Baby [yes itz baby] tips to prevent minor DDoS and SYN floods.


You have to verify if the box is really compromised.

Check /etc/passwd and verify the uid of the user news:

# grep -i news /etc/passwd

:: Result: news:x:0:0:news:/etc/news:/bin/bash

This shows that the user news has uid and gid 0, so it has full root privileges, and that it also has a login shell.

Check the /tmp directory for any suspicious files

# ls -al /tmp

Check the process tree and find if there are any suspicious process

# ps aux --forest
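The passwd and /tmp checks above as small shell functions, added here as an example (this is not code from the original post). They read passwd-format lines on stdin or take a directory argument, so they run against the constructed sample data below as well as against /etc/passwd and /tmp on a live box; the sample accounts and the scratch directory are made up for the demo.

```shell
# Added example, not from the original post: helpers for the passwd and /tmp
# checks. Inputs come from stdin or an argument so the functions can be run
# against the constructed samples here or against the live files.

# Print accounts whose uid or gid is 0 but that are not named root.
# Reads passwd-format lines on stdin.
find_uid0_accounts() {
    awk -F: '$1 != "root" && ($3 == 0 || $4 == 0) { print $1 }'
}

# Count accounts with an interactive login shell (anything other than
# nologin/false), to spot service accounts that should never have one.
count_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { n++ } END { print n + 0 }'
}

# List executable regular files under a directory; for /tmp this is the
# part of "ls -al /tmp" worth looking at first.
list_exec_in_dir() {
    find "$1" -type f -perm -100
}

# Constructed sample passwd content (not copied from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
news:x:0:0:news:/etc/news:/bin/bash
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed scratch directory standing in for /tmp: one hidden executable,
# one plain file.
SCRATCH=$(mktemp -d)
: > "$SCRATCH/.x"; chmod 700 "$SCRATCH/.x"
: > "$SCRATCH/notes.txt"
trap 'rm -rf "$SCRATCH"' EXIT

echo "uid/gid 0 accounts other than root:"
printf '%s\n' "$SAMPLE_PASSWD" | find_uid0_accounts
echo "accounts with a login shell: $(printf '%s\n' "$SAMPLE_PASSWD" | count_shell_accounts)"
echo "executables in $SCRATCH:"
list_exec_in_dir "$SCRATCH"
# On a live box:  find_uid0_accounts < /etc/passwd ; list_exec_in_dir /tmp
```

On the sample data the first function prints only news, which is exactly the finding the grep above is meant to surface; on a clean box it prints nothing.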

Check for any established connections

# netstat -plan

You will find the description of the FIN_WAIT2 and TIME_WAIT states in the netstat man page (type 'man netstat' in the shell). You can minimize those FIN_WAIT2 and TIME_WAIT states by doing the below things :-

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Put following in /etc/sysctl.conf
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1

# Decrease the default tcp_fin_timeout value
net.ipv4.tcp_fin_timeout = 30

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

Then execute the command :-
# /sbin/sysctl -p
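An added example (not from the original post) that audits a sysctl.conf against the four settings listed above and then compares the running kernel values read from /proc/sys, which is where "sysctl -p" ultimately writes. The WANTED list, the sample config file and its values are constructed for the demo.

```shell
# Added example, not from the original post: check a sysctl.conf and the live
# kernel against the settings recommended above.

WANTED='net.ipv4.tcp_syncookies=1
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_window_scaling=0
net.ipv4.tcp_sack=0'

# audit_sysctl_conf FILE
# Prints one line per wanted key: "<key> OK", "<key> MISMATCH got=<value>"
# or "<key> MISSING". Comments and surrounding whitespace in FILE are ignored.
audit_sysctl_conf() {
    printf '%s\n' "$WANTED" | awk -F= -v conf="$1" '
        BEGIN {
            # Load "key = value" pairs from the config file.
            while ((getline line < conf) > 0) {
                sub(/#.*/, "", line)
                if (line ~ /^[ \t]*$/) continue
                split(line, kv, "=")
                k = kv[1]; v = kv[2]
                gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
                have[k] = v
            }
            close(conf)
        }
        {
            key = $1; want = $2
            if (!(key in have))         print key " MISSING"
            else if (have[key] != want) print key " MISMATCH got=" have[key]
            else                        print key " OK"
        }'
}

# audit_live: the same comparison against the running kernel via /proc/sys.
audit_live() {
    printf '%s\n' "$WANTED" | while IFS='=' read -r key want; do
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "$key UNAVAILABLE"
        elif [ "$(cat "$path")" = "$want" ]; then
            echo "$key OK"
        else
            echo "$key MISMATCH got=$(cat "$path")"
        fi
    done
}

# Constructed sample config: one correct key, one wrong value, one commented
# out, one absent.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Enable TCP SYN cookie protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
# net.ipv4.tcp_sack = 0
EOF

echo "== $SAMPLE_CONF =="
audit_sysctl_conf "$SAMPLE_CONF"
echo "== running kernel =="
audit_live
```

Run it after editing /etc/sysctl.conf and again after "sysctl -p" to confirm the file and the kernel agree. Note that the last two settings trade performance for a smaller attack surface: with window scaling off the receive window is capped at 64 KB, and without SACK a sender recovers from several losses in one window much less efficiently, so on busy or high-latency links keep them on and rely on SYN cookies plus the iptables limits.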

Using IPtables
==============

You can also execute the following commands to minimize SYN attacks in the future :-
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

service iptables save
service iptables restart

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

# Limiting the incoming icmp ping requests:

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT

Let us assume that you need to limit incoming connections to the ssh server (port 22) to no more than 10 connections in 10 minutes:

iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

=================================

The following command should help you isolate which site was responsible for this injection:

find /usr/local/apache/domlogs/ -type f -exec egrep -H '(wget|curl|lynx)%20' {} \;

========================================================

A quick and useful set of commands for checking if a server is under DDoS is:

# netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

# netstat -anp | grep SYN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

# netstat -anp | grep FIN | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs taking the most amount of connections to a server.
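The same per-IP counting done in awk, added here as an example (not code from the original post). It also handles IPv6 and IPv4-mapped addresses such as ::ffff:192.0.2.4:80, which "cut -d: -f1" turns into an empty field, skips listening sockets, and can restrict the count to one TCP state. The netstat output below is constructed, not captured from a real server, and the addresses are documentation ranges.

```shell
# Added example, not from the original post: count connections per remote IP
# and per TCP state from "netstat -anp" output.

# top_remote_ips [STATE]  < netstat-output
# Counts connections per remote IP (tcp only, listening sockets skipped),
# optionally restricted to one TCP state, most-connected first.
top_remote_ips() {
    awk -v want="${1:-}" '
        $1 ~ /^tcp/ && $5 !~ /\*$/ && (want == "" || $6 == want) {
            ip = $5
            sub(/:[0-9]+$/, "", ip)    # strip the port, leaves IPv6 intact
            sub(/^::ffff:/, "", ip)    # normalise IPv4-mapped IPv6 addresses
            n[ip]++
        }
        END { for (i in n) print n[i], i }' | sort -rn
}

# state_counts  < netstat-output : how many tcp sockets sit in each state.
state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# syn_suspects N  < netstat-output
# Remote IPs holding at least N half-open (SYN_RECV) connections, the shape a
# SYN flood from a few sources takes in netstat.
syn_suspects() {
    top_remote_ips SYN_RECV | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample of "netstat -anp" output (udp lines have no State column).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV    -
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV    -
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED 1234/httpd
tcp        0      0 10.0.0.5:22             203.0.113.9:40002       ESTABLISHED 1235/sshd
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.4:3333   FIN_WAIT2   -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1235/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1100/ntpd'

echo "connections per remote IP:"
printf '%s\n' "$SAMPLE_NETSTAT" | top_remote_ips
echo "sockets per state:"
printf '%s\n' "$SAMPLE_NETSTAT" | state_counts
echo "IPs with 3 or more half-open connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | syn_suspects 3
# Live:  netstat -anp | top_remote_ips SYN_RECV
```

A large SYN_RECV count spread across many source addresses, rather than a few, usually means spoofed sources, which is where the SYN cookies setting above helps and per-IP rate limits do not.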

=========================================================

To kill perl processes :-

ps auxww | grep '[p]erl' | awk '{print $2}' | xargs kill -9

(The [p]erl pattern keeps the grep command itself out of the match, so its own PID is not passed to kill.)



