Major way to detect malware: first run top and see if any process is using a lot of CPU.
- 1, find the directory the process runs in, look for suspicious files there and delete them.
    top                                <-- note the PID of any process hogging CPU
    ls -l /proc/<pid>/cwd              <-- cwd is a symlink to the dir the process runs in (/proc/<pid>/pwd does not exist)
    ls -l /proc/<pid>/exe              <-- the binary it was started from, shown as "(deleted)" if it has already been removed from disk
    kill -9 <pid>                      <-- stop it first, otherwise it may simply recreate the files you delete
    rm files                           <-- if no permission, then chmod; if still no permission then lsattr
    lsattr files                       <-- check whether the files are immutable (i) or append-only (a)
    chattr -i -a files                 <-- remove the immutable/append-only flags, then rm again
    rm files
- 2, load up the backup and compare files for differences.
    mkdir /mnt/backfil/                <-- make a dir to mount at
    ls /dev/vd*                        <-- list the backup device
    mount -o ro /dev/vdc1 /mnt/backfil <-- mount the backup device read-only so nothing on it can be touched
    cd /                               <-- go to the root dir
    rsync -avnc /mnt/backfil/ ./ | less   <-- list file differences; n is important (dry run, nothing is copied yet)
  Notes: c compares checksums; without it rsync only compares size and mtime, so a trojaned file whose original timestamp was put back (touch -r) would be missed. This direction only lists files that differ from, or are missing compared to, the backup. To also see files the attacker added that the backup does not have, add --delete to the dry run (rsync -avnc --delete /mnt/backfil/ ./) and look for the "deleting" lines. Exclude /proc, /sys, /dev, /run, /tmp and /mnt itself, or the listing is drowned in noise.
- 3, go through the differences and find any suspicious file, e.g. files in /etc/, some service executables, and copy the file back from the backup.
- example: /etc/ssh/ has been changed, rsync it from the mount
    cd /etc/ssh/
    rsync -av /mnt/backfil/etc/ssh/ ./
  Only restore from a backup taken before the compromise: check the backup date against the first suspicious login found in step 4, otherwise you restore the attacker's files. On RHEL/CentOS (where /var/log/secure lives) rpm -V openssh-server openssh-clients also compares the installed binaries and configs against the package database.
- 4, determine where the attack came from
    last                               <-- show when users last logged in, look for a funny ip
    note the login time of the suspicious ip and map that time to /var/log/secure
    grep 'suspicious ip' /var/log/secure /var/log/messages   <-- scan both logs for the ip; /var/log/secure shows how it got in (ssh? which user? password or key?)
    cat /var/log/secure
    cat /var/log/messages
    nslookup 'suspicious ip'           <-- then try to find the domain name of the ip
- 5, a lot of the time malware gets in via ssh, and once ssh and sshd have been replaced with trojaned copies they log every login and password typed through them and use those to infect the next host's ssh.
  A few ways to determine if sshd was infected:
    1, ls -al /usr/sbin/sshd /usr/bin/ssh /etc/ssh/   <-- a recent modification time is suspicious if the host was not installed or updated recently. mtime can be set back with touch, though; stat also shows the ctime, which cannot be backdated without changing the system clock, and rpm -V flags files whose digest no longer matches the package.
    2, lsattr /usr/sbin/sshd /usr/bin/ssh            <-- check if the files are immutable, as sometimes malware makes them immutable to stop the user deleting them.
  If ssh or sshd really was trojaned, treat every password typed on this host since the change as stolen and rotate it on every machine it reaches; restoring the binaries cleans up the symptom, a rebuild from a known-good image is the safe end state.
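The log triage of step 4 and the backup comparison of step 2, as an added example that is not part of the original notes. The /var/log/secure lines are constructed sample data; the IPs, hostname and PIDs in them are made up. ssh_login_summary and brute_forced_ips only need awk; backup_diff wraps the rsync dry run with the checksum and --delete options discussed above.

```shell
#!/bin/sh
# Added example, not from the original notes: triage helpers for steps 2 and 4.
# Constructed sample of /var/log/secure lines (assumed data, not a real log);
# on a real host feed the actual log file instead.
SAMPLE_SECURE='Mar  3 02:11:07 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:11:09 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:11:12 web1 sshd[2235]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Mar  3 09:30:01 web1 sshd[3102]: Accepted publickey for deploy from 10.0.0.7 port 40122 ssh2
Mar  4 02:40:55 web1 sshd[4410]: Accepted password for root from 203.0.113.45 port 52000 ssh2'

# ssh_login_summary: read sshd log lines on stdin and print, per source IP,
#   "<ip> <accepted> <failed> <first seen> | <last seen>"
# so a source that failed a few times and then got in stands out at once.
ssh_login_summary() {
    awk '
    /sshd\[[0-9]+\]: (Accepted|Failed) (password|publickey) for/ {
        ts = $1 " " $2 " " $3                 # syslog timestamp: month day time
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if ($6 == "Accepted") acc[ip]++; else fail[ip]++
        if (!(ip in first)) first[ip] = ts
        last[ip] = ts
    }
    END {
        for (ip in first)
            printf "%s %d %d %s | %s\n", ip, acc[ip] + 0, fail[ip] + 0, first[ip], last[ip]
    }' | sort
}

# brute_forced_ips: sources with both failed and accepted logins. These are
# the first candidates to grep for in /var/log/messages and to nslookup.
brute_forced_ips() {
    ssh_login_summary | awk '$2 > 0 && $3 > 0 { print $1 }'
}

# backup_diff BACKUP_ROOT LIVE_ROOT: dry-run comparison of the live system
# against the mounted backup. -c compares checksums rather than size+mtime
# (a trojaned binary with its timestamp restored would otherwise be missed),
# -i itemizes each difference, and --delete makes the dry run also list, as
# "*deleting", files present on the live side but absent from the backup,
# i.e. files the attacker added. Pseudo-filesystems and the mount point are
# excluded. -n: nothing is copied or removed.
backup_diff() {
    rsync -rlptcni --delete \
        --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/run \
        --exclude=/tmp --exclude=/mnt \
        "${1%/}/" "${2%/}/"
}

# Usage on a real host:
#   ssh_login_summary < /var/log/secure
#   brute_forced_ips  < /var/log/secure
#   backup_diff /mnt/backfil / | less
printf '%s\n' "$SAMPLE_SECURE" | ssh_login_summary
```

On the sample data the summary shows 203.0.113.45 with 2 failed and 2 accepted root logins over two nights, which is the pattern to chase through /var/log/messages, while 10.0.0.7 is a single key-based login by a normal user. The backup comparison is deliberately a dry run: review the listing, then copy back individual paths as in step 3 rather than syncing the whole tree.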
