55 lines
1.7 KiB
SQL
55 lines
1.7 KiB
SQL
-- Slow query to find root programs with an open socket and few shared libraries
|
|
--
|
|
-- false positives:
|
|
-- * some minimalist daemons
|
|
--
|
|
-- references:
|
|
-- * https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game
|
|
--
|
|
-- tags: persistent process state seldom
|
|
-- platform: linux
|
|
SELECT pos.protocol,
|
|
pos.pid,
|
|
pos.remote_address,
|
|
pos.local_address,
|
|
pos.local_port,
|
|
pos.remote_port,
|
|
pos.state,
|
|
GROUP_CONCAT(DISTINCT pmm.path) AS libs,
|
|
COUNT(DISTINCT pmm.path) AS lib_count,
|
|
-- Child
|
|
p0.pid AS p0_pid,
|
|
p0.path AS p0_path,
|
|
p0.name AS p0_name,
|
|
p0.start_time AS p0_start,
|
|
p0.cmdline AS p0_cmd,
|
|
p0.cwd AS p0_cwd,
|
|
p0.cgroup_path AS p0_cgroup,
|
|
p0.euid AS p0_euid,
|
|
p0_hash.sha256 AS p0_sha256
|
|
FROM processes p0
|
|
JOIN process_open_sockets pos ON p0.pid = pos.pid
|
|
JOIN process_memory_map pmm ON p0.pid = pmm.pid
|
|
LEFT JOIN hash p0_hash ON p0.path = p0_hash.path
|
|
WHERE p0.path != '' -- optimization: focus on longer running processes
|
|
AND p0.start_time < (strftime('%s', 'now') - 900)
|
|
AND p0.path NOT IN (
|
|
'/usr/bin/containerd',
|
|
'/usr/bin/fusermount3',
|
|
'/usr/sbin/acpid',
|
|
'/usr/bin/dash',
|
|
'/usr/bin/docker',
|
|
'/usr/sbin/mcelog',
|
|
'/usr/libexec/docker/docker-proxy',
|
|
'/usr/bin/docker-proxy',
|
|
'/usr/bin/cat',
|
|
'/usr/lib/electron/chrome-sandbox',
|
|
'/usr/bin/i3blocks'
|
|
)
|
|
AND p0.name NOT IN ('chrome_crashpad', 'dhcpcd', 'Brackets-node') -- optimization: minimalistic daemons typically only run 1 pid per path
|
|
AND pos.family != 1
|
|
AND pos.pid > 0
|
|
AND pos.state != 'LISTEN'
|
|
AND pmm.path LIKE "%.so.%"
|
|
GROUP BY pos.pid -- libc.so, ld-linux
|
|
HAVING lib_count IN (1, 2) |