Bobcares

Smell an intrusion?


There are many simple ways to detect an intrusion, but they only help you spot intruders who did not bother to cover their tracks.

In real scenarios you need tools that can do much more. Most of them have to be installed on a clean OS, before any compromise, and you have to keep reviewing their reports and act on them.

So what if you do not have any intrusion detection tooling installed and suspect that something is wrong on your server? The simple checks below can help.

Look for unusual processes and programs.

Can you trust the existing system tools and binaries? Not if the server has been compromised to root level: a rootkit typically replaces ps, ls, netstat and friends with versions that hide the intruder's processes, files and connections. Where you can, run known-good copies of the tools (for example statically linked binaries from trusted, read-only media) instead of the ones on the server. With that caveat, tools like ps and lsof let you analyze the active processes.

The command

ps aux

lists the active processes. The output is of little use, though, unless you know which processes normally run on your server; compare it against a listing taken when the server was known good.

A simple

lsof -i

lists the processes holding network sockets, including the ports that are open and listening (add -n and -P to skip host and port name lookups, which are slow and make the output harder to compare). Here again you should know which ports are normally open.

Look for unusual usage of system resources.

Usage of system resources such as CPU, memory and disk space can change noticeably when something malicious is running on your server. Bear in mind that in some cases the original binaries have been replaced with malicious versions that give wrong or unrealistic output for common commands, so a reading that contradicts what you see elsewhere (a full disk that df reports as nearly empty, a sluggish box that top shows idle) is itself a warning sign.
If you know your server's normal resource usage, this is easy to check. Simple commands like

uptime, top, free -m and df -h

will show you whether anything is abnormal.

Look for strange files and binaries.

Look for malicious files in /tmp, /var/tmp, /dev/shm and other world-writable directories. Intruders commonly hide files behind names made of dots and spaces (". ", "...", ".. ") that a casual listing skips over. The output of

ls -al

shows hidden files and makes the obvious ones visible.
Look for recently modified files with
find / -mtime -7 -print

Look for unusual setuid-root files with
find / -uid 0 -perm -4000 -print

Here again, you need a fair idea of which files normally carry special permissions to pinpoint a malicious one.
Look for files that do not belong to any existing user on the server (typically left behind when an intruder's account was removed) with
find / -nouser -print

If you find binaries you are not sure about, run strings against them to get a feel for what they contain (embedded IP addresses, URLs, file paths or shell commands are telling). Also use

readelf

to inspect the executable's headers, sections and dynamic dependencies.
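The find checks above, as an added example that is not part of the original post: each check is wrapped as a shell function that takes a directory argument, and a constructed sample tree is built under mktemp so the script runs offline. On a real server you would point the functions at / (or /tmp) instead of the sample directory; the file names in the sample are made up.

```shell
#!/bin/sh
# Added example, not from the original post: the find(1) checks from the
# "strange files and binaries" section as functions over a directory tree,
# plus a constructed sample tree so they can be exercised without touching /.

# Names that start with a dot or contain a space are easy to overlook in a
# plain listing; ". " and "..." are classic hiding spots in /tmp.
# Legitimate dotfiles show up too, so judge the results by where they live.
odd_names() {
    find "$1" -mindepth 1 \( -name '.*' -o -name '* *' \)
}

# Regular files modified within the last $2 days (default 7).
recent_files() {
    find "$1" -type f -mtime "-${2:-7}"
}

# Regular files with the setuid bit. Pass a uid as $2 to restrict by owner
# (the post uses -uid 0 to find the root-owned ones).
suid_files() {
    if [ -n "${2:-}" ]; then
        find "$1" -type f -uid "$2" -perm -4000
    else
        find "$1" -type f -perm -4000
    fi
}

# Files whose owner or group no longer exists on the system, often left
# behind when an intruder's account was deleted.
orphan_files() {
    find "$1" \( -nouser -o -nogroup \)
}

# Build a constructed sample tree in $1: a ". " file, a "..." file, a
# dotfile, an old normal file and a setuid stand-in (names are made up).
build_sample_tree() {
    mkdir -p "$1"
    touch "$1/. " "$1/..." "$1/.hidden" "$1/normal.txt" "$1/suidbin"
    touch -t 200001010000 "$1/normal.txt"   # make it older than 7 days
    chmod 4755 "$1/suidbin"                  # setuid bit on a file we own
}

if [ "${1:-}" = demo ]; then
    sample=$(mktemp -d)
    build_sample_tree "$sample"
    echo "Odd names:";    odd_names "$sample"
    echo "Recent files:"; recent_files "$sample" 7
    echo "Setuid files:"; suid_files "$sample"
    echo "Orphan files:"; orphan_files "$sample"
    rm -rf "$sample"
fi
```

Run it as `sh triage_files.sh demo` to see the four lists for the sample tree. The strings/readelf step is left out because it needs a real binary to be meaningful; run those by hand on anything the setuid or odd-name lists turn up.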

Look for new/suspicious user accounts.

Look for new user accounts, and check the uid/gid of existing normal and system accounts, in particular for more than one account with uid 0. Intruders often add usernames that resemble an existing system account, and you are likely to miss them unless you look carefully.

Look for open ports and interfaces in promiscuous mode.

A simple

netstat -nap

gives you a picture of the listening ports together with the owning process. Look for the phrase "promiscuous mode" in the output of

dmesg

: the kernel logs a line such as "device eth0 entered promiscuous mode" when a sniffer is started on an interface. Also check the firewall logs to see whether there were attacks against any specific ports or services.
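The "know what is normal" advice in the ps/lsof and netstat paragraphs boils down to comparing against a baseline. As an added example that is not part of the original post, the script below parses netstat -nap style output from a saved baseline and from the suspect server, reports listeners that are new, and reads the kernel's promiscuous-mode messages out of dmesg to list interfaces that entered promiscuous mode and never left it. Both samples are constructed; the netstat column layout is that of GNU net-tools, and the dmesg wording is the kernel's "device X entered/left promiscuous mode" message.

```shell
#!/bin/sh
# Added example, not from the original post: listener diff against a baseline
# and promiscuous-mode detection from dmesg. All input is passed as text so
# the script runs offline; BASELINE_NETSTAT, CURRENT_NETSTAT and DMESG_SAMPLE
# are constructed samples.

# Constructed "netstat -nap" output saved while the server was known good.
BASELINE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld
tcp        0      0 10.0.0.5:22             10.0.0.9:50212          ESTABLISHED 1412/sshd: admin
udp        0      0 0.0.0.0:68              0.0.0.0:*                           601/dhclient'

# Constructed output from the suspect server: one extra listener on port 4444
# run by a program with the kind of dot-name the post warns about.
CURRENT_NETSTAT="$BASELINE_NETSTAT
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2217/.x"

# Constructed dmesg excerpt: eth1 entered promiscuous mode and never left.
DMESG_SAMPLE='[    3.201144] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
[ 8102.551001] device eth1 entered promiscuous mode
[ 8140.002314] device eth0 entered promiscuous mode
[ 8145.771902] device eth0 left promiscuous mode'

# Print "proto local-address pid/program" for every listening socket.
# TCP sockets are listeners only in state LISTEN; UDP lines have no state
# column, so the PID/program field is one position to the left.
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7 }
        $1 ~ /^udp/                   { print $1, $4, $6 }
    '
}

# Print listeners in $2 (current) whose protocol and local address are not in
# $1 (baseline). A changed PID or program name on a known port is not
# reported here; diff the full listening_sockets output to catch that too.
new_listeners() {
    {
        listening_sockets "$1"
        echo '---'
        listening_sockets "$2"
    } | awk '
        /^---$/   { current = 1; next }
        !current  { seen[$1 " " $2] = 1; next }
        !(($1 " " $2) in seen)
    '
}

# Print each interface whose most recent dmesg transition was "entered
# promiscuous mode". Interfaces that entered and later left are not listed.
# dmesg is a ring buffer, so very old transitions may have rotated out.
promiscuous_ifaces() {
    printf '%s\n' "$1" | awk '
        /device .* entered promiscuous mode/ { for (i = 1; i <= NF; i++) if ($i == "device") state[$(i+1)] = "entered" }
        /device .* left promiscuous mode/    { for (i = 1; i <= NF; i++) if ($i == "device") state[$(i+1)] = "left" }
        END { for (d in state) if (state[d] == "entered") print d }
    ' | sort
}

if [ "${1:-}" = demo ]; then
    echo "New listeners since baseline:"; new_listeners "$BASELINE_NETSTAT" "$CURRENT_NETSTAT"
    echo "Interfaces in promiscuous mode (per dmesg):"; promiscuous_ifaces "$DMESG_SAMPLE"
fi
```

On a real host, save `netstat -nap` output to a file while the server is clean and pass `"$(cat baseline.txt)"` and `"$(netstat -nap)"` to new_listeners; remember that both netstat and dmesg on a rooted box may be lying, which is why the baseline should live off the server and the tools should come from trusted media.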

Look for suspicious activities in the server logs.

Look for unexplained reboots, login failures and large numbers of errors in the various error logs. Look for missing or truncated logs as well: a gap in a log is as telling as a suspicious entry. You may also find traces in the shell command-line history.
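Login failures are the easiest of those log checks to automate. As an added example that is not part of the original post, the two functions below run over sshd lines from an auth log (/var/log/auth.log or /var/log/secure) passed in as text: one counts failed logins per source address, the other reports a successful login from a source that had already failed several times, which is what a guessed password looks like in the log. The log excerpt is constructed; the line format is the standard sshd "Failed password for ... from ..." / "Accepted ... for ... from ..." wording.

```shell
#!/bin/sh
# Added example, not from the original post: two checks over sshd auth-log
# lines passed in as text. AUTH_LOG_SAMPLE is a constructed excerpt.

AUTH_LOG_SAMPLE='Jan 12 03:14:07 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:09 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:12 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 03:15:01 web1 sshd[2110]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Jan 12 07:59:58 web1 sshd[2298]: Failed password for deploy from 198.51.100.4 port 40001 ssh2
Jan 12 08:00:10 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.4 port 40002 ssh2'

# Count failed password logins per source address, most frequent first.
failed_logins_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i+1)
            fails[src]++
        }
        END { for (s in fails) print fails[s], s }
    ' | sort -rn
}

# Print "source user" for every successful login from a source that had
# already failed at least $2 times (default 3) earlier in the log.
# The user sits after "for" (or after "invalid user"), the source after "from";
# field 6 is the word Failed or Accepted.
success_after_failures() {
    printf '%s\n' "$1" | awk -v thr="${2:-3}" '
        /sshd\[[0-9]+\]: (Failed|Accepted) / {
            user = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") src = $(i+1)
            }
            if ($6 == "Failed") fails[src]++
            else if (fails[src] >= thr) print src, user
        }
    '
}

if [ "${1:-}" = demo ]; then
    echo "Failed logins by source:"; failed_logins_by_source "$AUTH_LOG_SAMPLE"
    echo "Successful logins after 3+ failures:"; success_after_failures "$AUTH_LOG_SAMPLE" 3
fi
```

For the sample, the first function reports 3 failures from 203.0.113.7 and 1 from 198.51.100.4, and the second reports `203.0.113.7 root`: three failed attempts followed by a successful password login for root from the same address within a minute. The deploy login is not reported at the default threshold because it had only one failure before it. Pass a file's content as `"$(cat /var/log/auth.log)"` on a real host; if the log is suspiciously short or ends abruptly, that is the "missing logs" case above.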

Using standard tools.

There are many up-to-date intrusion detection tools that produce useful reports and help you manage the security of numerous servers.

–> Tools like Tripwire and AIDE (Advanced Intrusion Detection Environment) create a baseline snapshot of the system while it is in a known-good state and then compare the current state against that baseline, so replaced binaries and new files stand out.

–> Nessus and OpenVAS are vulnerability scanners widely used by system administrators to find exposed services and unpatched software on mission-critical systems.

–> Rootkit scanners like rkhunter and chkrootkit come in handy as well.


About the Author :

Sankar works as a Senior Software Engineer at Bobcares. He joined Bobcares in April 2006. He loves grooming and mentoring people. In his free time he listens to music and enjoys singing.

