Really these are ways for finding the spoor left by rootkits and such… and partially dealing with them. Best practise is to rebuild the server once it’s been rooted, but these techniques may give you the breathing space necessary to get a new server built.
To kill processes that won’t die try..
# kill -s 9 [PID]
For processes that keep reappearing check..
# cat /var/spool/cron/*
List active internet connections
( just servers )
# netstat -l
( without servers )
# netstat -tup
or try the useful script noted here
Temp folders are normally the first stop off for rootkits. Check for hidden files folders..
# ll -aR /tmp /var/tmp
Search for all suspicious files owned by your webserver ( e.g. apache, nobody ). Look for files/directories beginning with ‘.’ Maybe even named ‘…’
# find / -user apache
Bad scripting is the major vulnerability on your server, so search for these unfortunate culprits and make sure their parent applications are the latest revisions..
# locate -u
# locate awstats.pl
# locate main.php
# locate xmlrpc.php
# locate error.php
# locate config_settings.php
# locate calendar.php
# locate protection.php
# locate send_reminders.php
# locate functions_admin.php
# locate admin_styles.php
# locate upgrade_album.php
# locate displayCategory.php
# locate graph_image.php
# locate theme.php
# locate forumpollrenderer.php
# locate moblog_lib.php
# locate classes.php
# locate signin.php
( Mambo CMS - these maybe within a Mambo directory, or a webroot )
# locate index2.php
# locate index.php
The following is useful particularly on Ensim managed servers. To quickly scan your web server logs for known exploitable files, rootkits, known malicious hosts ( by IP address ) or to search for dates/times you know the exploit occurred, tweak the number of virtual hosts variable to match your server and the path to the log files within this script, then pass it your search string as an argument.
#!/bin/bash
e.g.
# Find Baddies entries in http logs by IP address
num_sites=12 # Number of sites on server
i=1 # iteration variable
echo "-------------------------------------------------------------------"
echo "Checking main httpd log file"
cat /var/log/httpd/access_log | grep $1
while [ $i -le $num_sites ]
do
echo " "
echo "-------------------------------------------------------------------"
echo "Checking httpd log file for site ${i}"
cat /home/virtual/site${i}/fst/var/log/httpd/access_log | grep $1
i=$((i+1))
done
# ./find_baddies.sh xxx.xxx.xxx.xxx
You should also get hold of Root Kit Hunter ( rkhunter ) and Check Root Kit ( chkrootkit ) and update and run them regularly.
I hope that helps someone.