March 26, 2015 at 12:38Installing, Configuring, and Using Antidoto Security Scanner
- Tutorial
Earlier I wrote about two well-known security scanners of the general plan rkhunter and CentOS.
On "Habré" there is also a description of the organization of the scanner for web hosting - maldet. Now I would like to consider the implementation of the application for heuristic detection of vulnerabilities, viruses and botnets for OpenVZ Linux OS - Antidoto.
Having an Italian name, this open source project is the brainchild of Russian-language developer Pavel Odintsov pavelodintsov . This is an open project and is located on the github . One of the reasons for creating this scanner, as well as the fact that it stands out clearly in front of the others, is scanning the memory of a working system for detecting running malicious software.
Declared work on all the popular modern Linux distributions: Centos 5-6, Debian 5-7, Ubuntu 10-14. In general, it should work on other distributions, as the project is written in perl.
Consider the capabilities of Antidote.
Antidoto can be launched in audit mode, which is used as a replacement for several programs at once: netstat, lsof, ss and ps. It can also use the installed ClamAV as a scan engine.
Installing and running the antidoto scanner is very simple, since no additional dependencies are required to run it. The scanner file and the module for it are simply downloaded:
In addition to the file scan scanner, there is a network scanner that is included with Antidoto.
Next, we consider the practical use of Antidoto on a server running CentOS on which a number of openvz containers are located.
Neither the first script nor the second involves the use of parameters at startup.
But Antidoto.pl has a set of parameters in the code with which you can adjust the check for network activity. Boolean values are used, so tuning is not particularly difficult.
The next block will be fully devoted to TCP connections.
The last block is similar to the previous one, but applies to UDP
By running the script on the parent server, I received the following data
As we can see, when checking the server, a suspicious file was detected in the temporary directory of the 485 container and the architecture mismatch of the running 3proxy process.
Fortunately, no malware was detected on the server.
Let's move
on to the server diagnostic (audit) mode, which is presented in a separate script - linux_network_activity_tracker.pl. Its advantages are that it replaces several utilities at once: netstat, lsof, ss and ps and provides a readable output of information as a result of the verification. Like Antidoto, just run the script on the parent server with containers
As you can see from the information received, the audit script found in one container connections to port 6667 (this is the most popular port for connecting to IRC and managing bots), and in another, an application waiting to connect to port 9050. Upon further consideration, it turned out to be a socks proxy.
Other articles about security and vulnerability scanners:
On "Habré" there is also a description of the organization of the scanner for web hosting - maldet. Now I would like to consider the implementation of the application for heuristic detection of vulnerabilities, viruses and botnets for OpenVZ Linux OS - Antidoto.
Having an Italian name, this open source project is the brainchild of Russian-language developer Pavel Odintsov pavelodintsov . This is an open project and is located on the github . One of the reasons for creating this scanner, as well as the fact that it stands out clearly in front of the others, is scanning the memory of a working system for detecting running malicious software.
Declared work on all the popular modern Linux distributions: Centos 5-6, Debian 5-7, Ubuntu 10-14. In general, it should work on other distributions, as the project is written in perl.
Consider the capabilities of Antidote.
- Search for non-empty files and directories with strange names (spaces, periods) in publicly accessible directories (/ tmp, / var / tmp)
- Search for non-empty scheduler job files for apache, www-data users (/ var / spoo / crontabs, / var / spool / cron)
- Notification of missing files with information on recent authorizations (/ var / log / btmp, / var / log / wtmp)
- Search for processes whose executables are missing
- Detection of popular malware in memory using md5 hashes
- Detection of suspicious software using udp / tcp ports (irc, proxies, botnet controllers)
- Detection of connections to remote servers with an abnormal number of threads (from 5 and above)
- Discovery of processes that differ in architecture from the system used on the server
- Detection of processes that run from statically compiled files (binaries including all dependent components)
- Detection of processes that were started using LD_PRELOAD launched from files with SUID, SGID bits
Antidoto can be launched in audit mode, which is used as a replacement for several programs at once: netstat, lsof, ss and ps. It can also use the installed ClamAV as a scan engine.
