3

Let's assume I'm a user with root access to a machine and I'm a legit user. My machine/server runs Linux. I'm not very familiar with defensive security (I mainly practice offensive). Sometimes, popping shells can be as easy as running some Metasploit module (Meterpreter sessions).

What can I do to check if there are remote shells (root or not) running on my machine?

schroeder
ChocolateOverflow
  • I've tried looking around about detecting remote shells but haven't found anything very useful... It can be Meterpreter, remote access or anything that may escalate to ```root``` access. – ChocolateOverflow Dec 19 '19 at 08:47
  • Hold on. Do you want to find processes that can escalate? Or do you want to find *shells*? The distinction is extremely important and you have to separate the two ideas. – schroeder Dec 19 '19 at 08:48
  • Sorry if I'm not being clear enough. My level is around that of "script kiddie". What I want to detect is a remote shell from outside, which can be used to escalate. Basically shells people love to pop in hackthebox and the like. – ChocolateOverflow Dec 19 '19 at 08:50
  • I think the best way is to use netstat and just filter it somehow, or maybe that's my mistake :( – pioupiou Dec 19 '19 at 08:52
  • You cannot conflate the two things. You are worried that a shell might escalate, but you cannot detect that. It's like asking which gun in a shop is going to be used to kill someone. You can detect, as I was trying to hint, processes with *network connections*. – schroeder Dec 19 '19 at 08:52
  • What about just remote shells? Can I "easily" detect that somehow? – ChocolateOverflow Dec 19 '19 at 08:55

1 Answer

3

As I cannot find a direct answer to this on this site, I'll provide a quick answer.

There are two primary methods for locating shells:

  1. shell signatures
  2. anomalous network connections

Signature-based

Meterpreter, for example, has a very distinct signature and AV tools can find these. PHP shells and others can likewise contain unique elements that might be detected by automated tools. Custom shells are difficult to find this way.

Network-based

But a shell, in your context, is something that has a network connection. You want to look for

  • known processes that have no business connecting to the network ("why is calc.exe connecting to a Linode server?")
  • unknown processes that have a network connection ("what is sefhwebfh and why is it connecting to a Linode server?")
  • known processes that have a legitimate need to connect to the network, but the connections are unusual ("why is httpd making outbound connections to a Linode server?")

(Note, "Linode" is a generic example.)

To look for these, you need to:

  • know your OS's tools to list processes and any network connections they make. It's then important to baseline what is "normal" (either through documentation or from personal experience) to compare against.
  • run packet captures (or similar, like IDS, packet inspection on the firewall, etc.) to listen to the wire to look for anomalies from the network baseline.

What do you do once you find a shell?

Once you discover the shell, you can no longer be confident about anything on the server. You have no idea if permissions have been escalated currently or in the past. While a full forensic investigation might be interesting and satisfying, you can never be sure that you have all the information to declare the machine safe or cleaned.

Your response should be to capture an image of the machine for an investigation into the impacts of the event, then nuke the machine from orbit.

schroeder
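As an added example (not part of schroeder's answer, and not a tool the answer names), here is one way to do the network-based check on Linux in practice: take the output of `ss -tanp` (iproute2, run as root so the owning process of every socket is shown), compare each socket against a hand-written baseline of which executables may listen on which ports and which may make outbound connections, and flag the three cases the answer lists (an unknown process with a connection, a known process listening where it shouldn't, a known process making an outbound connection it has no business making). The `ss` output, the process names and the baseline below are all constructed for the example; the baseline is the "what is normal" knowledge the answer says you must build first, and the script is only as good as that baseline.

```python
"""Flag anomalous sockets in `ss -tanp` output against a baseline.

Added example, not from the original answer. Assumes Linux iproute2 `ss`;
the sample output, process names and baseline below are all constructed.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ss -tanp` output (not a real capture). The nginx
# worker connecting out to port 4444 and the unknown "sefhwebfh" process
# are the two cases a defender would want flagged.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
ESTAB   0       0       10.0.0.5:22          203.0.113.9:51234  users:(("sshd",pid=4411,fd=4))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=900,fd=6))
ESTAB   0       0       10.0.0.5:46122       198.51.100.7:4444  users:(("nginx",pid=903,fd=11))
ESTAB   0       0       10.0.0.5:38010       198.51.100.7:443   users:(("sefhwebfh",pid=6020,fd=3))
ESTAB   0       0       10.0.0.5:52211       192.0.2.10:5432    users:(("myapp",pid=1200,fd=9))
"""

# Hypothetical baseline: which executables may listen on which ports, and
# which peer ports each may connect out to. Build this from documentation
# and from observing the host while it is known-good.
BASELINE = {
    "sshd":  {"listen": {22},      "outbound": set()},
    "nginx": {"listen": {80, 443}, "outbound": set()},
    "myapp": {"listen": set(),     "outbound": {5432}},
}

# Matches the process field ss prints with -p: users:(("name",pid=N,fd=M))
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


@dataclass(frozen=True)
class Conn:
    state: str
    local_port: Optional[int]
    peer_addr: str
    peer_port: Optional[int]
    proc: str
    pid: int


def _split_port(addr: str):
    """Split 'host:port' from the right so IPv6 forms like [::]:22 work."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_ss(text: str):
    """Parse `ss -tanp` lines into Conn records; skips sockets with no owner shown."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        m = PROC_RE.search(line)
        if not m:
            continue  # no process info: not root, or a kernel-owned socket
        _, lport = _split_port(parts[3])
        phost, pport = _split_port(parts[4])
        conns.append(Conn(parts[0], lport, phost, pport, m["name"], int(m["pid"])))
    return conns


def classify(conn: Conn, baseline=BASELINE) -> Optional[str]:
    """Return a reason string if the socket deviates from the baseline, else None."""
    rules = baseline.get(conn.proc)
    if rules is None:
        return "unknown process with a network connection"
    if conn.state == "LISTEN":
        return None if conn.local_port in rules["listen"] else "unexpected listening port"
    # ss does not record direction; a local port the process is allowed to
    # listen on is treated as an accepted inbound connection.
    if conn.local_port in rules["listen"]:
        return None
    if conn.peer_port in rules["outbound"]:
        return None
    return "unexpected outbound connection"


def find_anomalies(text: str, baseline=BASELINE):
    """Return (process, pid, peer, reason) for every socket that breaks the baseline."""
    result = []
    for c in parse_ss(text):
        reason = classify(c, baseline)
        if reason:
            result.append((c.proc, c.pid, f"{c.peer_addr}:{c.peer_port}", reason))
    return result


if __name__ == "__main__":
    # `--live` runs the real `ss -tanp` (needs root to see every owner);
    # without it the constructed sample is used.
    if "--live" in sys.argv:
        text = subprocess.run(["ss", "-tanp"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SS_OUTPUT
    for proc, pid, peer, reason in find_anomalies(text):
        print(f"{reason}: {proc} (pid {pid}) -> {peer}")
```

On the sample this reports the nginx worker's outbound connection to 198.51.100.7:4444 and the unknown `sefhwebfh` process, and stays quiet about the accepted ssh session and the application's database connection. Two caveats match the answer's own warnings: a shell that has already escalated can hide its socket from `ss` (a rootkit, or simply unloading the process name you baselined), so a packet capture or IDS off the host is the second, independent view; and the baseline is the hard part, since a too-permissive entry ("nginx may connect anywhere") silently whitelists exactly the reverse shell you are looking for.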