/g/ - Technology
File: Htop_3.0.1_screenshot.png (190 KB, 1387x633)
how do people locate malware on infected computers?
inb4
>common sense™
>antivirus
>>
just format the whole thing and reinstall the os
>>
>>84472484
what if i don't want to reinstall?
>>
>>84472465
which operating system?
>>
>>84472606
just do it
>>
>>84472609
windows, as an example
>>
common sense
antivirus
>>
>>84472649
Your OS is malware. Install Gentoo.
>>
>>84472667
fpbp
Verification not required.
>>
On Unix OSes I've seen tools that check for rootkits. Probably against a database of hashes of known malware.

I've felt extreme paranoia at times that some of my VPSs running extremely data-sensitive applications may be compromised, but I don't have the sysadmin chops to give a concrete answer; would be interested to hear some other anons' opinions.

Some things I've done:
ensure ssh password auth is disabled
disable root login
check for failed ssh login attempts in /var/log, install fail2ban to block IPs
check for ports that are being listened on using lsof
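The two config checks and the listening-port review from the list above, written out as an added example (my code, not anything posted in the thread). It reads a constructed sshd_config and a constructed `lsof -iTCP -sTCP:LISTEN -P -n` output embedded in the script; the hostnames, PIDs and the port allowlist are assumptions, and the `live_lsof()` helper is the only part that touches the real host:

```python
import subprocess

# Constructed sample of /etc/ssh/sshd_config for a hypothetical host. Note the
# commented-out PasswordAuthentication line: that leaves sshd's default ("yes").
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Constructed sample of `lsof -iTCP -sTCP:LISTEN -P -n` output.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812  root    3u  IPv4  19876      0t0  TCP *:22 (LISTEN)
nginx     1201  root    6u  IPv4  21345      0t0  TCP 0.0.0.0:80 (LISTEN)
python3   4412  games   4u  IPv4  55431      0t0  TCP *:4444 (LISTEN)
"""


def sshd_setting(config_text, keyword):
    """Effective value of a keyword (lowercased), or None if it is never set.

    sshd uses the first occurrence of a keyword. Directives after a Match
    block only apply conditionally, so this helper stops at the first Match.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def sshd_findings(config_text):
    """The two hardening gaps from the post: password auth and root login."""
    findings = []
    # PasswordAuthentication defaults to yes, so an unset keyword means enabled.
    if sshd_setting(config_text, "PasswordAuthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # PermitRootLogin defaults to prohibit-password on current OpenSSH
    # (without-password is the older spelling); only "yes" is a real gap.
    if sshd_setting(config_text, "PermitRootLogin") not in (
            "no", "prohibit-password", "without-password", None):
        findings.append("PermitRootLogin allows root login")
    return findings


def parse_listeners(lsof_text):
    """Return (command, pid, user, port) for every LISTEN line of lsof output."""
    listeners = []
    for line in lsof_text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue  # header line or a non-listening socket
        port = int(fields[-2].rsplit(":", 1)[1])  # "*:22", "0.0.0.0:80", "[::]:22"
        listeners.append((fields[0], int(fields[1]), fields[2], port))
    return listeners


def unexpected_listeners(lsof_text, allowed_ports):
    """Listening sockets whose port is not on the allowlist you expect to serve."""
    return [l for l in parse_listeners(lsof_text) if l[3] not in allowed_ports]


def live_lsof():
    """Run lsof on the real host (needs lsof installed; root to see every PID)."""
    return subprocess.run(["lsof", "-iTCP", "-sTCP:LISTEN", "-P", "-n"],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for finding in sshd_findings(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", finding)
    for cmd, pid, user, port in unexpected_listeners(SAMPLE_LSOF, {22, 80}):
        print(f"unexpected listener: {cmd} (pid {pid}, user {user}) on port {port}")
```

Swap `SAMPLE_SSHD_CONFIG` for the contents of `/etc/ssh/sshd_config` and `SAMPLE_LSOF` for `live_lsof()` to run it against a real box; the allowlist is whatever that box is supposed to serve, and anything else listening is what you go and look at.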
>>
>>84472465
You can monitor what is being used, network activity, logging activity.
>>
>>84472718
makes sense, but that only indicates the existence of malware on the machine of interest
>>
>>84472465
If this was circa 2000 A.D., you could spot it by watching for high CPU usage in task manager. Or check your DLLs for corruption. You might still be able to find it by booting Kali Linux and using malware detection programs, but I doubt it.
>>
>>84472750
>how do people locate malware on infected computers?
>that only indicates the existence of malware on the machine of interest
fucking what
>>
>>84472848
let me rephrase it for you
>how do people know which file is malware on infected computers?
>>
>>84472925
they don't, that's the point
>>
>>84472677
>SEVENTH post
>FIRST post best post
>>
>>84473019
that's like, all relative man.
>>
>>84472465
>>
>>84472700
so, looking in /var/log, I do not see a file regarding ssh login attempts.
I'm concerned about running fail2ban because I'm worried that it may block/interrupt gameplay or something.
redpill me on fail2ban
>>
>>84473271
on debian/ubuntu the ssh login log file should be at /var/log/auth.log. Fail2ban lets you define "jails" for certain services that expose your machine. I only have the ssh jail enabled and all it basically does is ban IPs if they fail to ssh login more than X times. You can define very complex rules for various services but I don't do that

Could also just use denyhosts which I also use
>>
>>84473271
auth.log
>>
>>84473334
what would I be looking for in the auth.log file?
everything pretty much looks the same
would it be obvious?
>>
>>84473388
>>
>>84473388
anybody that isn't you, or any user that is, to your knowledge, accessing something not in relation to its task.
>>
>>84473415
well that's just the obvious china-bot blasting on full force
>>
>>84472649
>uses malware OS
>asks how to locate malware
kek
>>
>>84473426
Correct. Now I'll ask a question. I'm not really interested in knowing about failed login attempts. I am interested in knowing about successful login attempts that aren't me. Should I use an alert system? Or maybe 2fa with a service like Teleport?
>>
>>84472700
Ordered by increasing complexity. Most of this has been touched on.

1. Maintain a list of known bad hashes. Compare and terminate offenders with extreme prejudice.

2. Most malware samples operate using 'known channels' and you/your organization probably aren't being targeted by state intelligence services.

Make a list and check the obvious stuff first. This is actually a really solid approach that hasn't changed much over the years. It's just an arms race and you have to keep up with what is hot at any given time. Odd accounts, privileges, changes to certain registry keys on windows, leave tripwire files and check for unexpected reads/accesses etc.

3. Packet capture, core dumps or virtualization all have the ability to give a very low level look at what your machine is doing. Arguably you can go deeper but that isn't relevant here.

You still need to have some sort of baseline behavior in hand for your processors or network interfaces, but assuming you do, then you've got the ability to compare the two (statistical analysis/ml hoodoo) so that you eventually work back up to processes / memory segments that appear to be highly likely to be engaging in suspect activity. There are a couple antivirus systems in the corporate world that use this technique and it is a pretty good baseline of defense.
>>
>>84473496
Arguably isn't the right word. You can go deeper, resources required just start going up exponentially.
>>
>>84472700
Unix-like OSes*
>>
>>84473476
successful logins are in auth.log as well
2fa for ssh seems retarded to me.
if you really must, use port knocking to make it more effort
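What the auth.log questions in this thread come down to (which IPs to ban after X failures, and which successful logins are "anybody that isn't you"), as an added example that is my code rather than anything posted here. The log lines are constructed, using documentation-range IPs, and the set of expected users and source addresses is an assumption you replace with your own. Unlike fail2ban it ignores the time window, so a slow trickle of failures over a day counts the same as a burst:

```python
import re
from collections import Counter

# Constructed /var/log/auth.log excerpt (hostname "vps", documentation IPs).
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:07 vps sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:09 vps sshd[2231]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:12 vps sshd[2233]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:15 vps sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Jan 12 03:14:18 vps sshd[2237]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jan 12 03:20:01 vps sshd[2301]: Failed password for invalid user test from 198.51.100.9 port 60001 ssh2
Jan 12 09:02:11 vps sshd[2410]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 12 11:45:03 vps sshd[2580]: Accepted password for backup from 203.0.113.44 port 50001 ssh2
Jan 12 12:01:44 vps sshd[2610]: Accepted publickey for deploy from 192.0.2.77 port 41000 ssh2: ED25519 SHA256:CONSTRUCTED
"""

# "Failed password for invalid user admin from 203.0.113.7 port 51234"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# "Accepted publickey for deploy from 198.51.100.20 port 40122"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def failed_by_ip(lines):
    """Count failed ssh authentications per source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def ips_to_ban(lines, maxretry=5):
    """The fail2ban sshd jail idea: IPs at or over maxretry failures."""
    return sorted(ip for ip, n in failed_by_ip(lines).items() if n >= maxretry)


def successful_logins(lines):
    """Every 'Accepted' line as (method, user, ip)."""
    logins = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append({"method": m["method"], "user": m["user"], "ip": m["ip"]})
    return logins


def unexpected_logins(lines, known_users, known_ips):
    """Successful logins that aren't you: unknown user, unknown source, or a
    password login on a box where password auth is supposed to be off."""
    flagged = []
    for login in successful_logins(lines):
        reasons = []
        if login["user"] not in known_users:
            reasons.append("unknown user")
        if login["ip"] not in known_ips:
            reasons.append("unknown source ip")
        if login["method"] == "password":
            reasons.append("password auth used")
        if reasons:
            flagged.append({**login, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()   # for a real host: open("/var/log/auth.log")
    print("ban candidates:", ips_to_ban(lines))
    for hit in unexpected_logins(lines, known_users={"deploy"}, known_ips={"198.51.100.20"}):
        print(f"{hit['user']}@{hit['ip']} via {hit['method']}: {', '.join(hit['reasons'])}")
```

The "password auth used" reason is the one worth watching even if the user and address look fine: an `Accepted password` line on a host where you believe password auth is disabled means the config you think you have is not the config sshd is running with.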
>>
>>84472700
kldstat, modprobe and dmesg can all come in handy if stuff is trying to add bullshit kernel modules.
>>
bump