Linux - Security (LinuxQuestions.org). This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Anyone, please give me a step-by-step procedure on doing forensics for my suspected compromised server. I have been researching this for some time and I can't find a step-by-step procedure on doing that. Also I want to use any open source tools that are available for doing this procedure.
The security references thread also has an extensive number of links to forensic tools and utils that should help you out. If you have any specific questions or need advice on doing the analysis, feel free to post them.
Mcalizo, I think forensics could be easier when you tap into the collective power of LQ, so could you at least tell us the symptoms the box displays or alerts you've gotten?
unSpawn, I've got a RH9.0 web server. Last week I ran chkrootkit (as I always do daily), and I found that su is infected. I also ran rkhunter to verify the result and the same output came out. But the worst case is there's a lot of spoofed IPs trying to connect to that server when I run iptstate and iptraf. So I isolated that server and replaced it with another "hardened" server, but still I can monitor a lot of attempted connections using port 80. Those connections (though not successful) push our bandwidth utilization to maximum.
Quote: last week I ran chkrootkit (as I always do daily), I found that su is infected.
If you check Chkrootkit it'll do a grep. Could you please post the output of running:
strings -an1 /bin/su | egrep -ie "(satori|vejeta|conf)"
This should rule out false positives.
Quote: I also ran rkhunter to verify the result and the same output came out.
If you check Rootkit Hunter it'll do an md5sum check, and that may not match your su version. Could you please post the output of running this; it's a quick way of checking the md5sum against the rpm contents (sh-utils from running "rpm -q --whatprovides /bin/su"):
rpm -q --dump sh-utils | grep "^/bin/su "
md5sum /bin/su
Quote: So I isolated that server
How did you isolate it (yank/reconnect network cable, power down, other)? Where is it located (isolated subnet?)? Is it still up without reboot? Any chance of getting account, process and network details? Logs? If you powered it down I hope you didn't reboot it.
[EDIT]
I mean a dead server should be left dead until the coroner has done its job. Resurrection could result in all sorts of weirdness (or nothing, but are you willing to take the chance...).
[/EDIT]
Quote: but still I can monitor a lot of attempted connections using port 80. Those connections (though not successful) push our bandwidth utilization to maximum.
Do you run an IDS (like Snort or Prelude)? Or Ethereal or tcpdump? Any chance of getting tcpdump output?
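As an added example (not code from the thread or from chkrootkit/rkhunter), the script below does unSpawn's two checks in one place: it compares the md5 of a binary with the md5 recorded for it in "rpm -q --dump" output, and it lists which strings actually trip the su signature, so you can see whether "conf" matched a rootkit marker or just the word "config". It assumes the rpm --dump field layout (path size mtime md5 mode owner group isconfig isdoc rdev symlink), uses grep -a instead of strings(1), takes the pattern from the post above, and runs its demo on constructed sample data; live_check is the hypothetical wrapper for a real RPM-based host.

```shell
#!/bin/sh
# Added example for this thread (not the posters' code): cross-check a binary
# such as /bin/su against the md5 the RPM database recorded for it, and list
# which strings trip the chkrootkit-style su signature.

# Pattern as quoted in the post above. "conf" is broad: it also matches
# "config", which is why seeing the matching strings matters.
SU_PATTERN='satori|vejeta|conf'

# Print the distinct "words" in FILE that match SU_PATTERN, one per line.
# grep -a scans the binary directly, so this needs no strings(1)/binutils.
su_signature_hits() {
    grep -aoEi "[[:alnum:]_./-]*(${SU_PATTERN})[[:alnum:]_./-]*" "$1" | sort -u
}

# Read "rpm -q --dump" output on stdin and print the md5 recorded for PATH.
# Dump layout: path size mtime md5 mode owner group isconfig isdoc rdev symlink
rpmdb_md5_for() {
    awk -v p="$1" '$1 == p { print $4; exit }'
}

# Compare the on-disk md5 of FILE with the entry for FILE in DUMPFILE.
# Prints match / MISMATCH / unknown; exit status 0 / 1 / 2.
verify_against_dump() {
    file="$1"; dumpfile="$2"
    recorded=$(rpmdb_md5_for "$file" < "$dumpfile")
    if [ -z "$recorded" ]; then
        echo unknown; return 2
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$recorded" ]; then
        echo match; return 0
    fi
    echo MISMATCH; return 1
}

# Hypothetical wrapper for a real RPM host: find the owning package, dump it,
# verify TARGET. Not run automatically. If the local rpm database is not
# trusted, feed verify_against_dump a dump from pristine media instead
# ("rpm -qp --dump package.rpm").
live_check() {
    target="${1:-/bin/su}"
    pkg=$(rpm -q --whatprovides "$target") || return 2
    dump="${TMPDIR:-/tmp}/rpm-dump.$$"
    rpm -q --dump "$pkg" > "$dump"
    verify_against_dump "$target" "$dump"
    su_signature_hits "$target"
}

# Self-contained demo on constructed data (no real su binary is touched).
demo() {
    d=$(mktemp -d)
    printf 'constructed fake su binary\nconfig file /etc/pam.d/su\n' > "$d/su"
    sum=$(md5sum "$d/su" | awk '{ print $1 }')
    # constructed dump line in rpm --dump layout, carrying the real md5
    printf '%s 52 1046000000 %s 0104755 root root 0 0 0 X\n' "$d/su" "$sum" > "$d/dump"
    echo "unchanged file:  $(verify_against_dump "$d/su" "$d/dump")"
    echo "signature hits:  $(su_signature_hits "$d/su" | tr '\n' ' ')"
    printf 'satori\n' >> "$d/su"                       # simulate tampering
    echo "after tampering: $(verify_against_dump "$d/su" "$d/dump" || true)"
    echo "signature hits:  $(su_signature_hits "$d/su" | tr '\n' ' ')"
    rm -rf "$d"
}

demo
```

Run it as-is for the demo; on the suspect box, source it and call live_check /bin/su. Two caveats worth keeping in mind: an md5 that matches the package's recorded value means the file on disk is the one the package shipped, which is the answer to the rkhunter hit, but the rpm database on a compromised host can itself be altered, so a dump from a pristine package or a known-good host is the better reference; and a chkrootkit hit on "conf" alone says little, since the demo shows an innocuous "config" string matching it while "satori" only appears after the file is tampered with.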