On Mon, November 6, 2017 8:27 am, Leroy Tennison wrote:
Another alternative is to use a FIMS/HIDS such as Aide (Advanced
Intrusion
Detection Environment), OSSEC or Samhain. Be prepared to learn a lot
about what your OS normally does behind the scenes (and thus a fair amount
of initial fine tuning to exclude those things). Aide seems to work
well
(I've seen only one odd result) and is quite granular. However, it is
local system based rather than centralized and isn't daemon based so you're left with periodic checks and finding a way to protect the executable, database and configuration. OSSEC is centralized, daemon based and can check logs for anomalies. However, it is not nearly as granular as Aide and does produce false positives (for example, if 'detect
new files' is used, it will detect based on access time changes rather
than modification or change times - but only for a while...). If you select OSSEC, whatever you do, do NOT put extraneous files in
/var/ossec/etc/shared - you can get truly bizarre and baffling results d oing so. I only know about Samhain, if someone has experience I would very
much
like to hear about it's strengths and weaknesses.
----- Original Message ----- From: "Johnny Hughes" johnny@centos.org To: "centos" centos@centos.org Sent: Monday, November 6, 2017 7:20:22 AM Subject: Re: [CentOS] How to detect botnet user on the server ?
On 11/06/2017 07:06 AM, marcos valentine wrote:
Hello guys, Whats is the best way to identify a possible user using a botnet with php in the server? And if he is using GET commands for example in other
server.
Does apache logs outbound conections ? If it is using a file that is not malicious the clam av would not
identify.
This sounds like a good place to start:
https://major.io/2011/03/09/strategies-for-detecting-a-compromised-linux-ser...
(look for open ports connections both inbound and outbound with netstat,
etc.)
And never trust anything executed on potentially compromised machine. Paranoia is your friend.
( Say with open ports: see what internally executed command netstat gives you, and compare that with external port scan from sane machine: say, using nmap, make sure to turn off internal firewall, and have nothing that filters packets between two boxes. Anything that you see externally and don't see internally is a big red flag. However, the machine may be listening to one or few pinpoint "mother" IPs, so do not expect necessarily external scan detect those. )
But, if someone has completely breached the machine and gotten root on
it, they could put in fake binaries that hide ports and hide processes from 'top' (or ps, lsof). So, a look via chkrootkit or rkhunter would be needed to find that.
The link for rkhunter in the article is bad .. here is the new one:
http://rkhunter.sourceforge.net/
rkhunter seems to be in EPEL. chkrootkit is in fedora, it does not seem
to be in EPEL.
And after you follow all great advises people gave here, and finish with forensics: learn what led to compromise. Then do real recovery from compromise, which is: back up data, wipe compromised system, install fresh new latest system, fully update, configure it taking into consideration what you learned about compromise, install one of the host based or central "intrusion detection systems" that were recommended by others on this list. Then, update, update, update...
Good luck!
Valeri
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++