Linux Server Investigating
Results 1 to 7 of 7

Thread: Linux Server Investigating

  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    36

    Linux Server Investigating

    Im new to the investigating a linux server to see if it is compermised. Are there any tips that yall could give me on this. Like what commands to use first and what to do when I find how the server was compermised?

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    You have asked questions hitting on subjects where many volumes of information have been written. The lack of detail and subjective nature of your query leads me to conclude you may not be the right man for the job.

    How about some details..??

  3. #3
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    pretty hard to suggest where to start off as you gave no reason why you think it was 'compromised'.
    check the ssh, syslog, and or apache or any other logs in the /var/log/.. directories.
    see who's logged in 'w' command.
    check out the bash_history in users and the root directory.
    also find a rootkit scanner if you think its been compromised.
    safe thing to do though if you think its been compromised is to just unplug it from the network and rebuild it.

  4. #4
    Member
    Join Date
    Nov 2002
    Posts
    36
    Aside from running rkhunter and checkrootkit on a server what other measures can I use to detect a root compermise or lets say stop a outbound attack that is currently running. If you know of any threads Im more than willing to read but when I did a search on linux and security I didn't get jack.

  5. #5
    Member
    Join Date
    Nov 2002
    Posts
    36
    Mostly what im looking for is processes launching outbound attacks, Hosting malware, and botnets.

  6. #6
    Member
    Join Date
    Feb 2005
    Posts
    45
    Analyze network traffic using a sniffer such as ethereal. The majority of malware is easily spotted in network traffic. Once you've identified out of the ordinary traffic you can typically find specific details on what is causing the traffic using a search engine such as google.

  7. #7
    Junior Member
    Join Date
    Oct 2006
    Posts
    1
    1- analyze ur /etc/passwd for new users
    2- analyze the same file for a root backdoor by making a copy of the ID of root to another user.
    3- check ur net traffic.
    4- check for unusual file permissions using the command find specially for permissions with SUID and SGID
    5- Check ur LOG files
    6- check ur iptables r the configured write and dont forget to check the xinetd service too
    7- lots of things to check so just keep ur mind and ur system up2date

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides