, 13 tweets, 9 min read Read on Twitter
Let's go step-by-step and do some basic live process forensics for #Linux. Today's contestant is a bindshell backdoor waiting for a connection on Ubuntu. We saw something odd when we ran:

netstat -nalp

#DFIR #threathunting #forensics
netstat -nalp shows a process named "x7" PID with a listening port that we don't recognize. #DFIR
First thing we'll do is list out /proc/<PID> to see what is going on. Our PID is 5805:

ls -al /proc/5805

The current working directory is /tmp. The binary was in /tmp, but was deleted. A lot of exploits work out of /tmp and /dev/shm on Linux. This is a major red flag. #DFIR
Before we do anything else, we'll recover the deleted binary. As long as the process is still running, it is very easy to recover a deleted process binary on Linux:

cp /proc/<PID>/exe /destination_dir/recovered_bin

Now that we've saved the Linux binary somewhere off the system, we can recover the hashes easily. #DFIR
Let's go into our friendly /proc directory on Linux. For the PID we want to investigate we'll go to /proc/<PID> to dig around. Look at the cmdline that was used to start the malware. Some malware will cloak this data:

cat /proc/<PID>/comm
cat /proc/<PID>/cmdline

Now let's take a look at the environment. This can often reveal information about who or what started the process. Here we see the process was started with sudo by another user.

strings /proc/<PID>/environ

Now let's look at the file descriptors it has open. This can often show you hidden files and directories that the malware is using to stash things along with open sockets:

ls -al /proc/<PID>/fd

#DFIR #Linux
Another area to look into is the Linux process maps. This shows libraries the malware is using and again can show links to malicious files it is using as well.

cat /proc/<PID>/maps

#DFIR #forensics
The /proc/<PID>/stack area can sometimes reveal more details. We'll look at that like this:

cat /proc/<PID>/stack

In this case we see some network accept() calls indicating again this is a network server waiting for a connection.

#linux #DFIR
Finally for now, let's look at /proc/<PID>/status for overall process details. This can reveal parent PIDs, etc.

cat /proc/<PID>/status

Those are some basics of Linux live process analysis. The big thing is this: Don't kill a suspicious process until you have investigated what it is doing. If you kill it out of panic, then you can lose and destroy a lot of useful information.

#DFIR #Linux #malware
I have created a Linux command line cheatsheet to help you look for these and other artifacts here:


#DFIR #threathunting #linux #malware
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Craig H. Rowland
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!