I previously wrote about two well-known general-purpose security scanners, rkhunter and CentOS.
Habr also has a description of how to set up the maldet scanner for web hosting. Now I would like to look at Antidoto, an application for heuristic detection of vulnerabilities, viruses and botnets on OpenVZ Linux systems.

Despite its Italian-sounding name, this open project is the brainchild of the Russian-speaking developer Pavel Odintsov (pavelodintsov). It is open source and hosted on GitHub. One of the reasons for creating this scanner, and the feature that clearly sets it apart from the rest, is scanning the memory of the running system to detect running malicious software.
It is declared to work on all popular modern Linux distributions: CentOS 5-6, Debian 5-7, Ubuntu 10-14. In general it should work on other distributions as well, since the project is written in Perl.
Let us consider what Antidoto can do.
- Search for non-empty files and directories with strange names (spaces, dots) in publicly writable directories (/tmp, /var/tmp)
- Search for non-empty scheduler (cron) task files belonging to the apache and www-data users (/var/spool/crontabs, /var/spool/cron)
- Notification when the files holding recent login information are missing (/var/log/btmp, /var/log/wtmp)
- Search for processes whose executable files are missing from disk
- Detection of popular malware in memory by md5 hashes
- Detection of suspicious software by the udp/tcp ports it uses (irc, proxy, botnet controllers)
- Detection of connections to remote servers with an abnormal number of threads (5 and up)
- Detection of processes whose architecture differs from the one the server runs
- Detection of processes running from statically linked binaries (binaries that include all dependent components)
- Detection of processes started with LD_PRELOAD, or started from files with the SUID or SGID bit set
Antidoto can also be run in audit mode, in which it replaces several programs at once: netstat, lsof, ss and ps. It can also use an installed ClamAV as its scanning engine.
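To make the host-side heuristics from the list above concrete, here is an added example, written for this article and not taken from Antidoto's own Perl code, that implements a few of them over /proc the way a defender would: odd names in /tmp and /var/tmp, executables that have been deleted while the process keeps running, LD_PRELOAD in the process environment, SUID/SGID executables, statically linked binaries (no PT_INTERP program header) and an ELF machine type that does not match the host. The sample ELF header it builds for testing is constructed here; the port and directory lists are assumptions, not Antidoto's own configuration.

```python
import os
import platform
import stat
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_INTERP = 1, 3
EM_386, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 40, 62, 183
# platform.machine() value -> e_machine expected of a native binary (assumed table)
HOST_MACHINE = {"x86_64": EM_X86_64, "i686": EM_386, "aarch64": EM_AARCH64, "armv7l": EM_ARM}
PUBLIC_DIRS = ("/tmp", "/var/tmp")  # world-writable directories to inspect (assumed)

def suspicious_name(name):
    """Names made only of dots and spaces, or containing whitespace, hide droppers in listings."""
    return any(ch.isspace() for ch in name) or set(name) <= set(". ")

def scan_public_dirs(dirs=PUBLIC_DIRS):
    """Return non-empty entries with suspicious names inside the public directories."""
    hits = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue
        for name in names:
            path = os.path.join(d, name)
            try:
                non_empty = (len(os.listdir(path)) > 0 if os.path.isdir(path)
                             else os.path.getsize(path) > 0)
            except OSError:
                continue
            if non_empty and suspicious_name(name):
                hits.append(path)
    return hits

def parse_elf(data):
    """Read ELF class, e_machine and whether a PT_INTERP header exists (none -> static)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    is_64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is_64 and len(data) < 64:
        return None
    machine = struct.unpack_from(end + "H", data, 18)[0]
    if is_64:  # Elf64_Ehdr: e_phoff at 32, e_phentsize/e_phnum at 54
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:      # Elf32_Ehdr: e_phoff at 28, e_phentsize/e_phnum at 42
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    has_interp = False
    for i in range(phnum):  # p_type is the first field of both Elf32_Phdr and Elf64_Phdr
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            has_interp = True
    return {"is_64": is_64, "machine": machine, "static": not has_interp}

def elf_findings(info, host_machine):
    out = []
    if info["static"]:
        out.append("statically linked binary")
    if host_machine is not None and info["machine"] != host_machine:
        out.append("architecture differs from host")
    return out

def check_process(pid):
    """Apply the per-process heuristics to /proc/<pid>; other users' processes need root."""
    base, findings = "/proc/%s" % pid, []
    try:
        exe = os.readlink(base + "/exe")
    except OSError:
        return findings  # kernel thread or no permission
    if exe.endswith(" (deleted)"):
        return ["executable missing on disk: " + exe]
    try:
        with open(base + "/environ", "rb") as f:
            if any(v.startswith(b"LD_PRELOAD=") for v in f.read().split(b"\0")):
                findings.append("started with LD_PRELOAD")
    except OSError:
        pass
    try:
        if os.stat(exe).st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append("SUID/SGID executable")
        with open(exe, "rb") as f:  # program headers follow the ELF header, 4 KiB is enough
            info = parse_elf(f.read(4096))
    except OSError:
        return findings
    if info:
        findings += elf_findings(info, HOST_MACHINE.get(platform.machine()))
    return findings

def build_test_elf(is_64, machine, with_interp):
    """Constructed ELF header plus one program header for offline testing; not a runnable binary."""
    ident = ELF_MAGIC + bytes([2 if is_64 else 1, 1, 1]) + b"\0" * 9
    p_type = PT_INTERP if with_interp else PT_LOAD
    if is_64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
        return hdr + struct.pack("<IIQQQQQQ", p_type, 0, 0, 0, 0, 0, 0, 0)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    return hdr + struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, 0, 0)

if __name__ == "__main__":
    for path in scan_public_dirs():
        print("suspicious name in public dir:", repr(path))
    if os.path.isdir("/proc"):
        for pid in filter(str.isdigit, os.listdir("/proc")):
            for finding in check_process(pid):
                print("pid %s: %s" % (pid, finding))
```

Run it as root on the hardware node to cover container processes too; a 32-bit EM_386 binary on an x86_64 host is reported as an architecture mismatch, which is exactly the kind of finding the 3proxy case later in the article illustrates.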
Installing and running the Antidoto scanner is very simple, since no additional dependencies are required. Just download the scanner file and its module:
wget -OAntidoto.pl --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pl
wget -OAntidoto.pm --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pm
perl Antidoto.pl
In addition to the file scanner, a network scanner ships with Antidoto.
wget -OAntidoto.pm --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pm
wget -Olinux_network_activity_tracker.pl --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/linux_network_activity_tracker.pl
perl linux_network_activity_tracker.pl
Next, let us look at the practical use of Antidoto on a CentOS server hosting a number of OpenVZ containers.
Neither script takes any command-line parameters at startup.
However, Antidoto.pl has a set of settings in its source code with which you can adjust the network activity check. They are boolean values, so tuning is not difficult.
- compress_forks => 1, when forks of a process are detected, show only one of them
- show_process_information => 1, display information about the processes found
- show_open_files => 1, include the files opened by the application in the report
The next block is entirely dedicated to TCP connections.
- show_tcp => 1, display all TCP-related information
- show_whitelisted_listen_tcp => 1, also list listening sockets that are on the whitelist
- show_listen_tcp => 1, display the list of listening TCP sockets
- show_client_tcp => 1, display the list of client TCP sockets
- show_local_tcp_connections => 1, display information about local TCP connections
The last block is similar to the previous one, but applies to UDP:
- show_udp => 1,
- show_whitelisted_listen_udp => 1,
- show_listen_udp => 1,
- show_client_udp => 1,
- show_local_udp_connections => 1,
Running the script on the parent server, I received the following output:
As we can see, the check found a suspicious file in the temporary directory of container 485, and an architecture mismatch for the running 3proxy process.
Fortunately, no malware was detected on the server.
Let us turn to the diagnostic (audit) mode of the server, which is provided by a separate script, linux_network_activity_tracker.pl.
Its advantage is that it replaces several utilities at once (netstat, lsof, ss and ps) and presents the result of the check in a readable form. As with Antidoto, we simply run the script on the parent server that hosts the containers.
As can be seen from the output, the audit script found connections to port 6667 in one container (the most popular port for connecting to IRC and controlling bots) and, in another, an application waiting for connections on port 9050. On closer inspection this turned out to be a SOCKS proxy.
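The two findings above (a client talking to port 6667 and a listener on 9050) can be reproduced with a small audit of the kernel's own socket table. The following is an added example written for this article, not Antidoto's linux_network_activity_tracker.pl: it parses /proc/net/tcp, flags listeners on ports that are not in an assumed whitelist, flags client connections to assumed suspicious ports, counts concurrent connections per remote host (the "5 and up" rule from the feature list) and, on Linux, joins socket inodes back to processes through /proc/*/fd, which is the join that otherwise needs ps plus lsof. The socket-table lines embedded in SAMPLE are constructed for the example and use documentation addresses.

```python
from collections import Counter
import os

# Assumed port lists for this example, not Antidoto's configuration
SUSPICIOUS_PORTS = {6667: "IRC, the classic botnet control channel",
                    9050: "SOCKS proxy (Tor's default port)"}
WHITELISTED_LISTEN = {22, 80, 443}          # listeners a web host is expected to have
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

def decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4 address as a
    host-order u32, so on little-endian hosts the four bytes appear reversed."""
    ip_hex, port_hex = field.split(":")
    return ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:     # the first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        (lip, lport), (rip, rport) = decode_addr(f[1]), decode_addr(f[2])
        conns.append({"local_ip": lip, "local_port": lport, "remote_ip": rip,
                      "remote_port": rport, "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns

def audit(conns, fanout_threshold=5):
    """Return findings as tuples: kind followed by the details that identify it."""
    findings = []
    for c in conns:
        if c["state"] == "LISTEN":
            if c["local_port"] in SUSPICIOUS_PORTS:
                findings.append(("listen_suspicious", c["local_port"]))
            elif c["local_port"] not in WHITELISTED_LISTEN:
                findings.append(("listen_unknown", c["local_port"]))
        elif c["remote_port"] in SUSPICIOUS_PORTS:
            findings.append(("client_suspicious", c["remote_ip"], c["remote_port"]))
    per_host = Counter(c["remote_ip"] for c in conns if c["state"] == "ESTABLISHED")
    for host, n in sorted(per_host.items()):
        if n >= fanout_threshold:
            findings.append(("fanout", host, n))
    return findings

def socket_owners():
    """Map socket inode -> (pid, comm) by walking /proc/*/fd. Linux only; root sees all."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open("/proc/%s/comm" % pid) as f:
                comm = f.read().strip()
        except OSError:
            continue
        for link in links:
            if link.startswith("socket:["):       # e.g. socket:[40001]
                owners[int(link[8:-1])] = (int(pid), comm)
    return owners

# Constructed sample of /proc/net/tcp: a SOCKS listener on 9050, sshd on 22, an unknown
# listener on 8081, one client session to 203.0.113.5:6667 and five to 198.51.100.7:80.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 40001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40002 1
   2: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000    48        0 40003 1
   3: 0A00000A:C000 057100CB:1A0B 01 00000000:00000000 00:00000000 00000000  1001        0 40004 1
   4: 0A00000A:C001 076433C6:0050 01 00000000:00000000 00:00000000 00000000    48        0 40005 1
   5: 0A00000A:C002 076433C6:0050 01 00000000:00000000 00:00000000 00000000    48        0 40006 1
   6: 0A00000A:C003 076433C6:0050 01 00000000:00000000 00:00000000 00000000    48        0 40007 1
   7: 0A00000A:C004 076433C6:0050 01 00000000:00000000 00:00000000 00000000    48        0 40008 1
   8: 0A00000A:C005 076433C6:0050 01 00000000:00000000 00:00000000 00000000    48        0 40009 1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:
            text = f.read()
        owners = socket_owners()
    except OSError:                         # not Linux: fall back to the constructed sample
        text, owners = SAMPLE, {}
    conns = parse_proc_net_tcp(text)
    for c in conns:
        pid, comm = owners.get(c["inode"], ("?", "?"))
        print("%-11s %s:%d -> %s:%d uid=%d pid=%s (%s)" % (c["state"], c["local_ip"],
              c["local_port"], c["remote_ip"], c["remote_port"], c["uid"], pid, comm))
    for finding in audit(conns):
        print("FINDING:", finding)
```

Run on the hardware node, the inode-to-pid join also resolves container processes because the node's /proc sees every container's tasks; on an ordinary host, a finding of kind fanout against one remote address is the signal to look at with show_client_tcp enabled in Antidoto.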