From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditd and hidden ports
Date: Mon, 18 Dec 2017 19:24:53 -0500 [thread overview]
Message-ID: <1756476.PUDoVLGFRe@x2> (raw)
In-Reply-To: <CAGKX4TdtU5KvFaxYraq8RuqNySg=mwB6aHOdXhjLp6Fw1XnwVQ@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 2145 bytes --]
Hello,
On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote:
> unhide reports that there are ports that are not being seeing by ss. i
> also used lsof and netstat and they don't show up.
>
> [~] % sudo unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
>
> Found Hidden port that not appears in ss: 840
>
> Found Hidden port that not appears in ss: 851
> [*]Starting UDP checking
> [~] %
>
> i created auditd rules to monitor socket related system calls
>
> % sudo auditctl -l
> -a always,exit -F arch=b64 -S connect -F key=CONNECT
> -a always,exit -F arch=b64 -S bind -F key=BIND
> -a always,exit -F arch=b64 -S socket -F key=SOCKET
> -a always,exit -F arch=b64 -S listen -F key=LISTEN
> -a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
> -a always,exit -F arch=b64 -S close -F key=CLOSE
>
>
> the problem is that when i search the log files, i don't see any
> references to hidden ports 840 or 851. below is one entry where
> unhide-tcp is trying to bind to port 39781, so i know auditd is
> logging entries
>
> type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
> host:0.0.0.0 serv:39781
> type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
> a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
> ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
>
>
> do any of you have any suggestions?
If you got rooted, then you may not be able to trust anything. Typically they hide
processes seen by ps and files seen by ls. It might be that they use an unknown
syscall number or its in the kernel itself. I also don't know if they jump into a
network namespace if the audit daemon will see it. It might be an innocent
explanation like that.
-Steve
[-- Attachment #1.2: Type: text/html, Size: 9986 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2017-12-19 0:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-18 19:37 auditd and hidden ports Yectli Huerta
2017-12-19 0:24 ` Steve Grubb [this message]
2017-12-19 20:10 ` Yectli Huerta
2017-12-20 21:24 ` Yectli Huerta
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1756476.PUDoVLGFRe@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox