
I have a Linux server which is compromised; I can see nasty-looking perl scripts executing with root privileges. I want to get some data off it before I wipe it. How can I block all inbound and outbound traffic except for my IP? It's a CentOS server; I assume I can do this with iptables?

I'm aware that, as the server is rooted, there is a possibility that attackers could have made changes on the server that would prevent this from working. I'll be testing to make sure and will only have the server online for a couple of hours before it is nuked.

Shane Madden
ollybee

1 Answer

Replace X.X.X.X with your IP address and this should work:

iptables -I INPUT ! -s X.X.X.X -j DROP
iptables -I OUTPUT ! -d X.X.X.X -j REJECT
iptables -I FORWARD -j DROP
fukawi2
  • While this answer may theoretically work you *SHOULD NOT* trust any functionality on a compromised server: You have no way of knowing if iptables has been affected. You should physically disconnect the machine from the network, and grab any data you need from the compromised host using either a crossover cable or a USB stick. – voretaq7 Jul 01 '13 at 16:57
  • The above comment is true, although most of the time it should be fairly reasonable mitigation. I've never come across a script kiddie who goes to the trouble of altering netfilter functionality, but there's no guarantee it's a script kiddie who's compromised your box. If you have customers' details, credit cards, etc. on that box, disconnect it. If it's just a web server with minimal sensitive data, you could make the call to just use the above. – fukawi2 Jul 01 '13 at 22:47
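A fuller version of the lockdown the answer sketches, as an added example (my own script, not the answer's or any project's code). Compared with the three inserted rules it sets a DROP policy on every chain, keeps loopback open so local tools still work while you copy data off, logs (rate-limited) every blocked outbound attempt so the perl scripts' callback destinations end up in the kernel log as evidence, and then re-reads `iptables -S` to confirm the rules actually landed. That check only catches ordinary mistakes such as a rule reload from some service; as voretaq7's comment says, it still relies on the box's own iptables binary. It assumes root, an `iptables-restore` binary, and a single IPv4 admin address; the function names (`is_ipv4`, `build_lockdown_rules`, `verify_lockdown`, `apply_lockdown`) and the address 203.0.113.5 are this example's own.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a complete lockdown
# ruleset for iptables-restore (default DROP on every chain, loopback open,
# only the admin IP allowed in or out, blocked outbound logged) and verifies
# the installed ruleset from `iptables -S`. Assumes root, iptables-restore,
# and one IPv4 admin address. All function names here are this example's own.

# Basic sanity check: dotted quad with octets 0-255 only, so the address can
# never smuggle extra rule text into the generated ruleset.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print an iptables-restore ruleset for the filter table. Policies are DROP,
# so anything not listed is blocked; the LOG rule records every outbound
# attempt that is not to the admin host (rate-limited to keep the log usable).
build_lockdown_rules() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s $1/32 -j ACCEPT
-A OUTPUT -d $1/32 -j ACCEPT
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "lockdown-out: "
COMMIT
EOF
}

# Check that the installed ruleset really is the lockdown.
# $1 = admin IP, $2 = text of `iptables -S` captured from the box.
verify_lockdown() {
    admin_ip="$1"; dump="$2"; chain=""
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$dump" | grep -qxF -e "-P $chain DROP" \
            || { echo "verify: $chain policy is not DROP" >&2; return 1; }
    done
    printf '%s\n' "$dump" | grep -qxF -e "-A INPUT -s $admin_ip/32 -j ACCEPT" \
        || { echo "verify: admin INPUT rule missing" >&2; return 1; }
    printf '%s\n' "$dump" | grep -qxF -e "-A OUTPUT -d $admin_ip/32 -j ACCEPT" \
        || { echo "verify: admin OUTPUT rule missing" >&2; return 1; }
}

# Replace the filter table atomically, then confirm from the live ruleset.
apply_lockdown() {
    build_lockdown_rules "$1" | iptables-restore || return 1
    verify_lockdown "$1" "$(iptables -S)"
}

# Usage (from your own SSH session, so the admin rule covers that connection):
#   sh lockdown.sh apply 203.0.113.5
if [ "${1:-}" = "apply" ]; then
    apply_lockdown "$2"
fi
```

Because `iptables-restore` replaces the whole filter table in one step, there is no window where half the rules are in place; `build_lockdown_rules IP | iptables-restore -t` parses the ruleset without committing it if you want to eyeball it first. Blocked outbound attempts show up in the kernel log with the `lockdown-out:` prefix, which is worth saving alongside the data you copy off before the box is wiped.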