Difference between revisions of "Operating Systems/Linux/Ubuntu/Ubuntu 16.04 LTS/Malware-Backdoors"

From Vista Ridge Cyberpatriot
Revision as of 16:19, 9 February 2024

Backdoors

Netstat

Netstat lets you see which ports are in use and which program owns each one. This matters because a backdoor typically sits listening on a port, waiting for a remote attacker to connect to your computer.

  1. Install netstat with sudo apt install net-tools
  2. sudo netstat -tlnp to run netstat.
    • sudo is required to see the PID and name of every process using a port; without it, sockets owned by other users show up with "-" instead of a program name
    • -t only shows TCP sockets, which backdoors commonly use (add -u to include UDP as well)
    • -l only shows listening sockets, which is what a backdoor waiting for a connection will be doing (drop -l to also see established connections, for example a reverse shell that has called out to an attacker)
    • -n shows numeric addresses and port numbers instead of resolving them to host and service names, so the output is faster and harder to misread
    • -p displays the PID and name of the program that owns each socket
    • ss -tlnp (from iproute2, installed by default on Ubuntu 16.04) gives the same information if you cannot install net-tools
  3. If you find a process you don't recognize (cupsd and sshd are normal; expect cupsd on 127.0.0.1:631 and sshd on port 22), first Google (or DuckDuckGo) the name to see if it is a regular Linux thing or something related to the CyberPatriot competition. Don't trust the name alone: a malicious program can be named after a legitimate one, so also check where it runs from in step 4.
  4. If it seems potentially dangerous, use a program called htop to inspect or kill it.
    • sudo apt install htop
    • sudo htop
    • press '/' to start searching for a process, and type in the process name you're suspicious of.
    • the Command column will tell you where the program or script is located on your computer. This may be useful if a forensics question asks you to locate a backdoor. The column shows the command line as the process reported it; to see the real path of the binary, run ls -l /proc/<PID>/exe using the PID shown in the PID column.
    • After answering any forensics questions, stop the process if you're confident it's malicious: leave htop (press q or Ctrl-C) and run sudo kill <PID>. If you lose points, try to figure out how to start the process again (rebooting might work). If you don't lose points, remove the program or script from the location found with htop, using sudo rm <program path>. Then check whether something restarts it (a cron job or a systemd service), or it may come back on the next boot.
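The steps above can be scripted so the same triage is repeated after every change to the image. The script below is an added example and is not part of the wiki page or of any CyberPatriot material: it parses sudo netstat -tlnp output, marks each TCP listener as known, UNKNOWN, or HIDDEN (no program name, meaning netstat was run without sudo), and in live mode resolves each PID to the real executable through /proc/PID/exe and warns when it runs from a user-writable directory. KNOWN_LISTENERS is a hypothetical allow-list you would tune for a particular image, and SAMPLE_NETSTAT is constructed output used when the script is run without --live.

```shell
#!/bin/sh
# Added example (not from the wiki page): scripts the netstat/htop triage above.
# Assumptions: run with sudo in --live mode (otherwise other users' PIDs show as "-"),
# net-tools installed as in step 1, and KNOWN_LISTENERS is a hypothetical allow-list.
set -u

# Programs we expect to find listening on this box (hypothetical list).
KNOWN_LISTENERS="sshd cupsd"

# Read `netstat -tlnp` output on stdin and print one line per listening TCP socket:
#   proto local_address pid program verdict
# verdict is "known" (name on the allow-list), "UNKNOWN" (name not on it), or
# "HIDDEN" (netstat showed "-": re-run with sudo to see the owner).
triage_listeners() {
  awk -v known="$KNOWN_LISTENERS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      split($7, pp, "/")                 # column is PID/Program, e.g. 1023/sshd
      pid = pp[1]; prog = pp[2]
      if (prog == "")       { prog = "?"; verdict = "HIDDEN" }
      else if (prog in allow) verdict = "known"
      else                    verdict = "UNKNOWN"
      print $1, $4, pid, prog, verdict
    }'
}

# The real on-disk path of a PID's executable. htop's Command column only shows
# the command line, which a renamed backdoor can make look legitimate;
# /proc/PID/exe reflects the file the kernel actually loaded.
resolve_exe() {
  readlink -f "/proc/$1/exe" 2>/dev/null || echo "(unreadable: not root, or process gone)"
}

# Binaries launched from user-writable locations deserve a look even when the
# name looks legitimate (e.g. a fake "sshd" in /tmp). Returns 0 if suspicious.
suspicious_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*|/home/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `sudo netstat -tlnp` output for offline use; the listener
# on 4444 and the unattributed one on 8080 are the ones to chase.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      998/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2077/nc
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      1023/sshd'

# With --live, triage the running system; otherwise run on the sample above.
if [ "${1:-}" = "--live" ]; then
  input=$(netstat -tlnp 2>/dev/null)
else
  input=$SAMPLE_NETSTAT
fi

printf '%s\n' "$input" | triage_listeners | while read -r proto addr pid prog verdict; do
  echo "$verdict: $proto $addr pid=$pid program=$prog"
  # In live mode, also confirm where each visible process really runs from,
  # since an allow-listed name proves nothing by itself.
  if [ "${1:-}" = "--live" ] && [ "$pid" != "-" ]; then
    exe=$(resolve_exe "$pid")
    echo "  executable: $exe"
    if suspicious_path "$exe"; then
      echo "  WARNING: runs from a user-writable directory"
    fi
  fi
done
```

Run it as sudo sh triage.sh --live on the competition image; without --live it only processes the constructed sample. Anything marked UNKNOWN or HIDDEN, or any executable flagged as running from a user-writable directory, is a candidate for the htop inspection in step 4.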