Vulnerability Investigation Method of BusyBox in Emergency Situations

1. Basic Support Features of BusyBox

1. Advantages of Static Compilation

    • Does not rely on the system's dynamic link libraries (such as glibc), so it cannot be hijacked through LD_PRELOAD or a malicious shared library
    • Provides a trusted command execution environment: if an attacker has tampered with system commands such as ls, ps or netstat, the BusyBox versions still return correct information

2. Lightweight Tool Integration

    • Packs over 300 commonly used Unix tools (such as top, vi, grep), forming an emergency response toolbox
    • A single executable file occupies less than 1MB, supporting quick deployment to compromised systems

2. Core Investigation Ideas

1. Replacing Tampered System Commands

When the original system commands (such as ls/ps/top) are hijacked through malicious shared libraries, the statically compiled BusyBox binary bypasses the dynamic-linker preload mechanism, because it loads no shared libraries at all:

    # Pick the prebuilt binary that matches the target's architecture from this directory listing
    wget https://busybox.net/downloads/binaries/ -O /tmp/busybox
    chmod +x /tmp/busybox

2. Abnormal Process Detection

View process information directly through the /proc directory:

    busybox ls -l /proc/[0-9]*/exe                                                            # Execution path of every process (the symlink target)
    for p in /proc/[0-9]*; do printf '%s ' "$p"; busybox tr '\0' ' ' < "$p/cmdline"; echo; done   # Command line and arguments of every process

Compare the hash of the file that /proc/[pid]/exe points to with the known-good hash of that command to locate replaced binaries; an exe link marked "(deleted)" means the binary on disk was replaced after the process started.

3. Key Investigation Steps

1. System Command Integrity Verification

Hash the core commands:

    busybox sha1sum /bin/ls /usr/bin/top /bin/ps   # Compare with the hash values from the official package

2. LD_PRELOAD Hijacking

Check the preload file and the environment variable configuration:

    busybox cat /etc/ld.so.preload
    busybox grep -r 'LD_PRELOAD' /etc/profile.d/ /etc/bash*

3. Log Deep Analysis

Kernel log review:

    busybox dmesg | busybox grep -i 'error\|busybox\|segfault'

System log correlation analysis:

    busybox grep -E 'cron|ssh|su' /var/log/syslog   # Focus on scheduled tasks and login behavior

4. Malicious File Detection

Hidden file scanning:

    busybox find / -name ".. *" -o -name "...*"   # Detect files with unconventional, dot-padded names

Special timestamp tracking:

    busybox find / -mtime -1   # Find files modified within the last 24 hours

5. Network Behavior Analysis

Raw socket detection:

    busybox netstat -antp | busybox awk '$6=="LISTEN" || $6=="ESTABLISHED"'

Hidden connection investigation, reading network information directly through /proc/net:

    busybox cat /proc/net/tcp   # IP and port fields are hexadecimal (IP bytes in host order); state 0A = LISTEN, 01 = ESTABLISHED

4. Advanced Countermeasures

1. Rootkit Detection

Use BusyBox in conjunction with the chkrootkit/rkhunter tools:

    /tmp/busybox wget http://example.com/chkrootkit.tar.gz
    /tmp/busybox tar zxvf chkrootkit.tar.gz && cd chkrootkit-*
    make && ./chkrootkit   # BusyBox has no make applet, so the build uses the system make

2. Memory Horse (In-Memory Webshell) Detection

Scan web middleware processes with a BusyBox script:

    for pid in $(busybox pgrep java); do
        busybox ls -l /proc/$pid/fd | busybox grep '\.jar$'   # jar files each Java process holds open
    done

5. Repair Recommendations

1. System Isolation

Immediately disable external network access for the infected server:

    iptables -A OUTPUT -j DROP   # BusyBox has no iptables applet, so this uses the system iptables; keep the responder's own session reachable before applying the blanket drop

2. Persistence Detection

Investigate scheduled tasks and startup items:

    /tmp/busybox crontab -l
    /tmp/busybox ls -l /etc/init.d/ /etc/rc*.d/

3. Security Hardening

Replace the system commands with the statically compiled tools:

    /tmp/busybox cp /tmp/busybox /bin/
    /bin/busybox --install -s   # Create symlinks for the common commands in the standard binary directories
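The "Network Behavior Analysis" step in section 3 leaves the hexadecimal /proc/net/tcp fields to be decoded by hand. The following POSIX sh script is an added example (not part of the original post) that decodes them, keeps only LISTEN and ESTABLISHED sockets like the netstat/awk filter, and shows the inode that ties a socket to /proc/[pid]/fd; it assumes a little-endian host, uses constructed sample lines, and inode_owner is an assumed helper name.

```shell
# Decodes /proc/net/tcp: addresses are hex with the IP bytes in host order
# (little-endian x86/ARM assumed here); keeps only LISTEN (0A) and
# ESTABLISHED (01) sockets, mirroring the netstat | awk filter above.

# "0100007F:0016" -> "127.0.0.1:22"
hex2ip() {
  addr=${1%%:*}
  port=${1##*:}
  o4=${addr%??????}            # first byte pair is the last octet (little-endian)
  rest=${addr#??}
  o3=${rest%????}
  rest=${rest#??}
  o2=${rest%??}
  o1=${rest#??}
  printf '%d.%d.%d.%d:%d' $((0x$o1)) $((0x$o2)) $((0x$o3)) $((0x$o4)) $((0x$port))
}

state_name() {
  case "$1" in
    01) printf 'ESTABLISHED' ;;
    0A) printf 'LISTEN' ;;
    *)  printf 'OTHER(%s)' "$1" ;;
  esac
}

# Reads /proc/net/tcp-format text on stdin; prints "STATE local -> remote inode=N".
# The inode is what /proc/[pid]/fd entries show as socket:[N], so it ties a
# connection back to a process without trusting netstat.
decode_proc_tcp() {
  tail -n +2 | while read -r sl laddr raddr st txrx trw retr uid timeout inode rest; do
    case "$st" in 01|0A) ;; *) continue ;; esac
    printf '%s %s -> %s inode=%s\n' "$(state_name "$st")" "$(hex2ip "$laddr")" "$(hex2ip "$raddr")" "$inode"
  done
}

# Live host only: map a socket inode to its owning pid (inode_owner is an assumed helper name).
inode_owner() {
  for fd in /proc/[0-9]*/fd/*; do
    if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then printf '%s\n' "${fd%/fd/*}"; fi
  done
}

# Constructed sample: a listener on :22, an established local connection, and a TIME_WAIT (06) entry.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8A3C 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:9C40 0100007F:0050 06 00000000:00000000 03:00000000 00000000     0        0 0 3 0000000000000000'
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | decode_proc_tcp
```

On a live host, run `decode_proc_tcp < /proc/net/tcp` and feed an interesting inode to `inode_owner` to find the process holding that socket.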
