Perl/Calfbot
The presence of a /tmp/... file reveals if a server is infected, and the file creation timestamp will accurately reflect the infection time. However, if the server is rebooted or the C&C server sends a KILL command, the file will still be present but the malware will not be running anymore. In order to confirm an active infection, one must test the presence of a lock on /tmp/... using the following command:

flock --nb /tmp/... echo "System clean" || echo "System infected"

If one is infected, lsof can be used to see what process owns that lock:

lsof /tmp/...

The following can also validate that the targets of the /proc/$pid/exe symbolic links are the real crond:

pgrep -x "crond" | xargs -I '{}' ls -la "/proc/{}/exe"

Anything looking like "/tmp/ " (with a space) in the output is very suspicious.

pgrep requires the procps package. If you can't install the package, replace:

pgrep -x crond

with:

ps -ef | grep crond | grep -v grep | awk '{print $2}'
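The lock test and the /proc/$pid/exe check above, combined into two POSIX shell functions as an added example (not code from the original post). The lock path and the proc root are parameters only so the functions can be exercised against a scratch file and a constructed fake /proc tree; the exe check generalises the post's "/tmp/ " indicator to any crond whose binary resolves under /tmp, and it skips the lock test when the file is absent because flock would otherwise create it and destroy the timestamp indicator.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes util-linux flock
# (-n is the same flag the post writes as --nb) and a Linux-style /proc.

# lock_status LOCKFILE
# Prints "infected" if another process holds a lock on LOCKFILE (the post's
# /tmp/...), "clean" otherwise. An absent file is reported as "clean" and is
# deliberately not touched: flock creates its lock file, which would wipe
# out the creation-time evidence the post relies on.
lock_status() {
    lockfile="$1"
    [ -e "$lockfile" ] || { echo "clean"; return 0; }
    command -v flock >/dev/null 2>&1 || { echo "flock not available" >&2; return 2; }
    if flock -n "$lockfile" true; then
        echo "clean"
    else
        echo "infected"
    fi
}

# suspicious_exe_targets NAME [PROCROOT]
# Prints "PID TARGET" for every process whose comm equals NAME exactly (like
# pgrep -x) and whose exe symlink points under /tmp, e.g. "/tmp/ " with a
# trailing space as described in the post. PROCROOT defaults to /proc and is
# a parameter only so the function can be tested against a constructed tree.
suspicious_exe_targets() {
    name="$1"
    procroot="${2:-/proc}"
    for dir in "$procroot"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        comm="$(cat "$dir/comm" 2>/dev/null)" || continue
        [ "$comm" = "$name" ] || continue
        # readlink still reports the target of a dangling link, which is
        # exactly the case when the malware's script file has been deleted.
        target="$(readlink "$dir/exe" 2>/dev/null)" || continue
        case "$target" in
            /tmp/*) printf '%s %s\n' "$pid" "$target" ;;
        esac
    done
}

# Usage on a live host (the post's own paths):
#   lock_status /tmp/...
#   suspicious_exe_targets crond
```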