Posted 2 years, 9 months and 4 days ago
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, distributed denial-of-service attacks are sent by two or more people, or bots, and denial-of-service attacks are sent by one person or system.
A brute-force attack consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space. When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because of the time a brute-force search takes.
How to check or do a post-mortem
Each server configuration is unique. If a server has been exploited, the safe procedure is to create a new server and configure it cleanly, and in parallel work on the exploited server to find out what happened, so that the new server can be secured against the same thing.
Log on to the server that was exploited.
Note: If you find anything suspicious in this step that could lead to a similar compromise on your new server, take steps to prevent the issue from recurring.
Find processes, in particular any unfamiliar process that is running:
This command, if installed, shows programs holding open a network socket:
This command will show all running processes:
At this point, you may have a process or two that you want to investigate. Make a note of the process ID (PID) for each one, which is a string of digits.
Next we want to find the malicious files on your system.
You can use this command to locate the executable file that is the origin of a particular process. Replace XXXX with the process ID (PID) you found earlier:
ls -al /proc/XXXX/exe
You can repeat this command for any suspicious processes you noted earlier. You can also search for suspicious files yourself. Common places trojans hide are:
You can use this command to list all content in a particular folder, including dot files. This example is for the /boot directory:
ls -al /boot
If you find something foreign, check the ownership of the files for hints on which user was used to install the malicious code. Review your log files to try to find out how the code was installed so that you can work on preventing it from happening again. Some programs that may also help find foreign files:
rkhunter, chkrootkit, maldet, clamscan
Now you can kill any malicious processes and remove the files.
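The PID-to-executable lookup above, scripted as an added example (not code from the original post): it reads /proc/PID/exe and /proc/PID/status to report the backing binary and its owner, and flags two warning signs worth checking during a post-mortem. The helper names (pid_exe, inspect_pid and so on) and the list of scratch directories are my own assumptions.

```shell
#!/bin/sh
# Resolve a suspicious PID to its on-disk executable and owner via /proc
# (Linux only), then flag two common red flags: the binary was deleted
# after the process started, or it runs from a world-writable scratch
# directory. Added example; helper names are not from the original post.

# Path of the executable backing PID. A " (deleted)" suffix in the link
# target means the file was removed from disk after the process started.
pid_exe() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Numeric real UID of PID, taken from the Uid: line of /proc/PID/status.
pid_uid() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# Map a numeric UID to a login name via /etc/passwd (falls back to the number).
uid_name() {
    name=$(awk -F: -v u="$1" '$3 == u { print $1; exit }' /etc/passwd 2>/dev/null)
    printf '%s\n' "${name:-$1}"
}

# Return 0 (true) if an executable path looks suspicious: unlinked from disk,
# or living under a scratch directory (assumed list) where foreign binaries
# are often found during incident triage.
exe_suspicious() {
    case "$1" in
        *" (deleted)") return 0 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    esac
    return 1
}

# One-line report for a PID: the manual "ls -al /proc/PID/exe" step from the
# post, plus the owning user and a verdict.
inspect_pid() {
    pid=$1
    exe=$(pid_exe "$pid") || { echo "PID $pid: not found or not readable"; return 1; }
    uid=$(pid_uid "$pid")
    printf 'PID %s exe=%s owner=%s(%s)' "$pid" "$exe" "$(uid_name "$uid")" "$uid"
    if exe_suspicious "$exe"; then
        printf ' [SUSPICIOUS]\n'
    else
        printf ' [ok]\n'
    fi
}

# Usage: inspect the current shell itself as a harmless demonstration.
inspect_pid "$$"
```

Run it as root to inspect processes owned by other users, since /proc/PID/exe is only readable by the process owner or root.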
A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and enable continued privileged access to a computer. The term rootkit is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and the word "kit" (which refers to the software components that implement the tool). The term "rootkit" has negative connotations through its association with malware.
To check for rootkits, chkrootkit can be used. It can be installed from the Ubuntu package manager (apt-get).
chkrootkit -r directory
(-r: use directory as the root directory for the scan)
If / is supplied as the directory, it will scan the entire system and report whether files are infected or not.
Output messages of chkrootkit:
A trojaned command has been found
Here the biggest problem is that the machine has been compromised and the attacker has root privileges. Although this can be addressed by simply replacing the trojaned command, the best way is to reinstall the machine from safe media and to follow security recommendations.