Answers to: Detecting A Compromised Host

Answer by memnoch_proxy

memnoch_proxy — Tue, 11 May 2010 06:38:13 -0400

Load monitoring is useful. I've seen attacks come thru outdated installations of Wordpress and start up brute force kernel timing attacks. I noticed this because the cpu on the system was unusually busy. I wouldn't have noticed if I hadn't been graphing the output.

Rootkit checking are useful. Running log analysis on website logs is useful. I've seen file upload forms get circumvented such that PHP botnet scripts get uploaded (to an image upload folder).

Defense in Depth would also encourage application security assessment, not just OS monitoring. So running an application attack test (XSS, XSI, attacks etc), and application-level password audits are just as important. A wordpress login with a weak password is a super wide open door.

(Of course, the most important thing is backing up your system and testing your restore procedure. It might not be an attack that brings your site down, but an over-worked admin, an unexpected fire sprinkler shower, who knows what.)

Answer by Aaron 1

Aaron 1 — Tue, 11 May 2010 02:33:50 -0400

I use ossec extensively. event log correlation, active response, file system integrity checking, along with hardening the host similar to how you describe in your post.

Answer by Sander Marechal

Sander Marechal — Sun, 09 May 2010 19:39:11 -0400

I use Monit. In addition to checking if services are running it also can check checksums of binaries, init scripts, etcetera. Even better, it can prevent restarting compromised binaries. If an attacker manages to compromise your binaries, Monit will see it and alert you about it. It can also refuse to restart the service so the compromised binary doesn't run.

Answer by feinom

feinom — Sun, 09 May 2010 16:57:59 -0400

You could install an IDS like Snort and look for suspicious traffic to/from your different servers. There are a lot of signatures in place to detect malicious traffic, so this could perhaps give an indication of whether a system has been compromised or not.

Answer by Web31337

Web31337 — Sat, 08 May 2010 14:07:24 -0400

This will stop any cracker from using your box, except the one who is aware of all these checks and ready to immidiately bypass all of them replacing with own scripts. Of course it will only work good if you have enabled email notifications so you can react fast. Otherwise this will not make any sense. You need to think about actions to do in such cases. Say, ifconfig eth0 down, a proven way to wipe out any cracker while you are sleeping or afk :)

Don't forget to regularly check for updates. Patching your kernel with grsecurity is a good way too.

Answer by gregularexpressions

gregularexpressions — Sat, 08 May 2010 13:19:09 -0400

Your post there is pretty conclusive.

Something that we find is that once an attacker has any sort of foothold (via a hosted site or whatever) then they tend to start sending spam.

We have scripts in place to monitor the number of emails sent per user per X minutes and the total number in the outbound queue and alert us if either trip the limits.