auditd and hidden ports

Steve Grubb sgrubb at redhat.com
Tue Dec 19 00:24:53 UTC 2017 

Hello,

On Monday, December 18, 2017 2:37:53 PM EST Yectli Huerta wrote:
> unhide reports that there are ports that are not being seeing by ss. i
> also used lsof and netstat and they don't show up.
> 
> [~] % sudo unhide-tcp
> Unhide-tcp 20130526
> Copyright © 2013 Yago Jesus & Patrick Gouin
> License GPLv3+ : GNU GPL version 3 or later
> http://www.unhide-forensics.info
> Used options:
> [*]Starting TCP checking
> 
> Found Hidden port that not appears in ss: 840
> 
> Found Hidden port that not appears in ss: 851
> [*]Starting UDP checking
> [~] %
> 
> i created auditd rules to monitor socket related system calls
> 
> % sudo auditctl -l
> -a always,exit -F arch=b64 -S connect -F key=CONNECT
> -a always,exit -F arch=b64 -S bind -F key=BIND
> -a always,exit -F arch=b64 -S socket -F key=SOCKET
> -a always,exit -F arch=b64 -S listen -F key=LISTEN
> -a always,exit -F arch=b64 -S shutdown -F key=SHUTDOWN
> -a always,exit -F arch=b64 -S close -F key=CLOSE
> 
> 
> the problem is that when i search the log files, i don't see any
> references to hidden ports 840 or 851. below is one entry where
> unhide-tcp is trying to bind to port 39781, so i know auditd is
> logging entries
> 
> type=SOCKADDR msg=audit(12/15/2017 16:17:32.935:11040116) : saddr=inet
> host:0.0.0.0 serv:39781
> type=SYSCALL msg=audit(12/15/2017 16:17:32.935:11040116) : arch=x86_64
> syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffc212a92f0 a2=0x10
> a3=0x0 items=0 ppid=21752 pid=21753 auid=*** uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1
> ses=225 comm=unhide-tcp exe=/usr/sbin/unhide-tcp
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=BIND
> 
> 
> do any of you have any suggestions?

If you got rooted, then you may not be able to trust anything. Typically they hide 
processes seen by ps and files seen by ls. It might be that they use an unknown 
syscall number or its in the kernel itself. I also don't know if they jump into a 
network namespace if the audit daemon will see it. It might be an innocent 
explanation like that.

-Steve

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20171218/1cbf6ccb/attachment.htm>

More information about the Linux-audit mailing list