FAQ: How to find exploits using the *NIX shell

This is the archive off all FAQ related threads.
User avatar
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

FAQ: How to find exploits using the *NIX shell

Post by rliskey » Fri Sep 29, 2006 6:43 am

Check the active processes
Use the "ps" command to look for odd or unknown processes, if you aren't sure what to look for there, user "netstat -ae | grep irc"    and/or  "netstat -ea | grep 666" and look for ports 6666, 6667, 6668, 6669, these are common ports used for running IRC bots, they may have the name "irc" listed against them, or may have "httpd" or sometimes other regular services names.

Check crontab
Check your crontab and see if there is a strange entry,  these are used in many exploits to restart IRC bots, even when admins or automated process monitors are used to kill a rogue process. 

Check for hidden files or directories
Check for hidden files or directories you dont expect to see, those starting with "." (dots) and also look for ". " (dot, space) often favored to try and catch searches for hidden directories.

Other examples of searches that may help pin down exploits and/or unexpected files and folders:

    find /home -type f | xargs grep -l MultiViews
    find . -type f | xargs grep -l base64_encode    listing.txt

Originally posted by Wizzie in the Security Forum

Back to Security FAQ Table of Contents

Search Keywords: security, schell, script, processes, crontab, hidden files
Last edited by rliskey on Mon Nov 06, 2006 1:38 am, edited 1 time in total.


Return to “FAQ Archive”