Host Security

Lesson 11: Finding modified and sticky files
Objective: Check for files that may have been modified by the intruder

Finding modified and sticky files on Red Hat Linux

If your system has been compromised, or if you think it might have been, you should immediately check for files that may have been modified by the intruder. The intruder may have changed files in an extremely subtle way to install a backdoor so they can break into the system again. For example, the intruder might alter a standard script so that a particular parameter opens a backdoor, or simply set the set-user-ID bit on a vulnerable program so that it runs with the privileges of its owner (typically root) rather than those of the caller, and use it later to break root. This lesson follows an older habit of calling set-user-ID and set-group-ID files "sticky"; strictly, the sticky bit is the separate mode bit 1000, and the bits searched for below are 4000 (set-user-ID) and 2000 (set-group-ID). The find command is an extremely useful utility for finding such changes. Two caveats apply on a host you believe is compromised: a rootkit may have replaced find, ls and the shell itself, so run these checks with a known-good binary set (for example from a rescue disk) and cross-check the results with rpm -Va; and an intruder can backdate a file's modification time with touch, so search on change time (-ctime) as well as on modification time (-mtime).
  • find command: The find command locates files under the specified path or paths that match the criteria given by its options. The following table shows the usages of find relevant to this lesson.

Command                                    Description
find <paths> -mtime -N -ls                 Contents modified within the past N*24 hours
find <paths> -ctime -N -ls                 Inode changed (permissions, owner, or contents) within the past N*24 hours; catches a chmod that set a set-user-ID bit even when the modification time was backdated
find <paths> -perm /6000 -ls               Set-user-ID or set-group-ID files (either bit set). Note that -perm -6000 matches only files with both bits set; older GNU find spelled the either-bit test -perm +6000
find <paths> -perm /6000 -ctime -N -ls     Set-user-ID or set-group-ID files whose inode changed within the past N*24 hours

The following diagram demonstrates the use of the find command, here find /etc -mtime -1 -ls:
  1. find: the command
  2. /etc: the user-specified path (one or more may be given) that will be searched for modified files
  3. -mtime: the option that selects files modified within a user-specified number of days
  4. -1: the number of days specified by the user; -1 means less than one day (24 hours) ago
  5. -ls: an option requesting a long listing with additional information about each matching file
  6. /etc/passwd: the output; in this example it is the only file under /etc that has been modified in the past 24 hours

You should have some idea when the break-in may have occurred, so use the find command to search for file modifications within the timeframe you believe the attack took place. For example, the following finds all files in the /etc, /sbin, and /usr/sbin directories whose contents have been modified within the past 48 hours:
find /etc /sbin /usr/sbin -mtime -2 -ls
Repeat the search with -ctime -2 in place of -mtime -2: the modification time can be reset by the intruder with touch, but the inode change time cannot be altered without also changing the system clock.

Because set-user-ID and set-group-ID ("sticky") files are a particular security hazard, you may wish to look specifically for all of them on your filesystem. The following table shows find command lines that search for such files.
Command                                          Description
find /etc /sbin /usr/sbin -perm /6000 -ctime -1 -ls   Finds all set-user-ID or set-group-ID files in the requested directories whose inode changed within the past 24 hours, with a long listing
find / -perm /6000                               Finds all set-user-ID or set-group-ID files on your filesystem
find / -perm /6000 -ctime -2                     Finds all set-user-ID or set-group-ID files on your filesystem whose attributes or contents have changed within the past 48 hours
Note that -perm -6000, the form used in the transcript further down, matches only files that have both bits set and therefore misses set-user-ID-only binaries such as /bin/su; -perm /6000 (or -perm +6000 on older GNU find) matches either bit.
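The two kinds of search above (contents changed within a time window, and set-user-ID/set-group-ID files with or without a recent change time) are combined below into one small script. This is an added example, not code from the original lesson; the function names, the constructed directory tree it runs against and the baseline file are assumptions made for illustration, and it goes a little beyond the tables by pruning /proc and /sys, by contrasting -perm /6000 (either bit) with -perm -6000 (both bits, the form used in the transcript further down), by showing that a backdated modification time does not fool a -ctime search, and by diffing the current set-user-ID inventory against a saved baseline.

```sh
#!/bin/sh
# Added example, not code from the original lesson. The function names, the
# constructed directory tree and the baseline file are assumptions made here;
# the only real interfaces used are GNU find(1) options and coreutils.

# Files under the given paths whose CONTENTS changed less than DAYS*24 hours
# ago (-mtime -N). /proc and /sys are pruned so find neither wades through
# them nor prints "Permission denied" noise.
find_modified() {            # usage: find_modified DAYS PATH...
    days=$1; shift
    find "$@" \( -path /proc -o -path /sys \) -prune -o \
         -type f -mtime -"$days" -print
}

# Files whose INODE changed less than DAYS*24 hours ago (-ctime -N): a chmod,
# chown or write. touch(1) can backdate mtime, but every touch or chmod
# sets ctime to "now", so an intruder's backdated file still shows up here.
find_ctime_changed() {       # usage: find_ctime_changed DAYS PATH...
    days=$1; shift
    find "$@" \( -path /proc -o -path /sys \) -prune -o \
         -type f -ctime -"$days" -print
}

# set-user-ID OR set-group-ID files: -perm /6000 matches if EITHER bit is
# set, which is the test you want when hunting for backdoors.
find_setuid_setgid() {       # usage: find_setuid_setgid PATH...
    find "$@" \( -path /proc -o -path /sys \) -prune -o \
         -type f -perm /6000 -print
}

# Files with BOTH bits set. This is what -perm -6000 (the form in the
# lesson's transcript) really tests, so it misses a plain setuid-root
# binary; kept here only to show the difference.
find_setuid_and_setgid() {   # usage: find_setuid_and_setgid PATH...
    find "$@" \( -path /proc -o -path /sys \) -prune -o \
         -type f -perm -6000 -print
}

# Save the sorted setuid/setgid inventory as a baseline for later comparison.
save_setuid_baseline() {     # usage: save_setuid_baseline FILE PATH...
    out=$1; shift
    find_setuid_setgid "$@" | sort > "$out"
}

# Diff the current inventory against a baseline. Prints NEW: lines
# (candidate backdoors) and REMOVED: lines; returns 1 if anything differs.
compare_setuid_baseline() {  # usage: compare_setuid_baseline FILE PATH...
    base=$1; shift
    cur=$(mktemp)
    find_setuid_setgid "$@" | sort > "$cur"
    comm -13 "$base" "$cur" | sed 's/^/NEW:     /'
    comm -23 "$base" "$cur" | sed 's/^/REMOVED: /'
    if cmp -s "$base" "$cur"; then rc=0; else rc=1; fi
    rm -f "$cur"
    return $rc
}

# ---- constructed demonstration tree (an assumption, not a real system) ----
DEMO_TREE=$(mktemp -d)
BASELINE=$(mktemp)
trap 'rm -rf "$DEMO_TREE" "$BASELINE"' EXIT
mkdir -p "$DEMO_TREE/etc" "$DEMO_TREE/bin"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$DEMO_TREE/etc/passwd"
printf '#!/bin/sh\necho plain\n' > "$DEMO_TREE/bin/normal"
printf '#!/bin/sh\nid\n'   > "$DEMO_TREE/bin/su_like";   chmod 4755 "$DEMO_TREE/bin/su_like"
printf '#!/bin/sh\nwho\n'  > "$DEMO_TREE/bin/wall_like"; chmod 2755 "$DEMO_TREE/bin/wall_like"
printf '#!/bin/sh\ndump\n' > "$DEMO_TREE/bin/dump_like"; chmod 6755 "$DEMO_TREE/bin/dump_like"

# Baseline taken while the tree is still clean.
save_setuid_baseline "$BASELINE" "$DEMO_TREE"

# The "intruder" drops a setuid shell and backdates its mtime to the year 2000.
printf '#!/bin/sh\nexec /bin/sh\n' > "$DEMO_TREE/bin/backdoor"
chmod 4755 "$DEMO_TREE/bin/backdoor"
touch -t 200001010000 "$DEMO_TREE/bin/backdoor"

echo "== contents modified in the last 24h (backdoor hidden by its fake mtime)"
find_modified 1 "$DEMO_TREE"
echo "== inode changed in the last 24h (backdoor shows up)"
find_ctime_changed 1 "$DEMO_TREE"
echo "== -perm /6000, either bit";  find_setuid_setgid "$DEMO_TREE"
echo "== -perm -6000, both bits";   find_setuid_and_setgid "$DEMO_TREE"
echo "== baseline comparison"
compare_setuid_baseline "$BASELINE" "$DEMO_TREE" || echo "setuid/setgid inventory has changed"
```

Run it with sh; on a real host replace the constructed tree with /etc /sbin /usr/sbin (or /), take the baseline from a system known to be clean, and keep that baseline on read-only media so the intruder cannot edit it to match their changes.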

For more information, consult the man pages using the command man find.
The next lesson describes the cron facility.

The following section discusses potentially cracked or abused files.

Modified and sticky files

How to find various, potentially cracked or abused files. On Red Hat Enterprise Linux, information about user accounts and groups is stored in several text files within the /etc/ directory. When a system administrator creates new user accounts, these files must either be edited manually or applications must be used to make the necessary changes, so an unexpected modification time on one of them is worth investigating. The following screen illustrates the results of two searches: recently modified files under /var/log, and set-user-ID/set-group-ID binaries across the whole filesystem.
[root@localhost /root]# find /var/log -mtime -1 -ls
12071   33 -rw-------   1 root root   32756 Jul 18 04:02 /var/log/messages
12053    2 -rw-------   1 root root    1141 Jul 18 04:02 /var/log/maillog
12080  131 -rw-rw-r--   1 root utmp 132864 Jul 17 18:15 /var/log/wtmp
12100    1 -rw-------   1 root root     0 Jul 18 04:02 /var/log/secure
12101   18 -rw-------   1 root root    1007 Jul 18 15:50 /var/log/cron

[root@localhost /root]# find / -perm -6000
/usr/bin/lpq
/usr/bin/lpr
/usr/bin/lprm
/usr/bin/procmail
/usr/bin/cu
/usr/bin/uname
/usr/bin/sendmail
/usr/bin/uucico
/usr/bin/uuxqt
find: /proc/6/fd: Permission denied
/sbin/dump
/sbin/restore
[root@localhost /root]#

Analysis:
  1. First command:
    • find /var/log -mtime -1 -ls:
      • Lists files in the /var/log directory whose contents were modified within the last 24 hours (-mtime -1).
      • The -ls output gives, for each match, the inode number, size in blocks, permissions, link count, owner, group, size in bytes, modification date, and path. Log files change constantly, so this search mainly shows the output format; the 04:02 timestamps on several files and the empty /var/log/secure are what a nightly log rotation leaves behind, whereas an empty or truncated security log outside that pattern would suggest an intruder cleaning up.
  2. Second command:
    • find / -perm -6000:
      • Finds files across the whole filesystem with specific permission bits set. -perm -6000 matches only files that have both the set-user-ID and set-group-ID bits enabled, which is why set-user-ID-only binaries such as /bin/su and /usr/bin/passwd are absent from the listing; use -perm /6000 (either bit) for a complete inventory.
      • The command prints the path of each match but reports "Permission denied" when descending into /proc/6/fd. On older kernels the fd directory of certain kernel threads cannot be read even by root; this is harmless noise, and can be avoided by pruning /proc (find / -path /proc -prune -o -perm /6000 -print) or by discarding stderr with 2>/dev/null.
      • Compare the listing against a baseline taken when the system was known to be clean; any set-user-ID file that is new, or whose change time is recent, deserves close inspection.