5 Responses to “rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised”

  1. admin says:

    It is also useful to use ss, another utility to investigate sockets, together with netstat. ss just dumps socket statistics.
    Some sample uses of ss:

    # ss -lp
    # ss -l | grep 1048


    The ss tool is part of the iproute package, which also contains the ip command.

  2. admin says:

    To display all listening ports on a machine with ss:

    # ss -l
    State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
    LISTEN 0      128    127.0.0.1:spamd      *:*
    LISTEN 0      128    :::imap2             :::*
    LISTEN 0      128    *:sunrpc             *:*
    LISTEN 0      511    *:www                *:*
    LISTEN 0      20     *:ssmtp              *:*
    LISTEN 0      128    *:46962              *:*
    LISTEN 0      5      :::ftp               :::*
    LISTEN 0      20     *:domain             *:*
    LISTEN 0      128    *:munin              *:*
    LISTEN 0      128    :::ssh               :::*
    LISTEN 0      128    *:ssh                *:*
    LISTEN 0      128    *:8022               *:*
    LISTEN 0      512    *:8888               *:*
    LISTEN 0      20     *:smtp               *:*
    LISTEN 0      128    :::2207              :::*
    LISTEN 0      128    *:2207               *:*
    LISTEN 0      128    :::imaps             :::*
    LISTEN 0      512    *:9001               *:*
    LISTEN 0      50     127.0.0.1:mysql      *:*

  3. admin says:

    To auto-kill hidden processes with 'unhide':

    # unhide prints "Found HIDDEN PID: <pid>" for each hit; the grep -v drops its "[*]..." progress lines
    for P in $(unhide sys | grep -v '\*' | grep -i HIDDEN | cut -f2 -d':' | awk '{print $1}'); do kill -9 "$P"; done

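The one-liner above kills whatever unhide reports without looking at it first, and a kill -9 throws away the only chance to learn what the hidden process was. The script below is an added example, not code from the original post or from the unhide project: it parses the "Found HIDDEN PID:" lines that the comment's grep relies on, lets only numeric PIDs through so nothing odd on an unhide line can ever become an argument to kill, records what /proc still shows for each PID, and only kills when DRY_RUN=0 is set. The unhide output it works on is constructed for the example (real runs also print a banner and "[*]Searching..." progress lines, which is what the comment's grep -v filters).

```shell
#!/bin/sh
# Added example: triage the PIDs `unhide sys` reports before killing them.
# Not part of the original post or of unhide itself.

# Constructed sample of `unhide sys` output (hypothetical PIDs and paths).
SAMPLE_UNHIDE_OUTPUT='Unhide 20121229
[*]Searching for Hidden processes through /proc stat scanning
Found HIDDEN PID: 1234
        Cmdline: "/tmp/.x/httpd"
[*]Searching for Hidden processes through comparison of results of system calls, proc, dir and ps
Found HIDDEN PID: 5678
        Cmdline: "[kworker/0:3]"
[*]Searching for Hidden processes through getpriority() scanning
Found HIDDEN PID: 1234
        Cmdline: "/tmp/.x/httpd"'

# hidden_pids: read unhide output on stdin, print each hidden PID once,
# numerically sorted, one per line. Only all-digit tokens pass, so a stray
# colon or shell metacharacter on an unhide line cannot reach kill.
hidden_pids() {
    grep -i '^Found HIDDEN PID' |
    awk -F: '{ print $2 }' |
    awk '$1 ~ /^[0-9]+$/ { print $1 }' |
    sort -n -u
}

# count_hidden_pids: number of distinct hidden PIDs in the output passed as $1.
count_hidden_pids() {
    printf '%s\n' "$1" | hidden_pids | wc -l | tr -d ' '
}

# triage_pid: save what can still be seen about a PID before it is killed.
# A rootkit may hide or remove the /proc entry, so every lookup falls back
# to "(unavailable)" instead of aborting the run.
triage_pid() {
    pid=$1
    printf 'PID %s\n' "$pid"
    printf '  exe:     %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '(unavailable)')"
    printf '  cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || echo '(unavailable)')"
    printf '  cwd:     %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '(unavailable)')"
}

# kill_hidden: triage each PID read from stdin, then kill it unless DRY_RUN
# is set (the default), in which case the kill is only announced.
kill_hidden() {
    while IFS= read -r pid; do
        triage_pid "$pid"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '  dry run: would run kill -9 %s\n' "$pid"
        else
            kill -9 "$pid"
        fi
    done
}

# Demo on the constructed sample; nothing is killed because DRY_RUN defaults to 1.
# On a live host replace the printf with:  unhide sys | hidden_pids | DRY_RUN=0 kill_hidden
printf '%s\n' "$SAMPLE_UNHIDE_OUTPUT" | hidden_pids | kill_hidden
```

Run it once as shown to see what unhide found and what /proc still says about it, copy that output off the box, and only then rerun with DRY_RUN=0. If /proc shows nothing for a PID that unhide insists exists, that in itself is evidence of kernel-level hiding and the host should be imaged rather than cleaned in place.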
  4. admin says:

    Here are more ss usage examples:

    ss -t -a
    Display all TCP sockets.

    ss -u -a
    Display all UDP sockets.

    ss -o state established '( dport = :ssh or sport = :ssh )'
    Display all established ssh connections.

    ss -x src /tmp/.X11-unix/*
    Find all local processes connected to the X server.

    ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
    List all the TCP sockets in state FIN-WAIT-1 for our Apache to network 193.233.7/24 and look at their timers.

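The ss dumps in comments 1, 2 and 4 only help if you already know what the host is supposed to listen on; a stray *:46962 in a 20-line list is easy to skim past. The script below is an added example, not code from the original post and not part of iproute2: it pulls the LISTEN rows out of saved ss output, locating the State and Local Address columns from the header line so that both the old layout shown in comment 2 and newer ss versions that prepend a Netid column parse the same way, and diffs them against a baseline written down when the host was built. The ss output and the baseline are constructed for the example. Once a surprise port shows up, the same filter syntax comment 4 uses names its owner: ss -lptn 'sport = :46962'.

```shell
#!/bin/sh
# Added example: compare the listeners `ss -l` reports with a known baseline.
# Not part of the original post or of iproute2.

# Constructed sample in the shape of `ss -ln` output (numeric ports so the
# comparison does not depend on /etc/services names).
SAMPLE_SS_OUTPUT='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    127.0.0.1:783          *:*
LISTEN     0      128    :::143                 :::*
LISTEN     0      511    *:80                   *:*
LISTEN     0      128    *:46962                *:*
LISTEN     0      128    :::22                  :::*
LISTEN     0      128    *:22                   *:*
LISTEN     0      128    *:8022                 *:*
LISTEN     0      50     127.0.0.1:3306         *:*'

# Constructed baseline: one "address:port" per line, recorded at build time.
BASELINE='127.0.0.1:783
:::143
*:80
:::22
*:22
127.0.0.1:3306'

# listeners: read ss output on stdin and print the Local Address:Port of every
# LISTEN row. The header is split on whitespace, so "Local Address:Port" yields
# the token "Local" at exactly the column index the data rows use; the same
# trick finds "State", which moves right by one when ss prints a Netid column.
listeners() {
    awk 'NR == 1 {
             for (i = 1; i <= NF; i++) {
                 if ($i == "State") st = i
                 if ($i == "Local") lc = i
             }
             next
         }
         st && lc && $st == "LISTEN" { print $lc }'
}

# unexpected_listeners: every listener in the ss output $1 that is not listed
# in the baseline $2. Fixed-string, whole-line grep so "*:80" is not a regex
# and does not also match "*:8022"; a read loop, not `for x in $list`, so the
# shell never glob-expands entries that start with "*".
unexpected_listeners() {
    printf '%s\n' "$1" | listeners | sort -u | while IFS= read -r sock; do
        printf '%s\n' "$2" | grep -qxF -- "$sock" || printf '%s\n' "$sock"
    done
}

# Demo on the constructed data. On a live host feed `ss -ln` (or `ss -lnp` to
# keep the owning process in the same row) into listeners instead.
echo "Listeners not in baseline:"
unexpected_listeners "$SAMPLE_SS_OUTPUT" "$BASELINE"
```

Keep the baseline in version control or on a write-once share, not on the host being checked; if the box is compromised, a baseline stored next to the rootkit is worth nothing. Ports that turn up unexpectedly go straight into ss -lptn 'sport = :PORT' and then into the /proc checks from the unhide example.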
