start:auditformalware (last edited 2023/09/14 20:48 by peter; previous revision 2022/11/10 19:52)
This page needs checking and updating - Pete @ 14/09/2023

This is an overview of how one would detect whether a system you happen to be working on has been rooted, has malware on it, and so on. Such a guide obviously cannot be complete or cover every case, but a general overview is given here. A typical scenario is taking over machines for a new customer, some of which are Linux boxes you have not used before. A general audit that checks for malicious items is a good idea in such cases, because servers are often neglected and left unpatched for long periods.
Don't forget to check open ports, which is documented here: [[Start:Firewall|Install A Simple Software Firewall]]

You can also look up how to use yara, and there are signatures here (https://github.com/Yara-Rules/rules), but personally I have not had to use yara and can't comment much on it. You can research it as a tool; I believe it's widely used, especially in the Kali community.

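As an added example of what a YARA rule looks like (not taken from the Yara-Rules repository linked above, and not something this page's author has deployed), the two rules below flag things commonly turned up on a neglected box during a manual audit: scripted reverse shells and UPX-packed ELF binaries. The rule names, string sets and the size threshold are assumptions chosen to illustrate the syntax; expect false positives on legitimate admin scripts and tune them before relying on them.

```yara
// Added example rules, not from the Yara-Rules repository.
// Strings and thresholds are assumptions for illustration; tune before use.

rule Linux_Suspicious_Reverse_Shell_Script
{
    meta:
        description = "Shell or Python snippets that connect a shell to a socket"
        author      = "example"
    strings:
        // bash's /dev/tcp pseudo-device is the classic one-liner transport
        $bash_devtcp = "/dev/tcp/" ascii
        // netcat variants that execute a shell on connect
        $nc_exec     = /nc(\.traditional)? (-e|-c) \/bin\/(ba)?sh/ ascii
        // pieces of the usual Python reverse shell
        $py_socket   = "socket.socket(" ascii
        $py_dup2     = "os.dup2(" ascii
        $py_pty      = "pty.spawn(" ascii
        $shell_path  = /\/bin\/(ba|da)?sh/ ascii
    condition:
        filesize < 1MB and
        (
            ($bash_devtcp and $shell_path) or
            $nc_exec or
            ($py_socket and $py_dup2 and ($py_pty or $shell_path))
        )
}

rule Linux_ELF_UPX_Packed
{
    meta:
        description = "ELF binary carrying the UPX packer marker; uncommon for distro packages"
        author      = "example"
    strings:
        $elf = { 7F 45 4C 46 }   // ELF magic
        $upx = "UPX!" ascii      // marker left by the UPX packer
    condition:
        $elf at 0 and $upx
}
```

Save this as audit.yar and run it over the places dropped files usually land, for example `yara -r -s audit.yar /tmp /var/tmp /dev/shm /home /usr/local/bin` (the yara package is in the Debian and Ubuntu repositories; -r recurses into directories and -s prints the matching strings so you can see why a file hit). A match is a lead, not a verdict: open the file and read it before acting on it.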
And one last thing to note, as always: if anything malicious is ever found, it is best to wipe the system completely and start again with a fresh install rather than attempt to clean a rooted box (if you need to understand how it got in, take a disk image or snapshot first, since the forensics links below assume you still have the evidence). Hopefully some of these overviews help you out as a basic starting place :)

- P


Further reading once the basics are no longer helpful:

https://www.sans.org/posters/intrusion-discovery-cheat-sheet-for-linux/

https://fahmifj.github.io/blog/linux-forensics-command-cheat-sheet/

https://www.sandflysecurity.com/blog/compromised-linux-cheat-sheet/

https://s3.amazonaws.com/acmelabs-galleries/48/0000/2352/forensic_cheatsheet.pdf

https://cdn.ttgtmedia.com/rms/security/Malware%20Forensics%20Field%20Guide%20for%20Linux%20Systems_Ch3.pdf

https://www.jaiminton.com/cheatsheet/DFIR/#linux-cheat-sheet

https://github.com/trimstray/the-book-of-secret-knowledge#black_small_square-auditing-tools