Monthly Archives: January 2014

Fast easy Linux Monitoring with Bash

When it comes to security on a large scale it is usually necessary to setup IDS/IPS to monitor network traffic. But what happens if the attacker already has backdoors installed on your Linux box? The following script will take care of just that, giving the admin a bird’s eye view of what is currently going on, on his system.

This script monitors network traffic, system changes, recent and current logins, user permissions, command aliases, and cronjobs.

[code language=”bash”]
if [ $(whoami) != "root" ];then
echo "THIS SCRIPT MUST BE RUN AS ROOT!"
exit
fi

find / -name .bashrc > temp4 &
md5sum /etc/passwd /etc/group /etc/profile md5sum /etc/sudoers /etc/hosts /etc/ssh/ssh_config /etc/ssh/sshd_config > temp2
ls -a /etc/ /usr/ /sys/ /home/ /bin/ /etc/ssh/ >> temp2
while true;
do
netstat -n -A inet | grep ESTABLISHED > temp
outgoing_ftp=$(cat temp | cut -d ‘:’ -f2 | grep "^21" | wc -l)
incoming_ftp=$(cat temp | cut -d ‘:’ -f3 | grep "^21" | wc -l)

outgoing_ssh=$(cat temp | cut -d ‘:’ -f2 | grep "^22" | wc -l)
incoming_ssh=$(cat temp | cut -d ‘:’ -f3 | grep "^22" | wc -l)

outgoing_telnet=$(cat temp | cut -d ‘:’ -f2 | grep "^23" | wc -l)
incoming_telnet=$(cat temp | cut -d ‘:’ -f3 | grep "^23" | wc -l)

echo "ACTIVE NETWORK CONNECTIONS:"
echo "—————————"
if [ $outgoing_telnet -gt 0 ]; then
echo $outgoing_telnet successful outgoing telnet connection.
fi

if [ $incoming_telnet -gt 0 ]; then
echo $incoming_telnet successful incoming telnet session.
fi

if [ $outgoing_ssh -gt 0 ]; then
echo $outgoing_ssh successful outgoing ssh connection.
fi

if [ $incoming_ssh -gt 0 ]; then
echo $incoming_ssh successful incoming ssh session.
fi

if [ $outgoing_ftp -gt 0 ]; then
echo $outgoing_ftp successful outgoing ftp connection.
fi

if [ $incoming_ftp -gt 0 ]; then
echo $incoming_ftp successful incoming ftp session.
fi

if [ $incoming_ftp -gt 0 ]; then
echo $incoming_ftp successful incoming ftp session.
fi
cat temp
sleep 5
clear

echo "CURRENT LOGIN SESSIONS:"
echo "———————–"
w
echo
echo "RECENT LOGIN SESSIONS:"
echo "———————-"
last | head -n5
sleep 5
clear

sleepingProcs=$(pstree | grep sleep)
if [[ ! -z "$sleepingProcs" ]];then
echo "SLEEP PROCESSES:"
echo "—————-"
sleep 5
clear
fi

#Check for changes to important files.

md5sum /etc/passwd /etc/group /etc/profile md5sum /etc/sudoers /etc/hosts /etc/ssh/ssh_config /etc/ssh/sshd_config > temp3
ls -a /etc/ /usr/ /sys/ /home/ /bin/ /etc/ssh/ >> temp3
fileChanges=$(diff temp2 temp3)
if [[ ! -z "$fileChanges" ]];then
echo CHANGE TRACKER:
echo -e "\n"
echo "$fileChanges"
sleep 5
clear
fi

echo "CRON JOBS:"
echo "Found Cronjobs for the following users:"
echo "—————————————"
ls /var/spool/cron/crontabs
echo
echo "Cronjobs in cron.d:"
echo "——————-"
ls /etc/cron.d/
sleep 5
clear

echo "ALIASES:"
echo "——–"
alias
echo
echo ".BASHRC LOCATIONS:"
echo "——————"
cat temp4 | while read line
do
echo $line
done
sleep 5
clear

echo "USERS ABLE TO LOGIN:"
echo "——————–"
grep -v -e "/bin/false" -e "/sbin/nologin" /etc/passwd | cut -d ‘:’ -f1
sleep 5
clear

echo "CURRENT PROCESS TREE:"
echo "———————"
pstree
sleep 7
clear
done

[/code]

~Jamin Becker

Linksys & Netgear Backdoor by the Numbers

If you’d like to just skip to the data, feel free to scroll on down. Research is not endorsed or attributable to $DayJob 🙂

After reading Rick Lawshae’s post on Hunting Botnets with ZMAP, I started wondering what types of cool things ZMAP can be used for. It wasn’t but a day or two later that something fell into my hands. On January first, Eloi Vanderbeken posted his findings on a backdoor that listens on TCP port 32764. The backdoor appears to affect older versions of Netgear and Linksys routers but some users are also reporting that other brands are also affected by the backdoor. Eloi was also able to write a python script that had the ability to check for the vulnerability among other functions. To get more info on the backdoor and how Eloi discovered it, you can check it out here: https://github.com/elvanderb/TCP-32764/blob/master/backdoor_description_for_those_who_don-t_like_pptx.pdf.

