Main way to detect malware: run top first and see whether any process is using a lot of CPU.
- 0, first find the offending process using top and find out which user it runs as
- 1, look at the directory the process runs in and check it for suspicious files, then delete them
ls -l /proc/<pid>/cwd <-- the cwd symlink shows which dir the process runs in; look for suspicious files in it and delete them
rm files <-- if no permission, then chmod; if still no permission then check lsattr
lsattr files <-- check whether the files have the immutable (i) or append-only (a) attribute; if yes remove it
chattr -i -a files <-- remove the immutable/append-only flags, then rm again
rm files
- 2, load up the backup and compare which files differ.
mkdir /mnt/backfil/ <-- make a dir to mount at
ls /dev/vd* <-- list the backup device
mount /dev/vdc1 /mnt/backfil <-- mount the backup device on that dir
cd / <-- go to the root dir
rsync -avn /mnt/backfil/ ./ | less <-- compare file differences; n is important, it is dry-run mode so nothing is copied yet
- 3, go through the differing files and find any suspicious file, e.g. files in /etc/, some service executables; copy the clean file back from the backup.
- example: /etc/ssh/ has been changed, rsync it back from the mount
cd /etc/ssh/
rsync -av /mnt/backfil/etc/ssh/ ./
- 4, determine where the attack came from
last <-- show when users last logged in, look for funny IPs
  note the login time of the suspicious IP and try to map that time in /var/log/secure
  scan /var/log/messages and /var/log/secure for the suspicious IP and look at how it got in, e.g. ssh?
cat /var/log/secure
cat /var/log/messages
nslookup 'suspicious ip' <-- then try to find the domain name of the IP
- 5, a lot of the time malware gets in via ssh, and once ssh and sshd are infected they will log logins and passwords and infect the next host's ssh
  a few ways to determine whether sshd was infected:
  1, ls -al on the ssh/sshd binaries <-- if the modification time is recent but the host was installed a long time ago, it is suspicious (also compare the binaries against the backup copy as in step 2)
  2, lsattr <-- look to see whether the files are immutable, as malware sometimes makes them immutable to stop the user deleting them
- 6, look for abnormal CPU usage in www.creativecomputing.com.au/cacti/; compare CPU usage etc. with the history data and look for anything abnormal.
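Step 4 above is done by eye with last and cat; the script below is an added example (not part of these notes) that does the same correlation over constructed sample data: it pulls every source IP out of `last`-style output that is not in a known-good list, then shows the sshd lines in the secure log for that IP and counts how many logins it was accepted for. The KNOWN_IPS list, the host name and the sample addresses are assumptions made up for the example.

```shell
#!/bin/sh
# Added example: correlate source IPs from `last` with sshd lines in /var/log/secure.
# All data below is CONSTRUCTED for the example; on a real host feed it
# `last -i` output and the real /var/log/secure instead.

# Assumption: addresses the admin normally logs in from.
KNOWN_IPS="198.51.100.7"

# Constructed `last -i` style output: user, tty, source IP, login time.
LAST_OUTPUT='root     pts/0   198.51.100.7   Mon Mar  4 09:12   still logged in
root     pts/1   203.0.113.45   Sun Mar  3 02:41 - 02:55  (00:14)
admin    pts/0   198.51.100.7   Sat Mar  2 17:03 - 18:20  (01:17)
reboot   system boot  4.18.0        Fri Mar  1 08:00   still running'

# Constructed /var/log/secure lines (host name web1 is made up).
SECURE_LOG='Mar  3 02:40:57 web1 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:41:03 web1 sshd[2211]: Accepted password for root from 203.0.113.45 port 51022 ssh2
Mar  4 09:12:10 web1 sshd[3090]: Accepted publickey for root from 198.51.100.7 port 40110 ssh2'

# Print each source IP (3rd column of `last -i`) that is not in KNOWN_IPS,
# skipping reboot pseudo-entries.  Usage: suspicious_ips "$LAST_OUTPUT"
suspicious_ips() {
    printf '%s\n' "$1" | awk -v known="$KNOWN_IPS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == "reboot" { next }
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { print $3 }' | sort -u
}

# Print the sshd lines that mention a given IP, so the login time seen in
# `last` can be matched against how the session authenticated.
# Usage: sshd_lines_for "$SECURE_LOG" 203.0.113.45
sshd_lines_for() {
    printf '%s\n' "$1" | grep -F "sshd[" | grep -F " from $2 "
}

# Count accepted sshd logins from a given IP; an "Accepted" line from an
# unknown address is the strongest sign that this is how it got in.
accepted_count() {
    sshd_lines_for "$1" "$2" | awk '/Accepted / { c++ } END { print c + 0 }'
}

# Report: every unknown IP from `last`, how often sshd accepted it, and the lines.
main() {
    for ip in $(suspicious_ips "$LAST_OUTPUT"); do
        echo "== $ip: $(accepted_count "$SECURE_LOG" "$ip") accepted sshd login(s)"
        sshd_lines_for "$SECURE_LOG" "$ip"
    done
}
main
```

With the sample data the report flags 203.0.113.45 only, with one accepted password login at 02:41 on Mar 3, matching the session in `last`; run nslookup on that IP afterwards as the notes say.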
