Looking for Intruders with Lsof QUICK CHECK
Total Page:16
File Type:pdf, Size:1020Kb
lsof COVER STORY Looking for intruders with lsof QUICK CHECK Track down and expose intruders with the versatile admin tool lsof. BY CASPAR CLEMENS MIERAU as your server been cracked? obtaining information that would other- has gotten comfortable. If you are seri- Are your processes running wise require a whole collection of admin ous about using lsof for intrusion detec- Hwild? If you suspect an intru- utilities. tion, leave out the make install step after sion, you’ll need accurate information As the adage goes, “everything is a compiling and manually move the bi- on what’s happening with the system. file” in Unix. Almost all activities on a nary to a write-protected medium such Open file handles are a useful source Unix-like system bear some relation to as a CD ROM. Of course, if a sophisti- for this information. lsof [1] scans the an open file. Unix-style systems use reg- cated attacker has directly modified the depths of the filesystem for these files ular files, special block files, executables, kernel (through a kernel rootkit, for ex- and then returns comprehensive and libraries, directo- detailed output. ries, internal data To be fully prepared for an attack, streams (Unix Do- you’ll need an Intrusion Detection Sys- main Sockets), tem (IDS) like Snort, Tripwire or Aide to and network con- check the filesystem and data streams nections. lsof is for suspicious patterns. However, if you able to centrally don’t have the time or resources for a collect and syn- full-blown intrusion response, Linux has thesize all this a number of standard command line information into programs capable of discovering tell-tale meaningful clues traces on a system. The usual suspects about the nature for server diagnosis are ps, netstat, top, of an attack. fuser, and other friendly helpers. Like any utility, lsof is a single tool that provides a lsof is subject to summary of similar system information. manipulation Figure 1: The promising glsof tool gives GUI fans easy access to filter You can use lsof as a single source for once the attacker settings. WWW.LINUX - MAGAZINE.COM ISSUE 77 APRIL 2007 29 COVER STORY lsof ample) the output of lsof will be unreli- You can manipulate the output for pro- able even if the tool itself is untouched. cessing with other tools using lsof -F. However, as you’ll learn in this article, Special formatting helps the downstream many attackers try tricks that aren’t tools parse the individual fields (see the especially sophisticated and are easily manpage section Output for other pro- exposed with a tool like lsof. grams for details). lsof is no substitute for a full-featured IDS, but if you are too late for that or if Flood of Information you aren’t interested in implementing Calling lsof without setting parameters or managing a more comprehensive returns too much information to provide system, you can still use lsof to look a useful overview – the flood of informa- for footprints. tion would scare off many users. How- Figure 2: The Jlsof filter dialog tells you the ever, command line parameters can help correct lsof parameters. Although this might Investigations lsof concentrate on the data you need. If confuse GUI-only users, it does make it eas- Table 1 lists a number of examples for you combine multiple parameters, lsof ier for users to move to the command line. investigating a system. If you enable assumes a logical OR operation by de- lsof’s security option, only root will re- fault; however, you can specify -a for an ceive detailed output for these com- AND operation (last line in Table 1). However, this method is as drastic as it mands. In secure mode, lsof will only Identifying processes that are prevent- is effective. show users the details that directly affect ing users from unmounting a storage them, however, even in insecure mode, medium is a typical task for lsof. Calling Expectations lsof gives users without root privileges lsof with the -t directoryname option The commands listed in Table 1 are fine fewer details, as you need root privileges returns a list of numeric process IDs for discovering important facts about a to access the details in /proc. accessing the CD-ROM: system before or after an attack. To de- lsof uses a tabular format to output fend yourself against invaders, you need the information filtered as specified by $ umount /dev/cdrom to be familiar with the normal status, the parameter list, including the follow- umount: /cdrom: device is busy and to be aware of where suspicious ing columns by default: $ kill -9 `lsof -t /dev/cdrom` entries are likely to appear. • Process name: COMMAND $ umount /dev/cdrom The following