Linux-audit Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditd and hidden ports
Date: Mon, 18 Dec 2017 19:24:53 -0500	[thread overview]
Message-ID: <1756476.PUDoVLGFRe@x2> (raw)
In-Reply-To: <CAGKX4TdtU5KvFaxYraq8RuqNySg=mwB6aHOdXhjLp6Fw1XnwVQ@mail.gmail.com>


[-- Attachment #1.1: Type: text/plain, Size: 2145 bytes --]

Hello,

On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote:
> unhide reports that there are ports that are not being seeing by ss. i
> also used lsof and netstat and they don't show up.
> 
> [~] % sudo unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
> 
> Found Hidden port that not appears in ss: 840
> 
> Found Hidden port that not appears in ss: 851
> [*]Starting UDP checking
> [~] %
> 
> i created auditd rules to monitor socket related system calls
> 
> % sudo auditctl -l
> -a always,exit -F arch=b64 -S connect -F key=CONNECT
> -a always,exit -F arch=b64 -S bind -F key=BIND
> -a always,exit -F arch=b64 -S socket -F key=SOCKET
> -a always,exit -F arch=b64 -S listen -F key=LISTEN
> -a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
> -a always,exit -F arch=b64 -S close -F key=CLOSE
> 
> 
> the problem is that when i search the log files, i don't see any
> references to hidden ports 840 or 851. below is one entry where
> unhide-tcp is trying to bind to port 39781, so i know auditd is
> logging entries
> 
> type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
> host:0.0.0.0 serv:39781
> type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
> a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
> ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
> 
> 
> do any of you have any suggestions?

If you got rooted, then you may not be able to trust anything. Typically they hide 
processes seen by ps and files seen by ls. It might be that they use an unknown 
syscall number or its in the kernel itself. I also don't know if they jump into a 
network namespace if the audit daemon will see it. It might be an innocent 
explanation like that.

-Steve


[-- Attachment #1.2: Type: text/html, Size: 9986 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



  reply	other threads:[~2017-12-19  0:24 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-18 19:37 auditd and hidden ports Yectli Huerta
2017-12-19  0:24 ` Steve Grubb [this message]
2017-12-19 20:10   ` Yectli Huerta
2017-12-20 21:24     ` Yectli Huerta

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1756476.PUDoVLGFRe@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox