Reply With QuoteVery nice, Sios. Linux ftw.
Oh by the way, if you plan on making a hosting company or know a hosting company, give them this: http://www.corecp.com
We just opened our BETA friday and we're all excited about it. It's gonna be ownage. ^_^
How-to detect a possible intruder ¿? (Linux Server)
Advise: this are steps recompiled from the network and a from some books, these were not done by me.
Hello..
I have a few incomplete steps to see if I got some intruder in my Linux system.. But i really would like to have all your suggestions to make a good doc about this matter, so please, post your tips and tricks about this subject.
1.- Download and run Rkhunter & Chkrootkit
2.- Run "w", and "netstat -nalp |grep "SHPORTHERE" to see whos connected using SSH
3.- Search for ssh and ftp accepted logins.
Code:
4.- Watch current connections and scan your ports.Code:last cat /var/log/secure* | grep ssh | grep Accept cat /var/log/secure* |grep ftp |grep Accept less /var/log/messages | grep ftp
Code:
5.- Search for suspicious content on common explotable dirs.Code:netstat -nalp nmap 1-65535 localhost
Code:
6.- Checking for anomalies on this files.Code:rm -rf /tmp/sess* rm -rf /var/dos-* rm -rf /var/tmp/ssh-* rm -rf /var/tmp/dos-* ls /tmp -lab ls /var/tmp -labR ls /dev/shm -labR ls /usr/local/apache/proxy -labR ls /usr/local/samba -labR
Code:
7.- Search for new users at sudoers, check wtmp and telnet is not running.Code:less /etc/passwd less /etc/shadow less /etc/groups
Code:
8.- Find bash history filesCode:cat /etc/sudoers who /var/log/wtmp cat /etc/xinetd.d/telnet
Code:
9 .- Verify the Crontab tableCode:find '/' -iname .bash_history
Code:
10 .- Update the slocate database and search for exploits.Code:crontab -l
Code:
For cPanel servers:Code:updatedb &
Code:
For Ensim servers:Code:egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/* egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
Code:
Search for shell code:Code:egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'/home/virtual/site*/fst/var/log/httpd/*
Code:
11.- Search for hidden dirsCode:cat /path/of/your/web/logs/* |grep "/x90/"
Code:
12.- Search for perl-scripts runningCode:locate "..." locate ".. " rlocate " .." locate ". " locate " ."
Code:
13 .- Checking nobody user and open files.Code:ps -aux | grep perl
Code:
Please, add your tips and tricks about thisCode:service httpd stop lsof -u nobody
Last edited by siosios; 12-08-2008 at 06:00 PM.
------------------------------------------------
|W0rd|SexualTurtletara420ת/ύ: Hey there daddy..
------------------------------------------------
\\\ ///
( @ @ ).....o00o.(_).o00o.....
------------------------------------------
Very nice, Sios. Linux ftw.
Oh by the way, if you plan on making a hosting company or know a hosting company, give them this: http://www.corecp.com
We just opened our BETA friday and we're all excited about it. It's gonna be ownage. ^_^
AKA suttoN on the n/u servers
There are currently 3 users browsing this thread. (0 members and 3 guests)
Posting Permissions
Bookmarks