Detecting the first signs of a compromise
Tuesday, 29 September 2009
When logging into a server, the first few seconds at the command prompt can offer general health information. Did it take a long time to get a command prompt after authenticating? Are there delays when typing in characters at the prompt? Are you getting disconnected often?
If you have even an inkling of suspicion, there’s no harm in getting a “feel” for your environment. Note anything that feels unusual; look for anything that stands out. Unless root itself has been compromised, there are always breadcrumbs.
Document the environment as it is active:
    mkdir /home/rack/ticketnumber
    cd !!$                          # bash history expansion: last argument of the previous command
    script !!$.out                  # record the whole session to a typescript file
    ps auxwww >> psauxwww.out
    pstree >> pstree.out
    netstat -plan >> netstat-plan.out
    lsof -i >> lsof-i.out
    lsof >> lsof.out
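The same snapshot as a small script, added here as an example and not part of the original post. It assumes the evidence root and ticket number are passed as arguments (the post hard-codes /home/rack), skips any tool that is not installed instead of aborting, records each command's exit status (lsof -i, for instance, exits non-zero when it finds nothing), and finishes with a SHA-256 manifest so the captured files can later be shown unaltered. Session recording with script is left to the interactive shell, as in the post.

```shell
#!/bin/sh
# Added example: scripted version of the "document the environment" step.
# Assumed layout (not from the original post): $EVIDENCE_ROOT/$TICKET/*.out

# capture NAME CMD [ARGS...]
# Run CMD if present, save its output to NAME.out, and log the outcome.
capture() {
    name=$1; shift
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if command -v "$1" >/dev/null 2>&1; then
        # Keep stderr with the output; a "permission denied" is evidence too.
        if "$@" > "$name.out" 2>&1; then
            echo "$stamp ok   $name: $*" >> capture.log
        else
            echo "$stamp exit $? $name: $*" >> capture.log
        fi
    else
        echo "$stamp missing $name: $1 not found on this host" >> capture.log
    fi
}

# snapshot EVIDENCE_ROOT TICKET
# Create EVIDENCE_ROOT/TICKET and record process, network and open-file state.
snapshot() {
    dir="$1/$2"
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        capture psauxwww    ps auxwww
        capture pstree      pstree
        capture netstat-plan netstat -plan
        capture lsof-i      lsof -i
        capture lsof        lsof
        # Hash what was collected so later tampering can be detected.
        if ls ./*.out >/dev/null 2>&1; then
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum ./*.out > manifest.sha256
            elif command -v shasum >/dev/null 2>&1; then
                shasum -a 256 ./*.out > manifest.sha256
            fi
        fi
    )
}

# Usage: sh snapshot.sh /home/rack 123456
if [ "$#" -eq 2 ]; then
    snapshot "$1" "$2"
fi
```

capture.log then holds one line per command with a UTC timestamp and its exit status, which is the record you want when a missing or non-zero-exiting tool later needs explaining; a netstat or lsof that is absent from a box that normally has them is itself worth noting.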
Here we determine what kind of compromise it is.