Detecting outbound attacks:
Check outbound connections:
To list the remote end of every TCP socket, dropping localhost:
netstat -atn | tr -s ' ' | cut -f5 -d ' ' | grep -v '127.0.0.1'
That prints the "Foreign Address" column for all connections whose peer is not the loopback interface. You can also exclude the host's own internal IP, say 192.168.0.15:
netstat -atn | tr -s ' ' | cut -f5 -d ' ' | grep -v '127.0.0.1\|192.168.0.15'
To see which process owns each socket (TCP, UDP and raw), run as root:
netstat -nputw
Add -c for continuous updating. On newer distributions netstat has been replaced by ss; ss -tunap gives the same view.
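The netstat | cut | grep pipeline above, as an added example that is not part of the original page: an awk filter that strips the port, drops loopback and LISTEN wildcard peers, and excludes any internal addresses passed as arguments. SAMPLE_NETSTAT is constructed netstat -atn output, not a real capture, and 203.0.113.7:6667 stands in for an unexpected outbound connection.

```shell
#!/bin/sh
# Added example, not from the original page: filter the "Foreign Address" column
# of `netstat -atn`, excluding loopback, LISTEN wildcards and our own internal IPs.
# Usage on a live host:  netstat -atn | list_foreign_peers 192.168.0.15

list_foreign_peers() {
    # $@ = internal addresses to exclude; prints "foreign_address state", deduplicated
    awk -v internal="$*" '
        BEGIN { n = split(internal, skip, " "); for (i = 1; i <= n; i++) drop[skip[i]] = 1 }
        $1 == "tcp" || $1 == "tcp6" {
            host = $5
            sub(/:[^:]*$/, "", host)                        # strip ":port" or ":*"
            if (host == "0.0.0.0" || host == "::") next     # LISTEN wildcard peer
            if (host ~ /(^|:)127\./ || host == "::1") next  # loopback (v4, v6, v4-mapped)
            if (host in drop) next                          # our own internal IP
            print $5, $6
        }' | sort -u
}

# Constructed sample output of `netstat -atn` (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.15:22         192.168.0.20:51234      ESTABLISHED
tcp        0      0 192.168.0.15:49822      203.0.113.7:6667        ESTABLISHED
tcp        0      0 127.0.0.1:3306          127.0.0.1:40112         ESTABLISHED
tcp        0      0 192.168.0.15:8080       192.168.0.15:50001      ESTABLISHED
tcp        0      0 192.168.0.15:49823      198.51.100.4:443        TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN'

# Demo: only the three real peers survive; the localhost and 192.168.0.15 sockets are dropped.
printf '%s\n' "$SAMPLE_NETSTAT" | list_foreign_peers 192.168.0.15
```

The state column is kept on purpose: an ESTABLISHED socket to an unfamiliar host on an odd port (6667 here) is the thing to chase first, while TIME_WAIT entries are already closed.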
To capture the raw packets:
sudo tcpdump -i any -w /tmp/http.log &
This captures all raw packets, on all ports and all interfaces, and writes them in pcap format to /tmp/http.log (despite the file name it is not limited to HTTP). Stop the capture with
killall tcpdump
To read the capture, use the -A flag and pipe the output to less:
tcpdump -A -r /tmp/http.log | less
The -A flag prints each packet's payload as ASCII text, and less lets you page up and down through it. Because -w writes binary pcap data, the file only makes sense when read back through tcpdump -r, not with cat or less directly. To watch a single service live, filter by port, for example FTP control and data:
tcpdump -nvv -i ethX 'port 21 or port 20'
Replace ethX with the interface name; -v or -vv gives a more detailed protocol decode.
Check for suspicious ("stealth") processes:
ps -ef | grep stealth
Substitute the name of the process you are suspicious of, or read the full ps -ef output for anything you do not recognise. Then inspect the process by its PID (12345 below is a placeholder):
lsof -p 12345 | grep cwd
lsof -p 12345
The first command shows the directory the process is running from; the second lists every file, library and socket it has open. You should also check the /tmp directory, as dropped malware often runs from there:
find /tmp | grep -i stealth
A process whose working directory or executable lives under /tmp, /var/tmp or /dev/shm, or whose executable lsof reports as "(deleted)", deserves a close look.
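The same check done directly against /proc rather than by grepping for a name, as an added example that is not from the original page: it flags processes whose working directory or executable is in a world-writable scratch location or whose binary was deleted after launch, which is what lsof -p PID | grep cwd is really looking for. The proc-root argument is a hypothetical parameter so the scan can run against the constructed fake tree built by make_fake_proc; on a live host use the default, /proc.

```shell
#!/bin/sh
# Added example, not from the original page: walk /proc and report processes
# running from /tmp, /var/tmp or /dev/shm, or whose executable is "(deleted)".
# Live usage:  suspicious_procs           (same as: suspicious_procs /proc)

suspicious_procs() {
    proc_root="${1:-/proc}"
    for d in "$proc_root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # readlink prints the link target even when the target no longer exists
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd="?"
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="?"
        reason=""
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) reason="cwd=$cwd" ;;
        esac
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*|*"(deleted)") reason="${reason:+$reason }exe=$exe" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s\n' "$pid" "$reason"
        fi
    done
    return 0
}

# Constructed stand-in for /proc (fabricated for this demo): four fake PIDs
# with cwd/exe symlinks, two benign and two that should be flagged.
make_fake_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1" "$root/4242" "$root/5150" "$root/7001"
    ln -s / "$root/1/cwd";                ln -s /usr/lib/systemd/systemd "$root/1/exe"      # init, fine
    ln -s /tmp/.x "$root/4242/cwd";       ln -s /tmp/.x/kworkerds "$root/4242/exe"          # dropped binary in /tmp
    ln -s /var/www/html "$root/5150/cwd"; ln -s /usr/sbin/apache2 "$root/5150/exe"          # web server, fine
    ln -s /root "$root/7001/cwd";         ln -s "/usr/bin/crond (deleted)" "$root/7001/exe"  # binary removed after start
    printf '%s\n' "$root"
}

# Demo against the fake tree: expect PIDs 4242 and 7001 only.
fake=$(make_fake_proc)
suspicious_procs "$fake"
rm -rf "$fake"
```

Reading /proc needs no extra tools and sees processes whose name has been changed with prctl or argv rewriting, which a ps | grep for a name misses; as with lsof, you need root to read the cwd and exe links of other users' processes.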
Stopping outbound attacks:
Clean the web directory manually (inspecting files by eye) or with a scanner plugin such as Wordfence. Start with files modified within the last 24 hours:
find /directorypath -mtime -1 -ls
Detecting malware/defacement attacks:
- Check htaccess – open it up and see if there are new lines in there that you didn’t add.
- Check wp-config (or other CMS config) – open it up to see if the site URL was changed in there.
- Check database – if using WordPress, go to the wp_options table and look at the “site address” and “WordPress address” rows. If it’s got the wrong URL in there, change it back. If they changed all the urls in your database (uncommon), you’ll have to manually change all those strings back.
- Check theme files – go into your active theme directory and look around for weird files. Also check the functions.php file to see if any malicious functions were put in there.
- Check plugin files – same thing as above but in your plugin directories. This option is often not realistic if you have too many directories to look through.
- Check uploads directory (or other public directories) – many hacks and scripts hide (and execute) from these directories because they are writable by the web server and open to the public. It would be smart to block PHP execution from the uploads directory, for example with an .htaccess rule there that denies requests for *.php files.
- Check plugin settings in WordPress – log into your WordPress admin (or other CMS admin) and check all settings to see if they’ve been changed. What you’re looking for is any place where they might have changed sensitive info, like putting their PayPal email instead of yours, putting their logo or site URL instead of yours, having your backups go to their remote storage instead of yours, etc…the possibilities are endless. Be thorough and check everything over carefully!
- Check for base64-encoded code – hackers use this to hide their code (it is encoding, not encryption), so you can't read it and search for the exact strings. Use find and grep to search for the decoding calls instead (but beware that there are legitimate uses for base64):
base64_decode
gzinflate(base64_decode
eval(gzinflate(base64_decode
eval(base64_decode
find /home -name "*.php" -exec grep -l "eval(" {} \;
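The "recently modified" and "base64/eval" checks from the steps above, as an added example that is not code from the original page: two functions run against a constructed sample web root (everything under make_sample_webroot is fabricated for the demonstration). Patterns are tried most-specific first so each file is reported once with the strongest indicator found.

```shell
#!/bin/sh
# Added example, not from the original page: scan a web root for files changed
# in the last 24 hours and for PHP files carrying the eval/gzinflate/base64 markers.
# Live usage:  recent_files /var/www/html;  scan_obfuscated /var/www/html

make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2019/03" "$root/wp-content/plugins/legit-widget"
    # ordinary front controller
    printf '<?php\nrequire __DIR__ . "/wp-blog-header.php";\n' > "$root/index.php"
    # legitimate use of base64_decode: decodes an embedded icon, no eval
    printf '<?php\n$icon = base64_decode("iVBORw0KGgo=");\n' > "$root/wp-content/plugins/legit-widget/widget.php"
    # dropped web shell hidden under uploads, the usual obfuscated eval chain
    printf '<?php\neval(gzinflate(base64_decode("PAYLOAD")));\n' > "$root/wp-content/uploads/2019/03/.cache.php"
    # age the legitimate files so only the dropped file counts as recent
    touch -t 201901010000 "$root/index.php" "$root/wp-content/plugins/legit-widget/widget.php"
    printf '%s\n' "$root"
}

recent_files() {           # files changed within the last 24 hours, like find -mtime -1 -ls
    find "$1" -type f -mtime -1 | sort
}

scan_obfuscated() {        # PHP files containing obfuscation markers, printed as "pattern<TAB>relative path"
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        for pat in 'eval(gzinflate(base64_decode' 'eval(base64_decode' 'gzinflate(base64_decode' 'base64_decode' 'eval('; do
            if grep -qF "$pat" "$f"; then
                printf '%s\t%s\n' "$pat" "${f#$1/}"
                break
            fi
        done
    done
}

# Demo run; review every hit by hand, since base64_decode on its own is often legitimate.
root=$(make_sample_webroot)
echo "== modified in last 24h =="; recent_files "$root"
echo "== obfuscation markers =="; scan_obfuscated "$root"
rm -rf "$root"
```

Note that find -name '*.php' does match dot-files such as .cache.php, which is where dropped shells tend to hide, and that the widget.php hit is the false positive the text warns about: a bare base64_decode is a reason to open the file, not proof of compromise.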
Other tcpdump examples for watching HTTP traffic (-s sets the snapshot length so whole packets are captured, -nn disables name and port lookups, and -l line-buffers the output so it can be piped to grep as it arrives):
tcpdump -A -i eth0 -s 1500 port 80
tcpdump -nn -i eth0 port 80 -A
tcpdump -i eth0 -s 1024 -l -A port 80 | grep abc.com