Scribd Logo
Upload

Welcome to Scribd!

  • 16 views

    230 PDF

    Uploaded by

    Chirri Corp

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    230 PDF

    Uploaded by

    Chirri Corp
    16 views2 pages

    Original Title

    230.pdf

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    16 views2 pages

    230 PDF

    Uploaded by

    Chirri Corp

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    You are on page 1of 2

    Unusual Accounts

    Additional Supporting Tools Intrusion Discovery


    Look in /etc/passwd for new accounts in sorted list by
    Cheat Sheet v2.0
    UID: The following tools are often not built into the
    # sort –nk3 –t: /etc/passwd | less Linux
    Linux operating system, but can be used to POCKET REFERENCE GUIDE

    Normal accounts will be there, but look for new, analyze its security status in more detail. SANS Institute
    www.sans.org and isc.sans.org
    unexpected accounts, especially with UID < 500. Each is available for free download at the Download the latest version of this sheet from
    http://www.sans.org/resources/linsacheatsheet.pdf

    Also, look for unexpected UID 0 accounts:


    listed web site.
    # egrep ':0+:' /etc/passwd
    DISCLAIMER: The SANS Institute is not Purpose
    On systems that use multiple authentication methods:
    # getent passwd | egrep ':0+:' responsible for creating, distributing, System Administrators are often on the front
    warranting, or supporting any of the lines of computer security. This guide aims
    to support System Administrators in finding
    Look for orphaned files, which could be a sign of an following tools.
    attacker's temporary account that has been deleted. indications of a system compromise.
    # find / -nouser -print
    Chkrootkit looks for anomalies on systems What to use this sheet for
    Unusual Log Entries introduced by user-mode and kernel-mode
    On a periodic basis (daily, weekly, or each time you
    Look through your system log files for suspicious
    RootKits – www.chkrootkit.org logon to a system you manage,) run through these
    events, including: quick steps to look for anomalous behavior that
    Tripwire looks for changes to critical system might be caused by a computer intrusion. Each of
    "entered promiscuous mode" files – www.tripwire.org - free for Linux for these commands runs locally on a system.
    Large number of authentication or login non-commercial use This sheet is split into these sections:
    failures from either local or remote access • Unusual Processes and Services
    tools (e.g., telnetd, sshd, etc.) • Unusual Files
    AIDE looks for changes to critical system files
    Remote Procedure Call (rpc) programs with a • Unusual Network Usage
    log entry that includes a large number (> 20) http://www.cs.tut.fi/~rammer/aide.html • Unusual Scheduled Tasks
    strange characters (such as ^PM-^PM-^PM- • Unusual Accounts
    ^PM-^PM-^PM-^PM-^PM) The Center for Internet Security has released • Unusual Log Entries
    For systems running web servers: Larger than a Linux hardening guide for free at • Other Unusual Items
    normal number of Apache logs saying "error" www.cisecurity.org. • Additional Supporting Tools
    Reboots and/or application restarts
    If you spot anomalous behavior: DO NOT PANIC!
    Other Unusual Items The free Bastille Script provides automated Your system may or may not have come under
    security hardening for Linux systems, attack. Please contact the Incident Handling Team
    Sluggish system performance:
    $ uptime – Look at "load average"
    available at www.bastille-linux.org. immediately to report the activities and get further
    assistance.
    Excessive memory use: $ free
    Sudden decreases in available disk space:
    $ df
    Unusual Processes and Services Unusual Files Continued Unusual Network Usage Continued

    Look at all running processes: Look for processes running out of or accessing files Look for unusual port listeners:
    # ps –aux that have been unlinked (i.e., link count is zero). An # netstat –nap
    attacker may be hiding data in or running a backdoor
    Get familiar with "normal" processes for the machine. from such files: Get more details about running processes listening
    Look for unusual processes. Focus on processes with # lsof +L1 on ports:
    root (UID 0) privileges. # lsof –i
    On a Linux machine with RPM installed (RedHat,
    If you spot a process that is unfamiliar, investigate in Mandrake, etc.), run the RPM tool to verify packages: These commands require knowledge of which TCP
    more detail using: # rpm –Va | sort and UDP ports are normally listening on your
    # lsof –p [pid] This checks size, MD5 sum, permissions, type, system. Look for deviations from the norm.
    owner, and group of each file with information from
    This command shows all files and ports used by the RPM database to look for changes. Output includes: Look for unusual ARP entries, mapping IP address to
    running process. S – File size differs MAC addresses that aren’t correct for the LAN:
    M – Mode differs (permissions) # arp –a
    If your machine has it installed, run chkconfig to see 5 – MD5 sum differs
    which services are enabled at various runlevels: D – Device number mismatch This analysis requires detailed knowledge of which
    # chkconfig --list L – readLink path mismatch addresses are supposed to be on the LAN. On a
    U – user ownership differs small and/or specialized LAN (such as a DMZ), look
    Unusual Files G – group ownership differs for unexpected IP addresses.
    T – modification time differs
    Look for unusual SUID root files:
    # find / -uid 0 –perm -4000 –print Pay special attention to changes associated with Unusual Scheduled Tasks
    This requires knowledge of normal SUID files. items in /sbin, /bin, /usr/sbin, and /usr/bin.
    Look for cron jobs scheduled by root and any other
    Look for unusual large files (greater than 10 In some versions of Linux, this analysis is automated UID 0 accounts:
    MegaBytes): by the built-in check-packages script.
    # find / -size +10000k –print
    # crontab –u root –l
    Unusual Network Usage
    This requires knowledge of normal large files.
    Look for promiscuous mode, which might indicate a Look for unusual system-wide cron jobs:
    Look for files named with dots and spaces ("...", ".. ", sniffer:
    # cat /etc/crontab
    ". ", and " ") used to camouflage files: # ls /etc/cron.*
    # find / -name " " –print # ip link | grep PROMISC
    # find / -name ".. " –print
    # find / -name ". " –print Note that the ifconfig doesn’t work reliably for
    # find / -name " " –print detecting promiscuous mode on Linux kernel 2.4, so
    please use "ip link" for detecting it.

    You might also like

    pFad - Phonifier reborn

    Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

    Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


    Alternative Proxies:

    Alternative Proxy

    pFad Proxy

    pFad v3 Proxy

    pFad v4 Proxy