Lecture 15: UNIX Forensics
6/25/2003
CSCE 590 Summer 2003

Collecting Volatile Data
• Trusted toolkit
• Book recommends renaming trusted tools
  – Avoids accidents
  – e.g. tls, tnetstat
• Same considerations as before – is a tradeoff
• Unplugging from network causes many UNIX systems to start writing error messages to the log and the console

w – what
• Find out who is logged in and what they’re doing
• USER field: username logged in
• TTY field – control terminal assigned to the session
  – ttyn – n >= 0 integer. Console logon
  – ptsn or ttypn may signify a network connection
• FROM field – where they’ve logged in from (hyphen for at the console)
• LOGIN@ field – local starting time of connection

w – what
• IDLE field – length of time since last process was run
• JCPU field – total time used by all processes connected to that terminal
• PCPU field – processor time used by the process listed in the WHAT column
• WHAT field – process currently running on that terminal

Running Processes
• ps -eaf (System V)
• ps -wwwaux (BSD)
• Either on Linux and newer operating systems
• Note the START field – when a process started
• If the COMMAND field of a process contains bizarre characters, it may indicate the presence of a buffer overflow attack
• Bizarre characters or strangely formatted fields may also indicate a trojaned copy of ps that isn’t compiled quite right for your OS

lsof
• List of every open file used by a process
• On UNIX an open file can be:
  – Regular file
  – Directory
  – Block special file (disk drive)
  – Character special file (tty terminal)
  – A library
  – A stream
  – Network file (Internet socket, NFS file or UNIX domain socket)

lsof
• No options gives full list of all open files and sockets
• +d dirname: search for all open files and directories directly within dirname (does not recurse or follow symbolic links)
• +D dirname: above + recursion
• -i: all open Internet files and connections, alternative to netstat
• -D r: option tells lsof to not create a cache file (possible system change in live response)

lsof Output
• COMMAND – command that was run
• PID – process ID listed from /proc
• USER – user associated with process
• FD – either File Descriptor of file (followed by r, w, u mode + some other possible codes) or:
  – cwd – current working directory of process
  – ltx – shared library text (code and data)
  – Mxx – hex memory-mapped type number xx
  – mem – memory-mapped file
  – pd – parent directory
  – rtd – root directory
  – txt – program text (code and data)

lsof Output
• TYPE – type of node associated with the file
• DEVICE – device numbers for character special, block special, regular, directory, or NFS files
• SIZE – size of file or file offset in bytes
• NODE – inode number of file
• NAME – name of mount point or file system on which file resides

Loadable Kernel Modules
• Instead of trojaning executables like ps, rootkits (collections of trojaned system utilities) may actually use LKMs to hide their tracks
• Insidious for live response:
  – UNIX kernel is a single program
  – LKMs can be dynamically linked into the kernel after it is booted
  – These change the way the operating system works
  – Use the kernel to hide your tracks – it lies to your trusted tools, which have to use system calls to interface with the kernel. This is the point where the kernel can lie to you
• knark, adore, heroin

kstat LKM Detector
• Checks memory (/dev/kmem) for info about host, including LKMs
• Options:
  – -P: displays all processes
  – -p pid: display process with process id pid
  – -M: display kernel’s LKMs’ linked list
  – -m addr: display info about module at addr
  – -s: display info about system call table

Finding knark with kstat
• kstat -s
  – sys_fork 0xc284652c WARNING! Should be at 0xc0108c88
  – LKM rootkits typically change the system call table and generate warnings
  – Older kstat used System.map file, now compiled in
  – Use warnings as a signature of particular rootkits
  – knark changes 7 system calls: sys_fork, sys_read, sys_execve, sys_kill, sys_ioctl, sys_settimeofday, sys_clone

Other LKM Rootkits
• adore:
  – 7 calls as well – sys_fork, sys_kill, sys_clone, sys_write, sys_close, sys_mkdir, sys_getdents
• rkit
  – Only changes one system call – sys_setuid

kstat -P
• Shows all processes running
• Including those hidden by LKM rootkits
• Compare against output of ps and lsof to see if anything is missing compared to output of kstat -P

Other LKM Rootkit Detectors
• Chkrootkit
• Does regular rootkits as well
• Excellent reference links on web site
  – http://www.chkrootkit.org/
• rkscan
  – http://www.hsc.fr/ressources/outils/rkscan/index.html.en
• Carbonite
  – LKM itself that does an lsof/ps at the kernel level. “Freezes” the status of every process in Linux's task_struct
  – http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/carbonite.htm
• http://packetstormsecurity.nl/docs/hack/LKM_HACKING.html

Finding Sniffers
• Use ifconfig to collect information about network interface configuration
• Also look for interfaces in promiscuous mode (sniffing)
  – Usually interfaces only pay attention to packets addressed to them or to the broadcast address
  – PROMISC tells the interface to pay attention to all packets going by on the wire
  – Some systems (Solaris) do not set the promiscuous flag

MAC Times
• Collect those time stamps
• Using ls:
  – ls -alRu (atime access times)
  – ls -alRc (ctime change times)
  – ls -alR (mtime modification times)
• Could also use our sleuth tools

System Logs
• Can be volatile if the system is going to remain up
• If you are going to shut it down for imaging, these might be able to wait
  – Check /var/log or /var/adm
• Logs of interest (platform dependent)
  – utmp – (w utility reads info from here)
  – wtmp – (last utility reads from here)
  – lastlog – (lastlog utility)
  – Process accounting logs (lastcomm utility)
  – Messages
  – Web logs, history files, ftp xferlog
  – Syslogs (/etc/syslog.conf for locations)

Configuration Files
• You may want to collect these during initial response:
  – /etc/passwd
  – /etc/shadow
  – /etc/group
  – /etc/hosts
  – /etc/hosts.equiv
  – /etc/ssh_known_hosts and /etc/ssh_known_hosts2
  – ~/.rhosts and ~/.shosts
  – ~/.ssh/known_hosts and ~/.ssh/known_hosts2

Configuration Files
• More configuration files:
  – /etc/hosts.allow
  – /etc/hosts.deny
  – /etc/syslog.conf
  – /etc/rc*
  – /etc/inetd.conf
  – Crontab files in /var/spool/cron (and anacron)
  – iptables, ipchains rules
  – It might be good to grab all of /etc

Other System Configuration
• df -k
• uname -a
• uptime
• date
• who
• arp -a
• md5sums

Memory
• Grab memory
  – # dd if=/proc/kmem | nc forensic.rig.net 31337
  – # dd if=/proc/kcore | nc forensic.rig.net 31337
  – # dd if=/dev/mem | nc forensic.rig.net 31337
  – # dd if=/dev/kmem | nc forensic.rig.net 31337
  – # dd if=/dev/kcore | nc forensic.rig.net 31337
• Also might check for crash dumps and core dumps
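The two "w – what" slides describe the TTY and FROM fields but do not show how to act on them during a live response. The script below is an added example, not part of the lecture: it separates console logons (ttyN with a hyphen in FROM) from sessions that arrived over the network (pts/N or ttypN with a remote FROM). The "w" output it parses is constructed, and the column layout assumed is that of Linux procps "w"; other platforms may order the columns differently.

```sh
#!/bin/sh
# Added example, not from the lecture: separate console logons from network
# sessions in "w" output using the TTY and FROM fields described on the slides.
# The "w" output below is constructed (Linux procps column layout assumed).

sample_w_output() {
cat <<'EOF'
 15:04:05 up 10 days,  3:21,  3 users,  load average: 0.10, 0.15, 0.12
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alice    tty1     -                09:12    5:00m  0.20s  0.05s -bash
bob      pts/0    192.0.2.44       14:58    0.00s  0.10s  0.03s w
carol    pts/1    198.51.100.7     02:13    1.00s  3.21s  3.10s ./unknown
EOF
}

# Sessions arriving over the network: pseudo-terminal (pts/N or ttypN) with a
# FROM value other than "-". Prints USER TTY FROM WHAT, keeping spaces in WHAT.
# Skips the uptime line (NR 1) and the column header (NR 2).
remote_sessions() {
    awk 'NR > 2 && $2 ~ /^(pts|ttyp)/ && $3 != "-" {
             what = $8
             for (i = 9; i <= NF; i++) what = what " " $i
             print $1, $2, $3, what
         }'
}

# Sessions at a local console: ttyN with a hyphen in FROM. Prints USER TTY.
console_sessions() {
    awk 'NR > 2 && $2 ~ /^tty[0-9]+$/ && $3 == "-" { print $1, $2 }'
}

echo "network sessions:"
sample_w_output | remote_sessions
echo "console sessions:"
sample_w_output | console_sessions
```

On a live system, replace `sample_w_output` with the renamed trusted copy of `w` from the toolkit (`tw | remote_sessions`), and keep the raw `w` output as well, since the filtered view drops the IDLE and JCPU fields you may want later.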
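The "kstat -P" slide says to compare the kernel-level process list against the output of ps and lsof and look for anything missing. The script below is an added example, not part of the lecture or of kstat, that does that comparison mechanically: it pulls the PID column from "ps -eaf" output and from a kernel-level listing and prints PIDs the kernel reports but ps does not. Both listings are constructed. The layout of the kernel-level listing (PID in the first column) is an assumption made for this example; the real kstat -P format may differ, in which case only the awk field number in `kernel_pids` needs changing.

```sh
#!/bin/sh
# Added example, not from the lecture: cross-check a userland "ps -eaf" PID
# list against a kernel-level list such as "kstat -P" and report PIDs that
# the kernel knows about but ps does not show (candidate hidden processes).
# Both listings are constructed. ASSUMPTION: the kernel-level listing has the
# PID in its first column; adjust kernel_pids() for the real kstat layout.

sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jun24 ?        00:00:04 init
root       412     1  0 Jun24 ?        00:00:00 syslogd
root       615     1  0 Jun24 ?        00:00:01 sshd
alice     1203   615  0 14:58 pts/0    00:00:00 -bash
EOF
}

sample_kernel_list() {
cat <<'EOF'
PID   CMD
1     init
412   syslogd
615   sshd
1203  bash
4242  unknown
EOF
}

# PID column of ps -eaf output (2nd field, header skipped), sorted for comm(1).
ps_pids()     { awk 'NR > 1 { print $2 }' | sort; }
# PID column of the kernel-level listing (1st field, numeric lines only).
kernel_pids() { awk 'NR > 1 && $1 ~ /^[0-9]+$/ { print $1 }' | sort; }

# $1 = file with ps -eaf output, $2 = file with the kernel-level listing.
# Prints PIDs present only in the kernel-level list.
hidden_pids() {
    ps_list=$(mktemp); kern_list=$(mktemp)
    ps_pids     < "$1" > "$ps_list"
    kernel_pids < "$2" > "$kern_list"
    comm -13 "$ps_list" "$kern_list"
    rm -f "$ps_list" "$kern_list"
}

# Demo on the constructed listings.
demo_ps=$(mktemp); demo_kern=$(mktemp)
sample_ps > "$demo_ps"
sample_kernel_list > "$demo_kern"
echo "PIDs seen by the kernel but not by ps:"
hidden_pids "$demo_ps" "$demo_kern"
rm -f "$demo_ps" "$demo_kern"
```

Any PID this prints is worth following up with `kstat -p pid` and `lsof -p pid` from the trusted toolkit. An empty result is not proof of a clean system: an LKM rootkit that hooks the calls kstat itself relies on can make both lists agree, which is why the slides treat the system call table warnings from `kstat -s` as a separate check.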
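The System Logs and Configuration Files slides give a list of files to collect but no procedure for collecting them in a way that records what was taken and what was absent on a given platform. The script below is an added example, not part of the lecture: it copies a list of paths into an evidence directory, writes an md5 manifest, and records paths that do not exist rather than failing on them. The system tree it reads from (`ROOT`) is a constructed stand-in for "/" so the example runs offline; the manifest format is this example's own choice.

```sh
#!/bin/sh
# Added example, not from the lecture: collect the log and configuration files
# named on the slides into an evidence directory with an md5 manifest. Paths
# that do not exist are recorded as MISSING instead of aborting the run.
# ROOT below is a constructed tree standing in for "/" so this runs offline.

# $1 = root of the system being examined, $2 = evidence directory,
# stdin = one absolute path per line.
collect_files() {
    mkdir -p "$2"
    : > "$2/MANIFEST"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        src="$1$path"
        if [ -f "$src" ]; then
            dest="$2$path"
            mkdir -p "$(dirname "$dest")"
            cp -p "$src" "$dest"    # -p preserves mtime for later timeline work
            printf '%s  %s\n' "$(md5sum < "$src" | awk '{ print $1 }')" "$path" >> "$2/MANIFEST"
        else
            printf 'MISSING  %s\n' "$path" >> "$2/MANIFEST"
        fi
    done
}

# Counts derived from the manifest: files actually collected, and files absent.
evidence_count() { grep -vc '^MISSING' "$1/MANIFEST"; }
missing_count()  { grep -c  '^MISSING' "$1/MANIFEST"; }

# Constructed demo tree with a few of the files from the slides.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc" "$ROOT/var/log"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$ROOT/etc/passwd"
printf 'ALL: 192.0.2.0/24\n' > "$ROOT/etc/hosts.allow"
printf 'Jun 25 02:13:07 host sshd[615]: Accepted password for carol\n' > "$ROOT/var/log/messages"

EVIDENCE=$(mktemp -d)
printf '%s\n' /etc/passwd /etc/shadow /etc/hosts.allow /etc/inetd.conf /var/log/messages \
    | collect_files "$ROOT" "$EVIDENCE"
cat "$EVIDENCE/MANIFEST"
```

Run it with `ROOT=/` and an evidence directory on removable media or a mounted share, never on the suspect disk. Copying a file reads it, which updates its atime on most mounts, so take the `ls -alRu` listing from the MAC Times slide before running this collection.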
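The "dd | nc" pipelines on the Memory slide move raw bytes to the forensic rig but leave no integrity record of what was sent. The wrapper below is an added example, not part of the lecture: it hashes the stream as it is acquired and stores the hash beside the image so the copy can be verified before analysis. The source here is a constructed file standing in for /dev/mem or a core file, and the local `tee` target stands in for `nc forensic.rig.net 31337`; the function and file names are this example's own.

```sh
#!/bin/sh
# Added example, not from the lecture: acquire a memory device or core file
# while computing its md5, then verify the stored copy against that hash.
# The source used in the demo is a constructed file, not a real device.

# $1 = source device/file, $2 = destination image. Writes $2 and $2.md5,
# prints the hash. On a real rig replace 'tee "$2"' with 'nc host port' and
# recompute the hash on the receiving side.
acquire_with_hash() {
    dd if="$1" bs=4096 2>/dev/null | tee "$2" | md5sum | awk '{ print $1 }' > "$2.md5"
    cat "$2.md5"
}

# $1 = destination image. Succeeds only if the stored copy still matches the
# hash recorded at acquisition time.
verify_acquisition() {
    recorded=$(cat "$1.md5")
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$recorded" = "$actual" ]
}

# Demo on constructed data.
demo_source=$(mktemp)
printf 'constructed stand-in for /dev/mem contents\n' > "$demo_source"
demo_dest=$(mktemp)
echo "acquired, md5: $(acquire_with_hash "$demo_source" "$demo_dest")"
if verify_acquisition "$demo_dest"; then
    echo "stored copy matches recorded hash"
else
    echo "hash mismatch: copy is not trustworthy"
fi
rm -f "$demo_source" "$demo_dest" "$demo_dest.md5"
```

The hash is computed on the same bytes that leave the pipe, so a mismatch on the rig side points at the transfer rather than at the acquisition. The `md5sums` entry on the Other System Configuration slide applies here too: record the hash in the case notes at the time of acquisition, not afterwards.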