3 Important Things
Investigating a Suspected Compromise on a Linux System
When responding to a suspected compromise on a Linux system, answering the following key questions systematically helps uncover malicious activities and guide further investigation.
1. Is There Malware Actively Running in the System?
Objective: Detect and analyze potentially malicious processes running on the system.
Steps to Identify Malicious Processes:
List Active Processes:
Use ps or top to review running processes.
ps aux | less
Look for:
Processes with unusual names (e.g., xmr, random123).
Commands running from temporary or suspicious directories like /tmp, /dev/shm.
High CPU or memory usage by unexpected processes.
Analyze the Process Tree:
Use pstree for a hierarchical view of processes.
pstree -p
Focus on:
Unexpected parent-child relationships (e.g., apache2 spawning bash).
Investigate Executable Files:
Use lsof to list files opened by a specific process.
lsof -p <PID>
Check for:
Executables running from non-standard directories.
Open network sockets or files.
Review Hidden Processes:
Hidden processes might evade standard tools. Cross-verify with a second listing:
ps -elf | grep <process-name>
Note that both commands read the same process table, so a kernel-level rootkit that hides a process from ps hides it from this check as well; comparing the listing against the PID directories under /proc gives an independent view.
2. Is There Any Suspicious Internal or External Communication?
Objective: Detect unusual or unauthorized network activity indicative of C2 communication or data exfiltration.
Steps to Investigate Network Activity:
Check Active Network Connections:
Use ss or netstat to list open connections and listening services.
ss -tuln
The -l flag restricts the output to listening sockets; run the command without it (for example ss -tunp) to see established connections as well. Look for:
Connections to unknown external IPs.
Unusual listening ports (e.g., port 4444 used for reverse shells).
Monitor Network Traffic:
Capture live traffic with tcpdump.
tcpdump -i eth0
Filter for suspicious activity:
DNS queries (port 53) for domains resembling C2 communication.
tcpdump -i eth0 port 53
Large outbound transfers:
tcpdump -i eth0 'tcp[13] & 16 != 0'
Note that this filter matches every TCP segment with the ACK flag set (bit 0x10 of the flags byte), which covers most established traffic; combine it with a direction or host filter (for example src host <IP>) to narrow it down to the transfer you are interested in.
Analyze Historical Network Activity:
Check system logs for past network connections.
grep "connect" /var/log/syslog
Look for unknown IP addresses or repeated failed connection attempts.
Inspect DNS Queries:
Review DNS query logs (if available) to identify suspicious domain resolutions.
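As an added illustration of the process and socket checks in sections 1 and 2 (example code, not part of the original page), the following script applies the page's indicators to captured `ps aux` and `ss -tuln` output, as saved during evidence collection. The sample captures, the CPU threshold and the name pattern are constructed assumptions.

```python
import re

# Constructed sample captures (not from the page): `ps aux` and `ss -tuln` output.
PS_SAMPLE = """\
USER     PID %CPU %MEM  VSZ RSS TTY   STAT START TIME COMMAND
root       1  0.0  0.1  169  11 ?     Ss   10:00 0:01 /sbin/init
www-data 812  0.2  1.0  300  40 ?     S    10:01 0:00 /usr/sbin/apache2 -k start
www-data 913 97.5  2.0  900  80 ?     R    10:05 5:12 /dev/shm/.x/xmr -c config.json
"""
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*
"""
# Indicators from the checklist; threshold and name list are illustrative assumptions.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SUSPICIOUS_NAMES = re.compile(r"xmr|random\d+", re.IGNORECASE)
CPU_THRESHOLD = 80.0
REVERSE_SHELL_PORTS = {4444}

def parse_ps_aux(text):
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 10)  # COMMAND is everything after the tenth column
        if len(parts) == 11:
            rows.append({"pid": int(parts[1]), "cpu": float(parts[2]), "cmd": parts[10]})
    return rows

def triage_ps(text):
    """Flag processes matching the three process indicators from section 1."""
    findings = []
    for p in parse_ps_aux(text):
        argv0 = p["cmd"].split()[0]
        if argv0.startswith(SUSPICIOUS_DIRS):
            findings.append((p["pid"], "runs from temp dir", argv0))
        if SUSPICIOUS_NAMES.search(argv0.rsplit("/", 1)[-1]):
            findings.append((p["pid"], "suspicious name", argv0))
        if p["cpu"] >= CPU_THRESHOLD:
            findings.append((p["pid"], "high cpu", p["cpu"]))
    return findings

def triage_ss(text):
    """Flag listening sockets on ports associated with reverse shells (section 2)."""
    findings = []
    for line in text.strip().splitlines()[1:]:
        cols = line.split()
        port = int(cols[4].rsplit(":", 1)[1])  # "0.0.0.0:4444" -> 4444
        if port in REVERSE_SHELL_PORTS:
            findings.append((cols[0], port, cols[4]))
    return findings
```

Running triage_ps(PS_SAMPLE) reports PID 913 three times (temp directory, name match, high CPU) and triage_ss(SS_SAMPLE) reports the listener on port 4444; every hit is a lead to follow with pstree and lsof, not a verdict on its own.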
3. Is There Any Persistence?
Objective: Detect mechanisms attackers use to maintain long-term access.
Steps to Identify Persistence Mechanisms:
Check for Malicious Cron Jobs:
List current user's scheduled tasks.
crontab -l
System-wide cron jobs:
cat /etc/crontab
ls -la /etc/cron.*
Per-user crontabs of other accounts live under /var/spool/cron (or /var/spool/cron/crontabs on Debian-based systems) and are not shown by crontab -l for the current user.
Indicators:
Unknown scripts or commands scheduled to run periodically.
Scripts running from temporary locations.
Inspect Startup Scripts:
Check for suspicious scripts or services configured to start on boot:
ls -la /etc/init.d/
ls -la /etc/systemd/system/
Review /etc/rc.local for manually added startup commands.
Examine SSH Keys:
Verify authorized keys in ~/.ssh/authorized_keys.
cat ~/.ssh/authorized_keys
Repeat the check for every account with a home directory, including /root/.ssh/authorized_keys, not only the user you are logged in as. Look for:
Unauthorized public keys potentially used for backdoor access.
Search for Recently Modified Files:
Identify files changed in the last few days.
find / -type f -mtime -5 2>/dev/null
The -mtime -5 test matches files modified within the last five days. Because an attacker can reset the modification time with touch, also run the same search with -ctime, which reflects the inode change time and cannot be set with touch.
Check:
Key system files like .bashrc, .profile, and system binaries for unauthorized modifications.
Findings and Next Steps:
By following the outlined steps, you can determine:
Active Malware Presence: Identified through anomalous processes and suspicious executable files.
Suspicious Network Activity: Revealed by unusual external connections, DNS queries, and active network traffic.
Persistence Mechanisms: Found through malicious cron jobs, startup scripts, or unauthorized SSH keys.
Next Steps:
Isolate: Take the affected system off the network to prevent further spread.
Collect Evidence: Save logs, memory dumps, and identified malware samples.
Remediate: Remove malicious processes, clean persistence mechanisms, and patch vulnerabilities.
Monitor: Continuously monitor for signs of re-infection or additional compromises.