This shows you the differences between two versions of the page.
Page: start:auditformalware. Previous revision: 2022/11/10 19:56 (peter). Current revision: 2023/09/14 20:48 (peter).
This page needs checking and updating - Pete @ 14/

This is an overview of how one would detect whether a system you happen to be working on has been rooted or has malware on it. Obviously such a guide cannot be complete or cover every such case, but a general overview is provided here. A typical scenario might be taking over machines for a new customer, some of which are Linux systems you have not used before. Doing a general audit and checking for malicious items is a good idea in such cases, as servers are often neglected and not patched for long periods of time.
Don't forget to check open ports, which is documented here: [[Start:
You can also look up how to use yara, and there are signatures

And one last thing to note, as always: if anything malicious is ever found, it's best to totally wipe and start again with a new system rather than fix, or attempt to fix, a rooted box. Hopefully some of these overviews help you out as a basic starting place :)

- P

Further reading once the basics are no longer helpful:

https://
https://
https://
https://
https://
https://
https://