In this blog series , We will learn about encryption and decryption basics in a very casual fashion . We will start discussing from origin of cryptography and then learns about the modern techniques
One of the important and main tech in encryption is Cryptography
Cryptography is a tech which is very very common and which is used in everywhere right now weather any software as follows :
Routers we use in our homes
Whatsapp we use to send receive messages
Any site we are opening on https
……. And so on ..
Now , At the same time cryptography is very common , it is extremely complex also . Complex in understanding , implementing and even using it correctly .
Need of Cryptography:
To answer this let’s answer the following
Why we need password on our phone
Why to lock the door of our home when going outside and take keys with ourselves
Same is answer to use cryptography – To assures that the sender or receiver is the right one and they can only see the right form of data
To understand how it works let’s start from old age method known as : Caesar Cipher
Caesar Cipher
The Caesar Cipher is a type of substitution cipher in which each letter in a plaintext is shifted a certain number of places down the alphabet. This simple encryption technique is named after Julius Caesar, who used it to encrypt messages sent to his officials. The process of encryption is simple, a shift value ( also known as key) is chosen and each letter of the plaintext is shifted by that number of positions down the alphabet.
For example, with a shift of 3, A would be replaced by D, B would be replaced by E, and so on.
Plaintext: Sahil
Shift(Key): 3
Ciphertext: Vdklo
To decrypt the message, the shift value is used in the opposite direction.
Ciphertext: Vdklo
Shift(Key): -3
Plaintext: Sahil
It is important to note that the Caesar Cipher is very easy to break and should not be used for any serious encryption purposes as it can be broken by simple methods such as frequency analysis.
Here Algorithm is Simple: shift a letter N number of times and then replace it with that letter and Continue this process till our plain text will be Converted into cipher text .
A Caesar Cipher table is a tool that can be used to manually encrypt and decrypt messages using the Caesar Cipher method. It is a table that lists all of the letters of the alphabet and their corresponding encrypted or decrypted letters, based on a chosen shift value (or key).
Here is an example of a Caesar Cipher table with a shift(Key) value of 3:
Plaintext
Ciphertext
A
D
B
E
C
F
And so on …
With Caesar cipher, someone can easily reverse engineer this Caesar cipher text and decode the messages encrypted using this algorithm by identifying the pattern , one can easily determine the key . This was just an example to get the readers familiar with the cryptography and encryption decryption concepts .
Till Now we have heard about some important terms
Cryptography
Algorithm
Plain Text
Key
Cipher Text
Please keep them in mind as these are the generic terms used everywhere in world of encryption and decryption .
In next Blog we will gossip about some other things like
Making strong Algo as compare to caesar cipher
What is latest Algo used now a days
What type of Cryptography Techniques are present and when one should be used
The new Content-Security-Policy HTTP response header helps you reduce XSS risks on modern browsers by declaring, which dynamic resources are allowed to load.
The core functionality of CSP can be divided into three areas:
Requiring that all scripts are safe and trusted by the application owner (ideally by making sure they match an unpredictable identifier specified in the policy called the CSP nonce),
Ensuring that page resources, such as images, stylesheets, or frames, are loaded from trusted sources,
Miscellaneous other security features: preventing the application from being framed by untrusted domains(frame-ancestors), transparently upgrading all resource requests to HTTPS, and others.
Now the major concerns here are as follows :
What should be the value of csp header to provide utmost security
What should be the value of csp header so that it will be applicable by all vapt vendors and also no major change required if my application is old .
What all things need to take care while deciding the header value , How Strict the header value should be .
How to write code (if someone is making a new application) so that it remains CSP Standards compatible .
In this Blog all the above doubts will be cleared .
Example of a Strict Value of Header which can be applied at Production Setups :
Let’s look at the properties of this policy as interpreted by a modern browser:
object-src ‘none’ Prevents fetching and executing plugin resources embedded using <object>, <embed> or <applet> tags. The most common example is Flash.
script-src nonce-{random} ‘unsafe-inline’ The nonce directive means that <script> elements will be allowed to execute only if they contain a nonce attribute matching the randomly-generated value which appears in the policy. Note: In the presence of a CSP nonce the unsafe-inline directive will be ignored by modern browsers. Older browsers, which don’t support nonces, will see unsafe-inline and allow inline scripts to execute.
script-src ‘strict-dynamic’ https: http: ‘strict-dynamic’ allows the execution of scripts dynamically added to the page, as long as they were loaded by a safe, already-trusted script (see the specification). Note: In the presence of ‘strict-dynamic’ the https: and http: whitelist entries will be ignored by modern browsers. Older browsers will allow the loading of scripts from any URL.
