To Auto kill hidden processes with ‘unhide’ for P in `unhide …

Thursday, 18th April 2024

Comment on rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised by admin.

To Auto kill hidden processes with ‘unhide’

for P in `unhide sys | grep -v "*" | grep -i HIDDEN | cut -f2 -d':' | awk '{print $1}'`; do kill -9 $P; done;
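The following is an added example, not part of the original comment: it parses the same `unhide sys` output into a validated PID list and records what /proc exposes for each PID, so the findings can be reviewed before any `kill -9` destroys that state. The "Found HIDDEN PID: <n>" line format is an assumption taken from what the one-liner above filters on; the sample output and the function names `hidden_pids` and `snapshot_pid` are constructed for illustration.

```shell
#!/bin/sh
# Added example: list and record the PIDs unhide reports, before any kill.
# Assumption: findings look like "Found HIDDEN PID: <n>", the line format
# the one-liner above filters on.

# Constructed sample output (not captured from a real system).
SAMPLE='[*]Searching for Hidden processes through /proc stat scanning

Found HIDDEN PID: 4242
    Cmdline: "<none>"
Found HIDDEN PID: 31337
Found HIDDEN PID: 4242
Found HIDDEN PID: 1
Found HIDDEN PID: abc'

# Read unhide output on stdin; print each valid PID once, one per line.
# Non-numeric fields and PID 0/1 are dropped so a parsing slip can never
# hand init or a whole process group to a later kill.
hidden_pids() {
    awk -F: 'toupper($0) ~ /HIDDEN PID/ {
        split($2, f, " ")
        pid = f[1]
        if (pid ~ /^[0-9]+$/ && pid + 0 > 1 && !seen[pid]++) print pid
    }'
}

# Append what /proc still exposes for PID $1 to file $2.
# Returns 1 when the process no longer exists.
snapshot_pid() {
    pid=$1; out=$2
    [ -d "/proc/$pid" ] || return 1
    {
        printf 'pid=%s\n' "$pid"
        printf 'exe=%s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
        printf 'cwd=%s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
        printf 'cmdline=%s\n' "$(tr '\000' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    } >> "$out"
}

# Demo on the constructed sample; on a live host: unhide sys | hidden_pids
printf '%s\n' "$SAMPLE" | hidden_pids
```

On a live host the PID list can be fed to `snapshot_pid` in a `while read` loop, and the resulting file reviewed before deciding which processes to terminate.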

admin Also Commented

rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised
Here are more ss usage examples:

ss -t -a
Display all TCP sockets.

ss -u -a
Display all UDP sockets.

ss -o state established '( dport = :ssh or sport = :ssh )'
Display all established ssh connections.

ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.

ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
List all the tcp sockets in state FIN-WAIT-1 for our apache to network 193.233.7/24 and look at their timers.


rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised
To display all listening ports on a machine with ss:

# ss -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:spamd *:*
LISTEN 0 128 :::imap2 :::*
LISTEN 0 128 *:sunrpc *:*
LISTEN 0 511 *:www *:*
LISTEN 0 20 *:ssmtp *:*
LISTEN 0 128 *:46962 *:*
LISTEN 0 5 :::ftp :::*
LISTEN 0 20 *:domain *:*
LISTEN 0 128 *:munin *:*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 *:ssh *:*
LISTEN 0 128 *:8022 *:*
LISTEN 0 512 *:8888 *:*
LISTEN 0 20 *:smtp *:*
LISTEN 0 128 :::2207 :::*
LISTEN 0 128 *:2207 *:*
LISTEN 0 128 :::imaps :::*
LISTEN 0 512 *:9001 *:*
LISTEN 0 50 127.0.0.1:mysql *:*


rkhunter, chkrootkit and unhide three Linux handy tools to find out if a Linux server is compromised
It is also useful to use ss, another utility to investigate sockets, together with netstat. ss just dumps socket statistics.
Some sample use of ss:

# ss -lp
# ss -l | grep 1048


The ss tool is part of the iproute package, which also contains the ip command.


Recent Comments by admin

A Biography of one big Heart + His Holiness Patriarch Neophyte (Neofit) head of Bulgarian Orthodox Church

From the archive: Christ's love conquers even death, Patriarch Neophyte maintained during his lifetime


A Biography of one big Heart + His Holiness Patriarch Neophyte (Neofit) head of Bulgarian Orthodox Church

Bulgarian Patriarch Neophyte in Moscow on 8 March 2016, PART 2
 


Christ is Risen Eastern Orthodox Resurrection Paschal Greeting in Different Languages
Hi Stan,

I guess you cannot read the writings on the icon as it is in Cyrillic.
This is not Saint Mary and Saint Peter but Adam and Eve written in Cyrillic on top of the icon.
Actually in orthodoxy it is a requirement for the depicted personalities, especially saints to have
written on the names of the saint and have the Halo. If you look closely at the picture you will notice
the two Adam and Eve are missing a Halo. The only person with a Halo in the icon is Saint John the Baptist.

Best Regards
Georgi


Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.

       --sk, --skip-keypress
              When the --check command option is used, after certain sections of tests, the user will be prompted to press the return key
              in order to continue. This option disables that feature, and rkhunter will run until all the tests have completed.


Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
As rkhunter check can be pretty annoying, asking you to press keys multiple times and spitting out a lot of unnecessary data, very useful option arguments are:

--rwo and --sk

# rkhunter -c --rwo --sk
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

