2023-05-16 20:31:31 +00:00
|
|
|
-- Slow query to find root programs with an open socket and few shared libraries
|
|
|
|
--
|
|
|
|
-- false positives:
|
|
|
|
-- * some minimalist daemons
|
|
|
|
--
|
|
|
|
-- references:
|
|
|
|
-- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
|
|
|
|
--
|
|
|
|
-- tags: persistent process state seldom
|
|
|
|
-- platform: linux
|
2024-02-16 22:21:00 +00:00
|
|
|
SELECT
|
|
|
|
pos.protocol,
|
|
|
|
pos.pid,
|
|
|
|
pos.remote_address,
|
|
|
|
pos.local_address,
|
|
|
|
pos.local_port,
|
|
|
|
pos.remote_port,
|
|
|
|
pos.state,
|
|
|
|
GROUP_CONCAT(DISTINCT pmm.path) AS libs,
|
|
|
|
COUNT(DISTINCT pmm.path) AS lib_count,
|
|
|
|
-- Child
|
2024-08-27 22:40:43 +00:00
|
|
|
p0.path AS proc_path,
|
|
|
|
p0.name AS proc_name,
|
|
|
|
p0.start_time AS proc_start,
|
|
|
|
p0.cmdline AS proc_cmd,
|
|
|
|
p0.cwd AS porc_cwd,
|
|
|
|
p0.cgroup_path AS proc_cgroup,
|
|
|
|
p0.euid AS proc_euid,
|
|
|
|
p0_hash.sha256 AS sha256
|
2024-02-16 22:21:00 +00:00
|
|
|
FROM
|
|
|
|
processes p0
|
|
|
|
JOIN process_open_sockets pos ON p0.pid = pos.pid
|
|
|
|
JOIN process_memory_map pmm ON p0.pid = pmm.pid
|
|
|
|
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
|
|
|
WHERE
|
|
|
|
p0.path != '' -- optimization: focus on longer running processes
|
|
|
|
AND p0.start_time < (strftime('%s', 'now') - 900)
|
|
|
|
AND p0.path NOT IN (
|
2024-11-18 21:16:52 +00:00
|
|
|
'/opt/bitnami/redis/bin/redis-server',
|
|
|
|
'/usr/bin/cat',
|
2024-02-16 22:21:00 +00:00
|
|
|
'/usr/bin/containerd',
|
|
|
|
'/usr/bin/dash',
|
|
|
|
'/usr/bin/docker',
|
|
|
|
'/usr/bin/docker-proxy',
|
2024-11-18 21:16:52 +00:00
|
|
|
'/usr/bin/fusermount3',
|
|
|
|
'/usr/bin/i3blocks',
|
|
|
|
'/usr/bin/kas',
|
|
|
|
'/usr/bin/vmalert',
|
2024-02-16 22:21:00 +00:00
|
|
|
'/usr/lib/electron/chrome-sandbox',
|
2024-11-18 21:16:52 +00:00
|
|
|
'/usr/libexec/docker/docker-proxy',
|
|
|
|
'/usr/lib/snapd/snapd',
|
|
|
|
'/usr/local/bin/containerd',
|
|
|
|
'/usr/local/bin/gitary',
|
|
|
|
'/usr/sbin/acpid',
|
|
|
|
'/usr/sbin/mcelog'
|
2024-02-16 22:21:00 +00:00
|
|
|
)
|
|
|
|
AND p0.name NOT IN (
|
|
|
|
'chrome_crashpad',
|
|
|
|
'dhcpcd',
|
2024-07-12 20:55:49 +00:00
|
|
|
'kas',
|
|
|
|
'gitaly',
|
|
|
|
'redis-server',
|
2024-02-16 22:21:00 +00:00
|
|
|
'stern',
|
|
|
|
'Brackets-node'
|
|
|
|
) -- optimization: minimalistic daemons typically only run 1 pid per path
|
|
|
|
AND p0.path NOT LIKE '/home/%/go/bin/%'
|
|
|
|
AND pos.family != 1
|
|
|
|
AND pos.pid > 0
|
|
|
|
AND pos.state != 'LISTEN'
|
|
|
|
AND pmm.path LIKE "%.so.%"
|
2024-07-12 20:55:49 +00:00
|
|
|
AND NOT (
|
|
|
|
pos.local_address = "127.0.0.1"
|
|
|
|
AND pos.remote_address = "127.0.0.1"
|
|
|
|
)
|
2024-02-16 22:21:00 +00:00
|
|
|
GROUP BY
|
|
|
|
pos.pid -- libc.so, ld-linux
|
|
|
|
HAVING
|
|
|
|
lib_count IN (1, 2)
|