November 2014

Useful commands to find the hacker programs and OS behavior

Recently I had the opportunity to work on several hacked servers that had been compromised through poor administration. As we know, the Heartbleed, Shellshock and POODLE attacks all came out recently.

1. Heartbleed vulnerability: caused by a buggy OpenSSL release; resolved by updating the package to the latest version.
2. Shellshock: a long-hidden bug in the bash shell that was found recently; resolved by updating to the latest bash version.
3. POODLE attack: a bug found in SSLv3; resolved by disabling SSLv3 support in web servers as well as in web browsers.

Most of the time we find unwanted files that the hackers executed still running in memory. The first thing I want to know is which user that program is running as.

1. Execute the top command
Watch the processes currently running. Check the CPU load, free disk space and RAM usage.

The screen above shows that the command “txma” is running as the user webapp, which was created for the Tomcat process. This means that either the hackers used a Tomcat security vulnerability or an application hosted in Tomcat was compromised. That could be poorly written code, outdated libraries, or a known outdated Java framework with serious security holes.

2. List the files opened by the hackers' program

Next I need to know which libraries and files are opened by this “txma” program, so I use the ‘lsof’ command.

# lsof | grep "txma"

At that point I saw that it was establishing outbound connections to other servers.

 $ lsof  | grep "txma" | grep ""
txma       2944   webapp    3u     IPv4             267098       0t0     TCP ip-172-31-20-172.ap-southeast-1.compute.internal:50395-> (SYN_SENT)

When I opened that IP in a web browser I saw that they were running an HFS file server to share the files used for the hack.

3. List the port activity on the server.
Execute these commands:
a. for TCP communication: netstat -atnpc | grep ESTA
b. for UDP communication (DNS attacks): netstat -aunpc | grep ESTA

These commands are useful for identifying which ports are currently in use and which program is using each port, so that we can identify the programs and the remote networks we are connecting to.
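The lsof and netstat output above has to be read by hand. The following is an added example, not from the original post, that summarises `netstat -atnp` style output into one line per program and remote host. SAMPLE_NETSTAT is constructed to look like Linux netstat output (documentation addresses, not the real server's); the function names are mine.

```sh
# Added example: summarise which remote hosts each program is talking to,
# from `netstat -atnp` style output (step 3 above).
# SAMPLE_NETSTAT is constructed; the addresses are documentation ranges.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 172.31.20.172:50395     203.0.113.10:8080       SYN_SENT    2944/txma
tcp        0      0 172.31.20.172:50396     203.0.113.10:8080       ESTABLISHED 2944/txma
tcp        0      0 172.31.20.172:8080      198.51.100.7:51234      ESTABLISHED 1843/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd'

# summarise_remote_hosts NETSTAT_TEXT
# Prints "program remote_host connection_count", one line per pair, for every
# socket that is not merely listening. SYN_SENT is kept on purpose: a process
# repeatedly trying to reach a host that no longer answers is still evidence.
summarise_remote_hosts() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(tcp|udp)6?$/ && $6 != "LISTEN" {
      host = $5; sub(/:[^:]*$/, "", host)    # strip ":port" (IPv6 safe)
      prog = $7; sub(/^[0-9]*\//, "", prog)  # strip "pid/"; "-" if unknown
      n[prog " " host]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# hosts_for_program NETSTAT_TEXT NAME
# Remote hosts contacted by one program, one per line.
hosts_for_program() {
  summarise_remote_hosts "$1" | awk -v prog="$2" '$1 == prog { print $2 }'
}

# Stand-alone run on the constructed sample.
summarise_remote_hosts "$SAMPLE_NETSTAT"
```

On a live host run it as root so program names are filled in: `summarise_remote_hosts "$(netstat -atnp)"`. A program name of “-” means netstat could not see the owning process, which on its own is worth a closer look.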

4. How do I find the location of the hackers' program?

 ls -l /proc/<process id>/exe

The process ID comes from the top command.

5. List the processes started by that program.

 ps aux | grep "txma"

6. Find the program on our server

 find / -type f -iname "txma"

7. Check the user's home directory and look for any files that were copied there.
Hackers usually change the timestamps of the files they used.

8. List the processes that user is executing.

ps -efl | grep "txma"

9. Show the process tree for that program's user (webapp)

 pstree webapp
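Steps 4 to 9 above each answer one question about the process. The following is an added example, not from the original post, that does the same in one pass by reading /proc directly. PROC_ROOT and the function names are my assumptions; the real interface is /proc. The point it adds is the “(deleted)” suffix on /proc/<pid>/exe: a binary that was removed from disk after it started keeps running, and `find /` in step 6 would never see it.

```sh
# Added example: locate a running program and its working directory via
# /proc, and flag binaries that were deleted from disk after launch.
# PROC_ROOT is an assumption so the functions can be pointed at a test
# directory; on a real host it is /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# proc_exe PID: print where the executable was loaded from.
# A target ending in " (deleted)" means the file was unlinked after start.
proc_exe() {
  readlink "$PROC_ROOT/$1/exe" 2>/dev/null
}

# proc_exe_deleted PID: exit 0 if the binary on disk has been unlinked.
proc_exe_deleted() {
  case "$(proc_exe "$1")" in
    *" (deleted)") return 0 ;;
    *) return 1 ;;
  esac
}

# pids_of NAME: PIDs whose comm matches NAME exactly (like pgrep -x NAME).
pids_of() {
  for d in "$PROC_ROOT"/[0-9]*; do
    [ -r "$d/comm" ] || continue
    if [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ]; then
      basename "$d"
    fi
  done
}

# report NAME: one line per process: "pid exe cwd [DELETED]"
report() {
  for pid in $(pids_of "$1"); do
    exe=$(proc_exe "$pid")
    cwd=$(readlink "$PROC_ROOT/$pid/cwd" 2>/dev/null)
    flag=""
    proc_exe_deleted "$pid" && flag=" DELETED"
    printf '%s %s %s%s\n' "$pid" "${exe:-?}" "${cwd:-?}" "$flag"
  done
}

# Stand-alone run: report on the process name from the post.
report txma
```

If a process shows up as DELETED, the running image can still be copied for analysis from /proc/<pid>/exe while the process is alive; killing it first destroys that copy.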

10. Block all outbound traffic

I usually allow outbound traffic from web servers only on ports 80, 443, 25 and 587 and block all other ports. This is where AWS security groups show their value: they make it simple. Otherwise you need to use iptables for the same purpose. I have used the APF firewall on certain systems to do this.

11. Limit inbound access

Most probably you need to open only port 80 (for most sites) and 443 if the site uses SSL. You can block all other ports from the public. I used to open FTP and SSH access ONLY to my office IP and the network from which I usually connect to the Internet.
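For servers without AWS security groups, the following is an added example, not from the original post, of the iptables rules that match steps 10 and 11: egress limited to the ports named above, ingress to 80/443 from anywhere and SSH/FTP only from an admin network. OFFICE_NET is a placeholder in the RFC 5737 documentation range, DNS on 53/udp is my addition (outbound lookups fail without it), and the helper names are mine. DRY_RUN=1, the default, prints the commands instead of applying them.

```sh
# Added example: iptables policy for steps 10 (egress) and 11 (ingress).
# OFFICE_NET is a placeholder; replace it with the admin network.
OFFICE_NET=${OFFICE_NET:-192.0.2.0/24}
EGRESS_PORTS="80 443 25 587"
DRY_RUN=${DRY_RUN:-1}

# ipt ARGS: print the iptables command in dry-run mode, else run it.
ipt() {
  if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# ACCEPT rules go in first and the DROP policy last, so an admin applying
# this over SSH is not cut off half way through.
egress_rules() {
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A OUTPUT -p udp --dport 53 -j ACCEPT          # DNS (my addition)
  for p in $EGRESS_PORTS; do
    ipt -A OUTPUT -p tcp --dport "$p" -j ACCEPT
  done
  ipt -A OUTPUT -j LOG --log-prefix "egress-drop: "  # see what gets blocked
  ipt -P OUTPUT DROP
}

ingress_rules() {
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -p tcp --dport 80 -j ACCEPT
  ipt -A INPUT -p tcp --dport 443 -j ACCEPT
  ipt -A INPUT -p tcp -s "$OFFICE_NET" --dport 22 -j ACCEPT
  ipt -A INPUT -p tcp -s "$OFFICE_NET" --dport 21 -j ACCEPT
  ipt -P INPUT DROP
}

# egress_allows PORT: exit 0 if the policy lets new TCP to PORT out.
egress_allows() {
  ( DRY_RUN=1; egress_rules ) | grep -q -- "--dport $1 -j ACCEPT"
}

# ingress_allows_from NET PORT: exit 0 if NET may open connections to PORT.
ingress_allows_from() {
  ( DRY_RUN=1; ingress_rules ) | grep -q -- "-s $1 --dport $2 -j ACCEPT"
}

# Stand-alone run prints the complete dry-run policy.
egress_rules
ingress_rules
```

The LOG rule before the OUTPUT DROP policy is what turns step 10 into detection as well as containment: once the policy is in place, a process like “txma” that keeps trying to reach its file server shows up in the kernel log with the destination it wanted.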
