Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you get told that an intruder may have recompiled, say apache, to run a bunch of extra things, adn you want to check that, how far will ldd get you? You will be able to see if it uses any unusual libraries I expect.
However, if the the extra "things" just use libc well then, it's a very weak check, right? But what other tools are available to check in situations like that?
If you get told that an intruder may have recompiled, say apache, to run a bunch of extra things, adn you want to check that, how far will ldd get you? You will be able to see if it uses any unusual libraries I expect.
However, if the the extra "things" just use libc well then, it's a very weak check, right? But what other tools are available to check in situations like that?
lsof -p pid could be a good check.
would show all modules being used as well as ports and all files being used by the given pid.
strace -p pid will trace the system calls of the pid.
and snoopy will also tell you everything the httpd executable might be up to
and snoopy will also tell you everything the httpd executable might be up to
It needs to be installed and ld.preloaded before the application to be investigated is executed.
Quote:
Originally Posted by stabu
how far will ldd get you?
Like you indicated yourself: "it depends". BTW if the investigator runs code outside an isolated environment then also see some old thoughts about doing that in Compromising analysis tools.
Quote:
Originally Posted by stabu
You will be able to see if it uses any unusual libraries I expect.
In investigations expectations and assumptions are (or should be considered) pitfalls as they colour your view. First port of call however should be to log MAC data, hash the binary and compare it to a known good copy so you know it's tampered with. Do note that while examining a root-owned binary is nice it doesn't cover the more important act of somebody replacing root-owned binaries.
Quote:
Originally Posted by stabu
However, if the the extra "things" just use libc well then, it's a very weak check, right? But what other tools are available to check in situations like that?
objdump, nm, readelf, The Examiner, fakebust, strings and whatnot.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
