
I have a Linux server which is compromised; I can see nasty-looking Perl scripts executing with root privileges. I want to get some data off it before I wipe it. How can I block all inbound and outbound traffic except for my IP? It's a CentOS server, so I assume I can do this with iptables?

I'm aware that, as the server is rooted, there is a possibility that attackers could have made changes on the server that would prevent this from working. I'll be testing to make sure, and will only have the server online for a couple of hours before it is nuked.

Shane Madden
ollybee

1 Answer


Replace X.X.X.X with your IP address and this should work:

```sh
# -I inserts at the head of each chain, so these rules are evaluated
# before anything already present in the ruleset.
iptables -I INPUT ! -s X.X.X.X -j DROP     # drop inbound packets not from your IP
iptables -I OUTPUT ! -d X.X.X.X -j REJECT  # reject outbound packets not to your IP
iptables -I FORWARD -j DROP                # the box should not route anything
```
fukawi2
  • While this answer may theoretically work, you ***SHOULD NOT*** trust any functionality on a compromised server: you have no way of knowing if `iptables` has been affected. You should *physically disconnect the machine from the network*, and grab any data you need from the compromised host using either a crossover cable or a USB stick. – voretaq7 Jul 01 '13 at 16:57
  • The above comment is true, although most of the time it should be a fairly reasonable mitigation. I've never come across a script kiddie who goes to the trouble of altering netfilter functionality, but there's no guarantee it's a script kiddie who's compromised your box. If you have customers' details, credit cards etc. on that box, disconnect it. If it's just a web server with minimal sensitive data, you could make the call to just use the above. – fukawi2 Jul 01 '13 at 22:47
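The same lockdown as a reviewable script, added here as an example and not part of fukawi2's answer or the question. It validates the admin address before it is interpolated into a rule, prints the rules so they can be read before anything runs, and also keeps loopback open (the rules above on their own would cut off local connections, e.g. to a database you still want to dump). The address 203.0.113.10 and the filename lockdown.sh are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original answer: builds the lockdown
# rules so they can be reviewed before being applied on the host.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, empty octets
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the iptables commands for admin address $1, one per line.
# Each uses "-I CHAIN 1" so it lands ahead of whatever is already in the
# chain; emitted in reverse so the final order is: loopback accepted
# first, then everything not involving the admin address dropped.
lockdown_rules() {
    admin=$1
    valid_ipv4 "$admin" || { echo "invalid IPv4 address: $admin" >&2; return 1; }
    cat <<EOF
iptables -I INPUT 1 ! -s $admin -j DROP
iptables -I OUTPUT 1 ! -d $admin -j REJECT
iptables -I FORWARD 1 -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
EOF
}

# Apply the rules (needs root), then print the live chains so the result
# can be checked from the admin address before copying data off.
apply_lockdown() {
    lockdown_rules "$1" | while IFS= read -r rule; do
        echo "+ $rule"; $rule || exit 1
    done || return 1
    iptables -S INPUT; iptables -S OUTPUT; iptables -S FORWARD
}

# Usage: sh lockdown.sh 203.0.113.10          (print rules for review)
#        sh lockdown.sh 203.0.113.10 --apply  (apply them, as root)
if [ "$2" = "--apply" ]; then apply_lockdown "$1"
elif [ -n "$1" ]; then lockdown_rules "$1"; fi
```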