Prevent URL Injection attacks
URL Injection attacks typically mean that the server to which the attacker's IP address is bound is itself a compromised server.
What can we do?
Check the server for suspicious files in /tmp, /var/tmp, /dev/shm, /var/spool/samba, /var/spool/vbox, /var/spool/squid, and /var/spool/cron.
Use "ls -lab" when checking these directories, because compromised servers sometimes have hidden files that a regular "ls" will not show.
Use:
# ps -efl
or
# ps -auwx
to find suspicious processes. Verify Apache processes.
Clam Anti-virus can also be used to find commonly used PHP and Perl-based hacks, including various PHP shells, on a server: run the clamscan command with the “--infected” and “--recursive” options.
Also check rootkit detection tools:
http://www.chkrootkit.org/
http://www.rootkit.nl/
http://www.ossec.net/en/rootcheck.html
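The directory check described above can be scripted so that it is repeatable across servers. The following is an added example, not part of the original post: the directory list comes from the article, while the function name scan_dirs, the SCAN_NOW switch and the three reporting categories (hidden entries, PHP/Perl files, executable files) are assumptions about what counts as suspicious.

```sh
#!/bin/sh
# Added example: triage the world-writable directories named in the article.
# Each finding is printed as "TAG path" so the output can be grepped or diffed
# against an earlier run. The same file may appear under more than one tag.

# Directory list taken from the article.
DEFAULT_DIRS="/tmp /var/tmp /dev/shm /var/spool/samba /var/spool/vbox /var/spool/squid /var/spool/cron"

# scan_dirs DIR...  (hypothetical helper name)
scan_dirs() {
    for dir in "$@"; do
        # Not every host has samba, vbox or squid spool directories.
        [ -d "$dir" ] || continue

        # Dotfiles and dot-directories: what "ls" hides and "ls -lab" shows.
        find "$dir" -mindepth 1 -name '.*' 2>/dev/null | sed 's/^/HIDDEN /'

        # PHP and Perl files have no business living in temp or spool areas.
        find "$dir" -type f \( -name '*.php' -o -name '*.pl' \) 2>/dev/null |
            sed 's/^/SCRIPT /'

        # Regular files with any execute bit set (owner, group or other).
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null |
            sed 's/^/EXEC /'
    done
}

# Set SCAN_NOW=1 to scan the article's directory list when the script is run.
if [ "${SCAN_NOW:-0}" = 1 ]; then
    # Word splitting of DEFAULT_DIRS is intentional here.
    scan_dirs $DEFAULT_DIRS
fi
```

Run it as root so that find can descend into directories owned by other users, and treat each line as a lead to inspect with "ls -lab" rather than as proof of compromise.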