Identifying a breach can be broken down into three semi-simple points:
- Intruder uploads code to compromised system
- Run uploaded code locally
- Executed code makes outbound connection(s)
To track down a compromised system, start by identifying any new files present on the system. Then tie any new processes running on the box to outbound connections. If a compromise is present, make a binary image of the drive for forensic analysis.
Let’s review some basic Linux commands that help with comparison and correlation. Starting with Process Status (ps), “ps -aux | more” will display:
- owner of the process
- current processes running
- associated tty
- execution time
- name of the command being executed
The ps utility comes in handy when responding to incidents or live-monitoring activity in order to identify rogue, hidden, or runaway processes; it is a detection tool, not a preventive one. The ps utility does not generate any logs by default, but scripting the utility is possible.
“netstat -an | more” summarizes the TCP/IP network activity on a machine: the ‘a’ switch displays ‘all’ active services and ports, and the ‘n’ tells the system to restrict the display to numeric form only and not to resolve addresses or ports to service names.
File attributes can be reviewed with “ls -ld /home /mnt”: the ‘l’ switch gives a detailed (long) listing and ‘d’ forces ls to display the attributes of the directories themselves rather than their contents. Note that dates within the last year display the actual time of modification, while older dates display only month, day, and year.
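The correlation step described above (tie running processes to their outbound connections) can be scripted with awk over the output of ps and netstat. The following is an added example, not code from the original article; it uses constructed sample output for “netstat -anp” (the Linux ‘p’ switch adds the PID/Program column that plain -an lacks) and “ps aux”, and assumes 10.0.0.0/8 and loopback are the only expected internal ranges.

```shell
#!/bin/sh
# Added example: correlate netstat -anp and ps aux output to list every
# process holding an outbound TCP connection to a non-internal peer.
# Both samples below are constructed for this example, not real captures.

# Constructed sample of `netstat -anp` output on a Linux host.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:44512          203.0.113.10:4444       ESTABLISHED 2345/.x
tcp        0      0 10.0.0.5:52000          10.0.0.20:443           ESTABLISHED 1500/firefox
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      600/cupsd'

# Constructed sample of `ps aux` output for the same host.
PS_SAMPLE='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       812  0.0  0.1  72304  6400 ?        Ss   Mar01   0:00 /usr/sbin/sshd -D
bob       2345  0.3  0.2  12345  2300 pts/1    S    10:02   0:01 /tmp/.x
bob       1500  2.0  5.0 900000 80000 ?        Sl   09:30   5:12 /usr/lib/firefox/firefox
root       600  0.0  0.1  30000  4000 ?        Ss   Mar01   0:00 /usr/sbin/cupsd'

# outbound_pids NETSTAT_TEXT
# Prints "PID peer" for each ESTABLISHED TCP socket whose peer is outside
# the assumed internal ranges (10.0.0.0/8 and 127.0.0.0/8).
outbound_pids() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            peer = $5
            if (peer ~ /^10\./ || peer ~ /^127\./) next
            split($7, prog, "/")        # "2345/.x" -> prog[1] = "2345"
            print prog[1], peer
        }'
}

# proc_command PS_TEXT PID
# Prints the COMMAND column (field 11 onward) of the ps line for PID.
proc_command() {
    printf '%s\n' "$1" | awk -v pid="$2" '
        NR > 1 && $2 == pid {
            cmd = $11
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            print cmd
        }'
}

# correlate NETSTAT_TEXT PS_TEXT
# One line per external connection: PID, peer, process owner, command line.
# A command running from /tmp or a hidden path stands out immediately here.
correlate() {
    outbound_pids "$1" | while read -r pid peer; do
        owner=$(printf '%s\n' "$2" | awk -v pid="$pid" 'NR > 1 && $2 == pid { print $1 }')
        cmd=$(proc_command "$2" "$pid")
        printf '%s %s %s %s\n' "$pid" "$peer" "${owner:-?}" "${cmd:-?}"
    done
}

correlate "$NETSTAT_SAMPLE" "$PS_SAMPLE"
```

On a live system, replace the two sample variables with “$(netstat -anp)” and “$(ps aux)” captured at the same moment, since a PID that exits between the two captures will show up with a ‘?’ owner and command. Run the capture before containment steps so the volatile state is preserved.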
Containment is critical; start by taking a binary image of the box in question. This can be done with the dd tool. A little history lesson: only two other tools have been around in the Unix environment since day one, cpio (copy in, copy out) and tar (tape archive). The dd utility can be run locally, from scripts, or across the network. Here is an example of running it locally:
dd if=INPUT-FILE-NAME of=OUTPUT-FILE-NAME
Imaging is done at a low level (1’s and 0’s), so the OS does not matter. You can boot from a CD/DVD and make your image. A Live CD/DVD is a great tool when investigating a computer’s installation without the risk of modifying anything.
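The dd invocation above is the whole of what the article shows; in practice an image is only useful for forensics if you can prove it matches the source. The following added example (not from the original article) images a constructed 64 KiB file standing in for a drive, then hashes source and image to verify the copy. The block size and the conv options are choices made for this example.

```shell
#!/bin/sh
# Added example: raw-image a "drive" with dd and verify the result by hash.
# A throwaway file built from /dev/urandom stands in for a real device so
# the example runs offline; on a real case SOURCE would be e.g. /dev/sdb.

# make_fake_disk PATH: constructed 64 KiB "drive" (16 blocks of 4096 bytes).
make_fake_disk() {
    dd if=/dev/urandom of="$1" bs=1024 count=64 2>/dev/null
}

# image_drive SOURCE DEST
# bs=4096 reads in larger chunks than the 512-byte default for speed.
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros, so every later offset in the image still lines up with the source.
image_drive() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# sha256_of PATH: prints only the hex digest.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# verify_image SOURCE DEST: exit status 0 when both hashes match, 1 otherwise.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

WORK=$(mktemp -d)
make_fake_disk "$WORK/disk.raw"
image_drive "$WORK/disk.raw" "$WORK/disk.img"
if verify_image "$WORK/disk.raw" "$WORK/disk.img"; then
    echo "image verified: $(sha256_of "$WORK/disk.img")"
else
    echo "HASH MISMATCH: image is not a faithful copy" >&2
fi
```

Record both digests in the case notes at acquisition time. One caveat: conv=sync pads the final partial block up to bs, so if the source size is not a multiple of the block size the image will be slightly longer than the source and the hashes will differ even though every source byte was copied; choose a bs that divides the device size (512 always does for a whole disk) when the hash is the evidence of integrity.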