8 Responses to “rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised”

  1. baltimore yoga says:

    What's happening, I'm new to this. I stumbled upon this and have found it absolutely useful; it has helped me out loads. I'm hoping to give a contribution and aid other users like it's helped me. Great job.

    • admin says:

      Glad it helped you, will be seeing you around 😉

  2. admin says:

    It is also useful to use ss, another utility to investigate sockets, together with netstat. ss just dumps socket statistics.
    Some sample uses of ss:

    # ss -lp
    # ss -l | grep 1048

    The ss tool is part of the iproute package, which also contains the ip command.

  3. admin says:

    To display all listening ports on a machine with ss:

    # ss -l
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    LISTEN 0 128 127.0.0.1:spamd *:*
    LISTEN 0 128 :::imap2 :::*
    LISTEN 0 128 *:sunrpc *:*
    LISTEN 0 511 *:www *:*
    LISTEN 0 20 *:ssmtp *:*
    LISTEN 0 128 *:46962 *:*
    LISTEN 0 5 :::ftp :::*
    LISTEN 0 20 *:domain *:*
    LISTEN 0 128 *:munin *:*
    LISTEN 0 128 :::ssh :::*
    LISTEN 0 128 *:ssh *:*
    LISTEN 0 128 *:8022 *:*
    LISTEN 0 512 *:8888 *:*
    LISTEN 0 20 *:smtp *:*
    LISTEN 0 128 :::2207 :::*
    LISTEN 0 128 *:2207 *:*
    LISTEN 0 128 :::imaps :::*
    LISTEN 0 512 *:9001 *:*
    LISTEN 0 50 127.0.0.1:mysql *:*

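A small parser for the `ss -l` listing shown above, added here as an example (it is not code from the original post): it walks the output line by line and flags listening sockets whose port is not on an allowlist of services the host is expected to expose, separating loopback-only sockets from externally reachable ones. The allowlist is an assumption and the sample output is constructed from the comment's listing.

```python
import sys

# Constructed sample, copied from the `ss -l` listing in the comment above.
# Note: without -n, ss prints service names from /etc/services, so the
# allowlist below uses those names rather than port numbers.
SAMPLE_SS_L = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:spamd *:*
LISTEN 0 128 :::imap2 :::*
LISTEN 0 128 *:sunrpc *:*
LISTEN 0 511 *:www *:*
LISTEN 0 128 *:46962 *:*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 *:8022 *:*
LISTEN 0 50 127.0.0.1:mysql *:*
"""

# Assumed baseline (hypothetical): services this host is expected to expose.
EXPECTED_LISTENERS = {"ssh", "www", "imap2", "imaps", "smtp", "ssmtp", "domain", "sunrpc"}


def parse_ss_listeners(text):
    """Return (local_addr, port) tuples for every LISTEN row of `ss -l` output.

    The local endpoint is the 4th whitespace-separated column; the port is
    whatever follows the last ':' so that IPv6 wildcards like ':::ssh' parse.
    """
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header row or a non-listening state
        addr, _, port = cols[3].rpartition(":")
        listeners.append((addr, port))
    return listeners


def unexpected_listeners(text, allowlist=EXPECTED_LISTENERS):
    """Split listeners not on the allowlist into (exposed, loopback_only).

    Loopback-bound sockets are reported separately: they still deserve a look,
    but a socket reachable from outside is the more urgent finding.
    """
    exposed, loopback_only = [], []
    for addr, port in parse_ss_listeners(text):
        if port in allowlist:
            continue
        (loopback_only if addr in ("127.0.0.1", "::1") else exposed).append((addr, port))
    return exposed, loopback_only


if __name__ == "__main__":
    # Pipe real output in with `ss -l | python3 this_script.py`; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_L
    exposed, loopback_only = unexpected_listeners(text)
    print("exposed, not on allowlist:", exposed)
    print("loopback only, not on allowlist:", loopback_only)
```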
  4. admin says:

    To auto-kill hidden processes with 'unhide':

    for P in $(unhide sys | grep -v '\*' | grep -i HIDDEN | cut -f2 -d':' | awk '{print $1}'); do kill -9 "$P"; done

  5. admin says:

    Here are more ss usage examples:

    ss -t -a
    Display all TCP sockets.

    ss -u -a
    Display all UDP sockets.

    ss -o state established '( dport = :ssh or sport = :ssh )'
    Display all established ssh connections.

    ss -x src /tmp/.X11-unix/*
    Find all local processes connected to X server.

    ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
    List all the TCP sockets in state FIN-WAIT-1 for our Apache to network 193.233.7/24 and look at their timers.
