From: Steve Grubb
Subject: Re: auditd and hidden ports
Date: Mon, 18 Dec 2017 19:24:53 -0500
Message-ID: <1756476.PUDoVLGFRe@x2>
To: linux-audit@redhat.com

Hello,

On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote:
> unhide reports that there are ports that are not being seen by ss. I
> also used lsof and netstat and they don't show up.
>
> [~] % sudo unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
>
> Found Hidden port that not appears in ss: 840
>
> Found Hidden port that not appears in ss: 851
> [*]Starting UDP checking
> [~] %
>
> I created auditd rules to monitor socket-related system calls:
>
> % sudo auditctl -l
> -a always,exit -F arch=b64 -S connect -F key=CONNECT
> -a always,exit -F arch=b64 -S bind -F key=BIND
> -a always,exit -F arch=b64 -S socket -F key=SOCKET
> -a always,exit -F arch=b64 -S listen -F key=LISTEN
> -a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
> -a always,exit -F arch=b64 -S close -F key=CLOSE
>
> The problem is that when I search the log files, I don't see any
> references to hidden ports 840 or 851. Below is one entry where
> unhide-tcp is trying to bind to port 39781, so I know auditd is
> logging entries:
>
> type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
> host:0.0.0.0 serv:39781
> type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
> a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
> ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
>
> Do any of you have any suggestions?

If you got rooted, then you may not be able to trust anything. Typically they hide processes seen by ps and files seen by ls. It might be that they use an unknown syscall number or it's in the kernel itself. I also don't know, if they jump into a network namespace, whether the audit daemon will see it. It might be an innocent explanation like that.

-Steve
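The cross-check Yectli did by hand above, written out as an added example that is not from the thread or from the audit project: it groups interpreted (ausearch -i style) records by their event serial, pairs each SOCKADDR record with the SYSCALL record of the same bind(), and then lists listening ports that have no BIND record at all. The log lines are constructed in the format quoted in the message; the sshd event, the second serial and the auid value are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the interpreted (ausearch -i) format quoted in the
# thread; the sshd event and the auid value are made up for the example.
SAMPLE_LOG = """\
type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=EXAMPLE_USER uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
type=SOCKADDR msg=audit(12/15/2017 16:18:01.100:11040200) : saddr=inet host:0.0.0.0 serv:22
type=SYSCALL msg=audit(12/15/2017 16:18:01.100:11040200) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffd3c1e0a40 a2=0x10 a3=0x0 items=0 ppid=1 pid=1100 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0 key=BIND
"""

AUDIT_LINE = re.compile(r"type=(\w+) msg=audit\(([^)]+)\) : (.*)")


def parse_audit_events(text):
    """Group records by event serial (last field of msg=audit(...)), which is
    what ties a SOCKADDR record to the SYSCALL record of the same bind()."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = AUDIT_LINE.match(line.strip())
        if not m:
            continue
        rtype, header, body = m.groups()
        serial = header.rsplit(":", 1)[1]
        fields = dict(re.findall(r"(\w+)=(\S+)", body))
        port = re.search(r"\bserv:(\d+)", body)  # decoded sockaddr port
        if port:
            fields["port"] = int(port.group(1))
        events[serial][rtype] = fields
    return dict(events)


def audited_bind_ports(events):
    """Map each port with a successful, audited bind() to the comm names
    that bound it (the key=BIND rule from the thread produces these)."""
    ports = defaultdict(set)
    for recs in events.values():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or "port" not in sa:
            continue
        if sc.get("syscall") == "bind" and sc.get("success") == "yes":
            ports[sa["port"]].add(sc.get("comm", "?"))
    return dict(ports)


def unexplained_listeners(listening_ports, audited):
    """Listening ports (from ss, netstat or /proc/net/tcp) with no BIND
    record. A hit is a lead, not proof: a listener opened before the rules
    were loaded, or bound in another network namespace, is also absent."""
    return sorted(p for p in listening_ports if p not in audited)
```

Feeding it the live listener set (the ports ss reports plus the two unhide-tcp found) narrows the investigation to the ports the audit trail cannot account for, which is where Steve's rootkit, unknown-syscall and namespace explanations come in.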