Live Linux System Analysis (Part 1) (First Edition)
======================================================================
Original author: Mariusz Burdach
Translation: Xu Zhaoyuan, Xi'an University of Posts and Telecommunications, class 0101, tel. 02985384887
Translation copyright: Xu Zhaoyuan, Xi'an Posts and Telecommunications Academy 156#, flxyzsby@163.com / Flxyzsby@yahoo.com.cn
2004.8.15
Please notify the translator before reprinting.
======================================================================
1. Introduction

During some incidents we encounter a situation where a compromised system has not yet been cleaned up or shut down by its user or administrator. This is a good opportunity to obtain very useful information, including information about the vulnerability used, that cannot be recovered once the system has been cleaned.

Here I am referring to the following:
  - the processes that are running,
  - open TCP/UDP ports,
  - programs that have been deleted from disk but are still running in main memory,
  - modules that have been loaded into the Linux kernel, and the contents of virtual memory belonging to parts of the kernel.

All of these data can help the analyst find precise evidence of the intrusion during offline analysis. Moreover, if the intrusion is still in progress, we may be able to recover data that the intruder has all but erased.

Sometimes the live collection process described here is the only way to obtain the data needed to investigate the intrusion, because certain types of malicious code leave no trace on disk. For example, LKM-based rootkits are loaded only into memory and do not change any file or directory. The same exists on Windows operating systems: the Code Red worm is a good example. This malicious code is never saved as a file; it is inserted into a running process and executes from memory.

On the other hand, the methods used below also have a serious limitation, and the first principle of digital forensic information collection is not easy to satisfy. The problem is this: all user-level and kernel-level tools inevitably change the state of the system while they collect data. Whenever we run a tool on the live system, it is loaded into memory and the system creates at least one process for it, and this can overwrite very important evidence of the intrusion. When a new process is created, the memory manager allocates space for it in main memory, and this affects both main memory and the swap partition. Other problems concern the legality of our actions, which must comply with local law. Digital signatures found in main memory are not trustworthy, because the tools we use can alter them. So before taking any action we have to decide whether information really needs to be collected from this compromised system (Translator's note: your collection may be futile, because you may not be able to determine the identity of the intruder). It is well worth doing: in main memory we can find passwords and plaintext files, and using the /proc pseudo-filesystem we can recover programs that have been deleted but still have memory allocated.

In an ideal environment we can imagine Intel-based hardware that would let us dump memory to an external storage device without involving the operating system. In fact such a solution already exists on SPARC machines (Translator's note: SPARC is Sun's workstation architecture), where the firmware can be used to dump the entire physical memory to a file. Unfortunately nothing similar exists on Intel- or AMD-based hardware. Despite the problems above, the software-based approach still has advantages, which I will show in this article. The main purpose of this article is to present a method used during the collection phase. All collected data will be used for later offline forensic analysis. During the collection cycle some of the proposed tasks are also carried out in the preparation and identification phases, the two phases defined in the SANS "Incident Handling Step by Step" process.
2. Methodology

This section is divided into four interrelated parts:
  ● 2.1 Environment configuration
  ● 2.2 Preparing the analysis toolkit
  ● 2.3 Collecting data from the live system, step by step
  ● 2.4 Raw data analysis and keyword search

The first three parts (2.1 to 2.3) are discussed in this article; the remaining part and the offline analysis process are discussed in the next.
2.1 Environment configuration

Before collecting data from the compromised system we must configure our own environment. First, we must run a network sniffer that can monitor all traffic entering and leaving the compromised system. This action is essential: by recording and analysing this traffic in real time we can detect certain kinds of malicious activity. Tcpdump is an excellent tool for this. My suggestion is to record the packets in raw form, because interpreting them during capture can produce different results.

Before any activity on the compromised system we should write down the data collection procedure; an example is given in Section 2.3 of this article. Such a procedure helps to eliminate errors in our analysis. We must also take notes after each step to record what we have done. This documentation is very important: it lets us decide whether our results can be brought to court (Translator's note: to prosecute the intruder).

The next step is to record the output of the commands run during the data collection phase. We connect a target host to the local network; this target host must accept the data sent from the compromised host. Keep in mind that we cannot write anything on the compromised system. If we record data on the compromised system we will destroy intrusion evidence. To avoid this we must send our data to the remote target host. This is a very important rule of the analysis process and is worth repeating: it is not easy to satisfy.

If we do not yet have an analysis toolkit stored on a removable storage device, now is a good time to prepare these tools for use on the compromised system. When using the tools in this kit to collect important information, work from the lowest to the highest level of trust in the analysis structure.

The following shows how to prepare an external storage device holding our tools.
2.2 Preparing the analysis toolkit

Remember that during collection we must satisfy the following requirements:
  ● Try not to run programs that belong to the compromised system. Why? Because the intruder may have modified system commands (such as netstat) or system libraries (such as libproc), so that the output of these commands is unreliable. To achieve this we compile our tools statically.
  ● Try not to run programs that modify files and directories.
  ● Therefore the results must be written to a remote host. To meet this requirement we use the remote host as our target host, and we use the netcat tool to transfer the data.
  ● We must use a tool that computes hash values of the data. This is how we ensure that our data has not been changed. A good practice, to make sure the data is unchanged and properly saved on the target host, is to compare the hash of the source file with the hash of the target file. Sometimes there is no point in computing the hash on the compromised host; a good example is memory. Every time we compute the md5sum of the /dev/mem device we get a different hash value, because each time we load a program into memory (creating a process requires memory) the state of memory changes. During the collection process we compute the hash value immediately after collection completes. If possible, this should be done on both the source host and the target host. To preserve the integrity of the results we use the md5sum tool.
  ● Finally, make sure that in certain steps our tools do not write to the main memory and swap partition of the compromised system. This is discussed in Section 2.3. Now we must make sure that we have a suitable set of tools stored on removable media; the list of tools is as follows (Table 1):
Table 1: Tools required for the analysis (must be stored on the removable device).

No. | Program              | Source and related configuration
----+----------------------+-------------------------------------------------------------------
 1  | nc                   | http://www.atstake.com/research/tools/network_utilities/nc110.tgz
    |                      | How to build:  $ tar zxvf nc110.tgz; make linux
    |                      | How to verify: file nc  or  ldd nc
 2  | dd                   | http://www.gnu.org/software/fileutils/fileutils.html (now part of coreutils)
 3  | date, cat            | http://www.gnu.org/software/coreutils/
    |                      | How to build:  $ tar zxvf coreutils-5.0.tar.gz; ./configure CC="gcc -static"; make
    |                      | How to verify: file date cat  or  ldd date cat
 4  | pcat                 | http://www.porcupine.org/forensics/tct
    |                      | How to build:  $ tar zxvf tct-1.14.tgz; make CC="gcc -static"
    |                      | How to verify: file pcat  or  ldd pcat
 5  | hunter.o             | http://www.phrack.org/phrack/61/p61-0x03_Linenoise.txt
    |                      | To make the module more "independent" we must delete the following lines from the source code:
    |                      |     #ifdef CONFIG_MODVERSIONS
    |                      |     #define MODVERSIONS
    |                      |     #include <linux/modversions.h>
    |                      |     #endif
    |                      | With the modversions removed, we can load this module into other kernels.
    |                      | How to build:  $ gcc -c hunter.c -I/usr/src/linux/include/
 6  | insmod               | http://www.kernel.org/pub/linux/utils/kernel/modutils/ (for kernel 2.4)
    |                      | How to build:  $ ./configure --enable-insmod-static; make
    |                      | How to verify: file insmod.static  or  ldd insmod.static
 7  | netstat, arp, route  | http://freshmeat.net/projects/net-tools/
    |                      | How to build:  $ bzip2 -d net-tools-1.60.tar.bz2; tar xvf net-tools-1.60.tar; make config; make CC="gcc -static"
    |                      | How to verify: file netstat arp route  or  ldd netstat arp route
 8  | dmesg                | http://ftp.cwi.nl/aeb/util-linux/util-linux-2.12.tar.gz
    |                      | How to build:  $ ./configure; make CC="gcc -static"
    |                      | How to verify: file dmesg  or  ldd dmesg
Once the tools above have been built successfully, we copy them to removable media (for example a rewritable CD, CD-RW).

2.3 Collecting data from the live system, step by step

The next necessary condition is also very important: data must be collected in the proper order, from the most volatile to the most stable. We must keep to this order.
Step 1: Capture a screen image of the compromised system

This is a screenshot; of course, we use a digital camera for this. It is a very simple step.

Before performing the second step, in which we mount our removable storage device (using the mount command, naturally), let us consider what effect the second step will have on the compromised system. What does our activity change? For the moment, let us ignore its effect on the memory of the compromised system.

I fully appreciate that in order to attach an additional device to the compromised system we must use the untrusted mount command. Using an untrusted system command here is unavoidable. If everything goes according to plan, we then use the trusted tools on the mounted device to run all our remaining commands.

We also need to check what the mount command changes on the system. I did some research on a test computer; Table 2 lists the files and directories that are accessed and changed.

# strace /bin/mount /mnt/cdrom
Table 2: Files accessed by the mount command

File                            | Metadata modified by the mount command
--------------------------------+---------------------------------------
/etc/ld.so.cache                | atime
/lib/tls/libc.so.6              | atime
/usr/lib/locale/locale-archive  | atime
/etc/fstab                      | atime
/etc/mtab *                     | atime, mtime, ctime
/dev/cdrom                      | atime
/bin/mount                      | atime

* Access to this file can be avoided by using the "-n" switch.
We can imagine a situation in which the intruder has modified the mount command: when we run it, it starts another special process that deletes all traces of the intrusion and prevents the device from being mounted. Such a process is called a "deadman switch". Here we assume that this is not the case, and return to our data collection.

I suggest that we check in the same way every command that will be included in our toolkit, since these commands will be used later for data collection.

We must also stop and think about other problems we may face during mounting:
  ○ When the media is inserted, a volume manager may mount it automatically. Which files and directories are modified then? The files concerned are those listed in Table 2.
  ○ Suppose that unknown media has been mounted on the compromised system. Our first task is to unmount it, and we must make sure we can do so safely. I suggest two options: use the untrusted umount command, or copy a trusted (statically linked) umount command to a floppy disk, mount the floppy with the untrusted mount command, and then run the trusted umount command. This is very simple but very useful: we have used only the untrusted mount command.
  ○ The administrator is logged out or, worse, the administrator password has been changed. If the administrator is logged out, we must log in to the system again. Which files are accessed and modified when we log in? How many additional processes are created? If the administrator password has been changed, can the other accounts on the system yield any reliable data for collection: open TCP/UDP ports, current connections, and so on?
Step 2: Mounting the media

Let us continue by mounting the media; our tools are stored on a CD-ROM.

# mount -n /mnt/cdrom

If the above succeeds, we can begin the most important phase, data collection. Keep in mind that all results obtained with trusted commands must be delivered to the remote host. I use the netcat tool and pipes to do this. To make it clear which task is performed on which host, every command run on the compromised system is marked with one label and every command run on the remote host with another. See the example below.

To transfer the actual data from the compromised system to the remote system (assuming the remote host's IP address is 192.168.1.100), we must first open a TCP port on the remote host:

(remote host) # nc -l -p 8888 > date_compromised

Then, on the compromised host:

(compromised host) # /mnt/cdrom/date | /mnt/cdrom/nc 192.168.1.100 8888 -w 3

To preserve the integrity of the collection, we compute the hash value of the collected file, and we will do this at every step.

(remote host) # md5sum date_compromised > date_compromised.md5

Sometimes we compute the checksum on the compromised system and send the result to the remote host. This is discussed elsewhere in this article.

(compromised host) # /mnt/cdrom/md5sum /etc/fstab | /mnt/cdrom/nc 192.168.1.100 8888 -w 3
Step 3: Current date

The result is recorded in UTC time (Translator's note: UTC is Greenwich Mean Time).

(remote) # nc -l -p port > date_compromised
(compromised) # /mnt/cdrom/date -u | /mnt/cdrom/nc (remote) port
(remote) # md5sum date_compromised > date_compromised.md5
Step 4: Cache tables

First we must collect data from the cache tables, because these entries have a very short lifetime in the table. I collect this data from the ARP cache and the kernel routing cache.

MAC address cache table:
(remote) # nc -l -p port > arp_compromised
(compromised) # /mnt/cdrom/arp -an | /mnt/cdrom/nc (remote) port
(remote) # md5sum arp_compromised > arp_compromised.md5

Kernel route cache table:
(remote) # nc -l -p port > route_compromised
(compromised) # /mnt/cdrom/route -Cn | /mnt/cdrom/nc (remote) port
(remote) # md5sum route_compromised > route_compromised.md5
Step 5: Current connections and open TCP/UDP ports

Now let us collect information about the current connections and the open TCP/UDP ports. Information about active sockets will be dealt with in step 8.

(remote) # nc -l -p port > connections_compromised
(compromised) # /mnt/cdrom/netstat -an | /mnt/cdrom/nc (remote) port
(remote) # md5sum connections_compromised > connections_compromised.md5

In this step we can use the cat command instead of the netstat command: information about open ports is stored in the /proc filesystem (the /proc/net/tcp and /proc/net/udp files), and information about current connections in the /proc/net/netstat file. All data there is stored in hexadecimal.

For example: 0100007F:0401 represents 127.0.0.1:1025 in decimal.

As mentioned earlier, the current connections are also being monitored by the recording system (the sniffer). This record is important: a simple way to detect a rootkit that has been loaded into kernel memory and hides an open port is to compare the open ports seen from the remote system with the output of the netstat command. But this operation has many drawbacks, because it changes the state of the compromised system again; in step 7 I will present an alternative way of detecting a hidden LKM-based rootkit.
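An added example (not from the original article) of the /proc/net/tcp decoding just described: it parses a constructed /proc/net/tcp sample, converts the hexadecimal fields to dotted-decimal addresses and decimal ports, and lists the listening ports that a second listing (what the host's netstat printed, or what a scan from the remote host saw) did not report. The sample entries and the list of reported ports are constructed for illustration.

```python
# Added example (not part of the original article): decode /proc/net/tcp and
# compare its listening ports with the ports reported by another source.
import socket
import struct

# Constructed sample of /proc/net/tcp as it might be read on the compromised
# host (the third entry, port 0x7D4D, is the one our other listing lacks).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0401 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:7D4D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 00000000 100 0 0 10 0
   3: 6401A8C0:0016 0A01A8C0:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
"""

# Socket state codes used in the "st" column (only the two needed here).
TCP_STATES = {0x01: "ESTABLISHED", 0x0A: "LISTEN"}

def decode_endpoint(field):
    """'0100007F:0401' -> ('127.0.0.1', 1025). The kernel prints the IPv4
    address as a host-order 32-bit integer, so on little-endian x86 the bytes
    appear reversed; packing it little-endian restores network order."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = decode_endpoint(fields[1])
        rip, rport = decode_endpoint(fields[2])
        state = TCP_STATES.get(int(fields[3], 16), "OTHER")
        entries.append((lip, lport, rip, rport, state))
    return entries

def listening_ports(entries):
    """Local ports of all sockets in the LISTEN state."""
    return {lport for (_, lport, _, _, state) in entries if state == "LISTEN"}

def hidden_ports(entries, reported_ports):
    """Listening ports present in /proc/net/tcp but missing from another
    listing, e.g. the output of the host's netstat binary or a port scan run
    from the remote host; such a discrepancy deserves a closer look."""
    return sorted(listening_ports(entries) - set(reported_ports))

if __name__ == "__main__":
    entries = parse_proc_net_tcp(PROC_NET_TCP)
    # Constructed: the ports that the (possibly trojaned) netstat reported.
    print("not reported:", hidden_ports(entries, [22, 1025]))
```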
End of Part 1

So far we have collected some records of the data and of the state of the network connections. We will carry out some additional steps before shutting the system down. Next month, in the second article, we will concentrate on collecting data, searching for malicious code, and sending it to the remote host. We will also discuss some search methods that can be performed in a safe environment.
References:
Alessandro Rubini, Jonathan Corbet. Linux Device Drivers, 2nd Edition. O'Reilly; 2001.
Dan Farmer, Wietse Venema. Column series for Dr. Dobb's Journal. http://www.porcupine.org/forensics/column.html
Daniel P. Bovet, Marco Cesati. Understanding the Linux Kernel, 2nd Edition. O'Reilly; 2002.
Kernel source code. http://www.kernel.org/
Linux manual pages.
National Institute of Standards and Technology. Computer Security Incident Handling Guide. http://csrc.nist.gov/
Phrack #61. Finding Hidden Kernel Modules (the extrem way), by madsys. http://www.phrack.org/
RFC 3227. Guidelines for Evidence Collection and Archiving.
Fred Smith, Rebecca Bace. A Guide to Forensic Testimony. Addison Wesley; 2003.
Symantec Corporation. CodeRed Worm. http://securityresponse.symantec.com/
The Honeynet Project. Scan 29. http://www.honeynet.org/
The SANS Institute. Incident Handling Step by Step. http://www.sans.org/

About the author
View more articles by Mariusz Burdach on SecurityFocus.