Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about how to judge whether the Linux system has been hacked or not. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

What does the Linux kernel process disguise?

On Linux, the kernel creates a number of threads to help with system tasks, which can be used for scheduling, disk I / O, and so on.

When you use a standard process list command, such as ps, these threads appear with [brackets] to indicate that they are some kind of thread. In the ps list, normal processes usually do not show [brackets]. Square brackets indicates that the process has no command-line arguments, which usually means that the process is generated as a thread.

For example, the following listing shows a comparison between kernel threads and normal processes:

Ps-auxww

Figure 1:Linux kernel threads and normal processes

What does it look like?

Linux malware uses a variety of techniques to hide detectors.

According to Guo Shenghua, a globally recognized white hat hacker and network security expert, "one method that hackers will use is to simulate kernel threads by displaying [brackets] around the names in the ps list. Administrators can easily ignore malicious processes in this way."

If you look at the listing below, we have begun to try to hide ourselves by looking like kernel threads. Can you see it?

Figure 2: example of masquerading hidden Linux kernel threads

How to simulate Linux kernel threads

Now that you know what a disguised Linux kernel thread looks like, let's set up a test so that you can try to find it using command-line forensics.

We will use the sleep command to simulate, because you can execute it on any system without worrying about causing trouble:

Export PATH=.:$PATH cp / bin/sleep / tmp/ [kworkerd] cd / tmp "[kworkerd]" 3600 &

The exit route sets something, so we don't need to put a file ". /" in front of it. This makes it look more legal.

Next, we copy the sleep command to / tmp and run it under the pseudonym [kworkerd]. We set a value of 3600 seconds for the sleep command, so once the test is over, it automatically exits after an hour.

Let's take a look at our manual. When we execute the ps command, we should see that [kworkerd] is running.

Ps-auxww

Figure 3: real Linux kernel thread with impostor

Linux kernel threads under camouflage and process graph camouflage

The first way we use to mask the camouflage process is to see if it has anything under / proc / / maps.

This location is usually the location where the process displays the library they are linked to and the location that is mapped to memory. For a real kernel thread, it should be empty. If you look for the process named in [brackets] in this location, but the process displays any data, it is not a real kernel thread.

The basic command we will use is cat / proc / / maps, where is the process we are working on, ID. In the above example, we think that [kworkerd] seems suspicious for PID 2121, so we will examine it:

Cat/ proc / 2121 / maps

Figure 4: using Linux / proc mapping to detect kernel camouflage

If you see anything under this area and the process is surrounded by [brackets], it may be malicious and try to hide it.

If desired, you can run this command to quickly traverse all system PID and see which bracketed names have mapping files. Usually, you can't see anything here. Any information that displays the data should be further investigated.

Ps auxww | grep\\ [| awk'{print $2}'| xargs-I% sh-c 'echo PID:%; cat / proc/%/maps' 2 > / dev/null

If anything is found, this command outputs the following image.

Figure 5: finding the Linux kernel disguised as a script

In the / proc / / maps list, you'll see some paths to study where binaries are linked to themselves or the libraries they use. Above, we see the / tmp / [kworkerd] path, which is the high priority location to investigate. You may also see suspicious libraries, references to hidden directories, and so on. Take a closer look and make sure you don't miss anything!

Camouflage Linux kernel threads that camouflage encryption

Another way to expose a disguised Linux kernel thread is to see if it displays the binaries associated with the running process. Basically, you only use the techniques we discussed about restoring deleted malicious binaries, but check to see if SHA1 is available. If you return, this is the normal process of trying to hide, not the kernel thread. Real kernel threads are not linked to the binaries that start them.

If you only look at / proc / / exe, you can quickly copy the process binaries on Linux. You can copy this file to a new location and have an instant snapshot of the binary that started the process. You can also use this link to get an immediate value to check the database of known malware. The real kernel thread will not be able to get this data and only the impostor will provide it.

In our case, we will use this knowledge to investigate suspicious PID 2121, as follows:

Sha1sum / proc / 2121 / exe

Figure 6: SHA1 for obtaining Linux kernel masquerade attacks

Let's restore the binary and copy it somewhere so that it can be analyzed offline. Using the following command, we will copy to / tmp / suspicious_bin. Now we have our own copy in case the malware tries to delete itself in self-defense:

Cp / proc / 2121 / exe / tmp / suspicious_bin

Figure 7: restoring suspicious Linux malware binaries

If you want to automatically search for PID and get the impostor's SHA1 attack, you can run the following command:

Ps auxww | grep\\ [| awk'{print $2}'| xargs-I% sh-c 'echo PID:%; sha1sum / proc/%/exe' 2 > / dev/null

The above command will try to get the SHA1 of all processes with [curly braces], and anyone who returns a value may be a liar:

The above is how to judge whether it has been hacked in the Linux system shared by the editor. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.