[CentOS] How to detect botnet user on the server?

Mon Nov 6 13:20:22 UTC 2017
Johnny Hughes <johnny at centos.org>

On 11/06/2017 07:06 AM, marcos valentine wrote:
> Hello guys,
> 
> 
> What is the best way to identify a possible user using a botnet with PHP
> on the server? And if he is using GET commands, for example, on another server.
> 
> Does Apache log outbound connections?
> 
> If it is using a file that is not malicious, ClamAV would not identify it.

This sounds like a good place to start:

https://major.io/2011/03/09/strategies-for-detecting-a-compromised-linux-server/

(look for open ports and connections, both inbound and outbound, with
netstat, etc.)

But, if someone has completely breached the machine and gotten root on
it, they could put in fake binaries that hide ports and hide processes
from 'top' (or ps, lsof).  So, a look via chkrootkit or rkhunter would
be needed to find that.

The link for rkhunter in the article is bad; here is the new one:

http://rkhunter.sourceforge.net/

rkhunter seems to be in EPEL.  chkrootkit is in fedora, it does not seem
to be in EPEL.
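A defender-side check in the spirit of the netstat suggestion above, added here as an example and not part of the original thread or of any tool it mentions: it parses `ss -tnp` output (a constructed sample with RFC 5737 addresses is embedded) and flags established connections where an httpd/php process is on the initiating side, i.e. the local port is not one the web server serves on. The process names (httpd, apache2, php, php-fpm) and the service ports 80/443 are assumptions to adjust for the host.

```shell
#!/bin/sh
# Constructed sample of `ss -tnp` output (fake hosts, not real data).
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:22 192.0.2.10:51234 users:(("sshd",pid=1200,fd=4))
ESTAB 0 0 10.0.0.5:80 198.51.100.7:40211 users:(("httpd",pid=2311,fd=12))
ESTAB 0 0 10.0.0.5:43118 203.0.113.9:6667 users:(("php",pid=2401,fd=3))
ESTAB 0 0 10.0.0.5:43120 203.0.113.9:80 users:(("httpd",pid=2311,fd=15))'

# Ports the web server legitimately serves on (assumed). A connection whose
# *local* port is one of these is an inbound client, not an outbound call.
SERVICE_PORTS="80 443"

# flag_outbound_web: read `ss -tnp` lines on stdin and print "pid name peer"
# for each ESTAB connection owned by a web/PHP process whose local port is
# not a service port, meaning the process itself opened the connection.
flag_outbound_web() {
    awk -v svc="$SERVICE_PORTS" '
    BEGIN { n = split(svc, a, " "); for (i = 1; i <= n; i++) isvc[a[i]] = 1 }
    $1 == "ESTAB" {
        lp = $4; sub(/.*:/, "", lp)          # local port = text after last ":"
        if (lp in isvc) next                 # served port: inbound, skip it
        # process name and pid come from users:(("name",pid=N,fd=M))
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            s = substr($0, RSTART, RLENGTH)
            name = s; sub(/^users:\(\("/, "", name); sub(/".*/, "", name)
            pid = s; sub(/.*pid=/, "", pid)
            if (name ~ /^(httpd|apache2|php|php-fpm)$/)
                print pid, name, $5          # $5 is the peer address:port
        }
    }'
}

# Run against the constructed sample. On a live host, pipe `ss -tnp`
# (run as root so process names are visible) into the function instead.
printf '%s\n' "$SAMPLE_SS" | flag_outbound_web
```

A PHP process holding a connection to an unusual remote port, as in the sample's 6667 hit, is exactly the kind of thing the Apache access log will never show, since it only records inbound requests.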
