Check the active processes
Use the "ps" command to look for odd or unknown processes. If you aren't sure what to look for there, use "netstat -ae | grep irc" and/or "netstat -ea | grep 666" and look for ports 6666, 6667, 6668, 6669. These are common ports used for running IRC bots; they may have the name "irc" listed against them, or may have "httpd" or sometimes other regular service names.

Check crontab
Check your crontab and see if there is a strange entry. These are used in many exploits to restart IRC bots, even when admins or automated process monitors are used to kill a rogue process.

Check for hidden files or directories
Check for hidden files or directories you don't expect to see: those starting with "." (dots), and also look for ". " (dot, space), a name often favored to try to trip up searches for hidden directories.
Other examples of searches that may help pin down exploits and/or unexpected files and folders:
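# -print0 / -0 keeps file names containing spaces intact
find /home -type f -print0 | xargs -0 grep -l MultiViews
# base64_encode can produce false positives; it is valid in many mail/graphics scripts
find . -type f -print0 | xargs -0 grep -l base64_encode
find . -type f -print0 | xargs -0 grep -l error_reporting
# names of common IRC tools: BitchX (client), psyBNC (bouncer)
find / -name "[Bb]itch[xX]"
find / -name "psy*"
# world-writable entries (symlinks always show as lrwxrwxrwx and will also match)
ls -lR | grep rwxrwxrwx > listing.txt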
Originally posted by Wizzie in the Security Forum
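
The port and hidden-name checks above, tightened into two helpers. This is an added example, not part of the original post; the function names and the sample netstat lines are constructed for illustration, and it assumes numeric netstat output ("netstat -ean") and a find that supports -mindepth.

```shell
#!/bin/sh
# Added example (not from the original post): two triage helpers.

# Print netstat lines whose local or foreign port is 6666-6669.
# Expects numeric output (e.g. "netstat -ean") on stdin, so a match is on the
# port field itself rather than on any "666" in an inode or other column.
irc_port_lines() {
    awk '$1 ~ /^(tcp|udp)/ {
        for (i = 4; i <= 5; i++)
            if ($i ~ /[:.]666[6-9]$/) { print; next }
    }'
}

# Print hidden entries under directory $1 whose names are easy to overlook:
# hidden names containing whitespace (". ", ".. ") or starting with "...".
# Each path is wrapped in [] so trailing spaces are visible.
odd_hidden_names() {
    find "$1" -mindepth 1 \( -name '.*[[:space:]]*' -o -name '...*' \) \
        -print 2>/dev/null | sed 's/.*/[&]/'
}

# Constructed sample of "netstat -ean" output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address    State        User  Inode
tcp        0      0 0.0.0.0:22        0.0.0.0:*          LISTEN       0     16661
tcp        0      0 0.0.0.0:6667      0.0.0.0:*          LISTEN       48    20311
tcp        0      0 192.0.2.10:41522  198.51.100.7:6669  ESTABLISHED  48    20544
tcp        0      0 192.0.2.10:80     203.0.113.5:51666  TIME_WAIT    0     0
EOF
}

# Demo on constructed input: run this file with the argument "demo".
demo() {
    sample_netstat | irc_port_lines
    d=$(mktemp -d) || return 1
    mkdir -p "$d/. " "$d/.../x" "$d/.ssh" "$d/public_html"
    odd_hidden_names "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

On the sample, a plain "grep 666" also matches the sshd line (inode 16661) and the port-80 line (remote port 51666); the field-based filter reports only the 6667 and 6669 lines.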