EXAMINING USER COMMAND HISTORY
The bash (Bourne Again Shell) shell is the most popular option among Linux users. It is frequently the default shell. Bash stores users’ command histories in the hidden .bash_history file in their home directories. The following script uses the find utility to search for these history files in home directories, including the root user’s home directory of /root. A sophisticated attacker will delete these files and/or set their maximum size to zero. Fortunately for the investigator, not all attackers know to do this.
send-history.sh

    #!/bin/bash
    #
    # Simple script to send all user bash history files as part of
    # initial live incident response.
    # by Dr. Phil Polstra (@ppolstra) as developed for
    # PentesterAcademy.com.

    usage () {
        echo "usage: $0 "
        echo "Simple script to send user history files to a log listener"
        exit 1
    }

    if [ $# -gt 0 ] ; then
        usage
    fi

    # find only files, filename is .bash_history
    # execute echo, cat, and echo for all files found
    # (send-log.sh runs the command and forwards its output to the log listener)
    send-log.sh find /home -type f -regextype posix-extended -regex \
        '/home/[a-zA-Z.]+/\.bash_history' \
        -exec echo -e "--dumping history file {} --\n" \; \
        -exec cat {} \; -exec echo -e "--end of dump for history file {} --\n" \;

    # repeat for the admin user (-maxdepth is a global option, so it goes first)
    send-log.sh find /root -maxdepth 1 -type f -regextype posix-extended \
        -regex '/root/\.bash_history' \
        -exec echo -e "--dumping history file {} --\n" \; \
        -exec cat {} \; -exec echo -e "--end of dump for history file {} --\n" \;
This code requires a little explanation. The easiest new thing to explain is the \ characters at the end of some lines. These are line continuation characters. This allows the script to be more readable, especially when printed in this book. This same line continuation character can be used in other scripting languages such as Python, although it is not necessarily the preferred method for those languages.
Now that we have described the \ characters, let’s tackle some of the harder parts of this script. We’ll break down the find command piece by piece. Find has the ability to search by file type. The command find /home -type f instructs find to search under /home for regular files (not directories, devices, etc.).
In addition to finding files by name, find allows regular expressions to be used for the filename. If you are not familiar with regular expressions, they are powerful ways of defining patterns. A complete tutorial on regular expressions, also called regexs, is well beyond the scope of this book. There are a number of online resources, such as http://www.regular-expressions.info/, for those wanting to know more. The book Mastering Regular Expressions by Jeffrey E. F. Friedl (O’Reilly, 2006) is a great resource for those that prefer a book.
In regular expressions we have characters that match themselves (literals) and those with special meaning (metacharacters). Within the set of metacharacters we have things that match, anchors, and quantity specifiers. Occasionally we want to treat metacharacters as literals and we do this by escaping them. Escaping a character is as simple as prepending the \ character before it.
Some of the more common matching metacharacters are character classes (lists of characters inside square brackets), which match any one character in the list, and the period, which matches any character except a newline. Because the period is a metacharacter, it must be escaped when you want to match a literal period, as is the case with the regular expression in this script.
Some of the most used quantity specifiers include *, +, and ? which indicate zero or more, one or more, and zero or one, respectively. Quantity specifiers apply to the thing (literal character, metacharacter, or grouping) just before them. For example, the regular expression A+ means one or more capital A’s. As another example, [A-Z]?[a-z]+ would match any word that is written in all lower case letters with the possible exception of the first letter (breaking it down it is zero or one upper case letters followed by one or more lower case letters).
It is easy to understand the regular expression in our script if we break it down into three parts. The first part “/home/” is a literal string that matches the main directory where users’ home directories are stored. The second part “[a-zA-Z.]+” matches one or more lower case letters, upper case letters, or periods. This should match valid usernames. The final portion is another literal string, but this time with the period escaped. In other words, the regular expression “/\.bash_history” matches the literal string “/.bash_history”.
The remainder of the find command runs three commands for each file found using the -exec option. Anywhere you see “{}” the find command will replace it with the name of the file found. Once you know that, it is easy to understand how this works. First we echo a header that includes the filename. Then we cat (type) the file with the second exec. Finally, a footer is added to the output. After all of the regular user home directories have been scanned, a slightly modified find command is run to print out the root user’s bash history if it exists.
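The book’s script only dumps history files that exist. As an added example (not part of the book or its scripts), the following shell functions classify each home directory so the investigator also sees where history was deleted, truncated to zero bytes, pointed at /dev/null, or disabled through HISTSIZE/HISTFILESIZE in a startup file, the anti-forensics the text mentions. The home directories and dotfiles in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book: report the state of each user's
# .bash_history rather than just dumping the ones that exist.

# history_status HOMEDIR -> present | empty | missing | devnull-link | symlink
history_status() {
    f="$1/.bash_history"
    if [ -L "$f" ]; then
        case "$(readlink "$f")" in
            /dev/null) echo "devnull-link" ;;   # all history silently discarded
            *)         echo "symlink" ;;
        esac
    elif [ ! -e "$f" ]; then
        echo "missing"                          # file never written or deleted
    elif [ ! -s "$f" ]; then
        echo "empty"                            # zero bytes, possibly truncated
    else
        echo "present"
    fi
}

# hist_disabled HOMEDIR -> yes | no : does a startup file set HISTSIZE or
# HISTFILESIZE to 0, or unset HISTFILE, so that nothing gets recorded?
hist_disabled() {
    for rc in "$1/.bashrc" "$1/.bash_profile" "$1/.profile"; do
        [ -f "$rc" ] || continue
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?(HISTSIZE|HISTFILESIZE)=0+$|^[[:space:]]*unset[[:space:]]+HISTFILE' "$rc"; then
            echo "yes"; return
        fi
    done
    echo "no"
}

# Constructed sample home directories (not real evidence) exercising each case
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/alice" "$base/bob" "$base/carol" "$base/dave"
    printf 'ls -la\ncd /tmp\n' > "$base/alice/.bash_history"   # normal user
    : > "$base/bob/.bash_history"                               # truncated
    ln -s /dev/null "$base/carol/.bash_history"                 # linked away
    printf 'export HISTSIZE=0\n' > "$base/dave/.bashrc"         # disabled
    for u in alice bob carol dave; do
        echo "$u: $(history_status "$base/$u") disabled=$(hist_disabled "$base/$u")"
    done
    rm -rf "$base"
}
demo
```

On a live system, loop over the directories under /home plus /root instead of the constructed ones, and treat empty, devnull-link and disabled=yes as findings to record alongside the dumped history.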
A portion of the john user’s bash history is shown in Figure 3.6. It would appear that the attacker tried to use sed (stream editor) to modify the /etc/passwd file. It seems that he or she had some trouble, as they also looked at the man page for sed and ultimately just used vi. A few lines down in this history file we see the Xing Yi Quan rootkit being installed and the ls command being used to verify that the directory into which it was downloaded is hidden.
FIGURE 3.6
Part of john user’s bash history. The lines near the top indicate an attempt to modify the new johnn account information. Further down we see commands associated with the installation of a rootkit.