Ubuntu Linux Forensics for Dummies.
Forensics Goal:
Find suspicious, unknown or hidden ports, processes and connections.
[malware on my ubuntu machine, most likely hidden sector rootkit]
[shifting to windows 10 soon]
1.Check open Ports.
Tool : nmap
sudo apt-get install nmap
nmap -v 127.0.0.1
By default nmap scans only the 1000 most common TCP ports; add -p- to cover all 65535, and -sU (as root) to scan UDP. Scanning 127.0.0.1 only shows what listens on loopback, so also scan the address of your real network interface, and ideally scan the machine from another host on the LAN: a kernel rootkit can hide a port from tools running on the infected box, but not from a packet arriving over the wire.
To close a port, stop the service that owns it (and disable it, or it comes back on the next boot):
sudo service cups stop
(stopped ipp on my system)
2.Check active connections and listening Ports.
Tools : netstat , ss (netstat comes from the deprecated net-tools package; ss is installed by default and shows the same kernel socket tables)
netstat -t (established TCP connections; -a adds listening sockets)
netstat -u (UDP)
netstat -lnp (listening sockets, numeric ports, owning process; needs sudo to show processes of other users)
ss -t
ss -u
netstat -tunlp | grep :25 (example: is anything listening on port 25, i.e. a mail server you did not install? run it with sudo)
What you are looking for is a listener you cannot explain or a connection to an address you do not recognise. Save the output on a known-clean day so you have a baseline to diff against later.
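As an added example (not part of the original post), a small script that compares the listeners ss reports against an allow-list of the ones you expect and prints the rest. The ss output and the allow-list in it are constructed for the demo; on a real machine the allow-list is whatever you recorded on a known-clean day.

```sh
#!/bin/sh
# Added example (not from the original post): compare the listening sockets
# reported by `ss -tunlp` with an allow-list of the listeners you expect and
# print everything else. The sample output below is constructed for the demo.

SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=12))
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=890,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      5      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=3120,fd=3))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=1200,fd=6),("nginx",pid=1201,fd=6))
EOF
)

# unexpected_listeners "proto:port proto:port ..." < ss-output
# Prints "proto:port local-address process/pid" for every listener not on the list.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                          # skip the header row
        {
            port = $5; sub(/.*:/, "", port)       # text after the last colon is the port
            key  = $1 ":" port                    # e.g. tcp:4444
            proc = "-"                            # ss hides processes of other users unless run as root
            if (match($7, /\("[^"]+",pid=[0-9]+/)) {
                proc = substr($7, RSTART + 2, RLENGTH - 2)   # name",pid=NNN
                sub(/",pid=/, "/", proc)                     # -> name/NNN
            }
            if (!(key in ok)) print key, $5, proc
        }'
}

# Baseline recorded on a day when the machine was known clean (constructed here).
ALLOWED="udp:53 tcp:22 tcp:631 tcp:80"

# Demo against the constructed sample; on a live box run:
#   sudo ss -tunlp | unexpected_listeners "$ALLOWED"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED"
```

Against the sample the only line printed is the netcat listener on 4444, which is exactly the kind of thing the allow-list exists to surface. Keep the baseline file off the machine (or at least make it read-only) so that whatever you are hunting cannot edit it too.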
3.nslookup: check the DNS settings
nslookup ubuntu.com
The "Server:" line shows which resolver answered. Compare it with /etc/resolv.conf (on current Ubuntu releases that file points at the local systemd-resolved stub, 127.0.0.53, and resolvectl status shows the real upstream servers) and read /etc/hosts for entries you did not add. Malware that changes the resolver can send any name to a host it controls.
Best to change the DNS servers to resolvers you trust, e.g. the OpenDNS servers 208.67.222.222 and 208.67.220.220.
4.List of users logged in.
w (who is logged in and what each session is running)
who
whoami
users
last (login history from /var/log/wtmp; lastb lists failed logins from /var/log/btmp, lastlog the most recent login of every account)
Look for logins at times or from addresses you do not recognise, and for accounts you did not create (/etc/passwd should contain exactly one UID 0 user, root).
5.List of processes.
top
ps aux (every process; ps -ef --forest shows the parent/child tree, which makes a shell spawned by a daemon stand out)
ss -lp
netstat -tulnp
unhide (compares several views of the process table to find processes hidden from ps: sudo unhide proc, sudo unhide sys)
6.Checking Logs.
sudo less /var/log/auth.log (logins, sudo use, ssh attempts)
ls -l /var/log (syslog, kern.log, dpkg.log for package installs, apt/history.log; on recent Ubuntu releases journalctl holds the same data)
Read logs with less or grep rather than an editor: opening them in gedit risks altering the evidence. If the machine really is compromised, copy /var/log to external media first. Bear in mind that a rootkit running as root can edit or truncate logs, so a gap in the timeline is itself suspicious.
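An added example (not from the original post) of reading auth.log with a purpose rather than scrolling through it: for every source address it counts failed and accepted SSH logins and flags the pattern that matters most in a compromise timeline, many failures followed by a success. The log lines, addresses and threshold are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): summarise sshd lines in
# /var/log/auth.log per source address. The sample below is constructed;
# the addresses are from documentation ranges.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 ubuntu sshd[1423]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:15 ubuntu sshd[1423]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 10:01:19 ubuntu sshd[1425]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 10:01:25 ubuntu sshd[1427]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:05:40 ubuntu sshd[1500]: Accepted publickey for alice from 192.0.2.10 port 40200 ssh2
Mar  3 10:06:01 ubuntu sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 10:07:30 ubuntu sshd[1510]: Failed password for bob from 198.51.100.4 port 33000 ssh2
EOF
)

# ssh_login_summary [threshold] < auth.log
# One line per source IP, in order of first appearance:
#   "ip failed=N accepted=M SUSPECT|ok"
# SUSPECT = at least <threshold> failures (default 3) and at least one success.
ssh_login_summary() {
    awk -v thr="${1:-3}" '
        # sshd lines end with "... from <ip> port <port> ssh2", so the IP is $(NF-3)
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = $(NF-3); fail[ip]++
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = $(NF-3); acc[ip]++
            if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
        }
        END {
            for (i = 1; i <= n; i++) {
                ip = order[i]
                flag = (fail[ip] + 0 >= thr && acc[ip] + 0 > 0) ? "SUSPECT" : "ok"
                printf "%s failed=%d accepted=%d %s\n", ip, fail[ip] + 0, acc[ip] + 0, flag
            }
        }'
}

# Demo against the sample. On a live box:
#   sudo cat /var/log/auth.log | ssh_login_summary
# (journalctl -u ssh on releases where auth.log is not written)
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_login_summary 3
```

On the sample, 203.0.113.7 fails three times and then gets in as root, so it is flagged; the key login from 192.0.2.10 and the single failure from 198.51.100.4 are reported but not flagged. Once you have a suspect address, grep the same log for its later sudo and session lines to build the rest of the timeline.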
7.Check CRON Jobs.
crontab -l (crontab with no arguments reads a new crontab from stdin and would replace yours; -l lists it, sudo crontab -l shows root's)
Your own crontab is only one of the places a job can hide. Also check /etc/crontab, /etc/cron.d/, /etc/cron.hourly/ (daily, weekly, monthly), the other users' crontabs in /var/spool/cron/crontabs/, and systemd timers (systemctl list-timers --all): these are the usual spots where malware installs persistence.
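An added example (not from the original post): one function that enumerates the usual cron sources, /etc/crontab, /etc/anacrontab, /etc/cron.d, per-user crontabs in /var/spool/cron/crontabs and the run-parts directories. It runs against the live system's files, or against a disk mounted from a live USB when given a root prefix; the prefix argument is this example's own convention, not a cron feature.

```sh
#!/bin/sh
# Added example (not from the original post): list every scheduled job on the
# box, not just your own crontab. Optional first argument: a root prefix
# (default "/"), e.g. /mnt/disk when inspecting a mounted image.

cron_jobs() {
    root=${1:-}
    # Crontab-format files: print "file:line" for lines that start with a
    # schedule (a minute field or @reboot/@daily...); comments and
    # environment lines such as PATH= are skipped. Reading root-owned
    # spool files needs sudo.
    for f in "$root/etc/crontab" "$root/etc/anacrontab" \
             "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        grep -H -E '^[[:space:]]*[0-9*@]' "$f" 2>/dev/null || :
    done
    # run-parts directories: every executable file in them runs on that schedule.
    for d in "$root"/etc/cron.hourly "$root"/etc/cron.daily \
             "$root"/etc/cron.weekly "$root"/etc/cron.monthly; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] && printf '%s: run-parts script\n' "$f"
        done
    done
    return 0
}

# Demo on the live system; compare the list with what the packages you
# installed are expected to schedule (dpkg -S /path tells you which package
# owns a script, an unowned one deserves a closer look).
cron_jobs
```

Anything that runs at @reboot from /tmp, a home directory or a dot-directory, and any run-parts script that no package owns, goes on the suspect list. systemd timers are a separate mechanism and are not covered here; systemctl list-timers --all lists them.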
8.Malware
rkhunter (sudo rkhunter --check)
chkrootkit (sudo chkrootkit)
clamAV (sudo clamscan -r --infected /home, or the whole disk if you have the time)
unhide (sudo unhide proc for hidden processes, sudo unhide-tcp for hidden ports)
All of these run on the suspect kernel, so a kernel rootkit can lie to them. For an answer you can trust, boot a live USB, mount the disk and scan it from there, and verify the installed package files against their recorded checksums (debsums -c).
9.Ping, traceroute
Try pinging a name that should not exist (error-droid or some random string) and traceroute to it. Such a name must fail to resolve; if it resolves to an address, find out who answered: an /etc/hosts entry, a hijacked resolver, or an ISP that redirects non-existent names. This helped me find an unknown IP.
10.Wireshark (capture on your network interface and look for traffic to destinations you do not recognise; tshark does the same from the command line)
lsof : list open files (sudo lsof -i lists every process that has a network socket; sudo lsof -p PID shows what one process has open)
To kill a process
sudo kill -9 1281
or gnome-system-monitor
Record what the process is before you kill it (executable path, command line, open files and connections): kill -9 ends it instantly, which also destroys that volatile evidence.
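An added example (not from the original post) of what to capture from /proc before reaching for kill -9. The PID in the demo call is the shell's own; in practice you pass the PID you found in steps 2 or 5.

```sh
#!/bin/sh
# Added example (not from the original post): record what a process is before
# you kill it, straight from /proc. kill -9 removes the process and with it the
# volatile evidence; this prints the facts you want in your notes first.

# pid_report PID: prints "key value" lines for the process, nothing if it is gone.
pid_report() {
    pid=$1
    [ -d "/proc/$pid" ] || return 0
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    printf 'pid %s\n' "$pid"
    printf 'exe %s\n' "$exe"
    # A running binary that was deleted from disk is a classic malware trait:
    # the link target then ends in " (deleted)". Copy /proc/PID/exe out before
    # killing, it is the only copy of the binary you will get.
    case $exe in *' (deleted)') printf 'warning executable deleted from disk\n' ;; esac
    printf 'cwd %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unknown)"
    printf 'cmdline %s\n' "$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    printf 'ppid %s\n' "$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)"
    printf 'uid %s\n' "$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)"
    # Number of open sockets; sudo lsof -p PID or ss -p tells you where they go.
    printf 'sockets %s\n' "$(ls -l "/proc/$pid/fd" 2>/dev/null | grep -c 'socket:')"
    return 0
}

# Demo on the shell itself. For a suspect process: sudo sh -c '. ./thisfile'
# style usage, then `pid_report 1281 > notes.txt` before `sudo kill -9 1281`.
pid_report $$
```

The parent PID is worth following up with the same function: a shell whose parent is a web server or cron is a much stronger signal than the shell on its own.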
https://help.ubuntu.com/community/Security