/shadow, for newly added entries. I remember a good trick on FreeBSD: set file flags that do not let anyone delete or overwrite files, and raise the system-wide securelevel to a stricter setting.
Search and find recent file changes:
find /etc -type f -mtime -2 -printf '%TY-%Tm-%Td %TT %p\n' | sort -n # Last 2 days; use -mtime -7 for the last week
Check that there are no new kernel headers or kernel sources in /usr/src; they are used to compile new kernel modules or other things that hide deep inside your system.
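The checks above (recent changes in /etc, authorized_keys entries, extra UID 0 accounts, emptied history files, contents of /usr/src) collected into one script. This is an added example, not code from the original post; the functions take a root directory as a parameter so the same checks run against a mounted disk image (for example ROOT=/mnt/evidence) or the live system (ROOT=/). The fixture directory, user names and key comments are constructed for illustration, and the find -printf and touch -d options assume GNU findutils/coreutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): post-compromise triage checks,
# each as a function taking the root directory to inspect. Sample data below
# is constructed so the script can be tried offline before use on evidence.
set -u

# 1. Files under $ROOT/etc modified in the last N days, newest first (GNU find).
recent_etc_changes() {
    local root="$1" days="$2"
    find "$root/etc" -type f -mtime "-$days" -printf '%TY-%Tm-%Td %TT %p\n' 2>/dev/null | sort -r
}

# 2. Every authorized_keys entry for root and all home directories: file, key type, comment.
#    Review any key whose comment you do not recognise.
list_authorized_keys() {
    local root="$1" f
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v file="$f" 'NF >= 2 { print file ": " $1 " " $NF }' "$f"
    done
}

# 3. Accounts in /etc/passwd with UID 0 that are not root (a classic added backdoor account).
uid0_accounts() {
    local root="$1"
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$root/etc/passwd"
}

# 4. Shell/MySQL history files: an empty or symlinked-away history is itself a
#    sign that somebody cleaned up after themselves.
history_files() {
    local root="$1" f
    for f in "$root"/root/.*history "$root"/home/*/.*history; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            printf '%s -> %s (symlink)\n' "$f" "$(readlink "$f")"
        elif [ ! -s "$f" ]; then
            printf '%s (empty)\n' "$f"
        else
            printf '%s (%s lines)\n' "$f" "$(wc -l < "$f")"
        fi
    done
}

# 5. Anything under /usr/src: kernel headers or sources nobody installed on purpose.
kernel_sources() {
    local root="$1"
    find "$root/usr/src" -mindepth 1 -maxdepth 1 2>/dev/null | sort
}

triage_report() {
    local root="$1"
    echo "== /etc changes, last 2 days";      recent_etc_changes "$root" 2
    echo "== authorized_keys entries";        list_authorized_keys "$root"
    echo "== UID 0 accounts other than root"; uid0_accounts "$root"
    echo "== history files";                  history_files "$root"
    echo "== /usr/src contents";              kernel_sources "$root"
}

# Constructed fixture: a tiny fake root with one suspicious item per check.
make_fixture() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/root" "$d/home/alice/.ssh" "$d/usr/src/linux-headers-example"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' \
                  'toor:x:0:0::/root:/bin/bash' > "$d/etc/passwd"
    echo '# constructed' > "$d/etc/crontab"
    touch -d '30 days ago' "$d/etc/hostname"   # old file: must not appear in the 2-day list
    printf '%s\n' 'ssh-ed25519 AAAAC3-constructed alice@laptop' \
                  'ssh-rsa AAAAB3-constructed unknown-comment' > "$d/home/alice/.ssh/authorized_keys"
    printf '%s\n' 'ls' 'cat /etc/passwd' 'exit' > "$d/home/alice/.bash_history"
    : > "$d/root/.bash_history"                # emptied history
    echo "$d"
}

triage_report "$(make_fixture)"
```

Run it as is to see the report against the constructed fixture, then call triage_report with the real mount point. On a live system run it from a known-good copy of the tools (a rescue boot or a mounted image is better), since a kernel-level rootkit can lie to find, awk and ls alike.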
How to prevent it?
Always use SSH, not telnet. Use Apache/nginx or another httpd daemon with a FastCGI/PHP-FPM interface configured so that each site's scripts run as their own separate system user (not globally). Always check permissions and don't give 777 (full access) to everyone. Don't give your server credentials to other people. Do not use common usernames/passwords; nowadays they can be brute-forced in seconds.
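A small permissions audit for the "don't give 777 to everyone" point, as an added example that is not part of the original post: it lists every world-writable file or directory under a web root and then resets directories to 755 and files to 644. The web root and its contents are constructed; find -printf assumes GNU findutils.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find world-writable entries under
# a web root and reset them to the usual 755/644. Web root below is constructed.
set -u

# Print mode, owner and path of every world-writable file or directory under $1.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -printf '%m %u %p\n' | sort -k3
}

# Directories 755, files 644: the owner keeps write access, everyone else read-only.
# A directory the web server really must write to (uploads, cache) should be owned
# by that site's PHP-FPM pool user, not opened to the world.
harden_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed web root with the typical mistakes: a 666 config file and a 777 uploads dir.
make_webroot() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    echo '<?php echo "hi";' > "$d/index.php";  chmod 644 "$d/index.php"
    echo 'db_password=constructed' > "$d/config.php"; chmod 666 "$d/config.php"
    chmod 777 "$d/uploads"
    echo "$d"
}

ROOT=$(make_webroot)
echo "== before"; world_writable "$ROOT"
harden_webroot "$ROOT"
echo "== after";  world_writable "$ROOT"
```

Before hardening the audit reports config.php and uploads; afterwards it reports nothing.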
Thanks all. I know these are just the basics; more secure techniques are to use SELinux or GrSec. But remember, those are just security frameworks. If you are already compromised, then good luck. ;-)