System Admin Second Level Support Checks & Tasks Form

May 5, 2017

HOW TO READ THIS DOCUMENT

As part of your support contract with CLIENT, we are required to regularly conduct 'health checks' on the servers. This allows us to catch potential problems early and ensure your systems are running at their optimum. Engineers carry out the checks detailed below; if they find a problem they rate its urgency using a traffic-light system (Green / Amber / Red) and open a support ticket.

If all of the items on this report are green, that's great: it means everything is running like clockwork. Even so, engineers might comment on certain areas and suggest improvements. If there are amber or red areas on this report, we will endeavor to look into them as soon as possible and either resolve them or come back to you with suggestions on how we can fix them.

Note on the commands: the servers covered by this form are a mixed estate. Commands such as sockstat, systat, /var/run/dmesg.boot and the net.inet.* sysctls are FreeBSD; /var/log/secure, ps axZ, ip route and the net.ipv4.* sysctls are Linux. Use the variant that matches the host and record the host name and OS on the form next to each finding. Every item on the form has three columns to fill in: ENGINEER'S COMMENTS, a MINOR <-> CRITICAL rating, and TICKET #.

01 – PHYSICAL SERVER HOUSEKEEPING

ENGINEER'S COMMENTS / ACTIONS | MINOR <-> CRITICAL | TICKET #

Hardware status indicator lights (LEDs). Amber, orange, or red indicators may signal failed or pre-failed components; record which component the indicator belongs to.

Disconnected devices – network cable, monitor, mouse, keyboard.

Note: Make sure there is no loose cable in the rack.

Paper, paper clips, dust, moisture, humidity, cabling, cable ties (plastic/wire).

Note: Make sure the rack is free from these items.

02 – BASIC SERVER STANDARD RESOURCES

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

DATE & TIME SYNC:

1.     # date

Mon Feb 16 17:19:13 MYT 2015

Note: Compare the result with a trusted clock. A drifting clock makes log correlation across servers unreliable and breaks time-sensitive authentication (TLS certificate validity periods, Kerberos); if the time is off, check that the NTP service is running and synchronised.

DISK SPACE:

1.     # df -ha

2.     # df -m

Note: Make sure the "Disk Available" is not less than 20%. Severity markers on the form: 20% / 50% / 70%. A full / or /var is also a security problem, because logging and auditing silently stop.

MEMORY:

1.     # grep memory /var/run/dmesg.boot   (FreeBSD)

real memory  = 4294967296 (4096 MB)

avail memory = 4082655232 (3893 MB)

PROCESSES / LOAD AVERAGE:

1.     # systat -ifstat 1

2.     # uptime

3.     # top   (in Linux top, Shift+M sorts by memory)

4.     # ps -ef | wc -l

Note: Compare the load average from uptime with the number of CPU cores; a sustained load well above the core count, or a process count far above the host's usual figure, needs an explanation.

VISUAL PUBLISHED ERRORS (dmesg / /var/log/messages / on-screen console)

USER LOGIN AUDIT:

1.     # who

2.     # lastlogin -t

3.     # last $username | awk '/still logged in/ {print $3,$4,$5,$6}'

Note: For every session, check that the user is authorised and that the source host or terminal is one you expect. A root login from an unknown address, or a login at an unusual hour, is a finding.

03 – SERVER OS CRITICAL SERVICE / APPLICATION SERVICE CHECK

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

TOP 10 MEMORY-CONSUMING PROCESSES:

1.     # ps aux | sort -nr -k 4 | head -10

(column 4 of ps aux is %MEM)

TOP 10 CPU-CONSUMING PROCESSES:

1.     # ps aux | sort -nr -k 3 | head -10

(column 3 of ps aux is %CPU)

CHECK ACTIVE PROCESSES:

1.     # ps gauxwww

Note: Look for process names you do not recognise, processes running as an unexpected user, and services that should not be present on this host.

HTTPD PROCESSES:

1.     # ps -ef | grep httpd | grep -v grep | wc -l

SYSTEM DMESG:

1.     # dmesg | tail -10

2.     # dmesg | head -10

3.     # dmesg | egrep 'down|up'

SYSTEM OPEN SOCKETS:

1.     # sockstat -4   (FreeBSD)

Note: sockstat shows the owning user and process for every socket. A listening port that is not on the host's documented service list is a finding.

SYSTEM STAT:

1.     # systat -vmstat 1

04 – SERVER SYSTEM LOG CHECK

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

HTTPD-ERROR:

1.     # tail -10 /var/log/httpd-error.log

2.     # grep -i error /var/log/httpd-error.log | sort | uniq -c | sort -rn

SYSTEM MESSAGES:

1.     # tail -10 /var/log/messages

2.     # tail -n 500 /var/log/messages

USER LOG BASED:

1.     # less /var/log/userlog

Note: Make sure only authorised users are listed in this log.

SSH LOGIN FAILED ATTEMPTS:

1.     # grep sshd /var/log/auth.log | grep -i failed | rev | cut -d' ' -f4 | grep '[.]' | rev | sort | uniq -c | awk '{ if ($1 >= 10) print $2 }'

2.     # grep "authentication failure" /var/log/secure | awk '{ print $13 }' | cut -b7- | sort | uniq -c

Note: Command 1 is for auth.log lines of the form "Failed password for <user> from <ip> port <n> ssh2" (it takes the fourth field from the end of the line); command 2 is for RHEL-style /var/log/secure lines where field 13 is "rhost=<ip>". Both depend on exact field positions, so check them against a sample line before trusting the counts. A source address with ten or more failures is a ticket; if the targeted account is root, raise the severity.
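The two one-liners above depend on counting fields from the end of the line or at a fixed position. The following is an added example, not part of the original form, that extracts the source address by keyword instead ("from <ip>" for auth.log lines, "rhost=<ip>" for /var/log/secure lines) and applies the same ten-failure threshold. The log lines are constructed for the example; the host name web1, the addresses and the PIDs are made up.

```shell
#!/bin/sh
# Added example: count failed sshd logins per source address and report the
# addresses at or above a threshold (the form uses 10). Constructed sample
# lines below; the formats match Debian/FreeBSD auth.log ("Failed password
# ... from <ip> port <n> ssh2") and RHEL /var/log/secure ("pam_unix(sshd:auth):
# authentication failure ... rhost=<ip>").

SAMPLE_AUTH_LOG='Feb 16 17:01:02 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 50122 ssh2
Feb 16 17:01:03 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 50123 ssh2
Feb 16 17:01:04 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 50124 ssh2
Feb 16 17:01:05 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 50125 ssh2
Feb 16 17:01:06 web1 sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 50126 ssh2
Feb 16 17:01:07 web1 sshd[2216]: Failed password for invalid user oracle from 203.0.113.5 port 50127 ssh2
Feb 16 17:01:08 web1 sshd[2217]: Failed password for root from 203.0.113.5 port 50128 ssh2
Feb 16 17:01:09 web1 sshd[2218]: Failed password for root from 203.0.113.5 port 50129 ssh2
Feb 16 17:01:10 web1 sshd[2219]: Failed password for root from 203.0.113.5 port 50130 ssh2
Feb 16 17:01:11 web1 sshd[2220]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Feb 16 17:02:10 web1 sshd[2290]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2
Feb 16 17:02:15 web1 sshd[2301]: Failed password for ops from 198.51.100.7 port 40011 ssh2'

# ssh_failed_by_ip: read sshd log lines on stdin and print "<count> <ip>" per
# source address, most frequent first. The address is the token after "from"
# or the value of "rhost=", whichever the line carries.
ssh_failed_by_ip() {
    grep 'sshd\[' | grep -i -e 'failed password' -e 'authentication failure' |
    awk '{
        ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "from" && i < NF) ip = $(i + 1)
            else if (index($i, "rhost=") == 1) ip = substr($i, 7)
        }
        if (ip != "") count[ip]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# ssh_failed_count IP: number of failures recorded for one address (0 if none).
ssh_failed_count() {
    ssh_failed_by_ip | awk -v ip="$1" '$2 == ip { n = $1 } END { print n + 0 }'
}

# ssh_offenders THRESHOLD: addresses with at least THRESHOLD failures, one per
# line. This is the list to ticket (and to feed to a firewall block rule).
ssh_offenders() {
    ssh_failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on a real host:  ssh_offenders 10 < /var/log/auth.log
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_failed_by_ip
    echo "--- at or above 10 failures:"
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_offenders 10
fi
```

Run with `sh ssh_failed.sh demo` to see the per-address table; on a real host pipe the live log in. Keying on the "from"/"rhost=" tokens means a line with an extra word (such as "invalid user") does not shift the address into a different field, which is exactly where the rev/cut form silently miscounts.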

 

 

 

 

 

AUTHENTICATION ERRORS:

1.     # grep "authentication error" /var/log/messages | sort | uniq -c

2.     # egrep -wi --color 'warning|error|critical' /var/log/messages

05 – SERVER NETWORK CONNECTIVITY CHECK

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

ACTIVE NETWORK CONNECTIVITY:

1.     # systat -netstat 1

2.     # systat -tcp 1

3.     # systat -ip 1

NETWORK TRAFFIC THROUGH ACTIVE INTERFACES:

1.     # systat -ifstat 1

2.     # netstat -i -b -n -I <network interface>

3.     # netstat -au   (Note: active socket state)

Note: Interface error and drop counters (netstat -i) that climb between checks point at a cabling, duplex or driver problem before users notice it; record the counter values on the form so the next check can compare.

06 – SERVER SECURITY CHECK

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

SYSTEM PROCESSES:

1.     # ps -eo euser,ruser,suser,fuser,f,comm,label

2.     # ps axZ

3.     # ps -eM

4.     # ps -eo pid,tid,class,rtprio,ni,pri,psr,pcpu,stat,wchan:14,comm

5.     # ps axo stat,euid,ruid,tty,tpgid,sess,pgrp,ppid,pid,pcpu,comm

6.     # ps -eo pid,tt,user,fname,tmout,f,wchan

7.     # ps -ef

Note: Forms 1–6 use Linux procps keywords (2 and 3 print the SELinux security context); FreeBSD ps accepts -o but with its own keyword names, so check ps(1) on the host. The point of the listing is the same on either OS: a process whose effective user differs from its real user, or one running as root that has no reason to, is what you are looking for.

WEB SERVER ACCESS LOG:

1.     # awk '{ print $1"|"$6"|"$7"|"$8"|"$9"|"$4 }' /var/log/httpd-access.log | sort | uniq -c | sort -n | egrep "500" | less

2.     # awk '{ print $1"|"$6"|"$7"|"$8"|"$9"|"$4 }' /var/log/httpd-access.log | sort | uniq -c | sort -n | egrep "404" | less

3.     # awk '{ print $1"|"$6"|"$7"|"$8"|"$9"|"$4 }' /var/log/httpd-access.log | sort | uniq -c | sort -n | egrep "403" | less

4.     # awk '{ print $1"|"$6"|"$7"|"$8"|"$9"|"$4 }' /var/log/httpd-access.log | sort | uniq -c | sort -n | egrep "401" | less

5.     # awk '{ print $1"|"$6"|"$7"|"$8"|"$9"|"$4 }' /var/log/httpd-access.log | sort | uniq -c | sort -n | egrep "400" | less

Note: In the Common Log Format the fields are $1 client address, $4 timestamp, $6 method, $7 request path, $8 protocol and $9 status code. Two things to keep in mind when reading the counts: the trailing egrep matches the code anywhere in the line, so "500" also hits a byte count or a path containing that string; and including the timestamp ($4) in the key makes almost every line unique, so the counts are mostly 1 (drop $4 from the print to aggregate by client and request). A single client producing a long run of 401/403/404 responses against admin paths is scanning and should be ticketed.
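As an added example, not part of the original form, the following script applies the same aggregation to constructed Common Log Format lines but compares the status field rather than grepping the whole line, and shows the difference that makes. The client addresses, paths and user agents are made up; the first sample line is deliberately a 200 response with a 500-byte body.

```shell
#!/bin/sh
# Added example: aggregate an Apache Common Log Format access log by status
# code the way the form does, but compare the status field ($9) exactly
# instead of grepping the whole line. Sample lines are constructed.

SAMPLE_ACCESS_LOG='203.0.113.5 - - [16/Feb/2015:17:42:48 +0800] "GET /index.html HTTP/1.1" 200 500 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2015:17:42:49 +0800] "GET /admin/ HTTP/1.1" 403 213 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2015:17:42:50 +0800] "GET /wp-login.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2015:17:42:51 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2015:17:42:52 +0800] "GET /.env HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2015:17:42:53 +0800] "GET /wp-login.php HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Feb/2015:17:43:10 +0800] "POST /api/report HTTP/1.1" 500 1024 "-" "python-requests/2.5"
198.51.100.7 - - [16/Feb/2015:17:43:11 +0800] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.5"'

# access_by_status CODE: requests whose status field equals CODE, summarised
# as "<count> <client>|<method>|<path>", most frequent first.
access_by_status() {
    awk -v code="$1" '{ gsub(/"/, ""); if ($9 == code) print $1 "|" $6 "|" $7 }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# access_count_status CODE: number of requests with exactly this status.
access_count_status() {
    awk -v code="$1" '$9 == code { n++ } END { print n + 0 }'
}

# naive_count_status CODE: what the form's trailing "egrep CODE" measures,
# i.e. lines containing CODE anywhere (byte count, path, timestamp ...).
naive_count_status() {
    grep -c -- "$1" || true
}

# access_error_clients MINIMUM: clients with at least MINIMUM 4xx responses,
# "<count> <client>" per line; a high count against admin paths is a scan.
access_error_clients() {
    awk -v min="$1" '$9 ~ /^4[0-9][0-9]$/ { c[$1]++ }
        END { for (ip in c) if (c[ip] >= min) print c[ip], ip }' | sort -rn
}

# Usage on a real host:  access_error_clients 20 < /var/log/httpd-access.log
if [ "${1:-}" = "demo" ]; then
    for code in 500 404 403 401 400; do
        echo "--- status $code"
        printf '%s\n' "$SAMPLE_ACCESS_LOG" | access_by_status "$code"
    done
    echo "--- clients with 3 or more 4xx responses"
    printf '%s\n' "$SAMPLE_ACCESS_LOG" | access_error_clients 3
fi
```

On the sample, the exact filter reports one 500 response while the whole-line match reports two, because the 200 response with a 500-byte body matches as well; on a real log the timestamp and byte-count fields produce the same false positives at scale.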

 

 

 

 

 

FILES & DIRECTORIES THAT ALLOW WORLD WRITE ACCESS:

1.     # find / -perm -0002 -and \( -type f -or -type d \)

Note: The parentheses must be escaped (or quoted) so the shell passes them to find. Expect /tmp and /var/tmp (sticky-bit directories) in the output; anything else, in particular a world-writable file under /etc, /usr or a service's document root, is a finding.

SOURCE ROUTING, ICMP AND CLOSED-PORT LOGGING (FreeBSD sysctls):

1.     # sysctl net.inet.ip.accept_sourceroute   (must be 0)

2.     # sysctl net.inet.ip.sourceroute   (must be 0)

3.     ICMP: # sysctl net.inet.icmp.bmcastecho   (must be 0: answering broadcast echo requests lets the host be used as a smurf amplifier)

4.     UDP: # sysctl net.inet.udp.log_in_vain

5.     TCP: # sysctl net.inet.tcp.log_in_vain

Note: The two log_in_vain settings are not security controls in themselves: set to 1 they log connection attempts to ports with no listener, which is how port scans become visible in /var/log/messages. Record whichever value the client's baseline specifies.

PROMISCUOUS MODE:

1.     # ifconfig -a

Lists the status of all network interfaces. If an interface is in promiscuous mode its flags field contains PROMISC, for example:

xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500

No NIC should be in promiscuous mode unless a sniffer (tcpdump, an IDS) is known to be running on it; otherwise treat it as a sign that someone is capturing traffic on the host.

MYSQL / MARIADB CHECK:

1.     # mysqladmin -u root -p extended-status | grep Max_used_connections

2.     # mysqladmin -u root -p processlist

3.     # mysqladmin -u root -p -i 1 processlist

4.     # netstat -an | grep :3306 | wc -l

5.     # mysql -u root -p bernama -e "SHOW FULL PROCESSLIST\G"

6.     # mysql -u root -p -e "show status like 'Conn%';"

7.     # mysqladmin -u root -p version

8.     # mysqladmin -u root -p ping

9.     # mysqladmin -u root -p status

10.   # mysqladmin -u root -p extended-status

11.   # mysql -u root -p -e "SHOW GLOBAL STATUS LIKE 'aborted_connects';"

12.   # mysql -u root -p -e "SHOW GLOBAL STATUS LIKE 'max_used_connections';"

13.   # mysql -u root -p -e "SHOW GLOBAL VARIABLES LIKE 'max_connections';"

14.   # mysql -u root -p -e "SHOW GLOBAL STATUS LIKE 'Handler_read%';"

15.   # mysql -u root -p -e "SHOW GLOBAL STATUS LIKE 'Threads_connected';"

16.   # mysql -u root -p -e "SHOW GLOBAL STATUS LIKE 'Uptime';"

Notes:

(1) Checking for signs of a denial-of-service attack on MySQL connections: compare Threads_connected and Max_used_connections with max_connections, and watch Aborted_connects between checks.

(2) Several mysqladmin commands can be run at once: # mysqladmin -u root -p processlist status version ping

(3) Aborted_connects gives the total number of failed attempts to connect to MySQL. A fast-rising value with the same client host in the processlist is either a broken application or a brute-force attempt.

(4) Give the password at the prompt (-p with no value) rather than on the command line (-ppassword). A password typed on the command line ends up in the shell history and is visible to every local user in the process list while the command runs; for unattended checks put the credentials in a mode-600 ~/.my.cnf instead.

APACHE CHECK:

1.     # netstat -an | grep :80

2.     # ps auxw | grep httpd | wc -l

3.     # netstat -nu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

4.     # netstat -aln | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

5.     # netstat -anp | grep httpd | grep ESTABLISHED

6.     # netstat -anp | grep httpd | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn

7.     # ps ax | grep httpd | grep -v grep

8.     # netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c

9.     # netstat -n | grep TIME_WAIT | wc -l

10.   # netstat -n | grep FIN_WAIT | wc -l

11.   # netstat -n | grep FIN_WAIT2 | wc -l

Note: netstat only prints the process name with -p (Linux, and only for your own processes unless run as root), so "grep httpd" on plain netstat -an output matches nothing; on FreeBSD use sockstat -4 (section 03) to tie sockets to processes. Commands 4 and 6 give the number of connections per client address; one address holding dozens of connections to port 80 is either a proxy/NAT gateway or a client hammering the server, so check it against the access log before blocking it.

CHECKING FOR INTRUSION (listening and active sockets):

1.     # netstat -nal -p tcp

2.     # netstat -nal -p udp

3.     # netstat -nal -p icmp

Note: (FreeBSD syntax: -p selects the protocol.) Compare the listening ports against the host's documented service list; a listener on a high port attached to a shell, an IRC client or a proxy is the classic sign of a compromise. This check only sees what the kernel reports, so a rootkit that hides sockets will not show up here.

FIND BASH HISTORY FILES:

1.     # find / -iname .bash_history

Note: A history file for an account that should never log in interactively (a service account, or one whose shell is /usr/sbin/nologin), or a history file symlinked to /dev/null, deserves a look.

SEARCH FOR HIDDEN DIRECTORIES:

1.     # locate "..."

2.     # locate ".. "

3.     # rlocate " .."

4.     # locate ". "

5.     # locate " ."

Note: Names such as "..." or ". " (with a space) are chosen to be overlooked in an ls listing. locate answers from its database, which is only as fresh as the last updatedb run, so refresh it first or use find (section 10) for an up-to-date answer.

SEARCH FOR PERL SCRIPTS RUNNING:

1.     # ps aux | grep perl

Note: Perl is the usual language for IRC bots and reverse shells dropped through a vulnerable web application; any perl process not owned by a known job is a finding.

SEARCH FOR USER FILE EXECUTION PERMISSIONS:

1.     # ls -loAFR

LOOK FOR SUSPICIOUS FILES ON YOUR SYSTEM:

1.     # find / -ctime -1 -print

Note: -ctime tests the inode change time, which unlike the modification time cannot be reset with touch, so it catches files whose timestamps an intruder has faked. The list is noisy on a busy host; run it with -xdev and exclude /proc and the log directories.

07 – SERVER SECURITY CHECK WITH TCPDUMP

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

TCPDUMP WRITE:

1.     # tcpdump -i bce1 -w /root/tcpdump-cam.txt

Note: -w writes raw packets in pcap format, not text (the -A option has no effect together with -w), so despite the .txt name the file must be read back with tcpdump -r or opened in Wireshark. Keep capture files readable by root only, since they contain whatever cleartext crossed the wire, and delete them when the check is closed.

TCPDUMP READ:

1.     # tcpdump -X -vv -r /root/tcpdump-cam.txt

2.     # tcpdump -nr tcpdump.cap | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n

Note: Command 2 counts how often each IPv4 address appears in the capture, as source or destination; the dots in the pattern must be escaped, otherwise "." matches any character and the count includes port numbers and timestamps.

TCPDUMP REQUESTS:

1.     # tcpdump -i bce0

17:42:48.865388 ARP, Request who-has namnewsnetwork.org tell 192.168.1.6, length 46

17:42:48.865390 ARP, Request who-has 192.168.1.55 tell 192.168.1.6, length 46

17:42:48.989088 IP 192.168.1.41.57827 > 192.168.1.255.vlsi-lm: UDP, length 145

17:42:49.036236 00:1f:28:cf:72:60 (oui Unknown) > 09:00:09:00:00:67 (oui Unknown) Unknown DSAP 0xf8 Unnumbered, ui, Flags [Command], length 109

17:42:49.373696 ARP, Request who-has 192.168.1.38 (Broadcast) tell web1.bernama.com, length 46

17:42:49.865379 ARP, Request who-has 192.168.6.11 tell 192.168.1.6, length 46

2.     # tcpdump -D

1.bce0
2.usbus0
3.bce1
4.usbus1
5.usbus2
6.usbus3
7.lo0

3.     # tcpdump -n -tttt -i bce0

listening on bce0, link-type EN10MB (Ethernet), capture size 65535 bytes

2015-02-15 17:45:27.977023 IP 192.168.1.41.57827 > 192.168.1.255.1500: UDP, length 145

2015-02-15 17:45:30.000552 ARP, Request who-has 192.168.40.54 tell 192.168.1.6, length 46

2015-02-15 17:45:30.976762 IP 192.168.1.41.57827 > 192.168.1.255.1500: UDP, length 145

2015-02-15 17:45:30.994858 ARP, Request who-has 192.168.40.54 tell 192.168.1.6, length 46

2015-02-15 17:45:31.326572 IP6 fe80::e61f:13ff:fe95:b0eb > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28

2015-02-15 17:45:31.994854 ARP, Request who-has 192.168.40.54 tell 192.168.1.6, length 46

2015-02-15 17:45:33.000755 ARP, Request who-has 192.168.40.54 tell 192.168.1.6, length 46

4.     # tcpdump -n -tttt -i bce0 port [Port No]

5.     # tcpdump -n -i {INTERFACE} -s 0 -w {OUTPUT.FILE.NAME} src or dst port 80

6.     # tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80

7.     # tcpdump -i eth1 'udp port 53'

Note: Without -n tcpdump resolves addresses to names (as in output 1, "namnewsnetwork.org"), which is slow and sends DNS queries of its own while you are trying to watch the wire; use -n for any security check. -tttt prints a full date and time on each line, which is what you want when a capture has to be matched against log entries. The repeated unanswered ARP requests for 192.168.40.54 in output 3 are worth a comment on the form: a host asking for an address nobody answers is either misconfigured or probing.

To display all IPv4 HTTP packets to and from port 80 that carry data, i.e. print only packets with a payload and not, for example, SYN and FIN packets or ACK-only packets, enter:

# tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

(The expression is the IP total length minus the IP header length minus the TCP header length, i.e. the TCP payload length.)

To display all FTP sessions to 202.54.1.5, enter:

# tcpdump -i eth1 'dst host 202.54.1.5 and (port 21 or port 20)'

To display all HTTP sessions to 192.168.1.5:

# tcpdump -ni eth0 'dst host 192.168.1.5 and tcp and port http'

To examine the traffic in detail in Wireshark, write it to a file with -w and open that file there:

# tcpdump -n -i eth1 -s 0 -w output.txt src or dst port 80

8.     # tcpdump -i bce0 not arp and not rarp

17:50:48.954935 IP 192.168.1.41.57827 > 192.168.1.255.vlsi-lm: UDP, length 145

17:50:48.989576 IP 192.168.4.53.netbios-ns > 192.168.255.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST

17:50:51.108663 IP6 fe80::5ef3:fcff:fef1:2795.dhcpv6-client > ff02::1:2.dhcpv6-server: dhcp6 solicit

17:50:51.577483 IP 192.168.4.53.netbios-dgm > 192.168.255.255.netbios-dgm: NBT UDP PACKET(138)

17:50:51.954713 IP 192.168.1.41.57827 > 192.168.1.255.vlsi-lm: UDP, length 145

17:50:52.880594 IP 192.168.4.53.netbios-dgm > 192.168.255.255.netbios-dgm: NBT UDP PACKET(138)

9.     # tcpdump -i wlan0 -n ip | awk '{ print gensub(/(.*)\..*/, "\\1", "g", $3), $4, gensub(/(.*)\..*/, "\\1", "g", $5) }' | awk -F " > " '{ print $1 "\n" $2 }'

Sniffs network traffic and prints the IP addresses of the machines communicating with the current host, one address per line. The gensub call strips the trailing ".port" that tcpdump appends to each address; gensub is gawk-specific, so on FreeBSD install gawk or drop the last dotted component with sed instead.

10.   # tcpdump src port 6697   (tracking by source port; 6697 is the registered port for IRC over TLS, so this is a quick check for bot traffic)

11.   # tcpdump -ni bce0 -c 10

This limits the number of packets tcpdump will receive to 10. Once 10 packets have been received, tcpdump exits.

12.   # tcpdump -i bce0 -nN -vvv -xX -s 1500 port not 22

(port not 22 keeps your own SSH session out of the capture.)

13.   # tcpdump -n -i bce0 -w tcpdump.cap -v '(tcp or udp) and not host 192.168.4.52'

Captures all TCP and UDP packets on the LAN except those to or from 192.168.4.52 (the capturing host's own address in this setup). The parentheses matter: "and" binds tighter than "or" in tcpdump filters, so without them the expression means "tcp, or (udp and not host 192.168.4.52)" and TCP traffic involving the excluded host is still captured.

08 – SERVER SECURITY CHECK: DOS ATTACK

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

The tcp[13] filters below test bits of the TCP flags byte (byte 13 of the TCP header): FIN = 1, SYN = 2, RST = 4, PSH = 8, ACK = 16. "& N != 0" matches any packet with that bit set regardless of the other bits.

List all Finish (FIN) packets

1.     # tcpdump -Nnn -i any -s0 'tcp[13] & 1 != 0'

List all SYN and SYN-ACK packets

1.     # tcpdump -Nnn -i any -s0 'tcp[13] & 2 != 0'

Note: The SYN bit is set on both the client's SYN and the server's SYN-ACK, so this shows both halves of every handshake attempt. A flood shows up as a stream of SYNs from many source ports (often from many or spoofed addresses) with few completed handshakes afterwards.

List all Reset (RST) packets

1.     # tcpdump -Nnn -i any -s0 'tcp[13] & 4 != 0'

List all Push (PSH) packets

1.     # tcpdump -Nnn -i any -s0 'tcp[13] & 8 != 0'

Monitor all DNS queries and responses

1.     # tcpdump -i en0 'udp port 53'

List all acknowledge (ACK) packets

1.     # tcpdump -Nnn -i any -s0 'tcp[13] & 16 != 0'

List all null packets (no flags set; a legitimate TCP segment always carries at least one flag, so these come from scanners)

1.     # tcpdump -Nnn -i any -s0 'tcp[13] & 0xff = 0'

2.     # tcpdump -Nnn -i any -s0 'tcp[13] = 0'

List all packets for your destination port 80 (assuming you are on the destination host)

1.     # tcpdump -Nnn -i any -s0 'tcp[2:2] = 80'

Note: -i any is Linux-only; on FreeBSD name the interface (-i bce0). -s0 captures whole packets rather than the first bytes of each.

List count of TCP connections by IP address

1.     # netstat -npt | awk '/^tcp/ {print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head

    554  X.175.191.23
      5  Y.49.92.30
      3  Z.225.121.76
      2  A.219.69.149
      2  B.152.24.254

List count of TCP connections by IP address on a specific service port

1.     # netstat -npt | grep ':<port> ' | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head

    554  X.175.191.23
      5  Y.49.92.30
      3  Z.225.121.76
      2  A.219.69.149
      2  B.152.24.254

List count of ESTABLISHED TCP connections by IP address on a specific service port

1.     # netstat -npt | grep ':<port> ' | grep ESTABLISHED | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head

    413  X.175.191.23
      2  Y.49.92.30
      2  Z.225.121.76
      2  A.219.69.149
      2  B.152.24.254

List count of connections by state

1.     # netstat -npt | awk '/^tcp/ {print $6}' | sort | uniq -c | sort -nr | head

   1749 ESTABLISHED
    118 TIME_WAIT
      6 LAST_ACK
      5 SYN_RECV
      4 FIN_WAIT2
      1 FIN_WAIT1
      1 CLOSE_WAIT

Note: The netstat commands in this and the next section use the Linux (net-tools) options; -p adds the owning process and needs root to show other users' processes. Matching only lines that start with "tcp" keeps the column header out of the count (a stray "1 Foreign" in the state list is the "Foreign Address" heading being counted). Grepping for ':<port> ' with the colon and trailing space ties the match to the port column, so port 80 does not also match 8080 or an address octet. The dot in the address pattern is escaped so that it matches a literal dot.

09 – SERVER SECURITY CHECK: SYN FLOOD ATTACKS

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

Detect if you are having a SYN flood:

1.     # netstat -npt | awk '/^tcp/ {print $6}' | sort | uniq -c | sort -nr | head

The SYN_RECV state means your server has received the initial SYN packet, has sent its own SYN+ACK and is waiting for the ACK from the remote machine to complete the TCP handshake.

   1749 SYN_RECV
     18 ESTABLISHED
      6 LAST_ACK

Output like this, with far more connections in SYN_RECV than ESTABLISHED, shows a large number of half-open connections and a probable SYN flood.

Detect if it comes from a single IP (DoS attack) or multiple IPs (DDoS attack):

Single IP attack:

1.     # netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head

    413  X.175.191.23
      2  Y.49.92.30
      2  Z.225.121.76
      2  A.219.69.149
      2  B.152.24.254

Solution:

Drop the packets using the ip command (Linux):

# ip route add blackhole X.175.191.23/32

Multiple IP attack (common subnet):

1.     # netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head

    345  X.175.191.13
    243  X.175.190.27
     78  X.175.41.24
     34  X.175.181.33
      2  Y.42.91.30
      2  Z.125.121.76

Drop the subnet using the ip command:

# ip route add blackhole X.175.0.0/16

Multiple IP attack (different subnets):

1.     # netstat -npt | grep SYN_RECV | awk '{print $5}' | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c | sort -nr | head

      3  X.175.191.23
      2  Y.42.91.30
      2  Z.125.121.76
      2  A.219.69.149
      2  B.152.24.254
      2  C.142.44.254
      2  D.52.54.214
      1  E.15.27.250

Note on blackholing: a blackhole route does not survive a reboot, and a /16 also blocks every legitimate user in that range, so record the route on the ticket and remove it when the attack stops. A SYN flood usually arrives with spoofed source addresses; in that case the addresses in SYN_RECV are bystanders rather than the attacker, blackholing them achieves nothing, and the SYN-cookie settings in the next check are the effective response. When many addresses each hold only a handful of half-open connections (the third pattern) blackholing is impractical for the same reason.
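Putting the three patterns above together, here is an added example (not from the original form) that reads netstat -npt output and classifies the half-open connections as single-source, single-subnet or distributed. It runs against constructed netstat output so the expected answer is known; the server address 192.0.2.10 and the client addresses are made up, and the /16 grouping and the "half or more" share used to decide between the patterns are the example's own rules, not anything the form specifies.

```shell
#!/bin/sh
# Added example: classify SYN_RECV (half-open) connections in 'netstat -npt'
# output (Linux net-tools layout: $5 foreign address, $6 state). The sample
# output is constructed with syn_lines; nothing here touches the network.

# syn_lines COUNT IP: COUNT half-open connections from IP, one netstat line each.
syn_lines() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf 'tcp        0      0 192.0.2.10:80           %s:%d        SYN_RECV    -\n' "$2" $((51000 + i))
        i=$((i + 1))
    done
}

netstat_header() {
    printf '%s\n' 'Active Internet connections (w/o servers)' \
        'Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name'
}

# sample_netstat: one address holds most of the half-open connections.
sample_netstat() {
    netstat_header
    syn_lines 12 203.0.113.5
    syn_lines 2 203.0.113.9
    syn_lines 1 198.51.100.7
    echo 'tcp        0      0 192.0.2.10:80           198.51.100.7:40010      ESTABLISHED 1234/httpd'
    echo 'tcp        0      0 192.0.2.10:22           192.0.2.20:55000        ESTABLISHED 987/sshd'
    echo 'tcp        0      0 192.0.2.10:80           198.51.100.8:40020      TIME_WAIT   -'
}

# sample_netstat_subnet: the load is spread over several hosts in one /16.
sample_netstat_subnet() {
    netstat_header
    syn_lines 4 203.0.113.5
    syn_lines 4 203.0.114.8
    syn_lines 3 203.0.9.9
    syn_lines 1 198.51.100.7
}

# state_count STATE: number of TCP sockets in STATE (header lines ignored).
state_count() {
    awk -v s="$1" '/^tcp/ && $6 == s { n++ } END { print n + 0 }'
}

# syn_recv_by_ip: "<count> <ip>" for each address with half-open connections,
# most frequent first. Stripping ":port" from the end keeps IPv6 addresses
# intact, which a cut on ":" would not.
syn_recv_by_ip() {
    awk '/^tcp/ && $6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' |
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# syn_flood_pattern THRESHOLD: "no-flood <n>" below THRESHOLD half-open
# connections; otherwise "single-ip <ip>" when one address holds half or more
# of them, "subnet <a.b.0.0/16>" when one /16 does, else "distributed <hosts>".
syn_flood_pattern() {
    syn_recv_by_ip | awk -v t="${1:-100}" '
        {
            total += $1; n++
            if (n == 1) { top = $1; topip = $2 }
            split($2, o, "."); net = o[1] "." o[2]
            bynet[net] += $1
            if (bynet[net] > topnet) { topnet = bynet[net]; topnetname = net }
        }
        END {
            if (total < t)                print "no-flood", total + 0
            else if (top * 2 >= total)    print "single-ip", topip
            else if (topnet * 2 >= total) print "subnet", topnetname ".0.0/16"
            else                          print "distributed", n
        }'
}

# Usage on a real host:  netstat -npt | syn_flood_pattern 200
if [ "${1:-}" = "demo" ]; then
    sample_netstat | syn_recv_by_ip
    sample_netstat | syn_flood_pattern 10
    sample_netstat_subnet | syn_flood_pattern 10
fi
```

The threshold is what turns this from a list into a verdict: set it from the host's normal SYN_RECV count at a quiet time (recorded on a previous check), not from a guess. The "distributed" verdict, or a "single-ip" verdict for an address that never completes a handshake, is the cue to rely on SYN cookies rather than on blackhole routes.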

 

 

 

 

Detecting and preventing SYN flood attacks on web servers running Linux

1.     # netstat -tuna | grep :80 | grep SYN_RECV

tcp  0  0 1.1.1.1:80  70.56.83.204:1609       SYN_RECV
tcp  0  0 1.1.1.1:80  2.2.2.2:1723            SYN_RECV
tcp  0  0 1.1.1.1:80  209.112.192.126:4988    SYN_RECV
tcp  0  0 1.1.1.1:80  2.2.2.2:1724            SYN_RECV
tcp  0  0 1.1.1.1:80  2.2.2.2:1727            SYN_RECV

Solution:

1.     # sysctl -w net.ipv4.tcp_syncookies=1

2.     Add the following line to /etc/sysctl.conf so the setting persists across reboots:

net.ipv4.tcp_syncookies = 1

3.     Increase the size of the SYN backlog queue as well, from its default (1024 on the kernels this form was written for) to 2048:

# sysctl -w net.ipv4.tcp_max_syn_backlog=2048

4.     Add this to /etc/sysctl.conf:

net.ipv4.tcp_max_syn_backlog = 2048

Result: once SYN cookies are active the kernel reports in dmesg that it is sending them, which confirms both that the setting took effect and that the flood is still in progress:

[1116377.589736] possible SYN flooding on port 80. Sending cookies.
[1116439.567828] possible SYN flooding on port 80. Sending cookies.
[1116500.631623] possible SYN flooding on port 80. Sending cookies.

Note: With SYN cookies the kernel no longer keeps state for half-open connections once the backlog fills, so the SYN_RECV count stops being a useful measure of the attack; judge it from these dmesg messages and from the tcpdump SYN filter in the previous section instead.

10 – SERVER PASSWORD SECURITY CHECK

ENGINEER'S COMMENTS | MINOR <-> CRITICAL | TICKET #

List the user and application accounts configured on the system.

1.     # less /etc/passwd

johnsmith:naVwowMManasMMo:10:200:John Smith:/users/johnsmith:/bin/bash
|         |               |  |   |          |                |
|         |               |  |   |          |                +-- user's shell program
|         |               |  |   |          +------------------ user's home directory
|         |               |  |   +----------------------------- user's real name (GECOS)
|         |               |  +--------------------------------- user's group number (GID)
|         |               +------------------------------------ user number (UID)
|         +---------------------------------------------------- hash of user's password
+-------------------------------------------------------------- username

Note: The diagram shows the historical layout. On any current system the second field should be "x" (Linux) or "*" (FreeBSD, whose real hashes live in /etc/master.passwd) with the hash kept in a root-only shadow file; an actual hash in the world-readable /etc/passwd is a finding in itself, since it can be taken away and cracked offline. Also check for more than one account with UID 0, accounts with an empty password field, service accounts with an interactive shell, and home directories that do not exist.

Check your system and network configuration files for unauthorized entries.

1.     # find / -xdev -name ".. " -print

2.     # find / -xdev -name ".*" -print | cat -v

Note: Directories literally named "...", ".. " or ". " under /tmp and /etc are the script kiddie's favourite place to keep a tool kit, because they are skipped over in a casual ls listing. cat -v makes control characters and trailing spaces in the names visible.

Finding setuid and setgid files:

1.     # find / -user root -perm -4000 -print

2.     # find / -group kmem -perm -2000 -print

3.     # find / -xdev -user root -perm -4000 -print

Look for setuid and setgid files (especially setuid root files) everywhere on your system. Intruders often leave setuid copies of /bin/sh or /bin/time around to allow them root access at a later time. Compare the list against the one recorded at the previous check (or against the OS package manifest); a new setuid root file in /tmp, /var/tmp, /dev or a home directory is a critical finding.

Find all your world-writable directories:

1.     # find / -perm -0777 -type d -ls

Note: -perm -0777 only lists directories that are fully open (rwxrwxrwx). /tmp and /var/tmp appear with the sticky bit (drwxrwxrwt) and are expected; a 777 directory anywhere else is not. To catch directories that are world-writable but not 777, use the -perm -0002 form from section 06.

Find out what files are installed on your system as setuid or setgid:

1.     # find / -perm -2000 -ls

2.     # find / -perm -4000 -ls

Note: This is NOT a complete security audit of the system. These checks are only safety precautions; a thorough audit needs file-integrity baselines and a review of the host against the client's hardening standard.
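The find commands in this section and in section 06 are easy to get wrong (escaping of the parentheses, where -xdev goes, sticky directories showing up as false positives). The following added example, not from the original form, wraps them as functions and runs them over a scratch tree with one planted finding of each kind so the expected output is known; the scratch directory under $TMPDIR and the planted file names are the example's own.

```shell
#!/bin/sh
# Added example: the permission checks from sections 06 and 10 as functions
# that take a starting directory, exercised on a constructed scratch tree.
# Run them against / on a real host (as root) and diff the output against
# the previous check.

# perm_audit_world_writable ROOT: world-writable files and directories, minus
# sticky directories (mode 1777 such as /tmp), which are expected.
perm_audit_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! \( -type d -perm -1000 \) -print
}

# perm_audit_setid ROOT: regular files with the setuid or setgid bit.
perm_audit_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# perm_audit_hidden_names ROOT: names chosen to be overlooked in an ls
# listing: "..." and dot names with a leading or trailing space.
perm_audit_hidden_names() {
    find "$1" -xdev \( -name '...' -o -name '. ' -o -name '.. ' -o -name ' .' \) -print
}

# count_lines: helper so callers get a bare number back.
count_lines() {
    wc -l | tr -d ' '
}

# make_scratch_tree: constructed tree with one planted finding per check.
# Prints its root so the caller can audit it and then remove it.
make_scratch_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/permaudit.XXXXXX")
    mkdir -p "$root/var/tmp" "$root/opt/app" "$root/tmp/..."
    chmod 0755 "$root/var" "$root/tmp" "$root/tmp/..." "$root/opt"
    chmod 1777 "$root/var/tmp"                # sticky world-writable: expected, not reported
    chmod 0777 "$root/opt/app"                # world-writable, no sticky bit: reported
    printf 'db_pass=secret\n' > "$root/opt/app/config.ini"
    chmod 0666 "$root/opt/app/config.ini"     # world-writable file: reported
    printf '#!/bin/sh\nexec /bin/sh "$@"\n' > "$root/tmp/.../sh"
    chmod 4755 "$root/tmp/.../sh"             # setuid shell wrapper in a hidden dir: reported
    printf 'hello\n' > "$root/opt/app/normal.txt"
    chmod 0644 "$root/opt/app/normal.txt"     # ordinary file: not reported
    echo "$root"
}

# Usage on a real host:  perm_audit_world_writable / ; perm_audit_setid /
if [ "${1:-}" = "demo" ]; then
    root=$(make_scratch_tree)
    echo "== world-writable (non-sticky) =="; perm_audit_world_writable "$root"
    echo "== setuid/setgid =="; perm_audit_setid "$root"
    echo "== hidden names =="; perm_audit_hidden_names "$root"
    rm -rf "$root"
fi
```

On the scratch tree the world-writable check reports the 0777 directory and the 0666 file but not the sticky 1777 directory, the setuid check reports the planted shell wrapper, and the hidden-name check reports the "..." directory it lives in. -xdev keeps find on one filesystem, so on a real host run the functions once per mounted filesystem rather than once on / and assume the rest was covered.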

 

 

 

 

 

 

 

 

 

 

 

1 Comment
  1. This is a great list. For a mixed environment, do you happen to have a windows equivalent?