‘unsafe-eval’ allows the application to use the eval() JavaScript function. This reduces the protection against certain types of DOM-based XSS bugs, but makes it easier to adopt CSP. If your application doesn’t use eval(), you can remove this keyword and have a safer policy.
base-uri ‘none’ Disables <base> URIs, preventing attackers from changing the locations of scripts loaded from relative URLs. If your application uses <base> tags, base-uri ‘self’ is usually also safe.
frame-ancestorshttps://example.com – This means that your application page can be opened in iframe of application page served by example.com only .
Now , if you have decided some CSP header value and want to check if it is ok to use or not ,
I hope First two concerns listed above are cleared and now moving to next one
Not only setting the correct value makes your application safe , we need to make some changes to client side code also to make the application CSP compatible .
Code Changes
Random Nonce in Code
Above we talk about the random nonce which needs to be set on CSP header , but the question how security can be achieved by setting the random nonce in the header . the answer of this question is as follows :
We also need to set this same nonce in the parent script tag also and when the browser is requesting a page it checks nonce value from script tag and header and matches it and if it does not match then mark script as unsafe .
With ’strict-dynamic’, dynamically generated scripts implicitly inherit the nonce from the trusted script that created them. This way, already- executing, legitimate scripts can easily add new scripts to the DOM without extensive application changes. However, an attacker who finds an XSS bug, not knowing the correct nonce, is not able to abuse this functionality because they are prevented from executing scripts in the first place.
Refactor inline event handlers and javascript: URIs
Inline event handlers (onclick=”…”, onerror=”…”) and <a href=”javascript:…”> links can be used to run scripts, so an attacker who finds an XSS bug could inject such HTML and execute malicious JavaScript. CSP requires refactoring those patterns into safer alternatives.
In most cases the changes will be straightforward. To refactor event handlers, rewrite them to be added from a JavaScript block:
Code before CSP compatability
<script> function doThings() { ... } </script>
<span onclick="doThings();">A thing.</span>
Code after CSP compatability
<span id="things">A thing.</span>
<script nonce="${nonce}">
document.addEventListener('DOMContentLoaded', function () {
document.getElementById('things')
.addEventListener('click', function doThings() { ... });
});
</script>
For javascript: URIs, you can use a similar pattern:
If your application uses eval() to convert JSON string serializations into JS objects, you should refactor such instances to JSON.parse().
If you cannot remove all uses of eval() you can still set a CSP policy, but you will have to use the ‘unsafe-eval’ CSP keyword which will make your policy slightly less secure.
There are many frameworks in this time , where we do not write the html and js instead we write coe in java and framework convert it into js for example GWT . Now in these case the code generated should be CSP compatible is the responsibility of frameworks .
For more knowledge on CSP you can read the following research paper and for knowing what all other options can be added to csp header and browser support visit content-security-policy.com
So, Let’s make your application more safe by including CSP header in your application .
Please comment more suggestions if any related to CSP .
You can checkout the following video for explanation of this blog .
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High: vulnerabilities with a CVSS base score of 7.0–10.0
Medium: vulnerabilities with a CVSS base score of 4.0–6.9
Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
In this Blog , i am writing about High vulnerabilities only and some of Medium and Low if they it feels important to me .
For list of all vulnerabilities you can check CISA Bulletin .
High Vulnerabilities
Primary Vendor — Product
Description
Published
CVSS Score
Source & Patch Info
apache — nuttx
Apache Nuttx Versions prior to 10.1.0 are vulnerable to integer wrap-around in functions malloc, realloc and memalign. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash or a remote code injection/execution.
The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the “Import Settings” feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the “Import Settings” functionality to achieve Remote Code Execution.
In the Location Manager WordPress plugin before 2.1.0.10, the AJAX action gd_popular_location_list did not properly sanitise or validate some of its POST parameters, which are then used in a SQL statement, leading to unauthenticated SQL Injection issues.
An issue was discovered in Cleo LexiCom 5.5.0.0. Within the AS2 message, the sender can specify a filename. This filename can include path-traversal characters, allowing the file to be written to an arbitrary location on disk.
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. A buffer overflow vulnerability exists in Contiki-NG versions prior to 4.6. After establishing a TCP socket using the tcp-socket library, it is possible for the remote end to send a packet with a data offset that is unvalidated. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround.
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. It is possible to cause an out-of-bounds write in versions of Contiki-NG prior to 4.6 when transmitting a 6LoWPAN packet with a chain of extension headers. Unfortunately, the written header is not checked to be within the available space, thereby making it possible to write outside the buffer. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround.