Installing and running the antidoto scanner is very simple, since no additional dependencies are required to run it. The scanner file and the module for it are simply downloaded:
wget -OAntidoto.pl --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pl
wget -OAntidoto.pm --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pm
perl Antidoto.pl
In addition to the file scan scanner, there is a network scanner that is included with Antidoto.
wget -OAntidoto.pm --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/Antidoto.pm
wget -Olinux_network_activity_tracker.pl --no-check-certificate https://raw.githubusercontent.com/pavel-odintsov/Antidoto/master/linux_network_activity_tracker.pl
perl linux_network_activity_tracker.pl
Next, we consider the practical use of Antidoto on a server running CentOS on which a number of openvz containers are located.
Neither the first script nor the second involves the use of parameters at startup.
But Antidoto.pl has a set of parameters in the code with which you can adjust the check for network activity. Boolean values are used, so tuning is not particularly difficult.
- compress_forks => 1, when detecting process forks show only one process
- show_process_information => 1, display information about found processes
- show_open_files => 1, report open application files
The next block will be fully devoted to TCP connections.
- show_tcp => 1, display any information related to TCP
- show_whitelisted_listen_tcp => 1, list listened sockets that are in the white list
- show_listen_tcp => 1, list the listening TCP sockets
- show_client_tcp => 1, list TCP client sockets
- show_local_tcp_connections => 1, display information about local TCP connections
The last block is similar to the previous one, but applies to UDP
- show_udp => 1,
- show_whitelisted_listen_udp => 1,
- show_listen_udp => 1,
- show_client_udp => 1,
- show_local_udp_connections => 1,
By running the script on the parent server, I received the following data
# perl Antidoto.pl
We got warning about process from CT: 115: 'Programm is x86 on container with arch x86_64 Probably it's an malware!'
pid: 48998 name: 3proxy ppid: 30919 uid: 13 gid: 13 CT: 115
exe path: /home/proxy/bin/3proxy
cwd: /
cmdline: /home/proxy/bin/3proxy /home/proxy/conf/main.cfg
We found a file with suspicious name .crontab.kVBjzc.swp in CT 485 in directory: /vz/root/485/tmp
We got warning about process from CT: 485: 'it running manually from NOT root user and it's very dangerous'
pid: 927381 name: AchievementSave ppid: 925991 uid: 501 gid: 502 CT: 485
exe path: /home/0xp_servers/prop_hunt2/serverfiles/srcds_linux
cwd: /home/0xp_servers/prop_hunt2/serverfiles
cmdline: ./srcds_linux -game garrysmod -strictportbind -ip 192.168.0.2 -port 27015 +host_workshop_collection -authkey +clientport 27008 +tv_port 27023 +map cs_office +servercfgfile prop_hunt2.cfg -maxplayers 32 +gamemode prop_hunt -tickrate 33
As we can see, when checking the server, a suspicious file was detected in the temporary directory of the 485 container and the architecture mismatch of the running 3proxy process.
Fortunately, no malware was detected on the server.
Let's move
on to the server diagnostic (audit) mode, which is presented in a separate script - linux_network_activity_tracker.pl. Its advantages are that it replaces several utilities at once: netstat, lsof, ss and ps and provides a readable output of information as a result of the verification. Like Antidoto, just run the script on the parent server with containers
# perl linux_network_activity_tracker.pl
Container's 15675 process 415528 connected to the DANGER tcp port 6667 to the server 192.169.0.2
Container's 15675 process 415530 connected to the DANGER tcp port 6667 to the server 192.169.0.2
Container's 29419 process 174494 listens DANGER tcp port 9050
As you can see from the information received, the audit script found in one container connections to port 6667 (this is the most popular port for connecting to IRC and managing bots), and in another, an application waiting to connect to port 9050. Upon further consideration, it turned out to be a socks proxy.
Other articles about security and vulnerability scanners: