Detecting Malicious Processes in Linux

Warnings:

  • Be sure you are satisfied with your backups before you make any changes to your server.
  • Modifying any part of a server with administrative access may cause services to fail or the system itself to become unbootable.  Only experienced and authorized administrators should perform any steps outlined in this guide.
  • It is very possible that the utilities on the server that one might use in this guide (such as 'ps', 'ls', lsof', 'netstat', etc.) have been replaced by hacked versions and might hide information vital to locating the malicious processes you are trying to find.

Netstat:

One of the main functions of the ‘netstat’ utility is to show all the network connections currently in.  To find all the current network connections currently in use with port numbers only instead of names execute the following command with root privileges:

# netstat –an

Lsof:

  • Example for IRC traffic:

Since a common symptom of botnet activity is the use of IRC to communicate with the command and control server one might see ports in use in the range of 6660-7000.

The lsof utility is an incredibly useful tool in finding unusual activity because it can help you find the relationship between an open network port and an actual file on the computer’s disk. 

First we must find the process ID (pid) responsible for the suspicious network connection.  Lets assume that the netstat command shows a network connection going out to TCP port 6667 on another server.  The following command (executed with root permissions) will show what processes are responsible for that network connection.  Please note the intentional use of the colon before the port number.

# lsof –RPni :6667

The process ID (pid) is in the second column beside each connection using the given port.  The user the process is running as is also very useful information.  If the user is not “root” then it’s likely that the server was not completely compromised and repairing the issue will not require a full reinstallation of the operating system.  If the process is running as “root” however there may be a very serious issue with the server and it shouldn’t be trusted further.  A full reinstallation of the server is not only recommended but should be considered a requirement in that case.

To find what files are being used for that process one may execute the following command with root privileges while substituting <pid> for the process ID discovered earlier:

# lsof –Pnp <pid>

Not only could you use ‘kill’ to stop the process responsible but you also have a list of files involved that may require deletion. Use extreme causing when deleting related files since some might be legitimate parts of the operating system simply being used by the malicious process.   Files that one might want to disable with ‘chmod’ or rename will be ones located within /dev/shm, /tmp, /var/tmp, /home/…, or other areas were system files do not reside. The lines of output from the 'lsof' command with "cwd" and "txt" under the "FD" column are the biggest clues here.

After stopping and disabling the files involved one must check to make sure it will not be re-executed.  Changing the permissions will help but is not always the solution.  Checking for and disabling/removing malicious startup scripts in /etc/init.d/ as well as the crontab (usually that of the user the process was running as) is very important so the process does not start again upon reboot or at a certain time of day.

  • Example for outbound hostile ssh traffic

In some cases, a compromised account is exploited by a malicious person or a botnet to run ssh bruteforce program. The same process can be also used to locate which account is generating this outbound hostile ssh traffic, and where the malicious file is located.

# lsof –RPni :22
# lsof –Pnp <pid>

Once the compromised account has been located, it is important to inspect that account content and logs to clean

  • Show all active connections:
# lsof –Pni

 

Detecting Malicious Processes in Windows

Warnings:

  • Be sure you are satisfied with your backups before you make any changes to your server.
  • Modifying any part of a server with administrative access may cause services to fail or the system itself to become unbootable.  Only experienced and authorized administrators should perform any steps outlined in this guide.

Netstat:

The ‘netstat’ utility available in Windows cmd prompt shows all the network connections currently in.  To find all the current network connections currently in use, execute the following command as Administrator:

# netstat /ano

Third party tools:

The use of common antivirus tools in Windows will rarely detect botnet activity because upon establishing the botnet membership certain modifications are made to hide the processes from those tools.  For this reason it is better to detect the behaviour that is symptomatic of botnet activity and work backwards to find the processes and files responsible.  There are several tools that can help with this.

Please see the documentation from the vendor of the tool you’ve chosen on how it is used.  The list above is by no means a comprehensive list and we do not specifically endorse their use.

Have more questions? Submit a request

0 Comments

Article is closed for comments.
Powered by Zendesk