In this post I'm going to show an interesting tool for monitoring file access on GNU/Linux. Identifying unauthorized access to web servers can be tricky once all the previous measures have been defeated, but fsnoop is also useful in our daily tasks, not exclusively for security reasons.
The example picture above shows how www-data, the default Apache user, has created 3 files in /dev/shm, likely after exploiting some RFI or SQLi. The attacker wants to escalate privileges, and /tmp (aka /dev/shm) is the first place where the bad guys will try to execute code, because it is world-readable on most systems.
That way, we can run fsnoop with -d (daemon) and -o (output to a log) on any path, check with a shell script and a crontab entry whether the log is growing under certain users, then use sendmail to send alerts and take decisions accordingly.
We can download fsnoop from its main web page and see other useful examples:
http://vladz.devzero.fr/fsnoop.php
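The cron-driven check described above, as an added example that is not part of the original post or of fsnoop itself. It assumes fsnoop was started with -d and -o so that a log file exists, and that each log line names the acting user as a whole word; the exact fsnoop log format is not assumed, and the recipient address and state-file path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post or from fsnoop): count new fsnoop log lines
# attributed to one user since the last run and send an alert when there are any.
# Assumed start of the monitor (paths are hypothetical):
#   ./fsnoop -d -o /var/log/fsnoop.log /tmp,/dev/shm
# Assumed crontab entry, every 5 minutes:
#   */5 * * * * /usr/local/bin/fsnoop-alert.sh /var/log/fsnoop.log www-data /var/lib/fsnoop-alert.state

# Command that receives the alert message on stdin; sendmail -t reads the
# recipient from the To: header. ALERT_TO is a hypothetical recipient.
: "${ALERT_CMD:=/usr/sbin/sendmail -t}"
: "${ALERT_TO:=root@localhost}"

# Usage: new_entries_for_user LOGFILE USER STATEFILE
# Prints how many log lines added since the last run mention USER as a whole
# word, and records the current line count in STATEFILE for the next run.
new_entries_for_user() {
    log=$1; user=$2; state=$3
    [ -r "$log" ] || { echo 0; return 0; }
    total=$(wc -l < "$log" | tr -d ' ')
    seen=0
    [ -r "$state" ] && seen=$(cat "$state")
    # Log rotated or truncated since last run: start over from line 1.
    [ "$seen" -gt "$total" ] && seen=0
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    count=$(tail -n +"$((seen + 1))" "$log" | grep -cw -- "$user" || true)
    echo "$total" > "$state"
    echo "$count"
}

# Usage: alert_new_activity LOGFILE USER STATEFILE
# Sends one mail listing the new lines for USER (if any) and prints their count.
alert_new_activity() {
    log=$1; user=$2; state=$3
    n=$(new_entries_for_user "$log" "$user" "$state")
    if [ "$n" -gt 0 ]; then
        {
            printf 'To: %s\nSubject: fsnoop: %s new entries for %s\n\n' "$ALERT_TO" "$n" "$user"
            # New entries sit at the end of the log, so the last n matches are the new ones.
            grep -w -- "$user" "$log" | tail -n "$n"
        } | eval "$ALERT_CMD"
    fi
    echo "$n"
}

# When invoked from cron with three arguments, run one check.
[ "$#" -eq 3 ] && alert_new_activity "$@"
```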
Thank you for covering this tool! ;)
I just would like to make a correction, the right usage for monitoring multiple directories is: ./fsnoop /tmp,/dev/shm
Thank you so much for your feedback! Hope to see you here again :)