Got pwned? OK, first of all: calm down!
Some easy-to-use tools to start with are rkhunter, chkrootkit and unhide. Keep in mind that a kernel rootkit can lie to every userland tool you run on the box, so treat a clean result as a hint, not as proof.
Check /var/tmp, /tmp and /dev/shm for suspicious files and hidden dot-directories (ls -la).
Save the current memory to a loghost, 2 commands (start the listener on the loghost first):
on $loghost
netcat -v -l -p 9000 | dd of=mem.dd
on $compromised
dd if=/dev/mem | netcat $ip_loghost 9000
(Traditional netcat syntax; the OpenBSD nc wants "nc -l 9000" without -p. The transfer is in clear, so use a dedicated network or tunnel it.)
No loghost? Just dd memory, to external media if at all possible so you don't overwrite evidence on the compromised disk:
dd if=/dev/mem of=/mem.dd
Caveat: on most current distribution kernels (CONFIG_STRICT_DEVMEM) /dev/mem only exposes the first megabyte of physical memory, so this yields almost nothing useful; use a kernel-module acquisition tool such as LiME instead and ship the resulting image the same way.
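An added example, not from the original page: a POSIX shell helper that writes an acquisition stream to a file and records its SHA-256 while the data is still in flight, so the image is hashed once at capture time instead of by re-reading volatile memory. The function names (acquire_to_file, receive_image, send_image, verify_image) are my own; the loghost side uses the traditional netcat -l -p syntax from above, and the hash is taken on the loghost, the only host involved you can trust.

```shell
#!/bin/sh
# Added example: capture a stream (e.g. /dev/mem, /dev/sda) to DEST and
# store sha256(DEST) in DEST.sha256 as the bytes pass through.
# Function names are my own; nothing here is from the original page.

# acquire_to_file SRC DEST  - local capture, e.g. onto an external disk.
# Prints the hash so it can go straight into the case notes.
acquire_to_file() {
    src=$1
    dest=$2
    dd if="$src" bs=1M | tee "$dest" | sha256sum | cut -d' ' -f1 > "$dest.sha256"
    cat "$dest.sha256"
}

# receive_image PORT DEST  - loghost side of the netcat transfer.
receive_image() {
    port=$1
    dest=$2
    netcat -v -l -p "$port" | tee "$dest" | sha256sum | cut -d' ' -f1 > "$dest.sha256"
    cat "$dest.sha256"
}

# send_image SRC HOST PORT  - compromised-host side; kept minimal so as
# little as possible runs on the suspect machine.
send_image() {
    dd if="$1" bs=1M | netcat "$2" "$3"
}

# verify_image DEST  - exit 0 when DEST still matches its recorded hash
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Usage (commented out: needs root and a second host):
#   acquire_to_file /dev/mem /mnt/usb/mem.dd
#   receive_image 9000 mem.dd              # on $loghost, first
#   send_image /dev/mem $ip_loghost 9000   # on $compromised
#   verify_image mem.dd                    # any time later
```

Write the printed hash down (or sign it) before you start analysing the image; verify_image then tells you whether the copy you are looking at is still the one you captured.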
Show the command line of suspicious process $PID (the arguments are NUL-separated, so a plain cat runs them together):
tr '\0' ' ' < /proc/$PID/cmdline; echo
Show its environment, e.g. the directory it was started from:
tr '\0' '\n' < /proc/$PID/environ | grep PWD
Also look at the /proc/$PID/exe and /proc/$PID/cwd links: "(deleted)" on exe means the binary was removed after the process started, a classic malware trick, and the kernel still lets you copy the file out through that link.
print the memory map of a process in the extended format.
pmap -x $PID
or in the device format
pmap -d $PID
Show the system calls of a suspicious process (attaching with ptrace is noisy, can be noticed by the malware and is restricted by Yama ptrace_scope for unprivileged users):
strace -p $PID
Display the open file handles of a process:
lsof -p $PID
Show which processes (and, with -v, which users) access a file or a mounted filesystem:
fuser -v $FILE
fuser -vm $PARTITION
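An added example, not from the original page: the /proc checks above bundled into one POSIX shell triage script. The function names (proc_cmdline, proc_exe_deleted, proc_save_exe, proc_triage and so on) are my own; it assumes a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the original page): collect the /proc facts
# about a suspicious PID in one go. Function names are my own.

# Command line; /proc/PID/cmdline separates arguments with NUL bytes.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

# Environment, one variable per line (PWD = where it was started from)
proc_environ() {
    tr '\0' '\n' < "/proc/$1/environ"
}

# Path of the running executable. It ends in " (deleted)" when the file
# was unlinked after the process started.
proc_exe() {
    readlink "/proc/$1/exe"
}

# Exit 0 when the running binary no longer exists on disk
proc_exe_deleted() {
    case "$(proc_exe "$1")" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# Rescue a copy of the (possibly deleted) binary for later analysis;
# the kernel still serves the unlinked inode through the exe link.
proc_save_exe() {
    cp "/proc/$1/exe" "$2" && sha256sum "$2"
}

# Everything at once, for the case notes
proc_triage() {
    pid=$1
    echo "PID $pid"
    echo "cmdline: $(proc_cmdline "$pid")"
    echo "exe:     $(proc_exe "$pid")"
    echo "cwd:     $(readlink "/proc/$pid/cwd")"
    proc_environ "$pid" | grep '^PWD=' || echo "PWD: (not set)"
    echo "open fds:"
    ls -l "/proc/$pid/fd"
}

# Usage: ./proc_triage.sh $PID
if [ "$#" -eq 1 ]; then
    proc_triage "$1"
fi
```

Run it as the user owning the process or as root; /proc/$PID/environ and the exe and cwd links are not readable across users.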
Check for sockets/connections (-p only shows the owning process when run as root; on newer systems ss from iproute2 replaces netstat):
netstat -tanp
netstat -patune
What uses a TCP port?
lsof -i tcp:<portnumber>
Check for suspicious PHP scripts. This will generally give you many false positives, since legitimate code uses these functions too:
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" $directory
Find base64-encoded PHP shells and malicious scripts (-print0/-0 keep file names with spaces intact):
find $directory -name '*.php' -print0 | xargs -0 grep -n 'eval(base64_decode'
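An added example, not from the original page: the find/grep above turned into a small POSIX shell script that also decodes the base64 payload of each hit, so you see what the shell does before you delete it. The function names (find_b64_shells, decode_b64_payload, make_sample_tree) and the sample tree it builds are my own constructions; it needs GNU or busybox base64 (base64 -d).

```shell
#!/bin/sh
# Added example (not from the original page): locate PHP files calling
# eval(base64_decode(...)) and decode the hidden payload. Names are my own.

# List .php files under DIR containing eval(base64_decode. find -exec ... +
# is used instead of xargs so odd file names and an empty result set are
# handled correctly.
find_b64_shells() {
    find "$1" -name '*.php' -type f -exec grep -l 'eval(base64_decode' {} +
}

# Extract the first quoted base64 literal passed to base64_decode( in FILE
# and print it decoded. Payloads split over several string constants or
# wrapped in further encoding layers need manual work.
decode_b64_payload() {
    q="'\""
    m=$(grep -o "base64_decode([$q][A-Za-z0-9+/=]*[$q])" "$1" | head -n 1)
    [ -n "$m" ] || return 1
    m=${m#"base64_decode("?}
    m=${m%?")"}
    printf '%s' "$m" | base64 -d
}

# Constructed sample tree: one clean file and one obfuscated shell whose
# payload is encoded right here, so there is nothing hidden in this example.
make_sample_tree() {
    mkdir -p "$1/uploads"
    printf '<?php echo "hello"; ?>\n' > "$1/index.php"
    enc=$(printf '%s' 'system($_GET["cmd"]);' | base64 | tr -d '\n')
    printf "<?php eval(base64_decode('%s')); ?>\n" "$enc" > "$1/uploads/image.php"
}

# Scan the directory given on the command line, or the sample tree
if [ "$#" -eq 1 ]; then
    dir=$1
else
    dir=$(mktemp -d)
    make_sample_tree "$dir"
fi
find_b64_shells "$dir" | while IFS= read -r f; do
    echo "== $f"
    decode_b64_payload "$f"
    echo
done
```

Decoded output that itself contains another eval(base64_decode(...)) or gzinflate(...) layer is common; feed it back through the same function, or into php -r, until you reach plain code.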
A great Perl script I found on abuseat.org. Usage: ./cblfind $directory (./cblfind /var/www/)
#!/usr/bin/perl
# The above line may need to be changed to point at your version of Perl
# Very simple web malware detection module.
# Author: CBL Team <cbl@cbl.abuseat.org>
# Version 0.02
# Change history:
# .01->.02: search 100 lines, add socket to scriptpat (2011/11/25)
use strict;
use warnings;

# List of access-control files to check
my $access = '(\.htaccess)';
# Patterns to look for in access-control files
my $accesspat = '(RewriteRule)';
# Only the first $MAXLINES lines of each file are scanned
my $MAXLINES = 100;
# List of files to check
my $scripts = '\.(php|pl|cgi)$';
# Patterns to look for
my $scriptpat = '(socket|r57|c99|web shell|passthru|shell_exec|phpinfo|base64_decode|edoced_46esab|PHPShell)';

die "usage: $0 directory [directory ...]\n" unless @ARGV;

for my $dir (@ARGV) {
    recursion($dir, $access, $accesspat);
    recursion($dir, $scripts, $scriptpat);
}

# Walk $dir recursively; for every file whose name matches $filepat,
# report the first line (within $MAXLINES) that matches $patterns.
sub recursion {
    my ($dir, $filepat, $patterns) = @_;
    opendir(my $dh, $dir) || die "Can't open $dir: $!";
    my @list = readdir($dh);
    closedir($dh);
    for my $file (@list) {
        next if $file =~ /^\.\.?$/;    # skip . and ..
        my $currentfile = "$dir/$file";
        if (-d $currentfile) {
            # don't follow symlinked directories, they can loop forever
            recursion($currentfile, $filepat, $patterns) unless -l $currentfile;
        } elsif ($currentfile =~ /$filepat/) {
            open(my $fh, '<', $currentfile) || next;
            my $linecount = 1;
            while (my $line = <$fh>) {
                chomp $line;
                if ($line =~ /$patterns/) {
                    my $pat = defined $1 ? $1 : $&;
                    # show up to 10 characters of context on either side of the hit
                    my $string = $line;
                    if ($line =~ /(.{0,10})\Q$pat\E(.{0,10})/) {
                        $string = "$1$pat$2";
                    }
                    print "$currentfile: Suspicious($pat): $string\n";
                    last;
                }
                last if $linecount++ > $MAXLINES;
            }
            close($fh);
        }
    }
}
Find setuid (and setgid) files and compare the list against a clean reference system or the package database (rpm -Va, debsums):
find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print0 | xargs -0 ls -l
Learn more about forensics with good scenarios on Windows, Linux and Mac.