LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-10-2006, 12:56 PM   #1
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,605

Catching a rogue or unknown process that lasts milliseconds on an "idle system"


Goal: catching a rogue or unknown process(es) that last milliseconds on an "idle system"
Has anybody a better idea than the script below?
(I mean other than rkhunter. I mean any process, without going SEL: it is for home usage)

I was trying to do that with top and ps, but could not think of any clever way to do it.
Then I tried to overload the cpu with glxgears and yes, to slow down things. Just a daft idea.
Finally, with the script, I found that it was gkrellm outputting an alert in a konsole with no --noclose option.

Run the script in an empty directory.
It really works only if you are not creating new processes...

On my PC I could tell this was happening from time to time only (I know it is kind of normal;
I suppose these are sleeping processes)
Code:
root     13858 14159  0 17:51 ?        00:00:00 kded [kdeinit] kded
+user1    14202 20771  0 17:51 ?        00:00:00 /sbin/ip route show
+user1    14204 20771  0 17:51 ?        00:00:00 [net_applet]
+root     14309 14159  0 17:51 ?        00:00:00 [ifconfig] <defunct>
+root     14310 14159  0 17:51 ?        00:00:00 [iwconfig] <defunct>
+root     14311 14159  0 17:51 ?        00:00:00 kded [kdeinit] kded
+user1    14766 20852  0 17:51 ?        00:00:00 /sbin/route -n
Code:
#!/bin/bash
# Output ps -eaf to a series of files (until max_iter is reached or <ctrl><c>).
# A size difference between captures is indicative of odd processes.
# Handle the analysis by diff afterwards.
# version 0.0b by Emmanuel_uk

# Bug yes: survey duration is limited by duration of ps + loop + write to disk rather than rest_time_microsec
# You may want to run rm -vf basename_outputfile*; nameofscript.sh to get rid of files
# Could not implement duration_survey_second being fractional

rest_time_microsec=2000  # Between 2 outputs (must stay below 1000000)
duration_survey_second=1
basename_outputfile="test4rogue" # at least 5 chars
i=0 # file index

max_iter=$(( duration_survey_second * 1000 * 1000 / rest_time_microsec ))
echo "$max_iter ps captures will take place"
# GNU sleep accepts fractional seconds: build "0.002000" from the microsecond count
rest_time_sec="0.$(printf '%06d' "$rest_time_microsec")"
while [ "$i" -lt "$max_iter" ]; do   # stops after max_iter captures, or at ctrl-c
  i=$(( i + 1 ))
  filename=$(printf '%s%07d' "$basename_outputfile" "$i")  # zero-padded so the files sort in order
  ps -eaf > "$filename"    # Saving output to file i
  sleep "$rest_time_sec"
done
# List all the files starting with basename_outputfile, sort numerically by size, take the smallest
refsize_file=$( stat -c '%s' "$basename_outputfile"* | sort -n | head -n1 )
echo "refsize_file is $refsize_file bytes?"
# Let's get a filename which has size refsize_file (only the first matching size)
ref_filename=$( stat -c '%s %n' "$basename_outputfile"* | awk -v s="$refsize_file" '$1 == s { print $2; exit }' )
# sanity check
if [ "${ref_filename:0:4}" != "${basename_outputfile:0:4}" ]; then echo "filename error: cannot locate a ref ps output"; exit 1; fi
echo "The ref_filename is $ref_filename"
echo "These files are not the same size as $ref_filename"
stat -c '%s %n' "$basename_outputfile"* | awk -v s="$refsize_file" '$1 != s'
stat -c '%s %n' "$basename_outputfile"* | awk -v s="$refsize_file" '$1 != s { print $2 }' | while read -r line
do
  echo "--------- $line ----------"
  diff -u "$ref_filename" "$line"  # display some diff
done
exit 0

Last edited by Emmanuel_uk; 06-12-2006 at 02:15 AM.
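An added example, not the poster's script and not from the forum: the same snapshot-and-diff idea done over /proc in Python. It keys each process on (pid, starttime) so a reused PID is not mistaken for the same process, and it reports any process missing from at least one sample instead of relying on the size of the ps output. The names parse_stat, read_proc_snapshot, transient_processes, survey and SAMPLE_SNAPSHOTS are my own, and the sample snapshots are constructed, not real captures.

```python
import os
import time
from collections import Counter

def parse_stat(stat_text):
    """(ppid, comm, starttime) from /proc/<pid>/stat; comm may hold spaces, so split on the LAST ')'."""
    comm = stat_text[stat_text.index("(") + 1:stat_text.rindex(")")]
    fields = stat_text[stat_text.rindex(")") + 2:].split()  # fields[0] is stat field 3 (state)
    return int(fields[1]), comm, int(fields[19])  # ppid is field 4, starttime is field 22

def read_proc_snapshot(proc_root="/proc"):
    """One snapshot keyed on (pid, starttime): a reused PID gets a new key, not a false match."""
    snap = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/stat") as f:
                ppid, comm, starttime = parse_stat(f.read())
            with open(f"{proc_root}/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        except (OSError, ValueError, IndexError):
            continue  # it exited between listdir and open: exactly the short-lived case
        snap[(int(entry), starttime)] = (ppid, comm, cmdline or f"[{comm}]")
    return snap

def transient_processes(snapshots):
    """Keys present in some but not all snapshots -> {key: (times seen, info)}."""
    seen, info = Counter(), {}
    for snap in snapshots:
        for key, val in snap.items():
            seen[key] += 1
            info.setdefault(key, val)
    return {k: (seen[k], info[k]) for k in info if seen[k] < len(snapshots)}

def survey(duration_s=1.0, interval_s=0.002, proc_root="/proc"):  # same idea as the ps loop
    snaps, deadline = [], time.monotonic() + duration_s
    while time.monotonic() < deadline:
        snaps.append(read_proc_snapshot(proc_root))
        time.sleep(interval_s)
    return snaps
SAMPLE_SNAPSHOTS = [  # constructed, not real captures: PID 14309 is reused with a new starttime
    {(1, 0): (0, "init", "/sbin/init"), (14202, 500): (20771, "ip", "/sbin/ip route show")},
    {(1, 0): (0, "init", "/sbin/init"), (14309, 510): (14159, "ifconfig", "[ifconfig]")},
    {(1, 0): (0, "init", "/sbin/init"), (14309, 530): (14159, "route", "/sbin/route -n")},
]
if __name__ == "__main__":
    snaps = survey() if os.path.isdir("/proc") else SAMPLE_SNAPSHOTS
    for (pid, start), (n, (ppid, comm, cmd)) in sorted(transient_processes(snaps).items()):
        print(f"pid {pid} ppid {ppid} start {start}: seen in {n}/{len(snaps)} samples: {cmd}")
```

Run as root to read every process's cmdline; a process that appears in fewer samples than the run took is exactly the short-lived kind the thread is after, and its parent PID tells you what spawned it.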
 
Old 06-11-2006, 09:09 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Quote:
without going SEL
kill -6; undefined TLA encountered.


Quote:
catching a rogue or unknown process(es) that last milliseconds on an "idle system"
I'm all for using scripting to the limit but this IMHO would be something outside of that realm. I think it would be "easier" to catch a process if you go kernel level and hook into system calls. If you can get notified on exec then you could suspend, save data and continue/kill. I used to use Syscalltracker kernel modules for this (easy to write rules with) but Sct won't work on 2.6.x kernels I think (unless there's goodies in SF's CVS): maybe the Linux Trace Toolkit.
 
Old 06-11-2006, 10:08 AM   #3
Emmanuel_uk
Senior Member
 
Registered: Nov 2004
Distribution: Mandriva mostly, vector 5.1, tried many.Suse gone from HD because bad Novell/Zinblows agreement
Posts: 1,605

Original Poster
Thanks this made me laugh
Quote:
without going SEL
kill -6; undefined TLA encountered.
I meant SEL, Security-Enhanced Linux, that NASA-tweaked kernel or whatever.
It is a step removed from me, an average home user; anyhow it would be
a pain to implement in Mandriva 2005, although I read a good paper from the IBM centre
about SEL for beginners.

Quote:
I think it would be "easier" to catch a process if you go kernel level and hook into system calls.
This is the RBACS way of doing controls, is it not?
Too complicated for me at this stage, going kernel level, heuh, not today I am afraid.

Quote:
maybe the Linux Trace Toolkit.
Thanks for the suggestion
 
Old 06-11-2006, 04:42 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,359
Blog Entries: 55

Quote:
I meant SEL, Security-Enhanced Linux, that NASA-tweaked kernel or whatever.
I admit I'm an acronym addict, but I have never seen a TLA for SELinux...
BTW it's the NSA, not the folks that rather have people die than buy proper O-rings.


Quote:
This is the RBACS way of doing controls, is it not? Too complicated for me at this stage, going kernel level, heuh, not today I am afraid.
No, not RSBAC: think of it as intercepting like a rootkit LKM would. With the proper tools it wouldn't be that hard to do.