Jun 29th, 2010
Security Checks During Server Compromise
Security Checks During Server Compromise
We can use some techniques and tools to investigate our server if we suspect they’ve been compromised.
Compromised as a result of various factors: weak passwords, weak iptables rules, older versions of software with known exploits, and more.
Below command helps you check for any “backdoors” which have been opened on your server.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 117.214.112.13:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.1:3128 192.168.1.2:53704 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53705 ESTABLISHED
tcp 0 0 192.168.1.1:22 192.168.1.2:33097 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53703 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:53702 ESTABLISHED
tcp 0 0 192.168.1.1:3128 192.168.1.2:35523 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
Sniff for any connections to a particular port using tcpdump
07:58:07.756470 IP (tos 0×0, ttl 64, id 20876, offset 0, flags [DF], proto TCP (6), length 52) laptop.ss.com.3128 > dell.local.36737: ., cksum 0×130f (correct), ack 3466497798 win 482
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel
This will capture all the packets with destination port 3128.
To list all the open IP sockets associated with your SSH server run the following command:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2701 root 3u IPv4 7109 TCP laptop.ss.com:ssh (LISTEN)
sshd 3891 root 3r IPv4 12124 TCP laptop.ss.com:ssh->dell.local:33097 (ESTABLISHED)
lsof can be used to display all his running processes for a particular user.
More example can be found in the man pages for lsof.
