shann

Jul 5, 2002
Hi,

If somebody hacks the site, which file do I have to look at to track the person?

I have looked at domlogs, didn't find any info.

Any help appreciated.

Thanks

bmcpanel

Jun 1, 2002
The following are notes I made to myself after a recent hack...

================
Things to look for after a hack --

FIND a USER AS ROOT
cat /etc/passwd | grep 0:0

(You should see only one user with root access: you! If there is more than one, investigate!!)

FIND OPEN PORTS
lsof | grep LISTEN
Look for ports open -- ?

CHECK THESE SERVICES
/usr/sbin/nscd
/bin/in.telnetd
/bin/mjy
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find

The following directories may also be created by a hacker:

cd/.lib
/usr/src/.puta
/usr/info/.t0rn
/dev/.lib

NETSTAT
netstat -l

CHECK MODIFIED FILE TIMES
find / -mtime -N -print
(where N is the number of days back to check, e.g. -mtime -1 for files modified in the last day)

COMPARE OUTPUT OF LS
Inside each modified directory you should compare the output of
echo * with ls. If ls has been trojaned and configured to hide
anything, the echo command will still show it.

The worm keeps itself active across reboots by appending some lines to /etc/rc.d/rc.sysinit,
disguised with the comment 'Name Server Cache Daemon..'. It also deletes /etc/hosts.deny and
appends lines to /etc/inetd.conf to leave a root shell on port 1008. Finally, it emails the
contents of /etc/passwd, /etc/shadow and the output of ifconfig -a to an address in the
china.com domain.

/etc/rc.d/rc.sysinit ## Search for 'Cache', usually at the end of the file
/etc/inetd.conf

Utilities Included in Rootkit IV

Programs That Hide the Cracker's Presence

ls, find, du — will not display or count the cracker's files.

ps, top, pidof — will not display the cracker's processes.

netstat — will not display the attacker's traffic, usually used to hide daemons such as eggdrop, bindshell, or bnc.

killall — will not kill the attacker's processes.

ifconfig — will not display the PROMISC flag when sniffer is running.

crontab — will hide the cracker's crontab entry. The hidden crontab entry is in /dev by default.

tcpd — will not log connections listed in the configuration file.

syslogd - similar to tcpd.

Trojaned Programs That Have Backdoors

chfn — root shell if rootkit password is entered in as new full name.

chsh — root shell if rootkit password is entered as new shell.

passwd — root shell if rootkit password is entered as current password.

login — will allow the cracker to log in under any username with the rootkit password. If root logins are refused, user rewt will work. It also disables history logging.

Trojaned Network Daemons

inetd — root shell listening on port rfe (5002). After connection, the rootkit password must be entered in as the first line.

rshd — trojaned so that if the username is the rootkit password, a root shell is bound to the port (i.e. rsh [hostname] -l [rootkit password]).

Cracker Utilities

fix — installs a trojaned program (e.g., ls) with the same timestamp and checksum information.

linsniffer — a network sniffer for Linux.

sniffchk — checks to make sure a sniffer is still running.

wted — wtmp editor. You can modify the wtmp.

z2 — erases entries from wtmp/utmp/lastlog.

bindshell — binds a root shell to a port (port 31337 by default).

================

dgbaker

Sep 20, 2002
Great list, but I would change one command.

FIND a USER AS ROOT
cat /etc/passwd | grep 0:0

Change that to
cat /etc/passwd |grep x:0

The reason is that you can have a root UID with a different GID.

We have a few different root accounts for admins and each has its own GID. So 0:0 will not catch those but x:0 will.

Again great list though.
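The checks from bmcpanel's list, with the UID-0 lookup done the way dgbaker's correction calls for, as an added example script; it is not code from either post or from cPanel. The functions take paths, so they can be run on the live box or pointed at copies of /etc/passwd, rc.sysinit and inetd.conf pulled off a suspect machine. The rootkit directory names are the ones from the list above; `ss`, `netstat` and `lsof` are assumed to be whichever one is installed.

```shell
#!/bin/sh
# Post-compromise checks from the thread, written as functions that take
# paths so they also work on files copied off a suspect machine.
# Added example, not from the original posts. Assumes POSIX sh plus awk,
# find, ls, and one of ss / netstat / lsof for the live socket listing.

# Every account whose numeric UID is 0, whatever its GID.  Testing field 3
# as a number instead of grepping for "0:0" or "x:0" catches a uid-0 account
# that has its own private group and nothing else.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Directories the rootkit in the post creates.  Pass a prefix to scan a
# root filesystem mounted elsewhere (e.g. from a rescue system).
suspicious_dirs() {
    prefix=${1:-}
    rc=0
    for d in /usr/src/.puta /usr/info/.t0rn /dev/.lib; do
        if [ -e "$prefix$d" ]; then
            printf 'suspicious directory: %s\n' "$prefix$d"
            rc=1
        fi
    done
    return $rc
}

# The 'echo *' versus 'ls' comparison: the shell expands the glob itself,
# without /bin/ls, so an entry the glob shows but ls hides means ls has
# been trojaned.  Dotfiles are included on both sides.  Non-zero on mismatch.
hidden_entries() {
    ( cd "$1" || exit 1
      glob=$(for f in * .[!.]* ..?*; do
                 if [ -e "$f" ] || [ -L "$f" ]; then printf '%s\n' "$f"; fi
             done | sort)
      listed=$(ls -A | sort)
      [ "$glob" = "$listed" ] && exit 0
      printf 'ls output differs from shell glob in %s\n' "$1"
      printf 'glob:\n%s\nls -A:\n%s\n' "$glob" "$listed"
      exit 1 )
}

# Files changed in the last N days (default 1), not crossing filesystems.
recently_modified() {
    find "${1:-/}" -xdev -type f -mtime "-${2:-1}" -print
}

# Persistence hooks the post describes: the 'Cache' lines added to
# rc.sysinit, and a non-comment inetd.conf entry that runs a shell directly
# (the port-1008 root shell).  Prints the matching lines, non-zero if any.
persistence_hooks() {
    rc_sysinit=$1 inetd_conf=$2
    rc=0
    if [ -f "$rc_sysinit" ] && grep -n 'Cache' "$rc_sysinit"; then rc=1; fi
    if [ -f "$inetd_conf" ] && grep -v '^[[:space:]]*#' "$inetd_conf" \
            | grep -n -e '/bin/sh' -e '/bin/bash'; then rc=1; fi
    return $rc
}

# Live listening sockets, with the owning process where the tool shows it.
listeners() {
    if command -v ss >/dev/null 2>&1; then ss -ltnup
    elif command -v netstat >/dev/null 2>&1; then netstat -ltnup
    else lsof -nP -iTCP -sTCP:LISTEN
    fi
}

# Run everything against the live system:  sh post_hack_checks.sh run
case "${1:-}" in
run)
    echo '== uid 0 accounts';       uid0_accounts /etc/passwd
    echo '== rootkit directories';  suspicious_dirs || true
    echo '== listening sockets';    listeners
    echo '== persistence hooks';    persistence_hooks /etc/rc.d/rc.sysinit /etc/inetd.conf || true
    echo '== modified in last day'; recently_modified / 1
    echo '== ls vs glob';           for d in /bin /sbin /usr/bin /usr/sbin /dev; do hidden_entries "$d" || true; done
    ;;
esac
```

Everything in the `run` branch goes through binaries on the suspect host (awk, find, ls, ss), so if the box is assumed rooted, copy the files off and run the path-taking functions on a clean machine, or mount the disk under a prefix and pass it to `suspicious_dirs`; the `ls` versus glob check only tells you something when run on the suspect host with its own `ls`.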

shaun

Nov 9, 2001
/scripts/hackcheck

will check to make sure some system RPMs match the original version. If you pass this test it doesn't mean that you haven't been hacked. It just means a lot of the utils you'd use to see a hacker's utils running are a-ok.
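The same kind of RPM check that shaun describes, done by hand for the binaries the rootkit list says get replaced, as an added example; this is not cPanel's /scripts/hackcheck and assumes an RPM-based system for the live part. The parser also works on saved `rpm -V` output, so a report captured from a suspect box can be triaged elsewhere.

```shell
#!/bin/sh
# Verify the checklist's binaries against the RPM database.  Added example,
# not cPanel's script; the live part assumes an RPM-based system.

# Binaries the rootkit list above says get replaced.
SUSPECT_BINARIES='/bin/ls /bin/ps /bin/netstat /sbin/ifconfig /usr/bin/du
/usr/bin/top /usr/bin/find /usr/bin/killall /usr/sbin/in.fingerd /usr/sbin/nscd'

# One 'rpm -V' line is a 9-column flag string plus the path, for example
# "S.5....T.    /bin/ls".  Columns: S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities; '.' means unchanged.
# A changed digest or size means the content is not what the package
# shipped.  The rootkit's 'fix' tool forges the timestamp and the old BSD
# 'sum' checksum, not the package digest, so '5' is the decisive flag.
rpm_verify_verdict() {
    flags=$1 path=$2
    case $flags in
        *5*|*S*)     printf 'REPLACED %s (%s)\n' "$path" "$flags"; return 2 ;;
        *M*|*U*|*G*) printf 'PERMS-CHANGED %s (%s)\n' "$path" "$flags"; return 1 ;;
        *T*)         printf 'MTIME-ONLY %s (%s)\n' "$path" "$flags"; return 1 ;;
        *)           printf 'ok %s\n' "$path"; return 0 ;;
    esac
}

# Triage a whole 'rpm -V' report.  rpm prints nothing for unchanged files,
# "missing" for absent ones, and a one-letter attribute (c = config file)
# before the path of special files.  Changed config files are expected, so
# they are shown but not scored.  Returns the worst verdict seen (0, 1, 2).
triage_rpm_output() {
    worst=0
    while read -r flags a b; do
        [ -n "$flags" ] || continue
        case $a in
            c)       printf 'config %s (%s), ignored\n' "$b" "$flags"; continue ;;
            d|g|l|r) path=$b ;;
            *)       path=$a ;;
        esac
        if [ "$flags" = missing ]; then
            printf 'MISSING %s\n' "$path"; r=2
        else
            rpm_verify_verdict "$flags" "$path" && r=0 || r=$?
        fi
        if [ "$r" -gt "$worst" ]; then worst=$r; fi
    done <<EOF
$1
EOF
    return "$worst"
}

# Live check: verify the package that owns each suspect binary (rpm -Vf).
verify_suspect_binaries() {
    for bin in $SUSPECT_BINARIES; do
        [ -e "$bin" ] || continue
        if ! rpm -qf "$bin" >/dev/null 2>&1; then
            printf 'NOT-PACKAGED %s\n' "$bin"; continue
        fi
        triage_rpm_output "$(rpm -Vf "$bin" 2>/dev/null)" || true
    done
}

# Usage:  sh rpm_hackcheck.sh run
case "${1:-}" in
run) verify_suspect_binaries ;;
esac
```

The caveat in the post above applies here too: `rpm -V` trusts the `rpm` binary and the database on the host being checked, and a clean report from a host whose `rpm` or `/var/lib/rpm` has been tampered with means nothing. Booting rescue media and running `rpm --root /mnt -Va` against the mounted disk takes the suspect host's own binaries out of the loop.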