example uses a tradi- • Process ID: PID $ eject tional LAMP system (Linux, Apache, • Name of system user account under which the process is running: USER Finding and Building lsof • File descriptor: FD Lsof supports a number of Unix deriva- obtained from an insecure source), con- • File type: TYPE tives, and it is probably part of your basic figure the source code, and compile it. • Device: DEVICE Linux system, or at least it should reside During the configuration phase, you are • Size: SIZE in the standard repository. To install on prompted to make a few decisions. The • Connection: NODE Debian, for example, you just need to HASSECURITY and HASNOSOCKSECU- • Full name: NAME issue a apt-get install lsof command. RITY options are important. If you would The lean package has no dependencies, only like the root user to be able to use Listing 1: Compiling lsof apart from the mandatory Libc 6. lsof to list open files and sockets for all This said, there are two reasons for users, you need to answer [y] and [n]. 01 wget ftp://lsof.itap.purdue. avoiding the prebuilt binary: system The inconsistent terminology does tend edu/pub/tools/unix/lsof/lsof. compatibility and security. As lsof’s de- to be confusing. tar.bz2 veloper Vic Abel points out in the FAQ On completing the build, ./lsof -v tells 02 tar xjf lsof.tar.bz2 [2], you can only guarantee a full feature you the options it was compiled with. set and optimum stability, if you build The Only root can list all files message 03 cd lsof_4.77 the current lsof version on the target ma- means that normal users will be unable 04 wget ftp://lsof.itap.purdue. chine, since lsof digs deep into the sys- to misuse the program to list system- edu/pub/Victor_A_Abell.gpg tem architecture and kernel. It is always critical information. (Restricting access 05 gpg --import Victor_A_Abell. better to obtain tools you will be using to lsof is a rather cosmetic security solu- gpg for preventive or forensic analysis from tion, since much of the information avail- a safe source and not to mix them with able through lsof can also be obtained 06 gpg --verify lsof_4.77_src. standard system tools to avoid the dan- with tools such as ps and netstat, al- tar.sig lsof_4.77_src.tar ger of manipulation by rootkits. though the process may not be quite as 07 tar xf lsof_4.77_src.tar The lsof sources are easily compiled, convenient. The prebuilt versions in vari- ous distributions handle security differ- 08 cd lsof_4.77_src so you might as well build a version that matches your system. The commands ently. Debian grants non-administrative 09 ./Configure linux in Listing 1 grab the sources of the net- users unrestricted use of lsof, whereas 10 make -s work; use GnuPG to check the signature Red Hat Enterprise applies restrictions. 11 ./lsof -v (note that the key in our example was 30 ISSUE 77 APRIL 2007 WWW.LINUX - MAGAZINE.COM lsof COVER STORY be able to open investigates the suspicious processes for log files. In con- details of network connections, libraries trast to this, data that have been loaded, open files, and communications many other things. are handled by As malevolent hackers tend to use unprivileged pro- their own FTP, IRC, telnet, or SSH serv- cesses. Thus, a ers, initial analysis should include web server offers searching for open ports. The lsof -a -i -u a guessable con- www-data | grep LISTEN command lists figuration of users, all the IP sockets (-i), which sockets the executable files, Apache user has opened, (-u www-data), and open ports. and which are listening for connections For example, (this explains grep LISTEN). Figure 3: The Java-based JLsof tool converts lsof output to a simple www-data runs Everything apart from 80 (HTTP) and table. /usr/sbin/apache2 443 (HTTPS) is suspicious. Although a on Debian. call to netstat will give you similar MySQL, PHP). The administrator notices results, lsof can help you perform more an enormous increase in network load What’s Running Where? detailed analysis without needing to that doesn’t reflect the number of page In this context, we need a call to lsof -a switch to another tool. hits. The administrator suspects that an -d txt -u www-data to list processes that attacker has injected a trojan that copies execute the file /usr/sbin/apache2 as the The Real World files over the wire, launches distributed www-data user account. The -a option Apache and PHP exploits are fairly com- network attacks or sends spam mail. In gives us a logical AND, -d txt lists exe- mon. Listings 2a and 2b show two ex- a LAMP environment, the PHP system cuted files only, and -u www-data re- cerpts from the lsof logs on compro- interface is one of the major targets, as stricts the output to just one user.