major way to detect malware first top and see if any process use lot of cpu
- cat /proc/pid/pwd to see which dir it run in and see any suspicious files in it and delete it
rm files <-- if no permission, then chmod, if still no permission then lsattr lsattr files <-- check if have is immutable if yes remove it chattr -i -a files <-- remove immutable flags. then rm again rm files
- 2,load up backup and compare files different.
mkdir /mnt/backfil/ <-- make a dir to mount at ls /dev/vd* <-- list the back up device mount /dev/vdc1 /mnt/backfil <-- mount the backup device to file cd / <-- goes to root dir rsync -avn /mnt/backfil/ ./ | less <--compare file differents, n is important testing mode.
- 3,compare the file different and find any suspisious file , e.g, file in etc/, some service executables, copy the file from backup.
- example /etc/ssh/ has been changed , rsynd it from mounts
cd /etc/ssh/ rsync -av /mnt/backfil/etc/ssh/ ./
- 4, determine where the attact came from run
last <-- show when user last login , look for funny ip //notice the login time of the suspicious ip try to map the time in /var/log/secure //scan /var/log/message and /var/log/secure for the suspicious ip //look at how it get in like ssh? cat /var/log/secure cat /var/log/message //then try to find the domain name of the ip nslookup 'suspicious ip'
- 5, a lot of time malware geting via ssh, and once a ssh and sshd was infected, it will log login and passwd and it will infect the next host's ssh
//few way to determin if sshd was infected 1, ls -al //look at the time is recent then it is suspicious, if the host was not installed long time ago. 2, lsattr //look to see if the files are immutable, as sometime malware make it immutable to stop user deleting it.
- 6, look for cpu usage abnormal in www.creativecomputing.com.au/cacti, compare cpu usage, etc with history data look for abnormal.