bash_history=/dev/null - not the droids you need

Posted by Rob Kraus on Tue, Feb 07, 2012 @ 10:18 AM

Recently I was reviewing exploit code we had identified as part of a privilege escalation attack against a UNIX-based server. There were certainly a lot of interesting things in the exploit code, including shellcode, assembly language instructions and funny hacker “l33t sp3ak” comments, but one thing that always sticks out for me is the attacker hiding their tracks.

In particular, the following code caught my eye:
if (pid == 0) {
    /* child process after fork(): spawn an interactive shell */
    char *args[] = {"/bin/sh", "-i", NULL};
    /* hand-built environment: every history-related variable points at /dev/null */
    char *envp[] = {"TERM=linux", "BASH_HISTORY=/dev/null", "HISTORY=/dev/null",
                    "history=/dev/null", "HISTFILE=/dev/null", "HISTFILESIZE=0",
                    "PATH=/bin:/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin",
                    NULL};
    execve("/bin/sh", args, envp);
}

The above code is run as part of the exploit. In short, it sets the environment variables that control where the shell records the commands typed on the UNIX command line, and points them all at /dev/null.

/dev/null is a *nix device that acts like a black hole: whatever is written to it is discarded, and nothing is stored. In this case, it means that nothing the attacker types on the command line during the attack is ever recorded, because the shell history is sent to the “black hole” of /dev/null instead of a history file. Like a Jedi mind trick, this technique has been used for years, and is still used today because it works.

What does this mean to you? Imagine your organization was compromised and, during the investigation, you suddenly find that you can no longer see what the attacker was doing. Did he access sensitive data? Did he add user accounts via the command line? Did he use that system to pivot to others?

This is the equivalent of locking the door on a busy Mos Eisley street: visibility is lost.

Depending on the skill of the attacker and the exploits used, it is also possible to remove all logs generated during the attack, but in many cases the example above is typical.
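One defender-side check that survives this trick, as an added example (this is not code from the original post or from Solutionary): the shell's environment is still visible to root in /proc/<pid>/environ, so a script can parse those NUL-separated blobs and flag processes carrying the history-suppressing variables quoted above. The sample blobs and pid numbers below are constructed, and the HISTSIZE entry is an assumption (a bash variable that is not in the exploit's list); the check only catches the exact values matched here, so it complements, rather than replaces, the centralized event logging the post recommends.

```python
"""Flag processes whose environment disables shell command history.

Added example, not part of the original post. Parses /proc/<pid>/environ-style
blobs (NUL-separated KEY=VALUE entries) and reports the history-suppressing
variables seen in the exploit's execve() environment.
"""
import os
from typing import Dict, List

# Variable/value pairs that silence history. HISTORY, history and BASH_HISTORY
# are not read by bash but appear in the exploit; HISTSIZE is an assumed
# addition (a real bash variable, not in the exploit's list).
SUSPICIOUS_ENV = {
    "HISTFILE": {"/dev/null", ""},
    "HISTFILESIZE": {"0"},
    "HISTSIZE": {"0"},
    "BASH_HISTORY": {"/dev/null"},
    "HISTORY": {"/dev/null"},
    "history": {"/dev/null"},
}


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Decode a /proc/<pid>/environ blob into a dict of KEY -> VALUE."""
    env: Dict[str, str] = {}
    for entry in blob.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.decode("utf-8", errors="replace").partition("=")
        env[key] = value
    return env


def history_suppression_findings(env: Dict[str, str]) -> List[str]:
    """Return the KEY=VALUE pairs in env that disable shell history, sorted."""
    return sorted(
        f"{key}={env[key]}"
        for key, bad_values in SUSPICIOUS_ENV.items()
        if key in env and env[key] in bad_values
    )


def scan_blobs(blobs: Dict[int, bytes]) -> Dict[int, List[str]]:
    """Scan a mapping of pid -> environ blob; return only pids with findings."""
    results: Dict[int, List[str]] = {}
    for pid, blob in blobs.items():
        findings = history_suppression_findings(parse_environ(blob))
        if findings:
            results[pid] = findings
    return results


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[str]]:
    """Read the live /proc tree; reading other users' environ requires root."""
    blobs: Dict[int, bytes] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "environ"), "rb") as fh:
                blobs[int(name)] = fh.read()
        except OSError:
            continue  # process exited or environ not readable
    return scan_blobs(blobs)


# Constructed sample data: pid 4242 mirrors the exploit's envp[] array,
# pid 1001 is an ordinary login shell with a normal history file.
SAMPLE_BLOBS = {
    4242: (b"TERM=linux\0BASH_HISTORY=/dev/null\0HISTORY=/dev/null\0"
           b"history=/dev/null\0HISTFILE=/dev/null\0HISTFILESIZE=0\0"
           b"PATH=/bin:/sbin:/usr/sbin:/usr/bin\0"),
    1001: (b"TERM=xterm\0HISTFILE=/home/alice/.bash_history\0"
           b"HISTFILESIZE=2000\0PATH=/usr/bin\0"),
}

if __name__ == "__main__":
    for pid, findings in scan_blobs(SAMPLE_BLOBS).items():
        print(f"pid {pid}: history suppressed via {', '.join(findings)}")
```

Running the script as-is only checks the constructed samples; `scan_proc()` does the same sweep against the live system and is the function you would wire into a periodic host check or an incident-response triage script.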

Point: It is important to always make sure systems are prepared for attacks. Hindsight is something that educates us all; learn from previous experiences and prepare for the worst. Ensuring a proper event-logging environment is implemented can preserve visibility and really help your organization during incidents.

Some good guidelines to follow to keep visibility within your network:

• First and foremost, make sure you are logging security events
• Ensure events are logged to a centralized logging server
• Make sure all log sources and servers are time synchronized
• Review logs on a regular basis
• Implement policies and procedures to handle security events if (when?) they do arise

We have a great year ahead of us; let’s make the most of it. Please stop by and say ‘hello’ if you run into us at any of the conferences this year.

See how Solutionary managed security services based on the patented ActiveGuard® Security & Compliance Platform combine security intelligence and expertise to provide visibility and threat response.