start:auditformalware [2022/11/10 19:50] peter
start:auditformalware [2023/09/14 20:48] (current) peter
Line 1: Line 1:
 +This page needs checking and updating - Pete @ 14/09/2023 
 +
 +
 This is an overview to how one would detect if a system you happened to be working on was rooted or had malware etc. Obviously such a guide cannot be complete or cover all such cases but a general overview is provided here. A typical scenario might be taking over machines for a new customer some of which are linux that you have not used before. Doing a general audit and checking for malicious items is a good idea in such cases as often servers are neglected and not patched for long periods of time.  This is an overview to how one would detect if a system you happened to be working on was rooted or had malware etc. Obviously such a guide cannot be complete or cover all such cases but a general overview is provided here. A typical scenario might be taking over machines for a new customer some of which are linux that you have not used before. Doing a general audit and checking for malicious items is a good idea in such cases as often servers are neglected and not patched for long periods of time. 
  
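Review bot: the new banner says the page needs checking but not what is suspected to be stale, so a later editor cannot tell when it is safe to remove it; name the parts in doubt (for example whether the install notes for the tools listed further down are still current) or link to where that is being tracked. The unchanged overview paragraph in this hunk also sets up the scenario of inheriting unpatched customer servers without saying that the audit should be run from a known-good toolset and that anything suspicious should be recorded before the system is changed; one sentence to that effect would make the overview safer to follow.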
Line 19: Line 22:
 Another tool is **maldet** which you can install, however its not currently in the debian repos. It is best to check how to install it from the github page as its maintained by the author: https://github.com/rfxn/linux-malware-detect Another tool is **maldet** which you can install, however its not currently in the debian repos. It is best to check how to install it from the github page as its maintained by the author: https://github.com/rfxn/linux-malware-detect
  
 +Dont forget to check open ports which is documented here: [[Start:Firewall|Install A Simple Software Firewall]]
 +
 +You can also lookup how to use yara, and there are signatures here (https://github.com/Yara-Rules/rules) but personally I have not had to use yara and cant comment much on it. You can research it as a tool, I believe its widly used especially in the kali community.
 +
 +And last thing to note, as always, if anything malicious is ever found, then its best to totally wipe and start again with a new system rather than fix or attempt to fix a rooted box. Hopefully some of these overviews help you out as a basic starting place :)
 +
 +- P
 +
 +
 +Further reading once the basics are no longer helpful:
 +
 +https://www.sans.org/posters/intrusion-discovery-cheat-sheet-for-linux/
 +
 +https://fahmifj.github.io/blog/linux-forensics-command-cheat-sheet/
  
 +https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/
  
 +https://s3.amazonaws.com/acmelabs-galleries/48/0000/2352/forensic_cheatsheet.pdf
  
 +https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems_Ch3.pdf
  
 +https://www.jaiminton.com/cheatsheet/DFIR/#linux-cheat-sheet
  
 +https://github.com/trimstray/the-book-of-secret-knowledge#black_small_square-auditing-tools
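Review bot: the closing advice to wipe and rebuild when anything malicious is found should be preceded by a step to preserve evidence (a disk image, or at least the relevant logs and the output of the checks run) before the wipe, since the cheat sheets added under further reading are forensic references that depend on that data, and without it you cannot tell how the box was compromised or whether the other machines taken over from the same customer are affected. The open-ports sentence would also benefit from saying to compare the listening ports against what the server is documented to provide, since the firewall page it links to covers installing a firewall rather than reviewing an unknown host. Minor: the added lines have typos to fix before they go live: "Dont" should be "Don't", "its" should be "it's" where it means "it is", "cant" should be "can't", "widly" should be "widely", and "lookup" should be "look up". The yara sentence is honest that the author has not used it, which is fine, but "I believe its widly used especially in the kali community" is hearsay; consider dropping the kali clause and pointing at the yara documentation alongside the rules repository.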
start/auditformalware.1668109851.txt.gz · Last modified: 2022/11/10 19:50 by peter