Files and File System
File and File System Analysis in Incident Response (Linux Systems)
When investigating a security incident on Linux systems, analyzing the file system is crucial. Attackers frequently manipulate files and directories to maintain persistence, escalate privileges, or hide their activities. Here's a systematic approach to detect, analyze, and remediate malicious activity on the file system.
Key Linux Directories and Their Relevance in Incident Response
Directory
Purpose
Risk/Notes
/boot
Boot files, kernel images
Rarely altered but critical for boot integrity.
/etc
Configuration files
Targeted for persistence (e.g., /etc/passwd, /etc/shadow).
/bin
Essential binaries
Rarely changes; modifications can indicate rootkits.
/sbin
Superuser binaries
Altered to replace critical admin commands.
/tmp
Temporary files
Commonly used for dropping malicious files.
/var
Logs, variable data
Stores logs that can be tampered with to hide tracks.
/home
User directories
Holds user-specific data and potential malware.
/root
Root user’s home
Contains sensitive root data.
/usr
User binaries and libraries
Could be targeted for persistent malicious binaries.
/dev
Device files
May be used for hiding malicious payloads.
Steps for File and File System Analysis
1. Identify Suspicious Files
Target Common Exploitation Points:
Temporary Directories:
/tmp,/var/tmp,/dev/shmWeb Application Directories:
/var/www,/usr/share/nginx/html
Search by File Extensions
Scan for scripts or binaries with potentially malicious extensions:
Extensions to watch:
.php,.jsp,.asp(Webshells).sh(Shell scripts).elf,.out,.bin(Executable binaries)
Search by File Modification Time
Find files modified in a specific timeframe:
Other time-based filters:
Files modified in the last X days:
Files modified more than X days ago:
Search by Ownership
Locate files created or modified by specific users:
Search Recently Changed Metadata
Identify files with recent permission or ownership changes:
2. Analyze Suspicious Files
Examine File Metadata
Get detailed metadata about a file:
Details Provided:
Access, modification, and change times.
Ownership: Who owns the file?
Permissions: What operations are allowed?
Check File Contents
For readable files (e.g., scripts, logs):
Identify Binaries
For binary executables:
Hash the File
Compare file hashes against threat intelligence or virus scanning services:
Use platforms like VirusTotal for quick analysis.
3. Remediate Malicious Files
Delete Malicious Files
Once identified, remove them securely:
Restore Critical System Files
If critical files like /etc/passwd or binaries in /bin are compromised:
Restore from clean backups:
Reinstall affected system components:
Correct File Permissions and Ownership
Ensure correct permissions for critical files:
4. Review Logs for Tampering
Locate and Analyze Logs
Check logs for signs of tampering or deletion:
System logs:
Web server logs:
Look for Gaps or Unusual Activity
Search for log entries around the timeframe of the compromise:
Key Commands Cheat Sheet
Command
Purpose
find / -type f \( -iname "*.php" \)
Find files by extension.
find /tmp -newermt "YYYY-MM-DD"
Find files modified in a time range.
stat /path/to/file
Get detailed file metadata.
sha256sum /path/to/file
Hash file for verification.
cat /var/log/syslog
Review system logs.
rm -rf /path/to/malicious/file
Remove malicious file.
chmod 644 /etc/passwd
Set proper permissions for system file.
Key Points
File and file system analysis are foundational in identifying and mitigating threats on compromised Linux systems. By systematically searching for unusual files, analyzing their properties, and reviewing log entries, responders can detect malicious activity, remove threats, and restore system integrity. Implementing strong monitoring and file integrity tools enhances proactive security efforts.
Last updated