nanog mailing list archives
Re: Security Guideance
From: acv <acv () miniguru ca>
Date: Tue, 23 Feb 2010 15:51:49 -0500
These tools will relate IP flow to UID in Linux:

# Get the sockets that are open
netstat -an

# lsof (as root) sockets to pid and owner uid.
lsof

If netstat doesn't show it, it could be a raw socket... Or your root-kit's still there. Raw sockets will still show in lsof.

Alex

On Tue, Feb 23, 2010 at 02:39:41PM -0600, Dan White wrote:
> Date: Tue, 23 Feb 2010 14:39:41 -0600
> From: Dan White <dwhite () olp net>
> To: Ronald Cotoni <setient () gmail com>
> Subject: Re: Security Guideance
> Cc: nanog () nanog org
>
> On 23/02/10 15:19 -0500, Ronald Cotoni wrote:
> > Quick suggestion BUT you may want to have Parallels look into it if you can't seem to find it since you pay for the support anyways. You may also want to check to see if it is a cron job that is doing it (if the machine was root kitted, you may have accidentally copied a cron job over). Another suggestion would be simply move half the accounts to one server and half to another and see if it ddoses again and keep doing that until you find the problem account.
>
> I'll second that. I've found a few interesting items in my /var/spool/cron/crontab before.
>
> Also check your web server logs. If someone has compromised an account via an apache/php vulnerability, it might show up in your access/error log (I saw 'wget' in my logs once).
>
> I assume you've checked 'last' to make sure they're not getting in via a remote shell.
>
> ls -ltra is your friend when finding the most recently created files in your filesystem.
>
> If you suspect there's a running process doing it, look through your /proc directory, like in /proc/<pid>/environ, /proc/<pid>/cmdline, etc.
>
> --
> Dan White
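The socket-to-UID and socket-to-PID lookup that netstat and lsof perform, shown against the kernel tables they read, as an added example that is not from any of the posters. The function names (hex2ip, hex2ep, tcp_state, decode_tcp_table, inode_to_pid) and the two-row sample table are mine; the sample is constructed, not captured from a real host.

```shell
# Added example: decode /proc/net/tcp (where the uid column ties a socket to its
# owning account) and resolve a socket inode to a PID via /proc/*/fd, as lsof does.
# /proc/net/tcp prints IPv4 addresses as 8 hex digits, least-significant byte first.
hex2ip() {
    h=$1
    b4=${h%??????}; h=${h#??}
    b3=${h%????};   h=${h#??}
    b2=${h%??};     b1=${h#??}
    printf '%d.%d.%d.%d' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}
# "0100007F:1F90" -> "127.0.0.1:8080"
hex2ep() {
    printf '%s:%d' "$(hex2ip "${1%%:*}")" "$((0x${1##*:}))"
}
# Map the hex state column to the name netstat prints.
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;; 03) echo SYN_RECV ;;
        06) echo TIME_WAIT ;;   08) echo CLOSE_WAIT ;; 0A) echo LISTEN ;;
        *)  echo "ST_$1" ;;
    esac
}
# Read /proc/net/tcp-format text on stdin (header included) and print one
# "local remote STATE uid inode" line per socket.
decode_tcp_table() {
    read -r _header
    while read -r _sl laddr raddr st _q _tm _rt uid _to inode _rest; do
        printf '%s %s %s %s %s\n' "$(hex2ep "$laddr")" "$(hex2ep "$raddr")" \
            "$(tcp_state "$st")" "$uid" "$inode"
    done
}
# Print the PID(s) whose fd table holds socket inode $1. Reading other users'
# /proc/<pid>/fd needs root, exactly as lsof does.
inode_to_pid() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        p=${fd#/proc/}; echo "${p%%/*}"
    done
}
# Constructed sample in /proc/net/tcp layout: a listener owned by root (uid 0)
# and an established connection owned by uid 1001.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100A8C0:C350 01 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 20 4 30 10 -1'
decode_sample() { printf '%s\n' "$SAMPLE_TCP" | decode_tcp_table; }

# Usage: sh socktab.sh --live   decodes the running host's table instead of the sample.
if [ "${1:-}" = "--live" ]; then decode_tcp_table < /proc/net/tcp; else decode_sample; fi
```

Pair a uid from the decoded table with `inode_to_pid <inode>` to get to the process, then to its /proc/<pid>/cmdline and environ as Dan describes.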