auditd and hidden ports
Yectli Huerta
2017-12-18 19:37:53 UTC
Hi,

Unhide reports that there are ports that are not being seen by ss. I
also used lsof and netstat and they don't show up.

[~] % sudo unhide-tcp
Unhide-tcp 20130526
Copyright © 2013 Yago Jesus & Patrick Gouin
License GPLv3+ : GNU GPL version 3 or later
http://www.unhide-forensics.info
Used options:
[*]Starting TCP checking

Found Hidden port that not appears in ss: 840

Found Hidden port that not appears in ss: 851
[*]Starting UDP checking
[~] %

I created auditd rules to monitor socket-related system calls:

% sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE


The problem is that when I search the log files, I don't see any
references to hidden ports 840 or 851. Below is one entry where
unhide-tcp is trying to bind to port 39781, so I know auditd is
logging entries:

type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
host:0.0.0.0 serv:39781
type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND


Do any of you have any suggestions?

thanks,

yah
Steve Grubb
2017-12-19 00:24:53 UTC
Hello,
If you got rooted, then you may not be able to trust anything. Typically they hide
processes seen by ps and files seen by ls. It might be that they use an unknown
syscall number or it's in the kernel itself. I also don't know if they jump into a
network namespace if the audit daemon will see it. It might be an innocent
explanation like that.

-Steve
Yectli Huerta
2017-12-19 20:10:53 UTC
Post by Steve Grubb
Hello,
..........
Post by Steve Grubb
If you got rooted, then you may not be able to trust anything. Typically they hide
processes seen by ps and files seen by ls. It might be that they use an unknown
syscall number or its in the kernel itself. I also don't know if they jump into a
network namespace if the audit daemon will see it. It might be an innocent
explanation like that.
-Steve
Hi,

thanks for the reply. I'm trying to narrow down the scenarios. I ran
a simple program that I found on the web and modified to check
all ports:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>        /* bzero(), bcopy() */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/*
 * from https://theredblacktree.wordpress.com/2013/09/30/how-to-check-if-a-port-is-open-or-not-in-c-unixlinux/
 * modified to try every TCP port on localhost instead of a single one
 */
int main(int argc, char *argv[])
{
    char *hostname = "localhost";

    int sockfd, i;
    struct sockaddr_in serv_addr;
    struct hostent *server;

    /* resolve the host once; the answer does not change between ports */
    server = gethostbyname(hostname);
    if (server == NULL) {
        fprintf(stderr, "ERROR, no such host\n");
        exit(1);
    }

    for (i = 1; i <= 65535; i++)
    {
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd < 0) {
            /* the original called an undefined error() helper */
            perror("ERROR opening socket");
            exit(1);
        }

        bzero((char *) &serv_addr, sizeof(serv_addr));
        serv_addr.sin_family = AF_INET;
        bcopy((char *) server->h_addr,
              (char *) &serv_addr.sin_addr.s_addr,
              server->h_length);

        serv_addr.sin_port = htons(i);
        /* a successful connect() means something is listening on port i */
        if (connect(sockfd, (struct sockaddr *) &serv_addr,
                    sizeof(serv_addr)) < 0) {
            //printf("Port is closed, %d\n", i);
        } else {
            printf("Port is active, %d\n", i);
        }

        close(sockfd);
    }
    return 0;
}


When I run it, it tells me which ports are used b/c the program can't
bind to a port:

[/tmp] % sudo autrace ./a.out
Waiting to execute: ./a.out
Port is active, 22
Port is active, 111
....

When I analyze the output
[/tmp] % sudo ausearch -i -p 5502 &> ~/tcp-bind-auditd.log

I see that a.out was able to connect to very high ports, but not lower
ports that were reported to be in use:

[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | head -n 5
serv:62653
serv:62654
serv:62655
serv:62656
serv:62657
[ ~] $ grep serv tcp-bind-auditd.log | awk {'print $NF'} | sort | tail -n 5
serv:65531
serv:65532
serv:65533
serv:65534
serv:65535
[ ~] $ grep serv:22 tcp-bind-auditd.log
[ ~] $ grep serv:111 tcp-bind-auditd.log
[ ~] $ grep serv:23 tcp-bind-auditd.log
[ ~] $

[~] $ grep 65535 tcp-bind-auditd.log
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet
host:127.0.0.1 serv:65535


Is something hiding the lower ports from auditd? Is there a way to log
all syscalls to trace what binds to the ports after a reboot? I can
reboot the server and then attempt to trace each network socket.
These rules don't seem to be enough to track network sockets:

[/tmp] % sudo auditctl -l
-a always,exit -F arch=b64 -S connect -F key=CONNECT
-a always,exit -F arch=b64 -S bind -F key=BIND
-a always,exit -F arch=b64 -S socket -F key=SOCKET
-a always,exit -F arch=b64 -S listen -F key=LISTEN
-a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
-a always,exit -F arch=b64 -S close -F key=CLOSE

The ports that appeared to be hidden are no longer showing up, so I'm
trying to figure out what is going on.

thanks

yah
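One way to do the join that the greps above only approximate, added here as an example and not code from the thread: parse the interpreted ausearch output, merge the SOCKADDR and SYSCALL records of each event by serial number, then report which expected ports have a connect() record and where the retained log actually begins. The sample records are constructed to match the format quoted in this thread; serials, pid and ports are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the `ausearch -i` format, modelled on the records quoted in
# the thread (serials, pid and ports are made up; not the original poster's data).
SAMPLE_LOG = """\
----
type=SOCKADDR msg=audit(12/19/2017 13:27:50.101:33949601) : saddr=inet host:127.0.0.1 serv:62653
type=SYSCALL msg=audit(12/19/2017 13:27:50.101:33949601) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x3 pid=5502 comm=a.out exe=/tmp/a.out key=CONNECT
----
type=SOCKADDR msg=audit(12/19/2017 13:27:52.377:33949631) : saddr=inet host:127.0.0.1 serv:65535
type=SYSCALL msg=audit(12/19/2017 13:27:52.377:33949631) : arch=x86_64 syscall=connect success=no exit=ECONNREFUSED(Connection refused) a0=0x3 pid=5502 comm=a.out exe=/tmp/a.out key=CONNECT
"""

MSG_RE = re.compile(r"msg=audit\((.+?):(\d+)\) : (.*)$")

def parse_events(text):
    """Join the SOCKADDR and SYSCALL records of one event (same serial) into one dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue                                       # "----" separators
        ev = events[int(m.group(2))]
        ev["time"] = m.group(1)
        ev.update(re.findall(r"(\w+)=(\S+)", m.group(3)))        # key=value fields
        ev.update(re.findall(r"(host|serv):(\S+)", m.group(3)))  # SOCKADDR pairs
    return dict(events)

def connect_report(events, expected_ports):
    """Ports with a retained connect() record, expected ports without one, and the
    oldest serial still on disk.  The scanner walks ports upward, so a first retained
    port far above 1 means the earlier events rotated out rather than being hidden."""
    by_port = {}
    for serial, ev in events.items():
        if ev.get("syscall") == "connect" and "serv" in ev:
            by_port.setdefault(int(ev["serv"]), []).append(serial)
    return {
        "first_port_retained": min(by_port) if by_port else None,
        "oldest_serial": min(events) if events else None,
        "missing_ports": [p for p in expected_ports if p not in by_port],
        "refused": sorted(p for p, s in by_port.items()
                          if all(events[x].get("success") == "no" for x in s)),
    }

if __name__ == "__main__":
    print(connect_report(parse_events(SAMPLE_LOG), [22, 111, 65535]))
```

On a real host, feed it the file written by `ausearch -i -p <pid>` and the port list printed by the scanner.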
Yectli Huerta
2017-12-20 21:24:54 UTC
A coworker suggested I change max_log_file_action to KEEP_LOGS
instead of ROTATE in /etc/audit/auditd.conf. This did the trick.
auditd was generating too many logs and activating log rotation. I ran
a test after the change and the lower ports that did not show up
previously showed up in the logs.

thanks,

yah
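A check for the setting the poster changed, added here as an example (not from the thread; the two config fragments are constructed, not the poster's auditd.conf): parse auditd.conf and report how much history a ROTATE configuration can hold before the oldest events are discarded, against the KEEP_LOGS alternative.

```python
# Two constructed auditd.conf fragments showing only the retention keys; the original
# poster's real configuration is not on the page.
ROTATING_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
"""
KEEPING_CONF = ROTATING_CONF.replace("ROTATE", "KEEP_LOGS")

def parse_auditd_conf(text):
    """auditd.conf is one `key = value` per line and '#' starts a comment; keys are
    normalised to lowercase here so lookups do not depend on how they were typed."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip().lower()] = val.strip()
    return conf

def retention_check(conf):
    """How much history the daemon keeps before it starts discarding events.
    ROTATE keeps at most num_logs files of max_log_file MB and drops the oldest
    file after that, which is what made the low-port records vanish in this thread;
    KEEP_LOGS never discards, so no cap applies (disk usage must then be watched)."""
    action = conf.get("max_log_file_action", "").upper()
    size_mb = int(conf.get("max_log_file", "0"))
    num_logs = int(conf.get("num_logs", "0"))
    return {
        "action": action,
        "capped_mb": size_mb * num_logs if action == "ROTATE" else None,
        "may_lose_events": action == "ROTATE",
    }

if __name__ == "__main__":
    for name, text in (("ROTATE", ROTATING_CONF), ("KEEP_LOGS", KEEPING_CONF)):
        print(name, retention_check(parse_auditd_conf(text)))
```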
