October 25th, 2006 03:29 PM
Linux Server Investigating
Im new to the investigating a linux server to see if it is compermised. Are there any tips that yall could give me on this. Like what commands to use first and what to do when I find how the server was compermised?
October 25th, 2006 03:45 PM
You have asked questions hitting on subjects where many volumes of information have been written. The lack of detail and subjective nature of your query leads me to conclude you may not be the right man for the job.
How about some details..??
October 25th, 2006 03:49 PM
pretty hard to suggest where to start off as you gave no reason why you think it was 'compromised'.
check the ssh, syslog, and or apache or any other logs in the /var/log/.. directories.
see who's logged in 'w' command.
check out the bash_history in users and the root directory.
also find a rootkit scanner if you think its been compromised.
safe thing to do though if you think its been compromised is to just unplug it from the network and rebuild it.
October 25th, 2006 03:56 PM
Aside from running rkhunter and checkrootkit on a server what other measures can I use to detect a root compermise or lets say stop a outbound attack that is currently running. If you know of any threads Im more than willing to read but when I did a search on linux and security I didn't get jack.
October 25th, 2006 03:58 PM
Mostly what im looking for is processes launching outbound attacks, Hosting malware, and botnets.
October 25th, 2006 04:22 PM
Analyze network traffic using a sniffer such as ethereal. The majority of malware is easily spotted in network traffic. Once you've identified out of the ordinary traffic you can typically find specific details on what is causing the traffic using a search engine such as google.
November 5th, 2006 11:07 AM
1- analyze ur /etc/passwd for new users
2- analyze the same file for a root backdoor by making a copy of the ID of root to another user.
3- check ur net traffic.
4- check for unusual file permissions using the command find specially for permissions with SUID and SGID
5- Check ur LOG files
6- check ur iptables r the configured write and dont forget to check the xinetd service too
7- lots of things to check so just keep ur mind and ur system up2date