* auditd and hidden ports
From: Yectli Huerta @ 2017-12-18 19:37 UTC
To: linux-audit

Hi,

unhide reports that there are ports that are not being seen by ss. I also used lsof and netstat and they don't show up.

[~] % sudo unhide-tcp
Unhide-tcp 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
Used options:
[*]Starting TCP checking

Found Hidden port that not appears in ss: 840

Found Hidden port that not appears in ss: 851
[*]Starting UDP checking
[~] %

I created auditd rules to monitor socket-related system calls

% sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE

The problem is that when I search the log files, I don't see any references to hidden ports 840 or 851. Below is one entry where unhide-tcp is trying to bind to port 39781, so I know auditd is logging entries

type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND

Do any of you have any suggestions?

thanks,
yah

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: auditd and hidden ports
From: Steve Grubb @ 2017-12-19 0:24 UTC
To: linux-audit

Hello,

On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote:
> unhide reports that there are ports that are not being seen by ss. I
> also used lsof and netstat and they don't show up.
>
> [~] % sudo unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
>
> Found Hidden port that not appears in ss: 840
>
> Found Hidden port that not appears in ss: 851
> [*]Starting UDP checking
> [~] %
>
> I created auditd rules to monitor socket-related system calls
>
> % sudo auditctl -l
> -a always,exit -F arch=b64 -S connect -F key=CONNECT
> -a always,exit -F arch=b64 -S bind -F key=BIND
> -a always,exit -F arch=b64 -S socket -F key=SOCKET
> -a always,exit -F arch=b64 -S listen -F key=LISTEN
> -a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
> -a always,exit -F arch=b64 -S close -F key=CLOSE
>
> The problem is that when I search the log files, I don't see any
> references to hidden ports 840 or 851. Below is one entry where
> unhide-tcp is trying to bind to port 39781, so I know auditd is
> logging entries
>
> type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
> host:0.0.0.0 serv:39781
> type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
> a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
> ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
>
> Do any of you have any suggestions?

If you got rooted, then you may not be able to trust anything. Typically they hide processes seen by ps and files seen by ls. It might be that they use an unknown syscall number or it's in the kernel itself. I also don't know if they jump into a network namespace whether the audit daemon will see it. It might be an innocent explanation like that.

-Steve
* Re: auditd and hidden ports
From: Yectli Huerta @ 2017-12-19 20:10 UTC
To: linux-audit

On 12/18/17, Steve Grubb <sgrubb@redhat.com> wrote:
> Hello,
> ..........
>
> If you got rooted, then you may not be able to trust anything. Typically
> they hide processes seen by ps and files seen by ls. It might be that they
> use an unknown syscall number or it's in the kernel itself. I also don't
> know if they jump into a network namespace whether the audit daemon will
> see it. It might be an innocent explanation like that.
>
> -Steve
>

hi,

thanks for the reply. I'm trying to narrow down the scenarios. I ran a simple program that I found on the web and modified to check all ports

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>          /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * from https://theredblacktree.wordpress.com/2013/09/30/how-to-check-if-a-port-is-open-or-not-in-c-unixlinux/
 * modified to try a connect() to every TCP port on localhost
 */

int main(int argc, char *argv[])
{
    char *hostname = "localhost";
    int sockfd, i;
    struct sockaddr_in serv_addr;
    struct hostent *server;

    for (i = 1; i <= 65535; i++) {
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
            perror("ERROR opening socket");   /* error() is not declared in these headers */
            exit(1);
        }
        server = gethostbyname(hostname);
        if (server == NULL) {
            fprintf(stderr, "ERROR, no such host\n");
            exit(1);
        }
        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        bcopy((char *) server->h_addr, (char *) &serv_addr.sin_addr.s_addr, server->h_length);
        serv_addr.sin_port = htons(i);

        /* a successful connect() means something is listening on port i */
        if (connect(sockfd, (struct sockaddr *) &serv_addr, sizeof(serv_addr)) < 0) {
            /* printf("Port is closed, %d\n", i); */
        } else {
            printf("Port is active, %d\n", i);
        }
        close(sockfd);
    }
    return 0;
}

When I run it, it tells me which ports are used because the program can't bind to a port

[/tmp] % sudo autrace ./a.out
Waiting to execute: ./a.out
Port is active, 22
Port is active, 111
....

When I analyze the output

[/tmp] % sudo ausearch -i -p 5502 &> ~/tcp-bind-auditd.log

I see that a.out was able to connect to very high ports, but not lower ports that were reported to be in use

[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | head -n 5
serv:62653
serv:62654
serv:62655
serv:62656
serv:62657
[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | tail -n 5
serv:65531
serv:65532
serv:65533
serv:65534
serv:65535
[ ~] $ grep serv:22 tcp-bind-auditd.log
[ ~] $ grep serv:111 tcp-bind-auditd.log
[ ~] $ grep serv:23 tcp-bind-auditd.log
[ ~] $
[~] $ grep 65535 tcp-bind-auditd.log
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet host:127.0.0.1 serv:65535

Is something hiding the lower ports from auditd? Is there a way to log all syscalls to trace what binds to the ports after a reboot? I can reboot the server and then attempt to trace each network socket. These rules don't seem to be enough to track network sockets.

[/tmp] % sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE

The ports that appeared to be hidden are no longer showing up, so I'm trying to figure out what is going on.

thanks
yah
* Re: auditd and hidden ports
From: Yectli Huerta @ 2017-12-20 21:24 UTC
To: linux-audit

A coworker suggested I change max_log_file_action to KEEP_LOGS instead of ROTATE in /etc/audit/auditd.conf. This did the trick. auditd was generating too many logs and activating log rotation. I ran a test after the change and the lower ports that did not show up previously showed up in the logs.

thanks,
yah
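A worked example added after the thread, not code from the thread or from the audit project. It does what the grep/awk pass in the 2017-12-19 message does by hand, and adds the check the 2017-12-20 resolution calls for: it reads the interpreted records that `ausearch -i` prints (the format quoted in the thread), joins each SOCKADDR record to its SYSCALL record on the event serial so a port can be tied to the comm and pid that touched it, lists the low ports that were actually recorded, and flags jumps in the serial sequence, which on an unfiltered log are the trace that rotated or dropped events leave behind. The sample records are constructed: serial 11040116 is the bind event quoted in the thread (with auid=unset standing in for the redacted value); the a.out events, pid 5502, the refused connect to port 23 and the jump to serial 11040125 are invented for illustration.

```python
"""Join `ausearch -i` SOCKADDR/SYSCALL records by event serial and spot lost events.

Added example for the linux-audit thread above; not code from the thread or
from the audit project. Assumes the interpreted record format `ausearch -i`
prints, as quoted in the thread. The SAMPLE records below are constructed.
"""
import re
import sys
from collections import defaultdict

# Every interpreted record starts with:  type=<TYPE> msg=audit(<date> <time>:<serial>) : <fields>
# SOCKADDR and SYSCALL records of the same syscall share the serial; that is the join key.
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*):(\d+)\) : (.*)$")
SOCKADDR_RE = re.compile(r"saddr=(\w+) host:(\S+) serv:(\d+)")


def parse_records(text):
    """Return (type, serial, body) per record line; '----' separators are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            rtype, _ts, serial, body = m.groups()
            out.append((rtype, int(serial), body))
    return out


def socket_events(text):
    """Map serial -> {syscall, success, pid, comm, exe, family, host, port}.

    Events without a SOCKADDR record (socket(), close(), shutdown()) carry no
    port and are dropped. Interpreted values containing spaces, such as
    exit=ECONNREFUSED(Connection refused), are cut at the first space; only
    success= is used here, so that is acceptable."""
    by_serial = defaultdict(dict)
    for rtype, serial, body in parse_records(text):
        if rtype == "SOCKADDR":
            m = SOCKADDR_RE.search(body)
            if m:
                by_serial[serial].update(family=m.group(1), host=m.group(2), port=int(m.group(3)))
        elif rtype == "SYSCALL":
            f = dict(tok.split("=", 1) for tok in body.split() if "=" in tok)
            by_serial[serial].update(syscall=f.get("syscall"), success=f.get("success") == "yes",
                                     pid=f.get("pid"), comm=f.get("comm"), exe=f.get("exe"))
    return {s: e for s, e in by_serial.items() if "port" in e and "syscall" in e}


def ports_below(events, limit=1024, successful_only=True):
    """Sorted low ports seen in bind/connect. A listener the scanner reached
    that is missing here means its record never made it into the log."""
    return sorted({e["port"] for e in events.values()
                   if e["port"] < limit and (e["success"] or not successful_only)})


def who_touched(events, port):
    """(serial, syscall, comm, pid) for every event on the given port."""
    return sorted((s, e["syscall"], e["comm"], e["pid"])
                  for s, e in events.items() if e["port"] == port)


def serial_gaps(text):
    """(last_seen, next_seen, missing) for each jump in the serial sequence.

    The kernel hands out serials sequentially, so on an UNFILTERED search
    (no -p/-k/-ts) a jump means events were lost: dropped on the backlog or
    deleted when auditd rotated the file. On a filtered search gaps are
    expected and mean nothing."""
    serials = sorted({serial for _t, serial, _b in parse_records(text)})
    return [(a, b, b - a - 1) for a, b in zip(serials, serials[1:]) if b - a > 1]


# Constructed sample. Serial 11040116 is the bind event quoted in the thread
# (auid=unset stands in for the redacted value); the a.out events, pid 5502
# and the jump to 11040125 are invented.
SAMPLE = """\
----
type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10 a3=0x0 items=0 ppid=21752 pid=21753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
----
type=SOCKADDR msg=audit(12/19/2017 13:27:40.101:11040117) : saddr=inet host:127.0.0.1 serv:22
type=SYSCALL msg=audit(12/19/2017 13:27:40.101:11040117) : arch=x86_64 syscall=connect success=yes exit=0 a0=0x3 a1=0x7ffd0e3c1e30 a2=0x10 a3=0x0 items=0 ppid=5501 pid=5502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=a.out exe=/tmp/a.out subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CONNECT
----
type=SOCKADDR msg=audit(12/19/2017 13:27:40.102:11040118) : saddr=inet host:127.0.0.1 serv:23
type=SYSCALL msg=audit(12/19/2017 13:27:40.102:11040118) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x3 a1=0x7ffd0e3c1e30 a2=0x10 a3=0x0 items=0 ppid=5501 pid=5502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=a.out exe=/tmp/a.out subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CONNECT
----
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:11040125) : saddr=inet host:127.0.0.1 serv:65535
type=SYSCALL msg=audit(12/19/2017 13:27:52.377:11040125) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x3 a1=0x7ffd0e3c1e30 a2=0x10 a3=0x0 items=0 ppid=5501 pid=5502 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=225 comm=a.out exe=/tmp/a.out subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=CONNECT
"""

if __name__ == "__main__":
    # usage: ausearch -i > capture.log && python3 audit_ports.py capture.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    ev = socket_events(text)
    print("low ports reached:", ports_below(ev))
    for port in ports_below(ev, successful_only=False):
        print(port, who_touched(ev, port))
    for a, b, n in serial_gaps(text):
        print(f"serial jump {a} -> {b}: {n} events missing")
```

On a real capture, run it over the output of an unfiltered `ausearch -i` rather than one narrowed with `-p` as in the thread: the pid filter throws away every other process's serials, so serial_gaps() would report gaps that mean nothing. On the full log, a jump between consecutive serials is the signature of the ROTATE problem found above, and the size of the jump tells you how many events the rotation (or a backlog overflow) cost.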