Once I had wrapped up my reading on his work, I got excited. I realized that I finally have a way of answering a question we usually go without knowing. Almost every couple months you hear someone say, “There’s another backdoor in XYZ product!” and that’s about when media blows up, PR statements are released, Snort sigs are written, and we all wait for the first exploits to start rolling out.

I know that I don’t speak for all but I feel like the general mindset is that when a major backdoor or ZeroDay starts to make headlines, we think that hundreds of thousands, maybe millions of users, are affected by the vulnerability. With this in mind I set out to answer the question, “How bad is it?”

Step one was to figure out how to use Zmap so I installed it on my kali VM and gave it a shot. I followed the extremely simple instructions on their webpage an in one line I had my scan configured “$ zmap –p 32764 –o OpenPorts.csv”.

I then went to my VPS provider of choice and purchased a VPS that had a gigabit connection to the intertubes . I loaded up a vanilla install of Ubuntu server 12.04 and installed Zmap. Before I launched the scan, I made sure to read the Scanning Best Practices section of the Zmap documentation which lists things such as “Conduct scans no longer than time need for research” and “Should someone ask you to cease scanning their environment, add their range to your blacklist”.

The scan took roughly 22 hours to complete. The Zmap documentation and advertising states that you can get it done in less than an hour but I think they used a cluster format plus 22 hours isn’t bad by any means. 22 hours and 13 abuse complaints later (all complaints were acknowledged and scanning was ceased), I had my list of roughly 1.5 million IP addresses that were currently had TCP port 32764 open.  1.5 million…I thought to my self “That’s a pretty big number.”

I knew that this probably wasn’t statistically accurate though because there had been no validation that the backdoor service was the service listening on those open ports. To help validate how many of our 1.5 million users were actually vulnerable, I pulled in my friend Farel (Jamin) Becker.

Using Eloi’s findings Jamin was able to write some scripts using bash and python that allowed for us to quickly check the 1.5 million hosts for the vulnerability. It did this by simply reaching out to the port and seeing if there were indicators that the service was running. No exploitation or malicious actions were taken against the vulnerable routers.  Our checking was comparable to when you try and connect to a web page.

To effectively check for the vulnerable service, Jamin’s scripts functioned by splitting the list of 1.5 million IPs into roughly 2000 different list. Then the system was able to spin up 2000 independent instances of python to perform the work. To do this, we needed a pretty beefy computer so we rented the top EC2 server we could find. Needless to say it worked beautifully and only cost about $2.40 for the hour it took to complete the validation.

This is where the real data comes in. My first thought was “Oh man, here comes the part where we get to tell the world 400,000 routers are vulnerable RIGHT NOW!” The results were actually quite surprising. It turns out that only 4,998 routers were exposed and vulnerable. Safe to say that I expected more and I feel most would too. Below is some statistical data around what Jamin and I found. Geo data was gathered by querying the Maxmind Database.

ByCountry

byISP

ByState

-Max Rogers & Jamin Becker

Tagged , ,

5,000 whois lookups in under a minute

There have been many times in my IT career I have been required to solve very specific problems. My first step to solving these problems almost always begins with the same question: “Has it been done before?” Most of the time, if the problem is specific enough the answer is a resounding, “No.”

The other day I came across the following conundrum. I was asked to whois 5000 hosts in a reasonable amount of time (minutes) given a server with only one processor core and 2GB of RAM.

I ended up creating a BASH script to do the following:

1. Break down the huge text file into smaller text files each containing only a few IPs.

2. Spin up a separate process for each of these text files to do the whois lookups.

[code language=”bash”]
#!/bin/bash
#Super fast whois lookup – Jamin B
echo Enter the file you want to read in:
read file
echo Spawn into how many threads?
read splitNumber
totalLines=`<$file wc -l` #determine the total number of lines
currentLine=0
currentFile=0
splitSize=$(($totalLines/$splitNumber))
echo Each file will contain $splitSize IPs.
rm -rf tmpdir
mkdir tmpdir
rm -rf whois
mkdir whois
cat $file | while read line
do
(( currentLine = currentLine +1))
if [ $(($currentLine%$splitSize)) == 0 ]; then
(( currentFile = currentFile + 1))
clear
echo Creating file $currentFile in tmpdir
cat /proc/meminfo | grep MemFree
fi
echo $line >> tmpdir/$currentFile
done
i=0
while [ $i -lt $splitNumber ]; do
(( i = i + 1 ))
clear
echo Spawning process for file number $i
cat tmpdir/$i | while read line
do
whois $line > whois/$line.txt &
done
done
[/code]

The result: 5000 whois reports generated in under a minute!

Screen Shot 2014-01-10 at 1.27.54 PM

-Jamin Becker