Security Guideance

Tue Feb 23 20:51:49 UTC 2010

These tools will relate IP flow to UID in Linux:

# Get the sockets that are open
netstat -an
# lsof (as root) sockets to pid and owner uid.
lsof

If netstat doen't show it, it could be a raw socket... Or your root-kit's
still there. Raw sockets will still show in lsof.

Alex

On Tue, Feb 23, 2010 at 02:39:41PM -0600, Dan White wrote:
> Date: Tue, 23 Feb 2010 14:39:41 -0600
> From: Dan White <dwhite at olp.net>
> To: Ronald Cotoni <setient at gmail.com>
> Subject: Re: Security Guideance
> Cc: nanog at nanog.org
> 
> On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
> >Quick suggestion BUT you may want to have Parallels look into it if
> >you can't seem to find it since you pay for the support anyways.  You
> >may also want to check to see if it is a cron job that is doing it (if
> >the machine was root kitted, you may have accidentally copied a cron
> >job over.  Another suggestion would be simply move half the accounts
> >to one server and half to another and see if it ddoses again and keep
> >doing that until you find the problem account.
> 
> I'll second that. I've found a few interesting items in my
> /var/spool/cron/crontab before.
> 
> Also check your web server logs. If someone has compromised an account via
> an apache/php vulnerability, it might show up in your access/error log
> (I saw 'wget' in my logs once).
> 
> I assume you've checked 'last' to make sure they're not getting in via a
> remote shell.
> 
> ls -ltra is your friend when finding the most recently created files in your
> filesystem.
> 
> If you suspect there's a running process doing it, look through your /proc
> directory, like in /proc/<pid>/environ, /proc/<pid>/cmdline, etc.
> 
> -- 
> Dan White
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20100223/48e1c089/attachment.sig>