Mounts

Analyzing Mounted File Systems in Incident Response (Linux Systems)

In Linux systems, mounted file systems are essential for accessing external drives, network shares, and removable media. However, they can also serve as attack vectors during incidents, especially in ransomware attacks or malware propagation. Here's how to effectively analyze mounted file systems during an incident response.


Why Mounted File System Analysis is Crucial

Attackers exploit file systems for various malicious purposes:

  1. Ransomware Attacks: Encrypt data on shared or mounted storage.

  2. Malware Propagation: Spread malware across network shares and external drives.

  3. Data Exfiltration: Steal sensitive data stored on mounted devices.

  4. Persistence: Store malicious files in obscure mounts to evade detection.


Steps for Analyzing Mounted File Systems

1. Identify Active Mounts

Command: mount

Lists all currently mounted file systems along with their mount points.

mount

Output Example:

/dev/sda1 on / type ext4 (rw,relatime)
192.168.1.10:/shared on /mnt/shared type nfs (rw,noexec)

Command: findmnt

Displays mounted file systems in a tree-like structure, making it easier to trace mount points and dependencies.

findmnt

Command: df -aTh

Shows disk usage and type of file systems in a human-readable format.

df -aTh

Key Information:

  • File System Type: e.g., ext4, nfs, smbfs.

  • Mount Point: e.g., /mnt/shared.

  • Disk Usage: Helps detect unusual or critical storage consumption.

Command: cat /proc/mounts

Reads the real-time list of mounted file systems from the kernel.

cat /proc/mounts

2. Investigate Logs for Mount Events

Though mounting and unmounting events aren't always explicitly logged, they may leave traces in system logs.

Command: dmesg

Search for mount-related events in kernel messages.

dmesg | grep mount

Example Output:

[45678.123456] EXT4-fs (sdb1): mounted filesystem with ordered data mode. Opts: (null)
[45678.654321] CIFS VFS: Server 192.168.1.15 has mounted a share

Command: grep (search the system logs for related events)

grep "mount" /var/log/syslog
grep "mount" /var/log/messages

Key Logs:

  • Unauthorized mounts: Look for mounts not configured by administrators.

  • Network file systems: Identify mounts from suspicious external servers.
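As an added example (not part of the original page), the two "Key Logs" checks above can be turned into a small script: it keeps only log lines that mention mount activity, pulls out every IPv4 address they reference, and reports the ones that are not in the list of share servers the administrators actually configured. The log excerpt and the allowlist are constructed for this example; the two kernel lines mirror the dmesg output shown above, the rest (the systemd, sshd and 203.0.113.7 lines) are made up.

```shell
# Added example: report remote servers seen in mount-related log lines that
# are not on the administrators' allowlist. Not code from the original page.

# Constructed syslog-style excerpt (not captured from a real host).
SAMPLE_LOG='Mar  3 10:12:01 host kernel: [45678.123456] EXT4-fs (sdb1): mounted filesystem with ordered data mode. Opts: (null)
Mar  3 10:15:44 host kernel: [45678.654321] CIFS VFS: Server 192.168.1.15 has mounted a share
Mar  3 10:16:02 host systemd[1]: Mounted /mnt/shared.
Mar  3 10:40:09 host sshd[2211]: Accepted publickey for ops from 192.168.1.50 port 51022
Mar  3 11:02:17 host kernel: [45900.000001] CIFS VFS: Server 203.0.113.7 has mounted a share'

# Share servers configured by the administrators (assumed baseline).
ALLOWED_SERVERS='192.168.1.10 192.168.1.15'

# unknown_mount_servers ALLOWLIST
#   Reads log lines on stdin, keeps lines mentioning mount/umount/mounted,
#   extracts IPv4 addresses from them, de-duplicates, and prints each address
#   that is not in the space-separated ALLOWLIST. Addresses on unrelated lines
#   (the sshd login above) are never considered.
unknown_mount_servers() {
    allow=" $1 "
    grep -i 'mount' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u |
    while read -r ip; do
        case "$allow" in
            *" $ip "*) ;;        # configured server, nothing to report
            *) echo "$ip" ;;     # not configured by admins: investigate
        esac
    done
}

# Demonstration on the constructed excerpt; prints 203.0.113.7.
printf '%s\n' "$SAMPLE_LOG" | unknown_mount_servers "$ALLOWED_SERVERS"
# On a live host, feed the real log instead:
#   unknown_mount_servers "$ALLOWED_SERVERS" < /var/log/syslog
```

The filter is deliberately coarse (any line containing "mount"), which is what you want during triage: false positives cost a minute of reading, a missed server costs far more. Extend the grep pattern if your distribution logs NFS or CIFS activity under a different wording.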

3. Evaluate Mounted File Systems

Focus on Critical Mount Points:

  • /mnt and /media: Temporary storage or external drives.

  • NFS/SMB Shares: Mounted over the network.

  • /dev and /proc: Special file systems that could hide malicious activity.

Look for Unusual or Unauthorized Mounts:

  • Unexpected Remote Shares: Mounted from unknown or unauthorized IPs.

  • Non-Standard Paths: Files or directories mounted in unusual locations.

  • Hidden Volumes: Mounted with obscure names to avoid detection.
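The inventory commands from step 1 and the review criteria from step 3 combine naturally into one check. The script below is an added example (not from the original page): it reads lines in /proc/mounts format, reports every network file system together with the host serving it ("Unexpected Remote Shares"), and reports every mount point that is not in an expected baseline ("Non-Standard Paths", "Hidden Volumes"). The sample mount table, the 10.0.0.5 server and the baseline list are constructed for this example; the 192.168.1.10 share is the one shown in the mount output above.

```shell
# Added example: flag network shares and unexpected mount points from
# /proc/mounts-format input. Not code from the original page.

# Constructed sample in /proc/mounts format (device, mount point, type,
# options, dump, pass). The last line stands in for a "hidden volume".
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
192.168.1.10:/shared /mnt/shared nfs rw,noexec,vers=4.2 0 0
//10.0.0.5/backup /media/usb0 cifs rw,relatime 0 0
tmpfs /var/tmp/.cache/x tmpfs rw,nosuid 0 0'

# Mount points the administrators expect on this host (assumed baseline).
EXPECTED_MOUNTS='/ /proc /mnt/shared'

# flag_mounts EXPECTED
#   Reads /proc/mounts-format lines on stdin and prints one line per finding:
#     network-fs        a network file system, with the serving host
#     unexpected-mount  a mount point missing from the EXPECTED baseline
#   Kernel pseudo-filesystems under /sys, /run and /dev are skipped so that
#   cgroup, devpts and similar mounts do not drown the report.
flag_mounts() {
    awk -v expected="$1" '
    BEGIN {
        n = split(expected, e, " ")
        for (i = 1; i <= n; i++) known[e[i]] = 1
    }
    $3 ~ /^(nfs|nfs4|cifs|smb3|fuse\.sshfs)$/ {
        src = $1
        sub("^//", "", src)        # //server/share  -> server/share
        sub("[:/].*$", "", src)    # server:/export  -> server
        print "network-fs " $2 " served by " src " (" $3 ")"
    }
    !($2 in known) && $2 !~ "^/(sys|run|dev)(/|$)" {
        print "unexpected-mount " $2 " <- " $1 " (" $3 ")"
    }
    '
}

# Demonstration on the constructed sample (four findings).
printf '%s\n' "$SAMPLE_MOUNTS" | flag_mounts "$EXPECTED_MOUNTS"
# On a live host, read the kernel view directly:
#   flag_mounts "$EXPECTED_MOUNTS" < /proc/mounts
```

The baseline is the important input: generate it from a known-good host (for example the second column of /proc/mounts after provisioning) and keep it with your other configuration, so that during an incident the comparison is against what should be there rather than against memory.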

4. Analyze Disk Usage

Command: du

Shows disk usage within a specific directory.

du -sh /mnt/shared

Command: lsblk

Displays detailed information about block devices and their mount points.

lsblk

Post-Incident Actions

1. Unmount Suspicious File Systems

If unauthorized or malicious mounts are identified, unmount them immediately:

umount /path/to/mount

2. Isolate Compromised Systems

Quarantine affected systems or shares to prevent further spread of malware or encryption by ransomware.

3. Restore from Backups

If data has been compromised, such as in a ransomware attack, restore the affected file systems from clean, verified backups.


Hardening and Prevention

1. Restrict Mount Permissions

  • Use the noexec option for mounts to prevent execution of binaries.

  • Limit mounting permissions to trusted users only.

Example:

mount -o noexec /dev/sdb1 /mnt/secure

2. Implement Network Share Security

  • Limit access to network shares using IP whitelisting.

  • Monitor and log all access to shared mounts.

3. Enable File System Monitoring

Use tools like Auditd to monitor file system activities, including mount operations:

auditctl -w /mnt -p rwxa -k mounted-shares

4. Use Read-Only Mounts for Non-Essential Data

Prevent attackers from writing malicious files to critical shares:

mount -o ro /dev/sdc1 /mnt/readonly
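The two mount commands above apply their options only until the next reboot or remount, so hardening is usually expressed in /etc/fstab and then verified. The script below is an added example (not from the original page or any project): it checks that a given mount point carries every option a policy requires. Because /etc/fstab and /proc/mounts both place device, mount point, type and options in their first four fields, the same function audits either the declared configuration or the running state. The fstab lines are constructed for this example; the /mnt/secure and /mnt/readonly entries correspond to the two commands above, with the first one deliberately carrying only noexec.

```shell
# Added example: verify that a mount point carries the options a hardening
# policy requires. Not code from the original page.

# Constructed fstab-style lines (not from a real host). /mnt/secure mirrors the
# one-off `mount -o noexec` above and is missing nosuid and nodev on purpose.
SAMPLE_FSTAB='/dev/sda1 / ext4 defaults 0 1
/dev/sdb1 /mnt/secure ext4 noexec 0 2
192.168.1.10:/shared /mnt/shared nfs rw,noexec,nosuid,nodev 0 0
/dev/sdc1 /mnt/readonly ext4 ro,noexec,nosuid,nodev 0 2'

# check_mount_policy MOUNTPOINT OPT[,OPT...]
#   Reads fstab or /proc/mounts lines on stdin. Prints one line per required
#   option missing from MOUNTPOINT. Exit status 0 when every option is present,
#   1 when something is missing or the mount point is not listed at all.
check_mount_policy() {
    awk -v mp="$1" -v required="$2" '
    $1 ~ /^#/ { next }                       # skip fstab comments
    $2 == mp {
        found = 1
        n = split(required, req, ",")
        have = "," $4 ","                    # bracket so "ro" does not match "errors"
        for (i = 1; i <= n; i++)
            if (index(have, "," req[i] ",") == 0) {
                print mp ": missing " req[i]
                bad = 1
            }
    }
    END {
        if (!found) {
            print mp ": not listed"
            bad = 1
        }
        exit bad
    }
    '
}

# Demonstration on the constructed table.
printf '%s\n' "$SAMPLE_FSTAB" | check_mount_policy /mnt/secure noexec,nosuid,nodev \
    || echo "/mnt/secure violates policy"
printf '%s\n' "$SAMPLE_FSTAB" | check_mount_policy /mnt/readonly ro,noexec,nosuid,nodev \
    && echo "/mnt/readonly OK"
# On a live host, audit the running state:
#   check_mount_policy /mnt/secure noexec,nosuid,nodev < /proc/mounts
```

One caveat on the auditd rule in point 3: `-w /mnt -p rwxa` records file access under /mnt, which is valuable, but it does not record the act of mounting. To log mount operations themselves, add a syscall rule such as `-a always,exit -F arch=b64 -S mount,umount2 -k mounts` alongside it (this rule is an addition here, not from the page).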

Key Commands

Command                  Purpose
mount                    List currently mounted file systems.
findmnt                  Display mounts in a tree structure.
df -aTh                  Show disk usage and file system types.
cat /proc/mounts         Real-time view of mounted file systems.
dmesg | grep mount       Search kernel messages for mount-related events.
umount /path/to/mount    Unmount a suspicious or unauthorized file system.
auditctl -w /mnt         Monitor mounted directories for changes.


Key Points

Mounted file systems are critical to the functionality and storage capabilities of Linux systems, but they also pose security risks during an attack. By methodically analyzing mounted file systems, incident responders can identify malicious activity, secure compromised environments, and prevent further exploitation. Proactive measures such as limiting permissions, monitoring file system activity, and using secure mounts significantly enhance a system's resilience against attacks.
