Linux, InfoSec, Technology and Everything Else

Published: 6 months ago

Catching hackers on your linux system

I wrote this very brief guide on detecting intrusions on your Linux machines. It includes the basic steps that system administrators follow to detect whether a Linux box has been compromised or not.

[*] Suspicious Processes and Services

Look at all running processes on the system:
~# ps aux
Look for unusual processes. Pay attention to processes running with root (UID 0) privileges.
If you spot a process that is unfamiliar, investigate it in more detail using:
~# lsof -p <process id>
This command shows all files and ports being used by the running process.
chkconfig can be used to monitor services that are configured to start automatically during system startup.
You can install it with:
~# sudo apt-get install chkconfig #for ubuntu boxes
~# sudo yum install chkconfig #for rpm based boxes
Then use chkconfig to see which services are enabled at the various runlevels:
~# chkconfig --list
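Reading a full `ps` listing by eye does not scale, so the usual practice is to compare the UID 0 processes against a known-good list recorded when the machine was clean. The script below is an added example, not part of the original post: it reads `ps -eo user,pid,comm` style output and prints every root process whose command name is not on the allowlist. The allowlist and the sample `ps` lines are constructed for illustration; build your own from a trusted baseline of the same host. (On systemd-based distributions chkconfig is largely obsolete; `systemctl list-unit-files --type=service` gives the equivalent view of what starts at boot.)

```shell
#!/bin/sh
# Added example (not from the original post): flag UID-0 processes that are
# not on a known-good allowlist. The allowlist is an assumed, illustrative
# value; derive yours from a clean baseline of the same machine.

# Command names expected to run as root (assumed for the demo).
ROOT_ALLOWLIST="init sshd cron rsyslogd systemd-journald"

# Read `ps -eo user,pid,comm` lines from stdin (header line tolerated) and
# print "pid comm" for every root process whose command is not allowlisted.
flag_unexpected_root_procs() {
    awk -v allow="$ROOT_ALLOWLIST" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "USER" { next }               # skip the ps header
        $1 == "root" && !($3 in ok) { print $2, $3 }   # unexpected root process
    '
}

# Constructed sample in `ps -eo user,pid,comm` layout (not real output).
# The ".x" entry stands in for the kind of oddly named process to chase
# with `lsof -p <pid>`.
SAMPLE_PS='USER       PID COMMAND
root         1 init
root       412 sshd
root       533 cron
root      9021 .x
alice     2201 bash
root      9044 sshd'

# Demo run on the constructed sample. On a live host use:
#   ps -eo user,pid,comm | flag_unexpected_root_procs
printf '%s\n' "$SAMPLE_PS" | flag_unexpected_root_procs
```

The allowlist is keyed on the bare command name, so a backdoor that names itself `sshd` would slip through; that is exactly why the page's next step, `lsof -p`, and a check of the binary's path and hash still belong in the triage.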

[*] Suspicious Files

Look for unusual SUID root files:
~# find / -uid 0 -perm -4000

Look for unusual large files (greater than 10MB):

~# find / -size +10000k -print

Look for files named with dots and spaces ("...", ".. ", ". ", and " "), which are used to camouflage files:

~# find / -name "..." -print
~# find / -name ".. " -print
~# find / -name ". " -print
~# find / -name " " -print

Look for processes running out of, or accessing, files that have been unlinked (i.e., the link count is zero). An attacker may be hiding data in or running a backdoor from such files:

~# lsof +L1
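The camouflaged-name and SUID searches above are easy to get subtly wrong (a `-name ".."` pattern, for instance, never matches anything because find does not report the `.` and `..` entries). The script below is an added example, not part of the original post: it builds a scratch directory containing constructed files with exactly those awkward names, then runs the same `find` predicates against it so you can see what they catch before pointing them at `/`. The directory layout and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the page's `find`
# checks on a scratch tree with constructed camouflaged file names.

# Create a scratch tree with the suspicious names the text describes and
# one ordinary file; prints the directory path.
make_scratch_tree() {
    d=$(mktemp -d)
    mkdir "$d/.hidden"
    : > "$d/.hidden/..."          # three dots
    : > "$d/.hidden/.. "          # dot-dot followed by a space
    : > "$d/.hidden/. "           # dot followed by a space
    : > "$d/.hidden/ "            # a lone space
    : > "$d/normal.txt"
    printf '%s\n' "$d"
}

# Count entries under $1 whose basename is one of the camouflage names.
# All four patterns are combined into one find run instead of four.
count_camouflaged() {
    find "$1" \( -name '...' -o -name '.. ' -o -name '. ' -o -name ' ' \) -print | wc -l | tr -d ' '
}

# Count regular files under $1 with the set-UID bit, i.e. the page's
# `-perm -4000` test, scoped to a directory so it runs without root.
# On the real system add `-uid 0` as the page does to find root-owned ones.
count_setuid() {
    find "$1" -type f -perm -4000 -print | wc -l | tr -d ' '
}

# Demo run: 4 camouflaged names, then 1 set-UID file after chmod.
scratch=$(make_scratch_tree)
count_camouflaged "$scratch"
chmod 4755 "$scratch/normal.txt"
count_setuid "$scratch"
rm -rf "$scratch"
```

When running the real searches from `/`, add `-xdev` to stay on the local filesystem and expect a few legitimate SUID binaries (`passwd`, `sudo`, `mount`); what you are looking for is an entry that is not in the package manager's file list.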

[*] Suspicious Network Usage

Look for interfaces in promiscuous mode, which might indicate a sniffer:
~# ip link | grep PROMISC
Look for unusual listening ports; attackers bind a listener so they can connect to your server at a later time:
~# netstat -nap
Get more details about running processes listening on ports:
~# lsof -i
Look for unusual ARP entries, mapping IP addresses to MAC addresses that aren't correct for the LAN:
~# arp -a

This analysis requires detailed knowledge of which addresses are supposed to be on the LAN (or DMZ); look for unexpected IP addresses and MAC addresses.
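The ARP check only works against a recorded baseline of which MAC belongs to which IP. The script below is an added example, not part of the original post: it parses `arp -a` style lines and reports two conditions, a baselined IP whose MAC has changed and one MAC answering for several IPs, both of which are classic indicators of ARP spoofing (the second can also be a legitimate multi-homed host, so verify before acting). The baseline map and the sample ARP lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): compare an `arp -a` listing
# with a known-good IP-to-MAC baseline. Baseline values are assumed.

# Baseline as space-separated ip=mac pairs (assumed; record yours from a
# clean state of the LAN).
KNOWN_ARP="192.168.1.1=00:11:22:33:44:55 192.168.1.20=aa:bb:cc:dd:ee:01"

# Read `arp -a` lines ("host (ip) at mac [ether] on dev") from stdin.
# Prints MISMATCH when a baselined IP maps to a different MAC and SHARED
# when one MAC claims more than one IP.
check_arp_table() {
    awk -v known="$KNOWN_ARP" '
        BEGIN {
            n = split(known, kv, " ")
            for (i = 1; i <= n; i++) { split(kv[i], p, "="); base[p[1]] = tolower(p[2]) }
        }
        $4 == "<incomplete>" { next }                  # unresolved entry, no MAC
        {
            ip = $2; gsub(/[()]/, "", ip); mac = tolower($4)
            if ((ip in base) && base[ip] != mac)
                print "MISMATCH", ip, "expected", base[ip], "got", mac
            seen[mac] = seen[mac] " " ip; cnt[mac]++
        }
        END { for (m in cnt) if (cnt[m] > 1) print "SHARED", m seen[m] }
    '
}

# Constructed sample (not real output): the gateway IP now answers from a
# MAC that also claims a second address on the segment.
SAMPLE_ARP='gateway (192.168.1.1) at aa:bb:cc:dd:ee:99 [ether] on eth0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.77) at aa:bb:cc:dd:ee:99 [ether] on eth0
? (192.168.1.5) at <incomplete> on eth0'

# Demo run. On a live host:  arp -a | check_arp_table
printf '%s\n' "$SAMPLE_ARP" | check_arp_table
```

Modern hosts may only ship `ip neigh`, whose columns differ ("ip dev eth0 lladdr mac STATE"); the same logic applies with `$1` as the IP and `$5` as the MAC.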

[*] Suspicious Scheduled Tasks

Look for cron jobs scheduled by root and any other UID 0 accounts:
~# crontab -u root -l

Look for unusual system-wide cron jobs:

~# cat /etc/crontab
~# ls /etc/cron.*
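Reading `/etc/crontab` and `/etc/cron.d/*` is quicker with a filter for the things that should never be there: commands launched from `/tmp`, `/var/tmp` or `/dev/shm`, or from a hidden (dot-prefixed) directory. The script below is an added example, not part of the original post; the crontab content it scans is constructed for the demo, and the heuristics are a starting point rather than a complete rule set.

```shell
#!/bin/sh
# Added example (not from the original post): flag system crontab entries
# whose command runs from an ephemeral or hidden location.

# Constructed system crontab content (not from a real host). System
# crontabs carry a user field, so the command starts at field 7.
SAMPLE_CRONTAB='SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /tmp/.x/update.sh >/dev/null 2>&1
0 3     * * *   root    /usr/bin/certbot renew'

# Print entries whose command references /tmp, /var/tmp or /dev/shm, or a
# path component that starts with a dot. For per-user crontabs
# (`crontab -u root -l`) there is no user field: start at field 6 instead.
suspicious_cron_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        /^[A-Za-z_]+=/ { next }            # environment assignments
        {
            cmd = ""
            for (i = 7; i <= NF; i++) cmd = cmd (i > 7 ? " " : "") $i
            if (cmd ~ /(^|[ \t])\/(tmp|dev\/shm|var\/tmp)\// || cmd ~ /\/\.[^\/]/)
                print $0
        }
    '
}

# Demo run. On a live host:  cat /etc/crontab /etc/cron.d/* | suspicious_cron_entries
printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_entries
```

A clean result here does not clear the host: attackers also drop scripts into `/etc/cron.hourly` and friends, which run via `run-parts` without appearing as individual crontab lines, so list those directories too.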


[*] Suspicious Accounts

Look in /etc/passwd for new accounts, sorted by UID:
~# sort -nk3 -t: /etc/passwd | less

Normal accounts will be there, but look for new, unexpected accounts, especially with UID < 500.

Also, look for unexpected UID 0 accounts:
~# egrep ':0+:' /etc/passwd

On systems that use multiple authentication methods:

~# getent passwd | egrep ':0+:'

Look for orphaned files, which could be a sign of an attacker’s temporary account that has been deleted.

~# find / -nouser
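The `egrep ':0+:'` pattern is a quick first pass, but it matches any field equal to 0, so an account with a primary GID of 0 trips it as well. The script below is an added example, not part of the original post: it runs the page's pattern and an exact test on the UID field side by side over a constructed passwd excerpt, and adds a check for low-UID accounts that are not on an expected list (the list is an assumption for the demo; on a live host feed in `getent passwd`).

```shell
#!/bin/sh
# Added example (not from the original post): review passwd-style data for
# UID-0 accounts and unexpected low UIDs. Sample data is constructed.

# Constructed /etc/passwd excerpt. "bob" has GID 0 but not UID 0;
# "toor" is a second UID-0 account of the kind the page warns about.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
bob:x:1001:0:Bob:/home/bob:/bin/bash
toor:x:0:0:maint:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# The page's pattern (grep -E is the modern spelling of egrep). It also
# fires on bob's GID field, so it over-reports.
uid0_grep() { grep -E ':0+:'; }

# Exact test on field 3 (the UID): prints only true UID-0 account names.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }'; }

# Accounts with UID below $1 that are not in the space-separated list $2;
# prints name:uid. The expected list is supplied by the caller.
low_uid_unexpected() {
    awk -F: -v cutoff="$1" -v allowed=" $2 " '
        $3 + 0 < cutoff + 0 && index(allowed, " " $1 " ") == 0 { print $1 ":" $3 }'
}

# Demo runs on the constructed sample (expected list is an assumption).
printf '%s\n' "$SAMPLE_PASSWD" | uid0_grep          # root, bob, toor
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts      # root, toor
printf '%s\n' "$SAMPLE_PASSWD" | low_uid_unexpected 500 "root daemon sync"   # backup:34, toor:0
```

The awk form generalises to the other fields worth checking in the same pass: a login shell on a service account that should have `nologin`, or a home directory under `/tmp`.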

[*] Suspicious Log Entries

Look through your system log files for suspicious events, including:
  • Look into the Apache access logs (path depends on your configuration)
  • Look into the Apache error logs (path depends on your configuration)
  • Look for the last logins with
    ~# last -f /var/log/wtmp
  • Look for executed commands with
    ~# cat ~/.bash_history
  1. I’d love to see something about mitigating hackers gaining entry in the first place — like checking your IP tables rules, only enabling SSH login with keys, etc. Great post!

  2. There should be double-dashes at 'chkconfig -list', like chkconfig --list