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. In verions prior to 4.6, an attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This type of attack can effectively shut down the operation of the system because of the cooperative scheduling used for the main parts of Contiki-NG and its communication stack. The problem has been patched in Contiki-NG 4.6. Users can apply the patch for this vulnerability out-of-band as a workaround.
Contiki-NG is an open-source, cross-platform operating system for internet of things devices. In versions prior to 4.5, buffer overflow can be triggered by an input packet when using either of Contiki-NG’s two RPL implementations in source-routing mode. The problem has been patched in Contiki-NG 4.5. Users can apply the patch for this vulnerability out-of-band as a workaround.
In updateDrawable of StatusBarIconView.java, there is a possible permission bypass due to an uncaught exception. This could lead to local escalation of privilege by running foreground services without notifying the user, with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-169255797
In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181860042
In the Settings app, there is a possible way to disable an always-on VPN due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-179975048
In p2p_process_prov_disc_req of p2p_pd.c, there is a possible out of bounds read and write due to a use after free. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-181660448
Joomla! Core is prone to a security bypass vulnerability. Exploiting this issue may allow attackers to perform otherwise restricted actions and subsequently retrieve password reset tokens from the database through an already existing SQL injection vector. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
Joomla! Core is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to properly verify user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. Joomla! Core versions 1.5.x ranging from 1.5.0 and up to and including 1.5.15 are vulnerable.
Secure 8 (Evalos) does not validate user input data correctly, allowing a remote attacker to perform a Blind SQL Injection. An attacker could exploit this vulnerability in order to extract information of users and administrator accounts stored in the database.
The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High: vulnerabilities with a CVSS base score of 7.0–10.0
Medium: vulnerabilities with a CVSS base score of 4.0–6.9
Low: vulnerabilities with a CVSS base score of 0.0–3.9
In this Blog , i am writing about High vulnerabilities only and some of Medium and Low if they it feels important to me .
For list of all vulnerabilities you can check CISA Bulletin .
High Vulnerabilities
Primary Vendor — Product
Description
Published
CVSS Score
Source & Patch Info
bloofox — bloofoxcms
bloofoxCMS 0.5.2.1 is infected with Unrestricted File Upload that allows attackers to upload malicious files (ex: php files).
In avrc_msg_cback of avrc_api.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-8.1 Android-9 Android-10Android ID: A-177611958
In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183464866
In memory management driver, there is a possible memory corruption due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183461321
In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183461320
In memory management driver, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183467912
In memory management driver, there is a possible out of bounds write due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183459083
In memory management driver, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183461318
In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183461317
In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183459078
In memory management driver, there is a possible escalation of privilege due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183461315
In memory management driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-183464868
In onCreate of CalendarDebugActivity.java, there is a possible way to export calendar data to the sdcard without user consent due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174046397
In onActivityResult of EditUserPhotoController.java, there is a possible access of unauthorized files due to an unexpected URI handler. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-172939189
In getMinimalSize of PipBoundsAlgorithm.java, there is a possible bypass of restrictions on background processes due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-174302616
In notifyScreenshotError of ScreenshotNotificationsController.java, there is a possible permission bypass due to an unsafe PendingIntent. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-178189250
An improper input validation vulnerability in sflacfd_get_frm() in libsflacextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
An improper input validation vulnerability in sdfffd_parse_chunk_FVER() in libsdffextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
An improper input validation vulnerability in sdfffd_parse_chunk_PROP() in libsdffextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
An improper input validation vulnerability in sdfffd_parse_chunk_PROP() with Sample Rate Chunk in libsdffextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
An improper input validation vulnerability in scmn_mfal_read() in libsapeextractor library prior to SMR MAY-2021 Release 1 allows attackers to execute arbitrary code on mediaextractor process.
In on_l2cap_data_ind of btif_sock_l2cap.cc, there is possible memory corruption due to a use after free. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-10Android ID: A-175686168
In rw_t3t_process_error of rw_t3t.cc, there is a possible double free due to uninitialized data. This could lead to remote code execution over NFC with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-9 Android-10 Android-11 Android-8.1Android ID: A-179687208
An improper access control vulnerability in genericssoservice prior to SMR JUN-2021 Release 1 allows local attackers to execute protected activity with system privilege via untrusted applications.
In last article we described List of Checks which can determine if system is compromised or hacked . In this article we will talk about preventive steps (specially infra related) can be taken care to avoid hacking or to make system more secure . There are many directions in which we can secure our application as follows :
OS hardening (Infra Level Security)
Secure Coding guidelines
Encryption Of Sensitive Data .
Ensure No Vulnerability exists in system .
In this Blog we will be concerned about OS hardening (Infra Level Security) in Linux systems(CentOS/Redhat). We will Cover Other parts in Future Blogs .
