[CentOS] How to detect botnet user on the server ?

Mon Nov 6 14:27:46 UTC 2017
Leroy Tennison <leroy at datavoiceint.com>

Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion Detection Environment), OSSEC or Samhain.  Be prepared to learn a lot about what your OS normally does behind the scenes (and thus a fair amount of initial fine tuning to exclude those things).  Aide seems to work well (I've seen only one odd result) and is quite granular.  However, it is local system based rather than centralized and isn't daemon based so you're left with periodic checks and finding a way to protect the executable, database and configuration.  OSSEC is centralized, daemon based and can check logs for anomalies.  However, it is not nearly as granular as Aide and does produce false positives (for example, if 'detect new files' is used, it will detect based on access time changes rather than modification or change times - but only for a while...).  If you select OSSEC, whatever you do, do NOT put extraneous files in /var/ossec/etc/shared - you can get truly bizarre and baffling results doing so.  I only know about Samhain, if someone has experience I would very much like to hear about it's strengths and weaknesses.

----- Original Message -----
From: "Johnny Hughes" <johnny at centos.org>
To: "centos" <centos at centos.org>
Sent: Monday, November 6, 2017 7:20:22 AM
Subject: Re: [CentOS] How to detect botnet user on the server ?

On 11/06/2017 07:06 AM, marcos valentine wrote:
> Hello guys,
> Whats is the best way to identify a possible user using a botnet with php
> in the server? And if he is using GET commands for example in other server.
> Does apache logs outbound conections ?
> If it is using a file that is not malicious the clam av would not identify.

This sounds like a good place to start:


(look for open ports connections both inbound and outbound with netstat,

But, if someone has completely breached the machine and gotten root on
it, they could put in fake binaries that hide ports and hide processes
from 'top' (or ps, lsof).  So, a look via chkrootkit or rkhunter would
be needed to find that.

The link for rkhunter in the article is bad .. here is the new one:


rkhunter seems to be in EPEL.  chkrootkit is in fedora, it does not seem
to be in EPEL.

CentOS mailing list
CentOS at centos.org