Quote:
Originally Posted by windstory
If system files were contaminated, please let me know how to cure it.
|
Let me first tell you that's not the goal of this thread. The goal is to find out if your system was compromised, how and how to avoid that
next time, meaning you'll prepare yourself to rebuild the machine from scratch should we find enough evidence of a root compromise. Oh, and BTW, your CentOS version isn't up to date either: CentOS 5.9 was released a month or so ago.
So. What are you going to do? Here's what:
0.
Do nothing on the system. First read the Intruder Detection Checklist (CERT):
http://web.archive.org/web/200801092...checklist.html. While old it will still provide you with steps to take if you're not accustomed to performing analysis.
Do not remove, update or install anything on the web server. If you already did stuff do let us know what exactly.
1. Notify any users of that system to avoid using it (no logging in, no uploading, no nothing) until you have verified the system was or was not compromised.
2. Save listings for later use:
Code:
( \ps axfwwwe -opid,ppid,gid,uid,cmd 2>&1; \lsof -Pwln 2>&1; \netstat -anTpe 2>&1; \lastlog 2>&1; \last -wai 2>&1; \who -a 2>&1 ) > /tmp/output.txt
3. Mitigate the situation by stopping any (publicly) accessible services like the web server, database, FTP. Keep SSH running if the machine is in a remote location or only accessible over the network. If necessary raise the firewall to only allow traffic to and from your (management) IP (range).
4. Build an understanding of the situation:
- what services are (publicly) accessible?
- what applications and what version of them run in the web stack other than XAMPP? (Include web-based management panels, statistics, web log, forum, shopping cart, plugins, themes, homebrewn scripts and other software if any),
- apart from XAMPP, was any software kept up to date?
- which access restrictions are in place and what hardening was performed?
- how far back do your system and daemon logs go?
- have security incidents happened before on this server?
- have you, apart from the zone files, found any other suspicious files?
- depending on where you found the zone files run 'find' on that and other common directories holding temporary files, docroots, user-owned files: (example showing /var/www, /var/tmp, /tmp and /home: adjust it):
Code:
find /var/www /var/tmp /tmp /home -printf "%T@ %A@ %C@ %u %g %m %y \"%p\"\n" 2>&1 >> /tmp/output.txt
and save the /tmp/output.txt file to your log analysis workstation.
- get all the system and daemon logs off of the system and onto a physically different machine you will use for log analysis.
- on your log analysis workstation run all log files from the host through Logwatch with the "--detail High --service All --range All --archives --numeric --save /tmp/logwatch.txt" args.
Now attach (or pastebin) "output.txt" and "/tmp/logwatch.txt".
*Please be complete and verbose in your reply, please stay with the thread until completion, respond as soon as replies are posted and ask questions if unsure beforehand.
