Notes from CPNT-250 course at SAIT.
The approach depends on the type of incident. It includes:
- reviewing logs
- reviewing relevant files
- identifying unauthorized user accounts or groups
- checking the shell history
- identifying rogue processes
- checking for rootkits
stat - display file or file system status
$ stat favicon.ico
  File: ‘favicon.ico’
  Size: 3262      	Blocks: 8          IO Block: 4096   regular file
Device: fd02h/64770d	Inode: 293912      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/      mo)   Gid: ( 1000/      mo)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2016-04-10 18:40:19.631463576 -0600
Modify: 2016-04-09 08:19:50.321826875 -0600
Change: 2016-04-09 08:19:50.321826875 -0600
 Birth: -
- (M)odified time stamp is updated when the content of the file or directory is written.
- (A)ccessed time stamp is updated when the content of the file or directory is read.
- (C)hanged time stamp is updated when the inode is modified.
- (D)eleted time stamp is updated only when the file is deleted.
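To see the three timestamps move, and to turn the ctime rule into a check, here is an added example (not from the course notes). A process can rewrite mtime and atime with touch -d or utimes(), but ctime is maintained by the kernel and cannot be set from user space, so a file whose mtime is far older than its ctime was changed recently and then had its mtime backdated. The script builds a constructed temp directory with one honest file and one backdated file, confirms that a write bumps M and C while a chmod bumps only C, and then lists files with a large ctime-minus-mtime gap. It needs GNU stat, find and touch.

```bash
#!/usr/bin/env bash
# Added example (not from the course notes): exercise the M/A/C timestamps
# with GNU stat, then flag files whose mtime was backdated while ctime is recent.
# All paths are constructed in a temp directory.
set -u

# Print the timestamps of a file as epoch seconds: "atime mtime ctime".
mac_times() {
    stat -c '%X %Y %Z' -- "$1"
}

# Return 0 if the timestamps behave as the notes describe: a write bumps
# mtime and ctime, a chmod (inode-only change) bumps ctime but not mtime.
demo_timestamps() {
    local f=$1 m0 c0 m1 c1 m2 c2
    set -- $(mac_times "$f"); m0=$2; c0=$3
    sleep 1.1
    echo "more data" >> "$f"             # content written: M and C change
    set -- $(mac_times "$f"); m1=$2; c1=$3
    sleep 1.1
    chmod 600 "$f"                       # inode only: C changes, M does not
    set -- $(mac_times "$f"); m2=$2; c2=$3
    [ "$m1" -gt "$m0" ] && [ "$c1" -gt "$c0" ] && [ "$m2" -eq "$m1" ] && [ "$c2" -gt "$c1" ]
}

# List regular files under a directory whose ctime is more than $2 seconds
# (default one day) newer than their mtime. Output: "<gap_seconds> <path>".
find_backdated() {
    local dir=$1 min_gap=${2:-86400}
    find "$dir" -type f -printf '%C@ %T@ %p\n' | awk -v gap="$min_gap" '
        { c = int($1); m = int($2); $1 = ""; $2 = ""; sub(/^  /, "");
          if (c - m > gap) printf "%d %s\n", c - m, $0 }'
}

# Constructed sample: one honest file and one whose mtime was set to 2016.
make_sample() {
    local d
    d=$(mktemp -d)
    echo "normal" > "$d/notes.txt"
    echo "payload" > "$d/.cache.bin"
    touch -m -d '2016-04-09 08:19:50' "$d/.cache.bin"   # mtime lies; ctime is now
    printf '%s\n' "$d"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    d=$(make_sample)
    demo_timestamps "$d/notes.txt" && echo "write/chmod updated M and C as expected"
    find_backdated "$d"
    rm -rf "$d"
fi
```

Run find_backdated against a real directory tree during an investigation; the threshold argument lets you tighten the gap from a day to whatever fits the timeline you are reconstructing.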
The Filesystem Hierarchy Standard (FHS) describes the proper organization and use of the various directories found on Linux systems.
- /bin: essential binaries for all users.
- /boot: files needed for the system bootloader
- /dev: device files
- /etc: system configuration files
- /home: user home directories
- /lib: essential shared libraries and kernel modules
- /media: mount points for removable media (usually automounts)
- /mnt: temporary mount points (usually mounted manually)
- /opt: add-on application packages (outside of system package manager)
- /root: root user’s home directory
- /sbin: system binaries
- /tmp: temporary files
Ownership and Permissions
Ownership refers to the user and/or group that a file or directory belongs to, whereas permissions refer to the things these (and other) users can do with or to the file or directory.
Files are ‘hidden’ from normal view by beginning the filename with a dot ‘.’.
$ mkdir -p ...
$ ls -a | head -n4
./
../
.../
404.mkd
In the example above ‘.’ refers to the current directory, ‘..’ refers to the parent directory and ‘...’ refers to an actual directory we just created. This is a sneaky way to hide a directory in plain sight.
In the next example we are hiding a secret in the file named ‘ ‘.
$ echo 'secret' > ' '
$ ls -a | head -n4
 
./
../
.../
In the next example we alias ls to show control characters. Then we create a filename with a backspace character ‘\b’.
$ alias ls='ls --show-control-chars'
$ echo 'secret' > $'a\bb'
$ ls | head -n2
404.mkd
b
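The three tricks above (a directory named ‘...’, a file named with a single space, a name containing a backspace) all rely on the analyst eyeballing a listing. This added example (not from the course notes) recreates them in a constructed temp directory and then scans for names that deserve a second look: names made only of dots or whitespace, names containing control characters, and names with trailing whitespace. Hits are printed shell-quoted with printf %q so the real bytes are visible.

```bash
#!/usr/bin/env bash
# Added example (not from the course notes): flag filenames that hide in a
# normal ls listing. The sample directory is constructed for the demo.
set -u

# Create a directory containing: a normal file, a "..." directory, a file
# named with a single space, and a file whose name holds a backspace.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    echo "index" > "$d/404.mkd"
    mkdir "$d/..."
    echo "secret" > "$d/ "
    echo "secret" > "$d/$(printf 'a\bb')"
    printf '%s\n' "$d"
}

# Print one line per suspicious entry: "<reason>\t<path, shell-quoted>".
find_odd_names() {
    local dir=$1 path name reason
    find "$dir" -mindepth 1 -print0 | while IFS= read -r -d '' path; do
        name=${path##*/}
        reason=""
        case $name in
            *[[:cntrl:]]*)      reason="control-char" ;;       # \b, \t, ESC ...
            *[![:space:].]*)    ;;                              # has an ordinary char
            *)                  reason="only-dots-or-space" ;;  # "...", " ", "  ."
        esac
        if [ -z "$reason" ]; then
            case $name in *[[:space:]]) reason="trailing-space" ;; esac
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$reason" "$(printf '%q' "$path")"
        fi
    done
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    d=$(make_sample_dir)
    find_odd_names "$d"
    rm -rf "$d"
fi
```

On a live system run find_odd_names over /tmp, /var/tmp, /dev/shm and user home directories first; those are the usual places for drop files, and the check is cheap enough to run over / as well.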
Begin looking for information on user accounts in /etc/passwd. It contains a list of users and the full path to their home directory. The passwords for user accounts are generally stored in the /etc/shadow file.
username : hashed password (deprecated) : user id : group id : comment : home dir : shell
$ cat /etc/passwd | head -n1
root:x:0:0:root:/root:/bin/bash
/etc/group file has a format similar to /etc/passwd.
group name : group password hash : group id : csv of group members
$ cat /etc/group | head -n1
root:x:0:
/etc/shadow contains the hashed user passwords. ‘*’ or ‘!!’ in the password field indicates a daemon account: these are not user accounts and should not need to log in. Any daemon account that has a real password hash in that field should be investigated.
$ sudo cat /etc/shadow
daemon:*:16232:0:99999:7:::
sssd:!!:16775::::::
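The three files above are small enough to audit with awk. This added example (not from the course notes) writes constructed copies of passwd, group and shadow to a temp directory so it runs without root, then applies the checks the notes call for: accounts other than root with UID 0, users listed directly in the root group, and daemon-style accounts (nologin/false shell) that nevertheless carry a real hash in /etc/shadow instead of ‘*’ or ‘!!’. The hash strings are placeholders, not real crypt output. Point the functions at the real files (as root) during an investigation.

```bash
#!/usr/bin/env bash
# Added example (not from the course notes): account checks over
# constructed /etc/passwd, /etc/group and /etc/shadow copies.
set -u

make_sample_files() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sssd:x:995:993:User for sssd:/:/sbin/nologin
mo:x:1000:1000:mo:/home/mo:/bin/bash
sysadm:x:0:0:system helper:/var/tmp:/bin/bash
EOF
    cat > "$d/group" <<'EOF'
root:x:0:mo
daemon:x:1:
wheel:x:10:mo
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH1:16775:0:99999:7:::
daemon:*:16232:0:99999:7:::
sssd:$6$saltsalt$PLACEHOLDERHASH2:16775::::::
mo:$6$saltsalt$PLACEHOLDERHASH3:16775:0:99999:7:::
sysadm:!!:16775:0:99999:7:::
EOF
    printf '%s\n' "$d"
}

# Accounts with UID 0 other than root: each of these is root by another name.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Users listed directly in the root group (field 4 of /etc/group).
root_group_members() {
    awk -F: '$1 == "root" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

# Accounts whose shell is nologin/false but whose shadow entry holds a real
# hash rather than "*", "!" or "!!": a service account that can log in.
daemons_with_password() {
    local passwd=$1 shadow=$2
    awk -F: '
        NR == FNR { if ($7 ~ /(nologin|false)$/) daemon[$1] = 1; next }
        ($1 in daemon) && $2 != "" && $2 !~ /^[*!]+$/ { print $1 }
    ' "$passwd" "$shadow"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    d=$(make_sample_files)
    echo "UID 0 besides root:";       uid0_accounts "$d/passwd"
    echo "root group members:";       root_group_members "$d/group"
    echo "daemons with a password:";  daemons_with_password "$d/passwd" "$d/shadow"
    rm -rf "$d"
fi
```

In the sample data the checks surface ‘sysadm’ (a second UID 0 login), ‘mo’ (a direct member of the root group) and ‘sssd’ (a nologin service account that has been given a password); each is the kind of entry the notes say to investigate.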
The default shell in most Linux distributions is the Bourne Again Shell (BASH). Commands typed in shell sessions are usually stored in a file in the user's home directory called ‘.bash_history’.
- .bash_profile: stores the commands that are run when the shell is started. The default copy for new accounts comes from the /etc/skel directory.
- .bash_history: audit trail of commands the user has run.
- .bash_logout: set of commands that are run when the shell exits. Look in the /etc/skel directory for the default.
- .bashrc: same purpose as .bash_profile.
Most logs are stored in clear text, with a single line per event.
/var/run/utmp: holds information about active system logons.
$ last -f /var/run/utmp
mo       pts/0        :0               Sat Apr  9 10:17   still logged in
mo       :0           :0               Sat Apr  9 10:17   still logged in
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:35 (1+10:18)

utmp begins Sat Apr  9 10:17:00 2016
/var/log/wtmp: stores logon information long term.
$ last -f /var/log/wtmp | head -n 5
mo       pts/0        :0               Sat Apr  9 10:17   still logged in
mo       :0           :0               Sat Apr  9 10:17   still logged in
(unknown :0           :0               Sat Apr  9 10:17 - 10:17  (00:00)
reboot   system boot  4.5.0-1.el7.elre Sat Apr  9 10:17 - 20:38 (1+10:21)
mo       pts/0        :0               Sat Apr  9 10:16 - 10:16  (00:00)
lastlog is a binary log file that stores the last logon time and remote host for each user on the system.
$ lastlog | grep mo
daemon                                     **Never logged in**
mo               :0                        Sat Apr  9 10:17:23 -0600 2016
- /var/log/messages or /var/log/syslog: catch-all for messages not routed to a more specific log.
- /var/log/auth.log: user authentication attempts.
- /var/log/audit/audit.log: Auditd/SELinux
- /var/log/boot.log: Boot process logs.
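Because these logs are one line per event in clear text, a first triage pass is a few lines of grep and awk. This added example (not from the course notes) works over constructed auth.log lines (203.0.113.0/24 is a documentation address range) and answers the two questions an analyst asks first: which sources are failing logins most, and did any of those sources later log in successfully. On a real host feed it /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).

```bash
#!/usr/bin/env bash
# Added example (not from the course notes): triage of sshd entries in the
# authentication log. The sample lines are constructed for the demo.
set -u

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Apr  9 10:16:02 host sshd[2210]: Accepted publickey for mo from 192.168.1.20 port 50122 ssh2
Apr  9 10:17:23 host sshd[2240]: Failed password for root from 203.0.113.5 port 41002 ssh2
Apr  9 10:17:25 host sshd[2240]: Failed password for root from 203.0.113.5 port 41002 ssh2
Apr  9 10:17:29 host sshd[2244]: Failed password for invalid user admin from 203.0.113.5 port 41010 ssh2
Apr  9 10:17:40 host sshd[2251]: Failed password for invalid user oracle from 203.0.113.9 port 41500 ssh2
Apr  9 10:18:03 host sshd[2260]: Accepted password for root from 203.0.113.5 port 41020 ssh2
Apr  9 10:19:11 host sudo:       mo : TTY=pts/0 ; PWD=/home/mo ; USER=root ; COMMAND=/bin/bash
EOF
)

# Failed logins per source address, busiest first: "<count> <ip>" per line.
# Reads the log on stdin.
failed_by_source() {
    grep 'Failed password' \
        | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful logins from an address that had earlier failures: "<user> <ip>".
# These sessions are the ones to reconstruct first. Reads the log on stdin.
success_after_failures() {
    awk '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") bad[$(i+1)] = 1 }
        /Accepted/        { for (i = 1; i <= NF; i++) if ($i == "for")  u  = $(i+1)
                            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
                            if (ip in bad) print u, ip }
    '
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    echo "failed logins by source:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_source
    echo "successful logins from a source that failed earlier:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | success_after_failures
fi
```

The second function only works because the log is read in time order; a root password login from 203.0.113.5 right after three failures from the same address is exactly the event that sends you next to the wtmp/lastlog entries and .bash_history for that session.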
ps - report a snapshot of the current processes.
- -a: all users
- -x: processes not attached to a terminal
$ ps ax | tail -n10
mo        3315  0.0  0.1  34116 14932 ?        Ss   Apr09   1:25 tmux
mo        3316  0.0  0.0 117208  5272 pts/1    Ss   Apr09   0:00  \_ -bash
mo        9533  0.5  0.2 790752 26568 pts/1    Sl+  18:13   0:54  |   \_ mplayer http://relay1.dubstep.fm
mo        9534  0.1  0.0 651204  7976 pts/1    S+   18:13   0:10  |       \_ mplayer http://relay1.dubstep.fm
mo        9763  0.0  0.0 117332  5580 pts/2    Ss   18:14   0:00  \_ -bash
mo        9906  1.4  0.1 168588 22856 pts/2    S+   18:14   2:17  |   \_ vim
mo       13575  0.0  0.0 117408  5888 pts/3    Ss   19:18   0:01  \_ -bash
mo       19003  0.0  0.0 151424  4224 pts/3    R+   20:47   0:00      \_ ps auxf ax
mo       19004  0.0  0.0 107944  1844 pts/3    S+   20:47   0:00      \_ tail -n10
mo        3863  0.0  0.0 180940  4820 ?        Sl   Apr09   0:00 /usr/libexec/dconf-service
netstat - print network connections
- -t: TCP
- -u: UDP
- -l: listening
- -p: list process name
- -n: addresses as numbers
- -a: both listening and non-listening
$ netstat -tunlp | head -n 5
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 127.0.0.1:17603         0.0.0.0:*               LISTEN      2981/dropbox
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN      -
lsof - list open files
$ lsof -i:17600
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dropbox 2981   mo  97u  IPv4  32441      0t0  TCP localhost:17600 (LISTEN)
crontab - maintains crontab files for individual users.
$ crontab -l
no crontab for mokha
- Registry: hierarchical database that contains configuration for the Windows system.
- File Metadata: Created, Modified, Accessed times.
- Hibernation File (hiberfil.sys): the contents of memory are written to the hard drive when the system hibernates.
- Prefetch Files: designed to speed up process startup. Found in %SystemRoot%\prefetch.
- Event Logs: let admins view event logs on local or remote machines.
- Alternate Data Streams: feature of NTFS added to support HFS. Can be used to store anything. (format: filename:stream)