Results 1 to 2 of 2

Thread: How-to detect a possible intruder ¿? (Linux Server)

Threaded View

Previous Post Previous Post   Next Post Next Post
  1. #1
    g0d! Contributing Member siosios's Avatar
    Join Date
    Oct 2006
    Location
    In a cardboard box
    Age
    51
    HlStats

    HLStatsX Ranking for STEAM_0:1:13488560
    Posts
    13.569
    Blog Entries
    12
    Rep Power
    10

    Default How-to detect a possible intruder ¿? (Linux Server)

    Advise: this are steps recompiled from the network and a from some books, these were not done by me.

    Hello..

    I have a few incomplete steps to see if I got some intruder in my Linux system.. But i really would like to have all your suggestions to make a good doc about this matter, so please, post your tips and tricks about this subject.

    1.- Download and run Rkhunter & Chkrootkit
    2.- Run "w", and "netstat -nalp |grep "SHPORTHERE" to see whos connected using SSH
    3.- Search for ssh and ftp accepted logins.

    Code:
    Code:
    last
    cat /var/log/secure* | grep ssh | grep Accept
    cat /var/log/secure* |grep ftp |grep Accept
    less /var/log/messages | grep ftp
    4.- Watch current connections and scan your ports.

    Code:
    Code:
    netstat -nalp
    nmap 1-65535 localhost
    5.- Search for suspicious content on common explotable dirs.

    Code:
    Code:
    rm -rf /tmp/sess*
    rm -rf /var/dos-*
    rm -rf /var/tmp/ssh-*
    rm -rf /var/tmp/dos-*
    ls /tmp -lab
    ls /var/tmp -labR
    ls /dev/shm -labR
    ls /usr/local/apache/proxy -labR
    ls /usr/local/samba -labR
    6.- Checking for anomalies on this files.

    Code:
    Code:
    less /etc/passwd 
    less /etc/shadow
    less /etc/groups
    7.- Search for new users at sudoers, check wtmp and telnet is not running.

    Code:
    Code:
    cat /etc/sudoers
    who /var/log/wtmp
    cat /etc/xinetd.d/telnet
    8.- Find bash history files

    Code:
    Code:
    find '/' -iname .bash_history
    9 .- Verify the Crontab table

    Code:
    Code:
    crontab -l
    10 .- Update the slocate database and search for exploits.

    Code:
    Code:
    updatedb &
    For cPanel servers:

    Code:
    Code:
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
    For Ensim servers:

    Code:
    Code:
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'/home/virtual/site*/fst/var/log/httpd/*
    Search for shell code:

    Code:
    Code:
    cat /path/of/your/web/logs/* |grep "/x90/"
    11.- Search for hidden dirs

    Code:
    Code:
    locate "..."
    locate ".. "
    rlocate " .."
    locate ". "
    locate " ."
    12.- Search for perl-scripts running

    Code:
    Code:
    ps -aux | grep perl
    13 .- Checking nobody user and open files.

    Code:
    Code:
    service httpd stop
    lsof -u nobody
    Please, add your tips and tricks about this
    Last edited by siosios; 12-08-2008 at 06:00 PM.
    ------------------------------------------------

    |W0rd|SexualTurtletara420ת/ύ: Hey there daddy..

    ------------------------------------------------
    \\\ ///
    ( @ @ )
    .....o00o.(_).o00o.....


    ------------------------------------------

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. How-to detect a possible intruder ¿? (Linux Server)
    By siosios in forum Server Tech Talk
    Replies: 0
    Last Post: 12-08-2008, 06:27 PM
  2. Cloning Linux drives (notes for sio)
    By siosios in forum Server Tech Talk
    Replies: 6
    Last Post: 12-08-2008, 06:10 PM
  3. Replies: 0
    Last Post: 09-01-2008, 10:18 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •