Differences between revisions 7 and 8
Revision 7 as of 2023-02-03 01:58:19
Size: 2060
Editor: cpe-58-167-147-38
Comment:
Revision 8 as of 2023-02-03 02:00:51
Size: 2287
Editor: cpe-58-167-147-38
Comment:
Line 3: Line 3:
     0, first fine offending process using top and find out the user  . 0, first fine offending process using top and find out the user

{{{
top //<--find the user and pid of the malware, normally taking up a lot of cpu
rm /var/spool/cron/<user> --stop cron from respawn just incase can restore from backup
kill -9 pid --this should stop the malware
}}}
 .
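Review bot: the added block deletes `/var/spool/cron/<user>` before anything has been recorded, which destroys the one artefact showing what the malware scheduled to respawn; copy it aside first (for example `cp -a /var/spool/cron/<user> /root/cron-<user>.bak`, path chosen as a placeholder) and only then remove it. Also `kill -9 pid` should use the same placeholder form as `<user>` (`kill -9 <pid>`), and the inline comment markers should be consistent (`//` on one line, `--` on the others).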

The main way to detect malware: first run top and see whether any process is using a lot of CPU.

  • 0, first find the offending process using top and find out which user it runs as

top <-- find the user and PID of the malware, which is normally taking up a lot of CPU
rm /var/spool/cron/<user> <-- stop cron from respawning it, just in case; can be restored from backup
kill -9 <pid> <-- this should stop the malware
  • 1, readlink /proc/<pid>/cwd to see which dir it runs in, then look for any suspicious files there and delete them

rm files <-- if permission is denied, then chmod; if still no permission, then lsattr
lsattr files <-- check whether the immutable attribute is set; if yes, remove it
chattr -i -a files <-- remove the immutable and append-only flags, then rm again
rm files
  • 2, mount the backup and compare which files differ.

mkdir /mnt/backfil/ <-- make a dir to mount at
ls /dev/vd* <-- list the backup device
mount /dev/vdc1 /mnt/backfil <-- mount the backup device on that dir
cd / <-- go to the root dir
rsync -avn /mnt/backfil/ ./ | less <-- compare file differences; -n (dry run) is important, it only reports what would change
  • 3, go through the differences and find any suspicious file, e.g. files in /etc/ or some service executables, and copy the file back from the backup.
    • example: /etc/ssh/ has been changed, rsync it from the mount

cd /etc/ssh/
rsync -av /mnt/backfil/etc/ssh/ ./
  • 4, determine where the attack came from, run

last <-- show when each user last logged in; look for unfamiliar IPs
// note the login time of the suspicious IP and try to match that time in /var/log/secure
// scan /var/log/messages and /var/log/secure for the suspicious IP
// look at how it got in, e.g. via ssh?
cat /var/log/secure
cat /var/log/messages
// then try to find the domain name of the IP
nslookup <suspicious ip>
  • 5, a lot of the time malware gets in via ssh, and once ssh and sshd are infected they will log logins and passwords and infect the next host's ssh

// a few ways to determine whether sshd was infected
1, ls -al <-- if the modification time is recent it is suspicious, assuming the host was not installed recently.
2, lsattr <-- look to see if the files are immutable, as malware sometimes makes them immutable to stop the user deleting them.
  • 6, look for abnormal CPU usage in www.creativecomputing.com.au/cacti/; compare CPU usage etc. with the history data and look for anything abnormal.
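As an added example (not from this wiki page), the login correlation in steps 4 and 5 above can be scripted: one function takes `last`-style output and picks out source IPs that are not in a known-good list, another counts failed and accepted sshd logins in `/var/log/secure` lines for each such IP. The sample `last` and `secure` lines, the host name web1, the RFC 5737 test IPs and the known-IP list are all constructed for the example.

```shell
#!/bin/sh
# Correlate logins from unexpected IPs (as seen in `last`) with sshd events
# in a secure log. All sample data below is constructed, not from a real host.

# Constructed sample of `last -i` output (user, tty, source IP, times).
SAMPLE_LAST='root     pts/0        203.0.113.45     Fri Feb  3 01:12   still logged in
admin    pts/1        192.0.2.10       Thu Feb  2 18:30 - 19:02  (00:32)
root     pts/2        203.0.113.45     Thu Feb  2 03:41 - 03:59  (00:18)
admin    pts/0        192.0.2.10       Wed Feb  1 09:00 - 17:30  (08:30)
reboot   system boot  4.18.0           Tue Jan 31 08:00   still running'

# Constructed sample of /var/log/secure lines (host name web1 is made up).
SAMPLE_SECURE='Feb  2 03:40:58 web1 sshd[2211]: Failed password for root from 203.0.113.45 port 50122 ssh2
Feb  2 03:41:02 web1 sshd[2211]: Accepted password for root from 203.0.113.45 port 50122 ssh2
Feb  2 18:30:11 web1 sshd[2300]: Accepted publickey for admin from 192.0.2.10 port 40010 ssh2
Feb  3 01:12:07 web1 sshd[2411]: Accepted password for root from 203.0.113.45 port 50201 ssh2'

# Source IPs we expect to see (assumption: the admin maintains this list).
KNOWN_IPS='192.0.2.10'

# Print each unique source IP from `last` output that is not in KNOWN_IPS.
# $1 = `last` output. "reboot" pseudo-entries and non-IP hosts are skipped.
unknown_login_ips() {
    printf '%s\n' "$1" \
      | awk '$1 != "reboot" && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $3 }' \
      | sort -u \
      | while read -r ip; do
            case " $KNOWN_IPS " in
                *" $ip "*) ;;                  # known IP, skip it
                *) printf '%s\n' "$ip" ;;
            esac
        done
}

# Count failed vs accepted sshd logins for one IP in secure-log text.
# $1 = log text, $2 = IP. Output: "<ip> failed=<n> accepted=<n>"
ssh_summary_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /sshd/ && index($0, "from " ip " ") > 0 {
            if ($0 ~ /Failed password/) failed++
            if ($0 ~ /Accepted /) ok++
        }
        END { printf "%s failed=%d accepted=%d\n", ip, failed+0, ok+0 }'
}

# Whole correlation: one summary line per unknown IP.
triage_logins() {
    unknown_login_ips "$1" | while read -r ip; do ssh_summary_for_ip "$2" "$ip"; done
}

triage_logins "$SAMPLE_LAST" "$SAMPLE_SECURE"
```

Feed it real data with `triage_logins "$(last -i)" "$(cat /var/log/secure)"` after filling KNOWN_IPS with your own addresses; an unknown IP with an accepted login is the one to chase through the log timestamps.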

detect_malware (last edited 2023-02-27 01:01:55 by 220-240-208-8)