Thread: Linux Server Investigating

  1. #1

    Linux Server Investigating

    I'm new to investigating a Linux server to see if it is compromised. Are there any tips that y'all could give me on this? Like what commands to use first, and what to do when I find how the server was compromised?

  2. #2
    Senior Member. Join Date: Mar 2004. Location: Colorado. Posts: 421
    You have asked questions hitting on subjects where many volumes of information have been written. The lack of detail and subjective nature of your query leads me to conclude you may not be the right man for the job.

    How about some details?

  3. #3
    Senior Member deftones12. Join Date: Jan 2003. Location: cali forn i a. Posts: 333
    Pretty hard to suggest where to start off, as you gave no reason why you think it was 'compromised'.
    Check the ssh, syslog, and/or apache or any other logs in the /var/log/ directories.
    See who's logged in with the 'w' command.
    Check out the bash_history in users' and the root directory.
    Also find a rootkit scanner if you think it's been compromised.
    The safe thing to do, though, if you think it's been compromised is to just unplug it from the network and rebuild it.

  4. #4
    Aside from running rkhunter and chkrootkit on a server, what other measures can I use to detect a root compromise or, let's say, stop an outbound attack that is currently running? If you know of any threads I'm more than willing to read, but when I did a search on linux and security I didn't get jack.

  5. #5
    Mostly what I'm looking for is processes launching outbound attacks, hosting malware, and botnets.

  6. #6
    Analyze network traffic using a sniffer such as Ethereal. The majority of malware is easily spotted in network traffic. Once you've identified out-of-the-ordinary traffic, you can typically find specific details on what is causing the traffic using a search engine such as Google.

  7. #7
    Junior Member. Join Date: Oct 2006. Posts: 1
    1- Analyze your /etc/passwd for new users.
    2- Analyze the same file for a root backdoor made by copying the ID of root to another user.
    3- Check your net traffic.
    4- Check for unusual file permissions using the find command, especially for permissions with SUID and SGID.
    5- Check your LOG files.
    6- Check your iptables are configured right, and don't forget to check the xinetd service too.
    7- Lots of things to check, so just keep your mind and your system up to date.

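An added example, not code from anyone in this thread, that turns items 1, 2 and 4 of the list above into repeatable checks. The function names, the sample passwd file and the "sysadm" account in it are constructed for the demo; on a real host you would pass /etc/passwd and / instead and diff the output against a known-good baseline.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side triage checks that
# implement items 1, 2 and 4 of post #7. Each function takes a path so it
# can be run offline against constructed sample data; on a real host pass
# /etc/passwd and / instead.

# Item 2: accounts whose UID is 0 but whose name is not "root". A second
# UID-0 entry is the classic "copy root's ID to another user" backdoor.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Item 1: accounts that have a real login shell and could be used
# interactively; review any name you do not recognise.
find_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Item 4: SUID/SGID files under a directory (same filesystem only), sorted
# so the output can be diffed against a known-good baseline.
find_setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Constructed sample passwd file (not from a real host) so the checks run
# offline. "sysadm" is the planted UID-0 backdoor the checks should flag.
make_sample_passwd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/sh
EOF
    echo "$f"
}

# Demo run against the sample data (prints "sysadm" under the first heading).
sample=$(make_sample_passwd)
echo "== UID-0 accounts other than root =="
find_uid0_accounts "$sample"
echo "== accounts with a login shell =="
find_login_accounts "$sample"
rm -f "$sample"
```

Run find_setuid_files against / once on a freshly built box, save the list, and re-run it periodically; any new entry is worth explaining.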