
Server exploitation: what needs to be done after it?

Posted 1 year, 6 months and 4 days ago

DDoS:

In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. The difference between the two is the source: a DoS attack is sent by one person or system, while a DDoS attack is sent from many systems at once, typically bots under a single operator's control, which makes it much harder to filter by source address. A compromised server is often used as one of those bots, which is how many owners first learn of the compromise.

Brute-force attack

A brute-force attack consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case this means traversing the entire search space. For password guessing the method is fast against short passwords, but for longer passwords other methods such as a dictionary attack are used, because an exhaustive search takes too long. Against a server, the typical form is a stream of SSH login attempts that eventually succeeds; it leaves a long trail of failed logins in the authentication log, which is one of the first things to look for in the post-mortem.

How to check, or do a post-mortem

Each server configuration is unique. If a server has been exploited, the safe procedure is to create a new server and configure it like the old one, and to work on the exploited server to find out what happened, so that the new server can be secured against the same attack. Do not put the exploited server back into production.

Log on to the server that was exploited

Note: if you find anything suspicious in this step that could lead to a similar compromise on your new server, take steps to prevent the issue from recurring. Keep in mind that the tools on the box (ls, ps, netstat) may themselves have been replaced by the attacker; the chkrootkit section below covers that.

Find processes: look for an unfamiliar process running

This command, if installed, shows programs holding an open network socket:

lsof -i

This command shows all running processes:

ps -ef

At this point you may have a process or two that you want to investigate. Make a note of the process ID (PID) for each one, which is a string of numbers.

Find files

Next we want to find the malicious files on your system.

You can use this command to locate the executable file that is the origin of a particular process. Replace XXXX with the process ID (PID) you found earlier; /proc/XXXX/exe is a symbolic link, and ls -l shows where it points:

ls -al /proc/XXXX/exe

You can repeat this command for any suspicious processes you noted earlier. You can also search for suspicious files yourself. Common places trojans hide are:

  • /boot
  • /tmp
  • /run
  • /root

You can use this command to list all content in a particular folder, including dot files. This example is for the /boot directory:

ls -al /boot

If you find something foreign, check the ownership of the files for hints on which user was used to install the malicious code. Review your log files to find out how the code was installed, so that you can work on preventing it from happening again. Some programs that may also help to find something foreign:

rkhunter, chkrootkit, maldet (Linux Malware Detect), clamscan (ClamAV)
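The log review just described, and the brute-force attack defined earlier, as an added example that is not part of the original post: the script counts failed SSH logins per source address in an sshd auth log and then reports which of those sources later logged in successfully. The log lines are constructed for the example in the standard OpenSSH syslog format; the file path, the threshold of five failures and the function names are assumptions, and AUTH_LOG should be pointed at the real file (/var/log/auth.log on Debian/Ubuntu, /var/log/secure on RHEL).

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pull brute-force evidence out of
# an sshd auth log. SAMPLE_LOG is constructed for the example; the addresses
# are documentation ranges, not real attackers.
set -u

SAMPLE_LOG=$(cat <<'EOF'
Mar  3 02:11:01 web1 sshd[2011]: Failed password for root from 203.0.113.77 port 51122 ssh2
Mar  3 02:11:03 web1 sshd[2013]: Failed password for root from 203.0.113.77 port 51130 ssh2
Mar  3 02:11:05 web1 sshd[2015]: Failed password for invalid user admin from 203.0.113.77 port 51140 ssh2
Mar  3 02:11:06 web1 sshd[2017]: Failed password for root from 203.0.113.77 port 51151 ssh2
Mar  3 02:11:09 web1 sshd[2019]: Failed password for root from 203.0.113.77 port 51160 ssh2
Mar  3 02:11:12 web1 sshd[2021]: Accepted password for root from 203.0.113.77 port 51172 ssh2
Mar  3 08:40:20 web1 sshd[2310]: Failed password for deploy from 198.51.100.9 port 40001 ssh2
Mar  3 08:40:31 web1 sshd[2312]: Accepted publickey for deploy from 198.51.100.9 port 40002 ssh2
EOF
)

# Write the constructed sample to a temp file and print its path, so the
# functions below can be tried without touching a real log.
sample_log_file() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    echo "$f"
}

# Print "count ip" for every source with at least <threshold> failed logins
# (default 5). "Failed password for invalid user X" puts the address at a
# different field index, so the address is taken relative to the "from" word.
failed_logins_by_ip() {
    local log="$1" threshold="${2:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' "$log"
}

# The event that matters after a burst of failures: a successful login from
# the same address. Failures are counted as the log is read, so an Accepted
# line is reported only if at least <threshold> failures preceded it. Prints
# "user ip" per such login; the single failure from 198.51.100.9 stays quiet.
successes_after_failures() {
    local log="$1" threshold="${2:-5}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (fails[ip] >= t) print user, ip
        }
    ' "$log"
}

if [ "${1:-}" = "--run" ]; then
    log="${AUTH_LOG:-/var/log/auth.log}"
    echo "== sources with >= 5 failed logins =="
    failed_logins_by_ip "$log" 5
    echo "== logins that succeeded from those sources =="
    successes_after_failures "$log" 5
fi
```

Run it as `AUTH_LOG=/var/log/auth.log ./authlog-triage.sh --run` on the compromised host, or copy the log to a clean machine first if you do not trust the box. A root login accepted from an address that had just failed five times is the password-guessing signature; the fix on the new server is key-only authentication and disabling root login over SSH, not a bigger password.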

Wrapping up

Now you can kill any malicious processes and remove the files. Treat this as damage limitation rather than as a cleanup: as the chkrootkit section below explains, a host on which the attacker had root should be rebuilt from clean media, and the evidence you gathered here is what tells you how to harden the replacement.
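The process and file steps above, combined into one pass, as an added example that is not part of the original post. The script walks /proc to resolve every process's executable (the readlink equivalent of ls -al /proc/XXXX/exe), flags binaries running from the directories the post names as hiding places or that were deleted after starting, and lists recently modified files in those directories with their owner so the ownership hint is in the same report. The extra directories /dev/shm and /var/tmp, the seven-day window and the function names are this example's assumptions, as is the proc_root parameter, which exists so the same functions can be run against a test tree or a mounted image from a clean host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): one-pass triage of a Linux host
# following the post's process and file steps. Assumes a Linux /proc layout.
set -u

# Directories the post names as common trojan hiding places, plus the two
# world-writable locations most droppers also use (an addition of this example).
SUSPECT_DIRS="/boot /tmp /run /root /dev/shm /var/tmp"

# Return 0 if an executable path looks out of place for a long-running daemon:
# it lives in a suspect directory, or the binary was unlinked after starting,
# in which case readlink on /proc/PID/exe reports the path with " (deleted)".
exe_is_suspicious() {
    local exe="$1" d
    case "$exe" in *' (deleted)') return 0 ;; esac
    for d in $SUSPECT_DIRS; do
        case "$exe" in "$d"/*) return 0 ;; esac
    done
    return 1
}

# Walk <proc_root>/<pid>/exe for every numeric pid and print "pid exe" for the
# suspicious ones. Links that cannot be read (other users' processes without
# root, kernel threads) are skipped; run as root to see everything.
scan_processes() {
    local proc_root="${1:-/proc}" pid exe
    for pid in "$proc_root"/[0-9]*; do
        pid="${pid##*/}"
        exe=$(readlink "$proc_root/$pid/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        if exe_is_suspicious "$exe"; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

# List regular files modified in the last 7 days under the suspect directories
# as "owner:group date path", so ownership hints at the account that planted
# them. <root> defaults to the live filesystem; pass the mount point of a
# compromised disk image to scan it from a clean host.
scan_files() {
    local root="${1:-}" d
    for d in $SUSPECT_DIRS; do
        [ -d "$root$d" ] || continue
        find "$root$d" -xdev -type f -mtime -7 -printf '%u:%g %TY-%Tm-%Td %p\n' 2>/dev/null
    done
}

if [ "${1:-}" = "--run" ]; then
    echo "== processes holding network sockets (lsof -i) =="
    lsof -i -n -P 2>/dev/null || echo "lsof not installed"
    echo "== processes with suspicious executables =="
    scan_processes /proc
    echo "== recently changed files in suspect directories =="
    scan_files
fi
```

Everything this prints comes from the possibly trojaned host's own kernel and tools, so treat a clean result as weak evidence and a hit as strong evidence; the reliable version of the same check is to mount the compromised disk on a clean machine and call scan_files with the mount point.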

chkrootkit:

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.

To check for rootkits, chkrootkit can be used. It can be installed from the Ubuntu package manager (apt-get install chkrootkit).

chkrootkit -r directory

-r : use directory as the root directory

The default root is /, so running chkrootkit with no arguments scans the live system and reports, for each checked command, whether it is infected. The -r option is for scanning a different root, typically a disk image of the compromised server mounted on a clean host, so that the checks are not run through the compromised system's own binaries. Some tests are skipped when -r is given; they show up as "not tested" in the output described below.

Output messages of chkrootkit:

  • "INFECTED": the test has identified a command probably modified by a known rootkit;
  • "not infected": the test did not find any known rootkit signature;
  • "not tested": the test was not performed. This can happen in the following situations:
    •  the test is OS specific;
    •  the test depends on an external program that is not available;
    •  some specific command line options were given (e.g. -r).
  • "not found": the command to be tested is not available;
  • "Vulnerable but disabled": the command is infected but not in use (not running, or commented out in inetd.conf).

A trojaned command has been found

The problem here is bigger than the one command: the machine has been compromised and the attacker has root privileges. Replacing the trojaned command is not enough, because a rootkit exists precisely to hide what else was changed. The best way is to reinstall the machine from safe media and follow security recommendations.
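The chkrootkit run and the reading of its output messages, as an added example that is not part of the original post or of chkrootkit itself: the script runs chkrootkit against a mounted image and reduces the output to the findings that need action, returning a non-zero status when any command is INFECTED so the result can gate a rebuild decision. The sample output is constructed for the example in the "Checking `command'... STATUS" form chkrootkit prints; the mount point /mnt/compromised, the CLEAN_BIN path and the function name are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarize chkrootkit output.
# SAMPLE_OUTPUT is constructed for the example and mimics chkrootkit's format.
set -u

SAMPLE_OUTPUT=$(cat <<'EOF'
ROOTDIR is `/mnt/compromised/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `ls'... INFECTED
Checking `netstat'... not infected
Checking `ps'... INFECTED
Checking `rshd'... Vulnerable but disabled
Checking `sshd'... not infected
Searching for suspicious files and dirs, it may take a while... nothing found
Checking `chkutmp'... not tested
EOF
)

# Write the constructed sample to a temp file and print its path.
sample_output_file() {
    local f
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_OUTPUT" > "$f"
    echo "$f"
}

# Print one "INFECTED cmd" or "DISABLED cmd" line per finding that matters and
# return 1 if any command was INFECTED. "not infected", "not found" and
# "not tested" lines are dropped; "not tested" is expected when -r is used.
chkrootkit_findings() {
    local file="$1"
    awk '
        /^Checking `/ {
            # part[1] is the Checking ... prefix, part[2] the status text
            n = split($0, part, /\.\.\. /)
            if (n < 2) next
            cmd = part[1]
            sub(/^Checking `/, "", cmd)
            sub(/.$/, "", cmd)
            status = part[2]
            if (status == "INFECTED") { print "INFECTED " cmd; infected++ }
            else if (status == "Vulnerable but disabled") print "DISABLED " cmd
        }
        END { exit (infected > 0) }
    ' "$file"
}

if [ "${1:-}" = "--run" ]; then
    mnt="${2:?usage: $0 --run /mnt/compromised}"
    out="${OUT:-chkrootkit.out}"
    # -r scans the mounted image instead of the live root; -p makes chkrootkit
    # use external commands from a trusted directory (binaries copied from clean
    # media) rather than the possibly trojaned ls/ps on the image.
    chkrootkit -r "$mnt" -p "${CLEAN_BIN:-/media/clean/bin}" > "$out" 2>&1 || true
    if chkrootkit_findings "$out"; then
        echo "no INFECTED commands reported; full output in $out"
    else
        echo "INFECTED commands reported: rebuild from clean media; full output in $out"
        exit 1
    fi
fi
```

Keep the full chkrootkit output as well as the summary: the "not tested" lines tell you which checks the -r run could not perform, and those are worth repeating with a second tool such as rkhunter before trusting a clean result.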

References:

https://www.digitalocean.com/community/tutorials/how-to-recover-from-a-compromised-droplet-sending-an-outgoing-flood-or-ddos
http://www.chkrootkit.org/
http://en.wikipedia.org/wiki/Rootkit
