security

Linux

apt-get install chkrootkit lynis rkhunter unhide debsums

* chkrootkit note: on OpenSSH 7 the Ebury test reports "Possible Linux/Ebury - Operation Windigo installed". That test is the ssh -G heuristic below; -G has been a legitimate ssh option since OpenSSH 6.8, so on current OpenSSH it prints "System infected" on a clean host as well.

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

####
"System infected"
# ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips  1 Mar 2016
####
chkrootkit

rkhunter --update; \
rkhunter --propupd; \
rkhunter -c --skip-keypress --pkgmgr dpkg

(--propupd records the current file properties as the known-good baseline, so run it only on a host you believe is still clean.)

rkhunter --check --skip-keypress

unhide -f sys; \
unhide -f proc; \
unhide-tcp

lynis update info; \
lynis --quick

debsums -s

List the packages whose files fail debsums, so they can be reinstalled:

dpkg-query -S $(sudo debsums -c 2>&1 | sed -e "s/.*file \(.*\) (.*/\1/g") | cut -d: -f1 | sort -u

Ebury shared memory segment: greater than 25k, perms 666

# ipcs -m
------ Shared Memory Segments --------
key        shmid      owner     perms      bytes      nattch
0x000006e0 65538      root      666        3283128    0

or a smaller segment with tighter perms

# ipcs -m
------ Shared Memory Segments --------
key        shmid      owner     perms      bytes      nattch
0x0000091a     0      root      600        463084     0

Replacement of the shared library 'libkeyutils' can be identified by its file size. Legitimate versions of the library are usually less than 15 kilobytes, while the malicious ones are larger than 25 kilobytes.

If libns2.so exists, the host is compromised, especially if netstat shows anything listening.

find /lib* -type f -name 'libkeyutils.so*' -exec ls -la {} \; ; \
find /lib* -type f -name libns2.so ; \
netstat -nap | grep "@/proc/udevd"
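An added triage script (not from the original notes) that turns the indicators above into functions that can be checked on constructed sample data or run against the live host: libkeyutils size, libns2.so presence, ipcs segments with perms 666 above 25 KB, and the ssh -G test. The OpenSSH 6.8 cutoff for a legitimate -G option and the 25600-byte threshold are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): Ebury indicator triage.
# Thresholds: libkeyutils.so legitimate < 15 KB, replaced > 25 KB; shared
# memory flagged at perms 666 and > 25 KB (25600 bytes), both per the notes.
# Assumption: -G is a legitimate ssh option from OpenSSH 6.8 on, so the
# "ssh -G" heuristic is inconclusive on newer versions (the 7.2 case above).

classify_libkeyutils_size() {   # $1 = file size in bytes
    if [ "$1" -gt 25600 ]; then echo suspicious
    elif [ "$1" -lt 15360 ]; then echo legitimate
    else echo unknown; fi
}

flag_shm_segment() {   # $1 = one "ipcs -m" data line, $2 = byte threshold
    printf '%s\n' "$1" | awk -v min="$2" '
        $4 == "666" && $5 + 0 > min { print "suspicious"; next }
        { print "ok" }'
}

ssh_g_heuristic() {   # $1 = output of "ssh -G 2>&1", $2 = OpenSSH version
    v=${2:-0.0}; major=${v%%.*}; minor=${v#*.}; minor=${minor%%[!0-9]*}
    [ "$major" = "$v" ] && minor=0     # version string without a dot
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 8 ]; }; then
        echo inconclusive; return 0
    fi
    # Pre-6.8 logic from the notes: a clean ssh rejects -G as illegal/unknown.
    printf '%s\n' "$1" | grep -q -e illegal -e unknown && echo clean || echo infected
}

run_live_checks() {   # apply the indicators to this host (root for full coverage)
    find /lib* -type f -name 'libkeyutils.so*' 2>/dev/null | while read -r f; do
        echo "$f $(wc -c < "$f") bytes: $(classify_libkeyutils_size "$(wc -c < "$f")")"
    done
    find /lib* -type f -name 'libns2.so*' 2>/dev/null | sed 's/^/libns2 present: /'
    ipcs -m 2>/dev/null | awk '$1 ~ /^0x/' | while read -r line; do
        echo "$line -> $(flag_shm_segment "$line" 25600)"
    done
    echo "ssh -G heuristic: $(ssh_g_heuristic "$(ssh -G 2>&1)" \
        "$(ssh -V 2>&1 | sed 's/^OpenSSH_\([0-9.]*\).*/\1/')")"
}

# Constructed sample lines (the two ipcs entries from the notes above).
SAMPLE_SHM_EBURY='0x000006e0 65538      root      666        3283128    0'
SAMPLE_SHM_SMALL='0x0000091a     0      root      600        463084     0'
# Run on a host with: sh ebury_triage.sh --live
[ "${1:-}" = "--live" ] && run_live_checks
```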

Snort Rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
(msg:"Ebury SSH Rootkit data exfiltration";\
content:"|12 0b 01 00 00 01|"; depth:6;\
pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
reference:url,https://www.cert-bund.de/ebury-faq;\
classtype:trojan-activity; sid:9000001; rev:1;)

PHP

php.ini

#
# Cause the PHP interpreter to handle files with a .php extension.
#
#AddHandler php5-script .php
#AddType text/html .php

<FilesMatch "\.php$">
        SetHandler php5-script
</FilesMatch>

http://sourceforge.net/projects/tripwire/

SSL Cert:

openssl genrsa 2048 > host.key
openssl req -new -x509 -nodes -sha1 -days 3650 -key host.key > host.cert
...[enter *.domain.com for the Common Name]...
openssl x509 -noout -fingerprint -text < host.cert > host.info
cat host.cert host.key > host.pem
chmod 400 host.key host.pem

(Current browsers reject SHA-1 certificate signatures, so -sha256 is the drop-in replacement for -sha1; they also match the hostname against Subject Alternative Names rather than the CN, which on OpenSSL 1.1.1 or later you can add with -addext "subjectAltName=DNS:*.domain.com".)

The Hard Way (a 1024-bit RSA key is below current minimums; use 2048 as above):

openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Wordpress:

Force SSL:

define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

(FORCE_SSL_LOGIN has been deprecated since WordPress 4.0; FORCE_SSL_ADMIN alone now covers both logins and the admin area.)

Allow local updates:

define('FS_METHOD','direct');
security.txt · Last modified: 2016/08/07 21:00 by vinny