-- Leo's gemini proxy

-- Connecting to gemlog.blue:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini

While I already explained about monitoring important files, there are some other things to take into consideration. Several known Linux threats use tricks and vulnerabilities that require using specific commands. While some of them can be used legitimally (downloading some resources, reading others...) there are some that are nevertheless suspicious. But, what does it mean suspicious?


It means when the command...

- Tries to delete critical resources

- Tries to disable a firewall

- Tries to disable critical things

- Tries different passwords in a very short time


And more. It kind of depends on the threat, which at the same time, evolves. It doesn't evolve on it's own, but attackers are constantly improving their techniques in order to get to their victims. If you are curious about this you can check MITRE techniques and read about the most commonly used strategies attackers use: https://attack.mitre.org/techniques/enterprise/


In any case keep track of commands is also interesting and can throw light about what's going on in our system. For that we are going to use `sysdig`, a terminal tool that allow us to investigate further what's going on in our system. First of all, let's unstall the tool. As ecplained here (https://proxy.vulpes.one/gemini/gemlog.blue/users/alien/1649863071.gmi) we will use `apt` to download new things. So:

sudo apt install sysdig

This way we will install the tool in our system. There are so many ways to use it, but we will be trying "in time" monitoring, to see it clearly. In order to make you feel better, I recommend to do the next steps in two different terminals. Don't worry! later on we will be using a convenient script. Right now it's just explanatory. In the first terminal, write the following:

sudo sysdig -c spy_users -A &

FYI:

sudo is for root permission.

sysdis is the tool.

-c spy_user is the mode for in-time monitoring

-A is a way of creating a readable input

& is to execute in the background, allowing us to use the terminal. You can remove this one if you want, since we are using a couple of terminals.


In the other terminal write random commands such as:


- ls

- echo hello there!

- clear

- echo this is a test


Which respectively will: list all the files and folders, print in the terminal "hello there!", clear the terminal (don't worry you didn't delete anything, just cleared the view), and print in the terminal "this is a test". You will see, averytime you write some command, the first terminal keeps poping up information. This is the info Iḿ talking about we are interested in. Once you want it to stop, in the second terminal write:

ps aux | grep syslog

In which:

- ps aux will sort all the active processes.

- | allows you to perform an extra action using the output of the first command. If you don't get it, take a look at this infographic (SOON).

- grep will search for a character or a word or anything.

- syslog is the name of the process you want to look for.


Now, you will see something like:


root     19312  0.0  0.0  96804  4472 pts/0    S    18:02   0:00 sudo sysdig -c spy_users -A

One or more sentences like this. This might look scary but you are only interested about the first number that appears in each sentence, in this case "19312". This is like an ID number given to that specific process. It's like in the groceries when they give you a line number. If you see something like this:


root     19312  0.0  0.0  96804  4472 pts/0    S    18:02   0:00 sudo sysdig -c spy_users -A
root     19318  6.4  0.1 287852 26564 pts/0    R    18:02   0:02 sysdig -c spy_users -A
alien    19859  0.0  0.0  41328  1044 pts/8    S+   18:03   0:00 grep --color=auto sysdig

You are only interested in "19312" and "19318". Why am I not interested in the last one, "19859"? because that's the ID number (called PID) for the last command we used (`ps aux | grep syslog`) and we are not looking for that. Any way in order to terminate those, all we have to do is... kill them! yeah, the command is exactly like that:


sudo kill -9 <PID>

This will terminate the process. In my case I would want to do:


sudo kill -9 19312
sudo kill -9 19318

And done. All we did until now was to check how `sysdig` works in the background and learn how to kill a command. But worry not, I know this is a lot info to keep at once, so I created a script here (https://git.sr.ht/~alienagain/gigur/tree/master/item/monitoring/commands/check2.sh) to help you out. If you downloaded the folder already (https://proxy.vulpes.one/gemini/gemlog.blue/users/alien/1649863071.gmi), all you have to do is go to monitoring -> commands. Like this:


cd monitoring; cd commands

In this case I use `;`. This allow me to write two consecutive commands in a single line. I could have write it in separate lines! Or I could have done:

cd monitoring/commands

To go directly to the folder. Nevertheless in that folder you fill find a couple of scripts, we are going to use `check2.sh`. First of all let's give permissions to it:

chmod u+x check2.sh

Now, we can execute. In one terminal write:


./check2.sh

It will ask for the number of seconds you want to monitor, so let's try 20 seconds, we only have to write "20" when it asks.

How many seconds do you want to monitor?

> 20

In the other terminal write random commands, as before. Maybe try "ls", "echo hello", "clear", "cat file" ...


After 20 seconds the script will finish monitoring and it will produce a log with the commands ls, cat, echo, clear, which are the ones that are set to monitor and save. The log is called simply "logs", you can see its content if you send the command "cat logs" while on the folder where the document is.


If you are curious you can read the contents of the script, is commented so you can follow what it does.


Why is this useful? In this case we are only storing basic commands to check how it works. But we could monitor suspicious commands. For example, Mirai is a pretty common threat for Linux, it's what is called a "botnet". It takes part of your computer processing capabilities and use it to support attacks remotely, sometimes even without the user noticing. This is not a particularly rare or complex malware, itś found even in IoT devices using OpenWRT operating system, which is Linux based. This threat evolves but ususally relies on commands for basic stuff, such as deleting critical resources. Therefore we could change this code in order to monitor that, instead of "echo", "clear", "cat" or "cd". How?


In the script, line 28 to 31, where the commands are, you can change it to monitor the commands you want. Imagine you want to monitor:


rm -rf /tmp/

Which is an actual command attempt from some Mirai samples. In this case, rm means "delete", -rf means "folder or file", /tmp/ is the path. So you are literally saying "remove the path called /tmp/ and all its content". So, in this case I would go to line 28 in the script:


strings myraw | grep string:ls >> logs

And change it to:


strings myraw | grep "string:rm -rf /tmp/" >> logs

This way instead of monitoring "ls" (list files in a folder), it's monitoring the suspicious command. There are other ways of monitoring interesting commands, such as:

strings myraw | grep string:rm | grep /tmp/ >> logs

Which ignores the part of -rf, and only take into consideration if the sentence starts with rm and contains /tmp/. "grep" command is used to filter contents and keep only the lines that contains what you are looking for, and you can use "|" to concatenate more than one "grep" commands. But that's optional! you can use the first example above and it would be more than good.

-- Response ended

-- Page fetched on Thu May 9 18:45:36 2024