How do you find exploits using the *NIX shell? - Revision history

JoomlaWikiBot: clean up categories with tags

2012-09-01T20:36:00Z

clean up categories with <noinclude> tags

Terry81 at 20:11, 29 November 2010

2010-11-29T20:11:52Z

Batch1211 at 10:29, 5 October 2010

2010-10-05T10:29:08Z

Jabama: New page: '''Check the active processes''' Use the "ps" command to look for odd or unknown processes, if you aren't sure what to look for there, user "netstat -ae | grep irc" and/or "netstat -ea | ...

2008-10-11T22:56:34Z

New page: '''Check the active processes''' Use the "ps" command to look for odd or unknown processes, if you aren't sure what to look for there, user "netstat -ae | grep irc" and/or "netstat -ea | ...

New page

'''Check the active processes'''

Use the "ps" command to look for odd or unknown processes, if you aren't sure what to look for there, user "netstat -ae | grep irc" and/or "netstat -ea | grep 666" and look for ports 6666, 6667, 6668, 6669, these are common ports used for running IRC bots, they may have the name "irc" listed against them, or may have "httpd" or sometimes other regular services names.

'''Check crontab'''

Check your crontab and see if there is a strange entry, these are used in many exploits to restart IRC bots, even when admins or automated process monitors are used to kill a rogue process.

'''Check for hidden files or directories'''

Check for hidden files or directories you dont expect to see, those starting with "." (dots) and also look for ". " (dot, space) often favored to try and catch searches for hidden directories.

Other examples of searches that may help pin down exploits and/or unexpected files and folders:

find /home -type f | xargs grep -l MultiViews
find . -type f | xargs grep -l base64_encode <<< this can produce false positives, it is valid in many mail/graphics scripts
find . -type f | xargs grep -l error_reporting
find / -name "[Bb]itch[xX]"
find / -name "psy*"
ls -lR | grep rwxrwxrwx > listing.txt

[[Category:FAQ]]
[[Category:Administration FAQ]]
[[Category:Installation FAQ]]
[[Category:Version 1.5 FAQ]]

← Older revision		Revision as of 10:29, 5 October 2010
Line 24:		Line 24:
	[[Category:Installation FAQ]]		[[Category:Installation FAQ]]
	[[Category:Version 1.5 FAQ]]		[[Category:Version 1.5 FAQ]]
		+	[[Category:Security]]

@@ Line 20: / Line 20: @@
   ls -lR | grep rwxrwxrwx > listing.txt
-[[Category:FAQ]]
+<noinclude>[[Category:FAQ]]
 [[Category:Administration FAQ]]
 [[Category:Installation FAQ]]
 [[Category:Version 1.5 FAQ]]
-[[Category:Security]]
+[[Category:Security]]</noinclude>

@@ Line 14: / Line 14: @@
   find /home -type f | xargs grep -l MultiViews
-  find . -type f | xargs grep -l base64_encode <<< this can produce false positives, it is valid in many mail/graphics scripts
+  find . -type f | xargs egrep -l 'base64_encode|gzinflate' <<< this can produce false positives, it is valid in many mail/graphics scripts
   find . -type f | xargs grep -l error_reporting
   find / -name "[Bb]itch[xX]"