Linux – Preserve evidence of intrusion / deleted executable

executablelinuxprocessSecurity

If you are faced with a non-root remote command execution vulnerability, and there is a foreign executable that's running on your Linux system from a user with only non-administrator privileges, what's the best way to preserve the executable and its state, and terminate the access?

The executable file itself is marked as deleted, so, it's not possible to simply make a copy of it. Additionally, since it appears that the exe file within the respective /proc/%d directory is merely a symlink, and the executable itself is not one of the files open within /proc/%d/fd, it seems like even saving the executable file itself might be a bit tricky.

How do you save all states associated with the executable for future analysis, as well as the executable itself?

Best Answer

You can freeze it with kill -STOP $pid. The process statistics will remain accessable through /proc/$pid, but it will not be executing.

You can get access to the executable file with cp /proc/$pid/exe /destination/path.

Related Solutions

Linux – Join the executable and all its libraries

You can copy all of its libraries from their system locations into a subdirectory of where your executable is and use patchelf, to make the executable look for its libdependencies there instead of the system lib directories.

E.g.:

relativize_libs:

#!/bin/bash -e
[ -n "$1" ] || set -- a.out
mkdir -p ./lib/ #<copy the libraries here
#use ldd to resolve the libs and use `patchelf --print-needed to filter out
# "magic" libs kernel-interfacing libs such as linux-vdso.so, ld-linux-x86-65.so or libpthread
# which you probably should not relativize anyway
join \
    <(ldd "$1" |awk '{if(substr($3,0,1)=="/") print $1,$3}' |sort) \
    <(patchelf --print-needed "$1" |sort) |cut -d\  -f2 |

#copy the lib selection to ./lib
xargs -d '\n' -I{} cp --copy-contents {} ./lib 
#make the relative lib paths override the system lib path
patchelf --set-rpath "\$ORIGIN/lib" "$1"

(I believe that unlike LD_LIBRARY_PATH hacking, this should work with setuid executables too).

After that, all you've got to do is move that ./lib directory along with the executable.

Why does this executable still execute after I deleted it

To run a program, it is opened by the kernel (or its interpreter). As long as it is running, the file is kept open.

Deleting a file that is open in Unix deletes its name from the disk, the file itself is only deleted when it is closed.

Add the above two, and you see that the running program continues to use its program file, and that one will be deleted only when the program exits.

Best Answer

Related Solutions

Linux – Join the executable and all its libraries

Why does this executable still execute after I deleted it

Related Question