Easy monitoring bad guys in GNU/Linux Servers with fsnoop


In this post I am going to show an interesting tool for monitoring file access on GNU/Linux: fsnoop. Spotting unauthorized activity on a web server can be tricky once every earlier control has been defeated, and fsnoop helps there, but it is also useful in daily administration work and not exclusively for security.

[Image: fsnoop output showing files created by www-data in /dev/shm]

The screenshot above shows www-data, the Apache user by default, creating three files in /dev/shm. That is what you would expect after a successful RFI or SQLi: the attacker now wants to escalate privileges, and world-writable directories such as /tmp and /dev/shm (a tmpfs, not the same directory as /tmp, but with the same permissions) are the first place bad guys drop and execute code, because practically every system has them.

So we can run fsnoop as a daemon (-d) writing to a log file (-o) on those paths, then have a small shell script run from crontab check whether the log is growing with activity from certain users (www-data, for example), and use sendmail to raise an alert so we can decide what to do about it.
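
The cron-side part of that setup, as an added example that is not code from the original post or from fsnoop itself. It assumes fsnoop is already running as a daemon with -d and -o on /tmp,/dev/shm, and it assumes a one-event-per-line log format of "date time EVENT path user"; the real fsnoop output may differ, so the field numbers in the awk calls are the thing to adjust. The sample log lines are constructed for the demo, and the alert body is written to stderr where a real job would pipe it to sendmail.

```shell
#!/bin/sh
# Cron-driven check of an fsnoop log file. Added example for this post: it is
# not code from the original article nor from fsnoop itself.
#
# Assumptions (not taken from fsnoop's documentation, adjust to your setup):
#  - fsnoop runs as a daemon writing to a log, e.g.
#      fsnoop -d -o /var/log/fsnoop.log /tmp,/dev/shm
#  - one event per log line:  <date> <time> <EVENT> <path> <user>
#    (the real fsnoop format may differ: change the awk field numbers below;
#     paths containing spaces would also need a different split)
#  - a small state file remembers how many log lines were already examined

# Print the log lines appended since the previous run, then record the new size.
# Args: <logfile> <statefile>
new_events() {
    log=$1; state=$2
    seen=$(cat "$state" 2>/dev/null || echo 0)
    seen=${seen:-0}
    total=$(wc -l < "$log" | tr -d ' ')
    # A log that got smaller was rotated or truncated: read it from the top again.
    [ "$total" -lt "$seen" ] && seen=0
    tail -n +"$((seen + 1))" "$log"
    echo "$total" > "$state"
}

# Count the lines on stdin produced by one user (field 5 in the assumed format).
# Args: <user>
count_for_user() {
    awk -v u="$1" '$5 == u { n++ } END { print n + 0 }'
}

# One cron run: print the number of new events by <user> on stdout and, when
# there are any, write an alert message with the offending lines to stderr.
# In the real cron job replace ">&2" with "| sendmail root".
# Args: <logfile> <statefile> <user>
check_user() {
    log=$1; state=$2; user=$3
    fresh=$(new_events "$log" "$state")
    n=$(printf '%s\n' "$fresh" | count_for_user "$user")
    if [ "$n" -gt 0 ]; then
        {
            echo "Subject: [fsnoop] $n new file event(s) by $user on $(uname -n)"
            echo
            printf '%s\n' "$fresh" | awk -v u="$user" '$5 == u'
        } >&2
    fi
    echo "$n"
}

# --- constructed demo data, not real fsnoop output ---
DEMO_LOG=$(mktemp)
DEMO_STATE="$DEMO_LOG.state"
cat > "$DEMO_LOG" <<'EOF'
2013-04-11 10:12:01 CREATE /dev/shm/x.c www-data
2013-04-11 10:12:03 CREATE /dev/shm/x www-data
2013-04-11 10:12:05 EXEC /dev/shm/x www-data
2013-04-11 10:13:00 CREATE /tmp/sess_a1b2c3 root
EOF

check_user "$DEMO_LOG" "$DEMO_STATE" www-data   # first run: prints 3 and an alert
check_user "$DEMO_LOG" "$DEMO_STATE" www-data   # nothing new since: prints 0
```

Run it every few minutes from crontab with the log and state paths of your choice. The state file is per log, not per user, so if several users need watching, run them in one pass or give each its own state file; otherwise the first check consumes the new lines and the second sees nothing.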

fsnoop can be downloaded from its home page, which also has other useful examples:

http://vladz.devzero.fr/fsnoop.php

This entry was posted in Privilege Escalation. Bookmark the permalink.

3 responses to Easy monitoring bad guys in GNU/Linux Servers with fsnoop

  1. vladz said:

    Thank you for covering this tool! ;)

    I just would like to make a correction, the right usage for monitoring multiple directories is: ./fsnoop /tmp,/dev/shm

  2. Pingback: Nebula level 09 – Exploiting preg_replace in PHP : : Kernel Security