Now Let’s go to the System Part. It has following things to be taken care of :
SSH Configuration :
In linux based system SSH default port is 22 . This Defaut port should be changed to some unused port to enhance security .
Use SSH Protocol 2 Version
Ensure SSH X11 forwarding is disabled
Port Configuration at Firewall : Generally , in any application there are many applications running on set of servers and each running on some different ports , Say for example :
Application server at 8080 port
Database Server at 5432 port
So, as in above Case Users need to login through 8080 port so only this port should be opened for public as Database needs to interact generally with application server so 5432 port should be allowed from Application Server’s IP .
Multi Factor Authentication for SSH should be enabled — For setting up Google Authentication on CentOS or Redhat you can follow the link
Root login for any server must be disabled
Server Login Policies
Ensure password expiration is 365 days or less
Ensure minimum days between password changes is 7 or more
Ensure password expiration warning days is 7 or more
Ensure inactive password lock is 30 days or less
Ensure Password should be strong enough when user change its password
Application and Database should be on different Servers : this is because of that if due to some vulnerability application hacked than acces to database in that case is protected .
Regular package updates : Configure Auto update or regularly update packages on all configured servers .
Tune Network Kernel Parameters :
IP forwarding should be disabled on all servers
Do the following entry in sysctl.conf
net.ipv4.ip_forward = 0
Packets Redirecting should be diabled on all servers .
Do the following entry in sysctl.conf
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Selinux should be enabled and configured .
Antivirus must be installed on all servers .
All Above are basic minimum checklists which should be applied to all the servers in any production environment . For implementing in-depth OS Hardening specially for CentOS based Systems , one need to follow the latest CIS CentOS Benchmarklatest CIS .
You can also check the below benchmark list from CIS for CentOS hardening : Below doc also explain how to implement things on CentOS .
As in my previous Blog where i explained how i came to know if my system is hacked or compromized (link here). Here in this blog i will explain what basic things we can check on our system when we have doubt if our system is compromized .
This Blogs have 3 parts
List of Checks which can determine if system is compromised or hacked – Part 1
List of checks which can give a direction how system is compromised or hacked – Part 2
What preventive steps (specially infra related) can be taken care to avoid hacking or to make system more secure – Part 3
Here , i am assuming system is Linux system with Centos installed .
List of Checks which can determine if system is compromised or hacked
Generally when hacker break into a linux system it is high chance that it will alter you main packages like openssh,kernel etc.. , So first if of please check if these packages are altered or there are some changes in the files or binaries provided by these packages . Following are commands to check on Centos
In above output you can see the rhost from where login attempt are made . If you see lots of entries like this then also check if at some point of time some login attempt will be successful from any of attempting rhosts . In secure logs accepted logs will looks something like as follows :
Apr 25 12:53:10 localhost sshd[3551]: Accepted password for root from 192.168.29.14 port 36362 ssh2
Check in Processes if some unusual process is running and consuming high CPU using top and ps commands .
Command to list all process running in system : ps aux | less
Also check using top command if some unusual process trying to utiize high cpu
Check if there is some unusual entry in crontab of all users made on system
crontab -u <user> -l . by default user is root
Check if in id_rsa.pub , if some attacker has somehow made its entry in .ssh folder in every users’s home directory .
This was the Part 1 of the Blog , In later Parts i will explain some further checklist to ensure that you system will remain less hackable .
In Debugging any issue or any dealing any problem or circumstance two things are important
Observation — Observation not only at the time of issue but in general times also .
Combining your general observations and Observations at the time of issue to conclude something .
In this Blog , I will explain the following :
What was happening on my machine
How i came to know my machine is broken into — Power of observation
What was happening on my machine
Load on my machine is going very high
On top command one process ./kwsapd0 is consuming around 3000% cpu
From here we get to know that kswapd is consuming process , The process kswapd0 is the process that manages virtual memory . So I thought that may be our some process is consuming more RAM and Virtual Memory is being used due to which kswapd process is doing its work but after hours of debugging we found no process is consuming RAM and around 80% RAM was free .
How i came to know my machine is broken into — Power of observation
There were two general observation which i observed and helped my geeting know what was the issue
1st is kswapd process looks in top command like [kswapd] not ./kswapd
Kswapd0 can only consume 100% as it uses only one core in the machine .
From there I got to know that this kswapd0 is something unusual . On further debugging
I found ./.configrc/a/kswapd0 in root users directory .
So , From all of this i got to know that my system was compromised .
Yet I was unable to find out how my system was broken into . But in my future Blog i will explain what things one can check if your system is compromised and how it is compromised and what all security we can apply to our system to make it less hackable .
helloworlds 