Recently I got an opportunity to work on several hacked servers that had been compromised due to poor administration. As we know, the Heartbleed, Shellshock and POODLE attacks have all come out recently.
1. Heartbleed vulnerability: caused by a buggy OpenSSL release; resolved by updating the package to the latest version.
2. Shellshock: a buggy and long-hidden bash shell flaw that was found only lately; resolved by updating to the latest bash version.
3. POODLE attack: a hidden bug found in SSLv3; resolved by disabling SSLv3 support in web servers as well as in web browsers.
Most of the time we see that certain unwanted programs, executed by the hackers, are running in memory. The very first thing I want to know is which user that program is running as.
1. Execute the top command
Watch the processes currently running. Check the CPU load, free disk space and RAM usage.
The above screen shows that the command “txma” is running as the user webapp, which was created for the Tomcat process. This shows that either the hackers used a Tomcat security vulnerability or an application hosted in Tomcat was compromised. This might be poorly written code, the use of outdated libraries, or a known outdated Java framework with serious security holes.
2. List the files opened by the hackers' program
Next I need to know which libraries and files are opened by this “txma” program, so I use the ‘lsof’ command.
At that point I see that they are establishing outbound connectivity to other servers.
txma 2944 webapp 3u IPv4 267098 0t0 TCP ip-172-31-20-172.ap-southeast-1.compute.internal:50395->188.8.131.52:10771 (SYN_SENT)
When I open that IP in a web browser I see they are using an HFS file server to share files that can be used for hacking.
3. Listing the port activity on the server.
Execute these commands:
a. For TCP communication: netstat -atnpc | grep ESTA
b. For UDP communication (DNS attacks): netstat -aunpc | grep ESTA
This command is useful for identifying which ports are currently in use and listing the program using each port, so that we can identify the programs and the target networks we are accessing or connecting to.
4. How do I find the location of the hackers' program?
The process id is obtained from the top command.
5. List the processes initiated by that program.
6. Find a program on our server
8. List the number of processes that user is executing.
9. Find all the files used by that program
10. Block all outbound traffic
I used to allow outbound traffic on ports 80, 443, 25 and 587 from web servers and block all other ports. This is where we come to appreciate the value of AWS security groups: they make it simple. Otherwise you need to use iptables for the same. I have used the APF firewall on certain systems to do this.
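As an added example (my own code, not the author's), here is a small Python triage helper that parses lsof -i output like the txma line quoted in step 2 and flags, per PID, every connection to a public host on a port outside the egress allow-list from this step. It assumes numeric ports (lsof -P) and uses the page's txma line plus two constructed benign lines as sample input.

```python
import ipaddress
import re
from collections import defaultdict

# Egress allow-list from step 10 of the page: 80, 443, 25, 587.
ALLOWED_EGRESS_PORTS = {80, 443, 25, 587}

# lsof -i columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME is "local->remote (STATE)".
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+"
    r"\s+(?P<proto>TCP|UDP)\s+(?P<local>\S+)->(?P<remote>\S+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)

# Constructed sample: the first line is the one quoted on the page, the
# other two are made up to show traffic that should NOT be flagged.
SAMPLE_LSOF = [
    "txma 2944 webapp 3u IPv4 267098 0t0 TCP ip-172-31-20-172.ap-southeast-1.compute.internal:50395->188.8.131.52:10771 (SYN_SENT)",
    "java 2101 webapp 45u IPv4 198877 0t0 TCP ip-172-31-20-172.ap-southeast-1.compute.internal:41022->172.31.20.10:3306 (ESTABLISHED)",
    "java 2101 webapp 52u IPv4 199120 0t0 TCP ip-172-31-20-172.ap-southeast-1.compute.internal:51870->203.0.113.5:443 (ESTABLISHED)",
]

def parse_lsof_line(line):
    """Return a dict for one connected-socket line, or None for anything else."""
    m = LSOF_RE.match(line.strip())
    if not m:
        return None  # header line, listening socket, UDP without a peer, etc.
    rec = m.groupdict()
    host, _, port = rec["remote"].rpartition(":")
    rec["pid"] = int(rec["pid"])
    rec["remote_host"] = host.strip("[]")  # lsof brackets IPv6 literals
    rec["remote_port"] = int(port)         # needs lsof -P (numeric ports)
    return rec

def is_public(host):
    """True for globally routable IPs; unresolved hostnames are treated as public."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True

def flag_unexpected_egress(lines, allowed=ALLOWED_EGRESS_PORTS):
    """Group by PID every connection to a public host on a port not in the allow-list."""
    flagged = defaultdict(list)
    for line in lines:
        rec = parse_lsof_line(line)
        if rec and is_public(rec["remote_host"]) and rec["remote_port"] not in allowed:
            flagged[rec["pid"]].append(rec)
    return dict(flagged)
```

Pipe the output of `lsof -i -n -P` into `flag_unexpected_egress` and anything it returns is a process worth a closer look with the steps above, before the firewall is tightened.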
11. Limit the inbound access
Most probably you need to open only port 80 (for most sites) and 443 if they use SSL. You can block all other ports from the public. I used to open FTP and SSH access ONLY to my office IP and the network from which I usually connect to the Internet.