server compromised?
Hi all,
I found out that there was http traffic leaving my server to a domain I knew nothing about, so I ran:

tcpdump -i eth0 -xXNvvv port 80 -w dump.hack

Is there a way for me to see what was going through this by analysing the content of the dump? I had a look through it but can't seem to find much info in there. Any hack known that sends data through port 80 that I should be looking for on my box? Any thoughts/advice are welcome! :)
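One way to get an answer out of a capture like that, added here as an example and not something posted in the thread: a stdlib-only Python script that reads the pcap file written by tcpdump -w, sums TCP payload bytes per port-80 connection and labels each connection with the Host header from its request, so the destination receiving the upload stands out. The capture it reads is constructed inline; the addresses and hostnames in it are made-up sample values.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield (src_ip, src_port, dst_ip, dst_port, tcp_payload) for each IPv4/TCP frame."""
    magic = struct.unpack("<I", data[:4])[0]
    e = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # file byte order
    linktype = struct.unpack(e + "I", data[20:24])[0]      # 1 = Ethernet
    off = 24                                               # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        ip = frame[14:] if linktype == 1 else frame        # drop the Ethernet header
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:  # keep IPv4 carrying TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
        sport, dport = struct.unpack("!HH", tcp[:4])
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        yield src, sport, dst, dport, tcp[(tcp[12] >> 4) * 4:]

def http_upload_summary(data):
    """Map (dst_ip, Host header) -> TCP payload bytes sent on port-80 connections."""
    conn_host, totals = {}, defaultdict(int)
    for src, sport, dst, dport, payload in parse_pcap(data):
        if dport != 80 or not payload:
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        if head[0].split(b" ")[0] in (b"GET", b"POST", b"PUT"):  # an HTTP request line
            hosts = [l.split(b":", 1)[1].strip() for l in head[1:] if l.lower().startswith(b"host:")]
            conn_host[(src, sport, dst)] = hosts[0].decode(errors="replace") if hosts else "?"
        totals[(dst, conn_host.get((src, sport, dst), "?"))] += len(payload)  # later segments too
    return dict(totals)

def _frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture (made-up addresses): a small GET, then a large POST to an unknown host."""
    frames = [_frame("10.0.0.5", 40000, "192.0.2.10", 80,
                     b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
              _frame("10.0.0.5", 40001, "198.51.100.7", 80,
                     b"POST /up HTTP/1.1\r\nHost: unknown.invalid\r\nContent-Length: 3000\r\n\r\n" + b"A" * 1000),
              _frame("10.0.0.5", 40001, "198.51.100.7", 80, b"A" * 2000)]  # rest of the body
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

Run it on the real file with http_upload_summary(open("dump.hack", "rb").read()) and sort the result by byte count; the entry at the top is the connection eating the upload bandwidth.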
I think we're going to need some more details about what is going on. By the way, in the case of suspected compromises, this forum tends to work rather differently than others you may have seen. Here we put a high emphasis on gathering facts about the machine in question rather than speculating about what might be going on. So, with that in mind, here are some things to think about:

- What is this machine used for and why do you think this traffic was suspect?
- What distro is running on it, and how well patched/maintained is it?
- Are there any existing intrusion detection systems in place?
- Have you examined your log files for anything out of the ordinary?

Some potentially helpful information can be obtained from:

lsof -Pwn
ps -axfwwwe
netstat -pane

With these, you are looking for anything suspicious, and feel free to post outputs. In addition, if you feel the machine has been compromised, I'd strongly suggest pulling the network cable, but do NOT reboot/turn off the machine. If you don't have physical access, you might use iptables to cut off all access except SSH from a trusted IP. Also, have a look at the CERT Checklist for a good process to develop more facts about the machine.
Hi Hangdog42,
Thanks for your reply and sorry for my late reply.

I suspected an intrusion when my very limited upload bandwidth started being saturated by an http(80) upload to a domain name I did not recognise.

I suppose the three commands you mention are only any good during the attack. If it's a bot, I could reopen the port, run the commands, get the data and close it again. Although, the less gets out, the happier I am obviously. Thank you for your link, I'll have a look at it over the weekend and run some tests. I took down all non-critical VMs. Is there a short learning curve intrusion detection software or am I going to have to accept snort is the one and get on with it? Thanks for your help.
By the way, am I safe in assuming that the suspect machine is a VM? Also, if some of the logs/outputs/evidence is too large to post, let us know and we'll get a place where it can be stored and shared. There are several people in this forum who like doing this sort of investigation, so you will get help if you develop evidence.