[122941] in North American Network Operators' Group


Re: Security Guideance

daemon@ATHENA.MIT.EDU (acv)
Tue Feb 23 15:47:28 2010

Date: Tue, 23 Feb 2010 15:51:49 -0500
From: acv <acv@miniguru.ca>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <20100223203941.GF4844@dan.olp.net>

These tools will relate IP flow to UID in Linux:

# Get the sockets that are open
netstat -an
# lsof (as root) maps sockets to pid and owner uid; -i restricts it to
# network files, -n/-P skip the slow host and port name lookups
lsof -i -n -P

If netstat doesn't show it, it could be a raw socket... Or your root-kit's
still there. Raw sockets will still show in lsof.

Alex

On Tue, Feb 23, 2010 at 02:39:41PM -0600, Dan White wrote:
> Date: Tue, 23 Feb 2010 14:39:41 -0600
> From: Dan White <dwhite@olp.net>
> To: Ronald Cotoni <setient@gmail.com>
> Subject: Re: Security Guideance
> Cc: nanog@nanog.org
>
> On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
> >Quick suggestion BUT you may want to have Parallels look into it if
> >you can't seem to find it since you pay for the support anyways.  You
> >may also want to check to see if it is a cron job that is doing it (if
> >the machine was root kitted, you may have accidentally copied a cron
> >job over).  Another suggestion would be simply move half the accounts
> >to one server and half to another and see if it DDoSes again and keep
> >doing that until you find the problem account.
>
> I'll second that. I've found a few interesting items in my
> /var/spool/cron/crontab before.
>
> Also check your web server logs. If someone has compromised an account via
> an apache/php vulnerability, it might show up in your access/error log
> (I saw 'wget' in my logs once).
>
> I assume you've checked 'last' to make sure they're not getting in via a
> remote shell.
>
> ls -ltra is your friend when finding the most recently created files in your
> filesystem.
>
> If you suspect there's a running process doing it, look through your /proc
> directory, like in /proc/<pid>/environ, /proc/<pid>/cmdline, etc.
>
> -- 
> Dan White

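The socket-to-UID-to-PID mapping Alex describes, as an added example that is not part of the original thread: a POSIX shell script that reads the uid and inode columns straight out of /proc/net/tcp, /proc/net/udp and /proc/net/raw (so raw sockets are covered too) and resolves each inode to a PID by walking /proc/<pid>/fd, then prints that process's /proc/<pid>/cmdline as Dan suggests. Reading /proc directly avoids trusting netstat and lsof binaries that a rootkit may have replaced. The two sample rows are constructed for the decoder, not captured from a real host; only the IPv4 tables are decoded (the v6 tables use a different address encoding); the getent lookup is a convenience assumption with a numeric fallback.

```shell
#!/bin/sh
# Added example (not from the thread): relate sockets to UID and PID via /proc.
# Assumes Linux /proc layout; IPv4 tables only.

# Turn "0100007F:0016" (little-endian hex IPv4, hex port) into "127.0.0.1:22".
hexaddr_to_dotted() {
    hex=${1%%:*}
    port=${1##*:}
    o1=${hex#??????}                 # last two hex digits are the first octet
    o2=${hex#????}; o2=${o2%??}
    o3=${hex#??};   o3=${o3%????}
    o4=${hex%??????}
    printf '%d.%d.%d.%d:%d' "0x$o1" "0x$o2" "0x$o3" "0x$o4" "0x$port"
}

# Decode one /proc/net/<proto> row into "proto local remote uid=N inode=N".
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
# In /proc/net/raw the "port" of the local address is the IP protocol number.
decode_proc_net_line() {
    proto=$1
    # shellcheck disable=SC2086   # word splitting on the row is intended
    set -- $2
    [ $# -ge 10 ] || return 1        # blank or truncated row
    [ "$1" = "sl" ] && return 1      # header row
    printf '%s %s %s uid=%s inode=%s\n' \
        "$proto" "$(hexaddr_to_dotted "$2")" "$(hexaddr_to_dotted "$3")" "$8" "${10}"
}

# Find the PID whose fd table holds a socket inode (needs root to see every process).
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        printf '%s\n' "${pid%%/*}"
        return 0
    done
    return 1
}

# Walk the live tables; print owner, PID and command line for every socket.
scan_sockets() {
    for proto in tcp udp raw; do
        [ -r "/proc/net/$proto" ] || continue
        while IFS= read -r line; do
            entry=$(decode_proc_net_line "$proto" "$line") || continue
            uid=${entry##*uid=}; uid=${uid%% *}
            inode=${entry##*inode=}
            user=$(getent passwd "$uid" 2>/dev/null | cut -d: -f1)   # assumption: getent present
            pid='?'
            [ "$inode" != 0 ] && pid=$(inode_to_pid "$inode" 2>/dev/null || echo '?')
            cmd=''
            [ -r "/proc/$pid/cmdline" ] && cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline")
            printf '%s user=%s pid=%s cmd=%s\n' "$entry" "${user:-$uid}" "$pid" "$cmd"
        done < "/proc/net/$proto"
    done
}

# Constructed sample rows (not captured from a real host) for exercising the decoder.
SAMPLE_TCP='   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0'
SAMPLE_RAW='   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0'

if [ "${1-}" = "--scan" ]; then
    scan_sockets
fi
```

Run it as root with `--scan` on the suspect box; without the flag it only defines the functions. An entry whose inode no visible /proc/<pid>/fd points at (pid=?) on an established or raw socket is exactly the case Alex flags: either a process you cannot see, or a tool that is lying to you.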

