Another alternative is to use a FIMS/HIDS such as Aide (Advanced Intrusion
Detection Environment), OSSEC or Samhain. Be prepared to learn a lot about what
your OS normally does behind the scenes (and thus a fair amount of initial fine
tuning to exclude those things). Aide seems to work well (I've seen only
one odd result) and is quite granular. However, it is local system based rather
than centralized and isn't daemon based so you're left with periodic
checks and finding a way to protect the executable, database and configuration.
OSSEC is centralized, daemon based and can check logs for anomalies. However,
it is not nearly as granular as Aide and does produce false positives (for
example, if 'detect new files' is used, it will detect based on access
time changes rather than modification or change times - but only for a
while...). If you select OSSEC, whatever you do, do NOT put extraneous files in
/var/ossec/etc/shared - you can get truly bizarre and baffling results doing so.
I only know about Samhain; if someone has experience I would very much like to
hear about its strengths and weaknesses.
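As an added illustration of the periodic file-integrity checking described above (a hypothetical script written for this thread, not AIDE, OSSEC or Samhain code): it baselines sha256, size, mode, mtime and ctime for every regular file under a directory, deliberately leaves atime out so that merely reading a file is not reported, and lists added, removed and modified paths. The directory tree and file contents are constructed inline so it runs offline.

```python
import hashlib
import os
import tempfile

# Attributes recorded per file. Access time is deliberately excluded so a
# read (which only bumps atime) is not reported as a change.
def file_record(path):
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": st.st_mode, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns}

def snapshot(root):
    """Walk root and record every regular file, keyed by path relative to root."""
    records = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                records[os.path.relpath(full, root)] = file_record(full)
    return records

def compare(baseline, current):
    """Report which paths were added, removed or changed since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline three files, then read one, rewrite one, add one."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/app": b"version 1\n", "etc/app.conf": b"debug=0\n",
                 "www/index.php": b"<?php echo 'hello';\n"}
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)
        with open(os.path.join(root, "etc/app.conf"), "rb") as fh:  # read only: atime changes
            fh.read()
        with open(os.path.join(root, "bin/app"), "wb") as fh:       # content change
            fh.write(b"version 2\n")
        with open(os.path.join(root, "www/new.php"), "wb") as fh:   # new file
            fh.write(b"<?php\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Running it reports only bin/app as modified and www/new.php as added; the file that was merely read is not listed.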
----- Original Message -----
From: "Johnny Hughes" <johnny at centos.org>
To: "centos" <centos at centos.org>
Sent: Monday, November 6, 2017 7:20:22 AM
Subject: Re: [CentOS] How to detect botnet user on the server ?
On 11/06/2017 07:06 AM, marcos valentine wrote:
> Hello guys,
>
>
> Whats is the best way to identify a possible user using a botnet with php
> in the server? And if he is using GET commands for example in other server.
>
> Does apache logs outbound conections ?
>
> If it is using a file that is not malicious the clam av would not identify.
This sounds like a good place to start:
https://major.io/2011/03/09/strategies-for-detecting-a-compromised-linux-server/
(look for open ports connections both inbound and outbound with netstat,
etc.)
But, if someone has completely breached the machine and gotten root on
it, they could put in fake binaries that hide ports and hide processes
from 'top' (or ps, lsof). So, a look via chkrootkit or rkhunter would
be needed to find that.
The link for rkhunter in the article is bad .. here is the new one:
http://rkhunter.sourceforge.net/
rkhunter seems to be in EPEL. chkrootkit is in fedora, it does not seem
to be in EPEL.
_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos