Sunday, March 16, 2008

Exploit Removal Guide

The following is a first step in finding and removing exploits and rootkits on a Linux or BSD system.

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-

2. EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:

sh
for x in "/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp"; do
  ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web | htdocs " | grep -E "^$|^/|/$|\*$|\.pl$" | grep -Ev "sess_" | tee exploits.txt
done
echo -e "\n\nPossible Exploit Files and Directories: `grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' '`" | tee -a exploits.txt
exit

(The leading sh starts a Bourne shell so the commands run the same way on Linux and BSD; exit returns you to your original shell. The first grep keeps blank lines, directory headers and entries owned by the web-server accounts; the second keeps only directories, executables and .pl files; the third drops PHP session files.)

Lines ending with an asterisk '*', '.pl', or a slash '/' are possible exploit files or directories. They should be investigated and removed, followed by rebooting the server to kill any running exploit processes. You can refer to the exploits.txt file generated by the above commands for later reference.
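The same check, written as a reusable POSIX sh function, is given below as an added example; it is not part of the original guide. It uses find instead of ls -R, flags the same three things the guide does (executable files, Perl scripts, and files owned by a web-server account), skips PHP sess_ files, writes the hits to a report file and returns the count. The account list in WEB_USERS is taken from the guide; the function only passes accounts that exist on the host to find, because find aborts on an unknown -user name. The report file name and the function names are assumptions.

```shell
#!/bin/sh
# Added example: scan scratch directories for the file types the guide treats
# as suspicious and record them in a report file for manual investigation.

# Web-server accounts named in the guide. Files owned by these accounts in a
# world-writable directory are worth a look.
WEB_USERS="apache nobody unknown www web htdocs"

# Build "-o -user NAME" clauses for the accounts that exist on this host.
web_user_clause() {
    clause=""
    for u in $WEB_USERS; do
        if id "$u" >/dev/null 2>&1; then
            clause="$clause -o -user $u"
        fi
    done
    printf '%s' "$clause"
}

# scan_dirs REPORT DIR... : append suspicious paths under each DIR to REPORT
# (truncated first) and print the number of paths found.
scan_dirs() {
    report=$1; shift
    : > "$report"
    users=$(web_user_clause)
    for d in "$@"; do
        [ -d "$d" ] || continue
        # Regular files that are executable by their owner, named *.pl, or
        # owned by a web-server account; PHP session files are excluded.
        # $users is intentionally left unquoted so it expands to find tokens.
        find "$d" -type f \( -perm -100 -o -name '*.pl' $users \) \
            ! -name 'sess_*' 2>/dev/null >> "$report"
    done
    wc -l < "$report" | tr -d ' '
}

# Usage (as root): sh scan.sh /dev/shm /tmp /var/spool /var/tmp
# With no arguments nothing is scanned, so the file can be sourced safely.
if [ $# -gt 0 ]; then
    count=$(scan_dirs exploits.txt "$@")
    echo "Possible Exploit Files: $count (see exploits.txt)"
fi
```

As with the guide's own one-liner, a hit is a lead, not a verdict: legitimate software also drops executables and Perl scripts into /tmp, so each path in the report still has to be examined by hand before anything is deleted.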

3. You should also install and run the program called rkhunter.
Rootkit Hunter is a scanning tool that gives you about 99.9% assurance that you are clean of nasty tools.
This tool scans for rootkits, backdoors and local exploits by running tests such as:

- MD5/SHA1 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
WWW: http://www.rootkit.nl/

On BSD systems:
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

On RedHat, Fedora, CentOS systems:
yum -y install rkhunter;
rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)
