Aug 14th, 2008
Quick Intrusion Detection
Note: This is not a full security audit, nor a way to track down and clean up spammers or intruders on your server. If you really need to clean your server of exploits and hackers, please contact the ServerBuddies team.
Investigating Processes
type:
-
# ps aux
Get familiar with the "normal" processes for the machine so that unusual ones stand out. Focus on processes running as root (UID 0) or as the nobody user.
If you find a process that is uncommon, research it further by typing the following:
-
# lsof -p [pid]
Where [pid] is the process identifier of the process you want to examine.
lsof lists every file and network socket the running process has open, which usually reveals what it actually does.
Investigating Hidden Files
-
# find / -name "..." -print
-
# find / -name ".. " -print
-
# find / -name ". " -print
-
# find / -name " " -print
Note the spaces inside the quotes in the 2nd, 3rd and 4th commands: names such as ".. ", ". " and " " look like the ordinary . and .. entries (or like nothing at all) in a directory listing, which is why intruders use them to hide directories.
These commands search the whole filesystem for entries with those names.
Write down every hit and check whether it is normal for the system. Ordinary dot-files such as ".bash_profile", ".bash_history" and ".bashrc" are legitimate; a directory named "..." or ".. " almost never has a legitimate reason to exist.
Investigating New Accounts
Look in /etc/passwd for new accounts, especially any with UID 0 or GID 0:
-
# less /etc/passwd
# grep :0: /etc/passwd
(grep :0: also matches other colon-separated fields, so expect a few extra hits; the UID and GID are the 3rd and 4th fields.)
Normal system accounts will be there too; look for new, unexpected ones.
Look at the bottom of the file as well: useradd appends new accounts at the end, so an account added by an intruder usually turns up there (although one can be inserted anywhere by editing the file directly).
-
# tail -n5 /etc/passwd
Investigating system-wide cron jobs
-
# cat /etc/crontab
-
# ls /etc/cron.*
Check for any cron job you do not recognise. Per-user crontabs are not in these files but in the cron spool (/var/spool/cron on Red Hat-style systems), so list those for root and the web server user as well.
Investigating System Logs
-
# cd /var/log
-
# less /var/log/secure
-
# less /var/log/messages
Look for successful authentications (SSH and FTP), note the source IP addresses and check that each one is expected.
Look for newly uploaded files in the FTP and web server logs, then open them in your browser and check whether they are legitimate.
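As an added example (not from the original post), the following script puts the passwd, hidden-name and log checks from the sections above into shell functions and runs them against constructed sample data: a passwd file with two extra UID 0/GID 0 accounts, a directory tree containing the four suspicious names, and a few made-up sshd log lines. The hostnames, users and addresses in the sample data are invented; on a real host point the functions at /etc/passwd, / and /var/log/secure.

```shell
#!/bin/sh
# Added example (not from the original post): the passwd, hidden-name and
# log checks above as shell functions, run here against constructed sample
# data in a temporary directory. On a real host call them with
# /etc/passwd, / and /var/log/secure instead.

# Accounts whose UID (field 3) or GID (field 4) is 0. This is what the
# "grep :0:" check is looking for, without grep's matches on other fields.
root_accounts() {
    awk -F: '$3 == 0 || $4 == 0 { print $1 }' "$1"
}

# Directories and files named "...", ".. ", ". " or " " below $1: the same
# four patterns as the find commands above, in a single pass.
odd_names() {
    find "$1" \( -name '...' -o -name '.. ' -o -name '. ' -o -name ' ' \) -print
}

# Successful sshd logins from a secure/auth log, printed as "count user ip"
# so an unfamiliar source address stands out. Failed attempts are ignored.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
            user = ""; host = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") host = $(i + 1)
            }
            print user, host
        }' "$1" | sort | uniq -c
}

# --- constructed sample data (invented, not from any real system) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

SAMPLE_PASSWD="$WORK/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
sysadm:x:0:1001::/tmp/.x:/bin/bash
backup2:x:1002:0::/var/tmp:/bin/sh
EOF

SAMPLE_TREE="$WORK/tree"
mkdir -p "$SAMPLE_TREE/home/admin" "$SAMPLE_TREE/dev" \
         "$SAMPLE_TREE/tmp/..." "$SAMPLE_TREE/var/tmp/.. "
touch "$SAMPLE_TREE/home/admin/.bashrc" "$SAMPLE_TREE/dev/ " "$SAMPLE_TREE/tmp/.../. "

SAMPLE_LOG="$WORK/secure"
cat > "$SAMPLE_LOG" <<'EOF'
Aug 14 03:12:01 web1 sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Aug 14 03:15:44 web1 sshd[2290]: Failed password for root from 203.0.113.7 port 4422 ssh2
Aug 14 03:15:49 web1 sshd[2290]: Accepted password for root from 203.0.113.7 port 4422 ssh2
Aug 14 04:01:10 web1 sshd[2402]: Accepted publickey for admin from 10.0.0.5 port 51100 ssh2
EOF

# --- run the checks against the sample data ---
echo "== UID 0 / GID 0 accounts =="
root_accounts "$SAMPLE_PASSWD"
echo "== suspiciously named entries =="
odd_names "$SAMPLE_TREE"
echo "== accepted SSH logins (count user ip) =="
accepted_logins "$SAMPLE_LOG"
```

The awk test on fields 3 and 4 avoids the false hits a bare grep :0: produces, and the login summary counts source addresses per user, so a single login from an unfamiliar network still shows up in a long log.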
Installing and performing a Rkhunter scan
-
# cd /usr/local/src/
-
# wget http://www.serverbuddies.com/files/rkhunter-1.3.2.tar.gz
-
# tar -zxf rkhunter-1.3.2.tar.gz
-
# cd rkhunter-1.3.2
-
# ./installer.sh --layout default --install
-
# /usr/local/bin/rkhunter --update
-
# /usr/local/bin/rkhunter -c --createlogfile
Rkhunter writes its log to /var/log/rkhunter.log. Check it for any system file or binary reported as modified and reinstall each one from a clean, trusted package. Keep in mind that rkhunter runs on the possibly compromised host and depends on that host's binaries and kernel: a rootkit that hides from them can hide from rkhunter too, so a clean report is reassuring but not proof of a clean system.
Rkhunter also checks for the files and listening ports of common backdoors and rootkits.
We recommend all our customers use a software firewall and restrict open TCP/UDP ports to what the server actually needs, so that a backdoor listening on a new port cannot be reached. Blocking connect-back (reverse shell) tools requires restricting outbound connections as well, not just inbound ones.
If you need a more detailed Server Audit, please contact us.
* ServerBuddies Team