Useful Linux commands

Published by Jonathan Adjei on

Really these are ways for finding the spoor left by rootkits and such… and partially dealing with them. Best practise is to rebuild the server once it’s been rooted, but these techniques may give you the breathing space necessary to get a new server built.

To kill processes that won’t die try..
# kill -s 9 [PID]

For processes that keep reappearing check..
# cat /var/spool/cron/*

List active internet connections
( just servers )
# netstat -l
( without servers )
# netstat -tup
or try the useful script noted here

Temp folders are normally the first stop off for rootkits. Check for hidden files folders..
# ll -aR /tmp /var/tmp

Search for all suspicious files owned by your webserver ( e.g. apache, nobody ). Look for files/directories beginning with ‘.’ Maybe even named ‘…’
# find / -user apache

Bad scripting is the major vulnerability on your server, so search for these unfortunate culprits and make sure their parent applications are the latest revisions..
# locate -u
# locate awstats.pl
# locate main.php
# locate xmlrpc.php
# locate error.php
# locate config_settings.php
# locate calendar.php
# locate protection.php
# locate send_reminders.php
# locate functions_admin.php
# locate admin_styles.php
# locate upgrade_album.php
# locate displayCategory.php
# locate graph_image.php
# locate theme.php
# locate forumpollrenderer.php
# locate moblog_lib.php
# locate classes.php
# locate signin.php
( Mambo CMS - these maybe within a Mambo directory, or a webroot )
# locate index2.php
# locate index.php

The following is useful particularly on Ensim managed servers. To quickly scan your web server logs for known exploitable files, rootkits, known malicious hosts ( by IP address ) or to search for dates/times you know the exploit occurred, tweak the number of virtual hosts variable to match your server and the path to the log files within this script, then pass it your search string as an argument.

#!/bin/bash
# Find Baddies entries in http logs by IP address
num_sites=12 # Number of sites on server
i=1 # iteration variable
echo "-------------------------------------------------------------------"
echo "Checking main httpd log file"
cat /var/log/httpd/access_log | grep $1
while [ $i -le $num_sites ]
do
echo " "
echo "-------------------------------------------------------------------"
echo "Checking httpd log file for site ${i}"
cat /home/virtual/site${i}/fst/var/log/httpd/access_log | grep $1
i=$((i+1))
done
 e.g.
# ./find_baddies.sh xxx.xxx.xxx.xxx

You should also get hold of Root Kit Hunter ( rkhunter ) and Check Root Kit ( chkrootkit ) and update and run them regularly.

I hope that helps someone.

Categories: LAMP

Jonathan Adjei

Jon's expertise in web development is legendary and he oversees all technical aspects of our projects from development to hosting (all through the command line!) Jon is excited by the latest techniques and keeps the company on track by finding ways to adopt new practices into our workflow.

Related Posts

Distilling billing
LAMP

Distilling billing

I’ve been working on a jbilling install whenever I’ve had a moment over the past few nights. From what I’ve seen, this is a very promising piece of open source work that is remarkably simple Read more…

Magento optimisations
LAMP

Magento optimisations

Things to tweak on your Magento installations gleaned from the Magento forums. Magento ver. 1.0.19870.4 Install APC # pecl install apc edit php.ini to use apc extension extension=apc.so Switch mysql query caching on in my.cnf Read more…

A Pound for free
LAMP

A Pound for free

I’ve setup a more resilient web service for a good client of mine.. http://www.practicalaction.org/ By using 2 servers and ‘pound’ they now have some load balancing but most importantly some resilience.. so if one server Read more…