How to detect a possible intruder? (Linux Server)



siosios
12-08-2008, 06:27 PM
Advice: these are steps compiled from the network and from some books; they were not written by me.

Hello..

I have a few incomplete steps to check whether I have an intruder in my Linux system, but I would really like to have all your suggestions so we can make a good doc about this matter. So please post your tips and tricks about this subject.

1.- Download and run Rkhunter & Chkrootkit
2.- Run "w" and "netstat -nalp | grep "SHPORTHERE"" (your SSH port) to see who's connected using SSH
3.- Search for accepted SSH and FTP logins.

Code:

last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* | grep ftp | grep Accept
grep ftp /var/log/messages

4.- Watch current connections and scan your ports.

Code:

netstat -nalp
nmap -p 1-65535 localhost

5.- Search for suspicious content in commonly exploitable dirs.

Code:

rm -rf /tmp/sess*
rm -rf /var/dos-*
rm -rf /var/tmp/ssh-*
rm -rf /var/tmp/dos-*
ls /tmp -lab
ls /var/tmp -labR
ls /dev/shm -labR
ls /usr/local/apache/proxy -labR
ls /usr/local/samba -labR

6.- Check for anomalies in these files.

Code:

less /etc/passwd
less /etc/shadow
less /etc/group

7.- Search for new users in sudoers, check wtmp, and check that telnet is not running.

Code:

cat /etc/sudoers
who /var/log/wtmp
cat /etc/xinetd.d/telnet

8.- Find bash history files

Code:

find '/' -iname .bash_history

9.- Verify the crontab table

Code:

crontab -l

10.- Update the slocate database and search for exploits.

Code:

updatedb &

For cPanel servers:

Code:

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*

For Ensim servers:

Code:

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*

Search for shellcode:

Code:

cat /path/of/your/web/logs/* | grep "/x90/"

11.- Search for hidden dirs

Code:

locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."

12.- Search for running perl scripts

Code:

ps -aux | grep perl

13.- Check the nobody user and its open files.

Code:

service httpd stop
lsof -u nobody

Please add your tips and tricks about this.
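The checklist above is a set of commands to type by hand. As an added example (not code from the original post), the POSIX sh functions below automate steps 3, 6, 10 and 11 against files you hand them, so the same checks can run against log copies pulled off a suspect host, and each check returns its findings on stdout where a script can act on them. The live-host paths in the wrapper at the bottom are assumptions; adjust them to your distribution.

```shell
#!/bin/sh
# Added example, not code from the original post. Each function takes the
# files to inspect as arguments so it can run on copied logs as well as live.

# Step 3: accepted SSH logins. Matches sshd "Accepted <method> for <user>
# from <ip>" lines in any syslog-style auth log and prints "user ip method".
accepted_ssh_logins() {
    grep -h 'sshd\[[0-9]*\]: Accepted ' "$@" 2>/dev/null |
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "Accepted") m = $(i + 1)
            if ($i == "for")      u = $(i + 1)
            if ($i == "from")     h = $(i + 1)
        }
        print u, h, m
    }'
}

# Step 6: accounts in a passwd file that share UID 0 with root. Any name
# printed here is a second root-equivalent login and needs an explanation.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 10: web log lines carrying the command/encoded-space patterns from the
# checklist's egrep, plus the "/x90/" marker the shellcode search looks for.
suspicious_web_requests() {
    grep -hiE '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20|/x90/' "$@" 2>/dev/null
}

# Step 11: directories whose names consist only of dots and spaces
# ("...", ".. ", " .", ...), which a plain "ls" hides.
odd_hidden_dirs() {
    find "$1" -type d 2>/dev/null | grep -E '/(\.{3,}|[. ]* [. ]*)$'
}

# Live-host wrapper; every path below is an assumption about the layout.
if [ "${1:-}" = "--live" ]; then
    echo "== accepted SSH logins ==";     accepted_ssh_logins /var/log/secure* /var/log/auth.log*
    echo "== extra UID 0 accounts ==";    extra_uid0_accounts /etc/passwd
    echo "== suspicious web requests =="; suspicious_web_requests /var/log/httpd/*access*
    echo "== odd hidden dirs ==";         for d in /tmp /var/tmp /dev/shm; do odd_hidden_dirs "$d"; done
fi
```

Run it with `--live` on the host, or source the file and call the functions on copied logs. The functions print nothing when a check is clean, so an empty section in the output is a pass.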