- 7 Jul 2013
Let's Analyze The Linux System After The Attack
Hi,
In this topic we will learn where attackers leave their marks on compromised Linux systems, how we can detect those marks, and how we can analyze the system after the attack. That way we can find out early what is happening on the system and analyze it in real time. By the way, if you need evidence, you can take an image of the system before the analysis. Now let's learn how to analyze the system after the attack.
WE SHOULD CHECK THE SYSTEM TIME
Firstly, we should check the system time. We can check it using this command:
Code:
date
How to Check the Kernel Version and Get Information About the System
We can display the kernel version and system information with this command:
Code:
uname -a
How to Check the Hash Values of Files
Each file on the system has a unique hash value. The hash values must be recorded before the system is analyzed, so that later changes can be compared against them. We can see the ownership information of the files in the "/etc/" directory using this command:
Code:
find /etc/ -type f -ls
The hash values of all files under the directory can be displayed with this command:
Code:
md5deep -r /etc/
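The baseline-and-compare workflow behind this section, as an added example that is not from the original post: a small POSIX shell script (the names snapshot_hashes, compare_snapshots and hashcheck.sh are mine) that records SHA-256 hashes of a tree with standard tools and reports which files were modified, added or removed between two snapshots.

```shell
#!/bin/sh
# Added example, not from the original post: record a SHA-256 baseline of a
# directory tree and compare a later snapshot against it, reporting files
# whose contents changed, appeared or disappeared. Uses only find, sha256sum,
# awk, sort and join, so md5deep is not required. Assumes paths without
# whitespace (one "path hash" pair per line).
export LC_ALL=C

# snapshot_hashes DIR -> lines "relative/path sha256", sorted by path
snapshot_hashes() {
    (cd "$1" && find . -type f -exec sha256sum {} +) \
        | awk '{ print substr($2, 3), $1 }' | sort -k1,1
}

# compare_snapshots BASELINE_FILE CURRENT_FILE
#   MODIFIED path  same path, different hash
#   ADDED path     only in the current snapshot
#   REMOVED path   only in the baseline
compare_snapshots() {
    join "$1" "$2" | awk '$2 != $3 { print "MODIFIED", $1 }'
    join -v 2 "$1" "$2" | awk '{ print "ADDED", $1 }'
    join -v 1 "$1" "$2" | awk '{ print "REMOVED", $1 }'
}

# Stand-alone use:
#   sh hashcheck.sh snapshot /etc > baseline.txt    (before the analysis)
#   sh hashcheck.sh snapshot /etc > current.txt     (later)
#   sh hashcheck.sh compare baseline.txt current.txt
if [ "$#" -ge 2 ]; then
    case $1 in
        snapshot) snapshot_hashes "$2" ;;
        compare)  compare_snapshots "$2" "$3" ;;
    esac
fi
```

Keep the baseline file off the analyzed system (it is only useful if the attacker cannot rewrite it).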
How to Detect Active Connections on the System
You can display the statistics of network connections with this command:
Code:
netstat -s
The same statistics can be displayed with ss:
Code:
ss -s
This command can be used to watch the active connections, refreshing the list every second:
Code:
watch -n1 'netstat -anp | grep -i stream'
And you can use this command to list the listening TCP and UDP sockets together with the processes that own them:
Code:
netstat -tulpn
Examination of the Memory Dump at the Time of the Incident
System memory still contains deleted data until new data is written over the same area. So even if the attacker deletes the traces they left behind, those traces can still be recovered from memory. To prevent data loss during the memory analysis, an image of the memory should be created and analyzed before the system is turned off.
In this context, we should take a memory image at the time of the incident and another one afterwards, so that changes on the system can be detected by comparing the data captured at two different times. The images can also be presented as forensic evidence. We can analyze an image file with the Volatility software.
Analysis of Files Opened by Processes
All files related to processes on Linux can be listed with lsof. This way the analyst can see which process has opened which file or network connection. This command lists the network connections; listening sockets appear with the state "LISTEN":
Code:
lsof -i
Detection of Files Changed Within a Specified Time
Which files the attacker has recently modified on the system can be determined with this command, which lists the files under /etc with their modification times, newest first:
Code:
find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
This command can be used to detect the files modified in the last 60 minutes:
Code:
find /etc -type f -mmin -60
This command can be used to detect the files modified in the last day:
Code:
find /etc -type f -mtime -1
This command can be used to detect the files modified between 1 and 7 days ago:
Code:
find /etc -type f -mtime -7 ! -mtime -1
This command can be used to list more detailed information, such as permissions and ownership, for the files modified in the last 60 minutes:
Code:
find /etc -type f -mmin -60 -exec ls -la {} \;
Analysis of Files with 777 Permissions
Files with 777 permissions are dangerous because every user on the system, including the attacker, can modify and execute them. These files can be found with this command:
Code:
find / -type f -perm 0777
Examination of Login Attempts to the System
We can use the following command to see who has logged into the system by examining the login records. Logins are recorded in the /var/log/wtmp file, and the "last" command reads them:
Code:
last -f /var/log/wtmp
We can learn when each user last logged into the system and from which IP address with the "lastlog" command.
Code:
lastlog
This command can be used to list the users currently logged into the system:
Code:
who -aH
This command can be used to see what all logged-in users are doing on the system right now:
Code:
w
This command can be used to display the login sessions of the specified user:
Code:
last [username]
This command can be used to view the records of system reboots:
Code:
last reboot
We can read the authentication logs of the system with the following command:
Code:
less /var/log/auth.log
Analysis of SSH Keys
If a user's SSH key has been stolen by the attacker, the log records kept on the system can be examined. The public keys in the authorized_keys file record which users can connect to the system with the matching private key:
Code:
/home/username/.ssh/authorized_keys
This command can be used to display the SSH login attempts with a wrong password in the system logs:
Code:
grep 'sshd.*Failed' /var/log/auth.log | less
This command can be used to view connection attempts that never completed the SSH handshake, which sshd logs as "Did not receive identification string":
Code:
grep 'sshd.*Did' /var/log/auth.log | less
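Detection logic for the two grep commands above, as an added example that is not part of the original post: a POSIX shell script that counts failed password attempts per source IP and flags sources that failed and were later accepted. The log lines, the function names and the file name sshd_summary.sh are constructed for this example; it assumes the standard OpenSSH log wording.

```shell
#!/bin/sh
# Added example, not from the original post: summarise sshd entries in an
# auth.log-style file. Counts "Failed password" attempts per source IP and
# flags sources that failed first and were accepted later, the trace that a
# successful password-guessing run leaves. Assumes standard OpenSSH wording.
export LC_ALL=C

# failed_by_ip FILE -> "count ip" lines, most failures first
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# failures_then_success FILE -> IPs with a failure followed (in file order)
# by an "Accepted ..." login from the same IP
failures_then_success() {
    awk '/sshd\[[0-9]+\]: (Failed password|Accepted)/ {
             ip = ""
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             if (ip == "") next
             if ($0 ~ /Failed password/) failed[ip] = 1
             else if (failed[ip] && !seen[ip]) { seen[ip] = 1; print ip }
         }' "$1"
}

# Constructed sample log (documentation addresses, not real hosts)
sample_log() {
    cat <<'EOF'
Jan 12 10:01:12 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:01:15 host sshd[1235]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 10:01:40 host sshd[1236]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:02:01 host sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 12 10:02:30 host sshd[1250]: Did not receive identification string from 203.0.113.9 port 33000
Jan 12 10:03:02 host sshd[1260]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 12 10:03:55 host sshd[1270]: Accepted password for root from 203.0.113.5 port 51300 ssh2
EOF
}

# Stand-alone: sh sshd_summary.sh /var/log/auth.log (no argument = sample log)
if [ "$#" -eq 0 ]; then f=$(mktemp); sample_log > "$f"; else f=$1; fi
echo "Failed password attempts per source IP:"; failed_by_ip "$f"
echo "Sources with failures followed by an accepted login:"; failures_then_success "$f"
if [ "$#" -eq 0 ]; then rm -f "$f"; fi
```

On systems that log through journald instead of /var/log/auth.log, feed it the output of journalctl -u ssh.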
Analysis of Scheduled Tasks on the System
The "crontab" command can be used to detect scheduled tasks added to the system by the attacker. To avoid any misunderstanding: the command displays all tasks scheduled with crontab, but by comparing the list against the tasks that are expected to be there we can single out the task the attacker added.
Code:
crontab -l
Detection of Files Shared on the System
Files shared with NFS on the system can be accessed by the attacker. We can use this command to detect them:
Code:
df -h
With the following command we can examine the mounted file systems, including NFS mounts:
Code:
mount
With this command we can view the shares offered with SAMBA:
Code:
smbclient -L localhost
Analysis of Users' Command Histories on the System
We can see each user's command history in this file:
Code:
/home/username/.bash_history
Analysis of Active Processes in the System
We can list the running processes with this command:
Code:
ps aux
We can install the strace tool, which shows the system calls and signals of a process, with this command:
Code:
apt-get install strace
After installation you can trace a command like this (here cp):
Code:
strace cp
Analysis of DISK Statistics
Analyzing the disk statistics of the system can help us draw various inferences. We can display the disk statistics in the terminal with the following command:
Code:
iostat
Analysis of Audit Logs in the System
An audit trail (also called an audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, or event. These logs can be accessed in "/var/log/audit/audit.log".
Various tools are available to make audit logs easier to read. For example, you can create audit reports with the aureport tool with this command:
Code:
aureport
The following command can be used to view the audit report of failed events:
Code:
aureport --failed
We can use the following command to view the audit report of accessed files (-f), with numeric IDs interpreted as names (-i):
Code:
aureport -f -i
Rootkit Detection in the System
A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a combination of the two words "root" and "kit". Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the administrator account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware such as Trojans, worms and viruses that conceal their existence and actions from users and other system processes. On Linux it is possible to detect such software. For this we install the chkrootkit tool with this command:
Code:
apt-get install chkrootkit
Then we start the detection process with this command:
Code:
chkrootkit
Network Traffic Analysis in the System
We can use the Xplico tool for network traffic analysis; see the "Network Traffic Analysis in Linux Systems with Xplico Tool" topic that I wrote earlier in the forum. In this topic we will use the netstat tool. With it we can find the IP addresses that have the most connections to the system and identify a possible SYN flood attack. This command counts the connections per remote IP address:
Code:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
We can use this command to count the connections by state:
Code:
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
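The two counting pipelines above as a reusable script, an added example that is not from the original post: it reads a saved netstat -nat table, strips the remote port without breaking IPv6 addresses (which cut -d: -f1 does), counts peers and TCP states, and flags a SYN_RECV count at or above a threshold. The sample table, the threshold default and all function and file names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: analyse a saved connection table
# (output of "netstat -nat" redirected to a file). The remote port is stripped
# with a regex so IPv6 peers survive (unlike with "cut -d: -f1"), connections
# are counted per peer and per TCP state, and SYN_RECV >= threshold is flagged.
export LC_ALL=C

# peers_by_count FILE -> "count peer_ip" lines, busiest peer first
peers_by_count() {
    awk '$1 ~ /^tcp/ && $5 !~ /\*$/ {
             a = $5; sub(/:[^:]*$/, "", a); n[a]++
         }
         END { for (p in n) print n[p], p }' "$1" | sort -rn
}

# states_by_count FILE -> "count STATE" lines for TCP sockets
states_by_count() {
    awk '$1 ~ /^tcp/ && NF >= 6 { s[$6]++ }
         END { for (k in s) print s[k], k }' "$1" | sort -rn
}

# syn_recv_count FILE -> number of half-open (SYN_RECV) connections
syn_recv_count() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { n++ } END { print n + 0 }' "$1"
}

# syn_flood_suspected FILE THRESHOLD -> true when SYN_RECV >= THRESHOLD
syn_flood_suspected() {
    [ "$(syn_recv_count "$1")" -ge "$2" ]
}

# Constructed sample in netstat -nat layout (documentation addresses)
sample_table() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:22             198.51.100.7:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.5:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.5:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.6:51003       SYN_RECV
tcp        0      0 10.0.0.5:443            203.0.113.5:51010       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40500     ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF
}

# Stand-alone: netstat -nat > conns.txt; sh conncheck.sh conns.txt [threshold]
if [ "$#" -eq 0 ]; then f=$(mktemp); sample_table > "$f"; else f=$1; fi
peers_by_count "$f"; states_by_count "$f"
if syn_flood_suspected "$f" "${2:-50}"; then echo "possible SYN flood: $(syn_recv_count "$f") half-open connections"; fi
if [ "$#" -eq 0 ]; then rm -f "$f"; fi
```

The threshold is a starting point, not a rule: compare the SYN_RECV count with what the host normally shows before treating it as an attack.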
Thanks for reading!
Source: https://www.turkhackteam.org/adli-bilisim/1919172-saldiri-sonrasi-linux-sistemini-analiz-edelim.html
Translator: dRose98