What is the idea of manual intrusion detection by Linux?

2025-01-29 Update From: SLTechnology News&Howtos (shulou), Servers

Shulou(Shulou.com)06/01 Report--

How should one go about a manual intrusion investigation on a Linux host? Many newcomers are unclear about this, so to help with the problem this article walks through the process in detail; those who need it are welcome to follow along, and I hope you gain something from it.

When a security incident occurs on a Linux host, we can generally use common shell commands to analyse the host's abnormal behaviour, its processes and ports, its startup mechanisms, suspicious files, log records and other information, and so confirm whether the host has been compromised.

01. Check the system account

From the attacker's point of view, after a successful intrusion the intruder often leaves a backdoor so as to regain access to the compromised system later, and creating a system account is one of the more common backdoor methods. During intrusion troubleshooting, the user file /etc/passwd and the password file /etc/shadow are key areas to focus on.

(1) Query privileged users (uid is 0)

awk -F: '$3 == 0 {print $1}' /etc/passwd

(2) Query accounts that have a password set and can therefore log in remotely (the pattern matches the $1$ MD5 and $6$ SHA-512 hash prefixes in /etc/shadow)

awk '/\$1|\$6/ {print $1}' /etc/shadow

(3) Check whether any account other than root has sudo permission. If management does not require it, the sudo permission should be removed from ordinary accounts.

more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"

(4) Disable or delete redundant and suspicious accounts

Disable the account (it can no longer log in, and the second field of its /etc/shadow entry begins with "!"): usermod -L user
Delete the user: userdel user
Delete the user and also remove its home directory under /home: userdel -r user

(5) Information about users currently logged in to the system

View the currently logged-in users (tty is a local login, pts a remote login): who
View system information and what users are doing at the moment: w
View how long the system has been up, how many users are logged in, and the load: uptime
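The account checks from this section, written as an added example (not code from the original article) in which each check takes the file to inspect as a parameter, so the same logic can be run against the live /etc files or against copies collected from a suspect host. The passwd, shadow and sudoers contents below are constructed samples; the hashes in them are placeholders.

```shell
#!/bin/sh
# Added example: section 01 account checks as reusable functions. The sample
# files are constructed for the demonstration and are not real system files.

# Accounts whose uid is 0; anything besides root here is a backdoor candidate.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 {print $1}' "$1"
}

# Accounts that can authenticate with a password: field 2 holds a hash beginning
# with "$" ($1$ MD5, $5$ SHA-256, $6$ SHA-512, ...). "!" or "*" means locked/no password.
password_accounts() {        # $1 = shadow file
    awk -F: 'substr($2, 1, 1) == "$" {print $1}' "$1"
}

# Users or %groups other than root granted ALL=(ALL) in sudoers (comments/blank lines skipped).
sudo_grants() {              # $1 = sudoers file
    grep -E -v '^[[:space:]]*(#|$)' "$1" | grep 'ALL=(ALL)' | awk '$1 != "root" {print $1}'
}

# Constructed sample files standing in for /etc/passwd, /etc/shadow and /etc/sudoers;
# "sysadm" is a planted second uid-0 account, "www" a web user with a sudo grant.
write_samples() {            # $1 = directory to populate
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
www:x:1001:1001::/home/www:/bin/bash
sysadm:x:0:1002::/home/sysadm:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltsalt$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
www:!!:19000:0:99999:7:::
sysadm:$1$saltsalt$constructedhash:19000:0:99999:7:::
EOF
    cat > "$1/sudoers" <<'EOF'
# constructed /etc/sudoers sample
root    ALL=(ALL)       ALL
www     ALL=(ALL)       NOPASSWD: ALL
%wheel  ALL=(ALL)       ALL
EOF
}

SAMPLE=$(mktemp -d)
write_samples "$SAMPLE"
echo "uid 0 accounts:";             uid0_accounts "$SAMPLE/passwd"
echo "password-enabled accounts:";  password_accounts "$SAMPLE/shadow"
echo "non-root sudo ALL=(ALL):";    sudo_grants "$SAMPLE/sudoers"
```

On a live host, point the functions at /etc/passwd, /etc/shadow and /etc/sudoers (the last two need root).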

02. Check for abnormal ports

(1) Use the netstat network connection command to analyse suspicious ports, IPs, PIDs and other information.

netstat -antlp | more

(2) If abnormal network connections are found and need continued observation, capture and analyse packets.

tcpdump -c 10 -q    // quiet mode, display 10 packets

03. Check for suspicious processes

(1) Use the ps command to list the processes currently running on the system, and analyse abnormal process names, PIDs, suspicious command lines and so on.

ps aux / ps -ef

(2) Use the top command to display the resource usage of each process on the system, for example to find processes whose resource consumption is abnormally high.

top

(3) If an anomaly is found, you can use the following commands for further investigation:

View the complete command line the process was started with: ps eho command -p $PID
View the directory the process was started from: readlink /proc/$PID/cwd
Check the executable path corresponding to the PID: ls -l /proc/$PID/exe
View the complete environment the process was started with (here for PID 1461): strings -f /proc/1461/environ | cut -f2 -d ' '
List all files opened by the process: lsof -p $PID

04. Check system services

Linux system service management: CentOS 7 uses systemd, while CentOS 6 and earlier use chkconfig.

(1) With the systemd service manager, the services enabled at boot can be listed as follows:

systemctl list-unit-files --type=service | grep "enabled"

(2) chkconfig is the tool CentOS 6 used to control system services; check the auto-start status of services with:

chkconfig --list
chkconfig --list | grep "3:on\|5:on"

05. Check the boot entry

(1) Check the startup scripts

more /etc/rc.local
/etc/rc.d/rc[0-6].d
ls -l /etc/rc.d/rc3.d/

(2) Example: when we want one of our own scripts to run at boot, we only need to place the executable script in the /etc/init.d directory and create a symbolic link to it in /etc/rc.d/rc*.d:

ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S100ssh

Here sshd is the script file of a specific service and S100ssh is its symbolic link. A script whose name begins with S is started when that runlevel is entered; one whose name begins with K is stopped (killed) when that runlevel is entered.

06. Check the planned tasks

Intruders commonly use scheduled tasks as a persistence mechanism. To check for abnormal scheduled tasks, focus on whether malicious scripts exist in the following locations:

/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/anacron/*

07. Check the exception file

1. Check sensitive directories, such as the files under /tmp, and look for hidden directories: a directory whose name begins with ".." has the hidden property and does not show up in a plain ls.

2. Once you have the creation time of a webshell or remote-control Trojan, how do you find the other files created in the same time range?

You can use the find command, for example find /opt -iname "*" -atime 1 -type f to find the files under /opt that were accessed the day before.

3. You can use stat to view the creation and modification times of a suspicious file.

08. Check history command

Generally speaking, after an intruder obtains a shell they will execute some system commands, which leaves traces on the host. We can query the execution history of shell commands through the history command.

(1) Query which commands a user has executed on the system

Log in to the system as root and check the .bash_history file in each user's home directory under /home.

(2) By default the system keeps 1000 history commands and does not record the time each command was executed; harden this as needed.

a) Save 10,000 commands:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

b) Add the following configuration at the end of the /etc/profile file:

######## harden history display ########
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
######## harden history display ########

c) Run source /etc/profile to make the configuration take effect.

09. Check the system log

On Linux, system-related logs are placed under /var/log by default. When a problem occurs, users can quickly locate and resolve it by viewing the logs. Common log files are as follows:

/var/log/btmp: records failed login attempts. This file is binary and cannot be viewed directly with vi; use the lastb command to view it.
/var/log/lastlog: records the last login time of every user on the system. This file is binary and cannot be viewed directly with vi; use the lastlog command to view it.
/var/log/wtmp: permanently records the login and logout of all users, as well as system startup, restart and shutdown events. This file is also binary and cannot be viewed directly with vi; use the last command to view it.
/var/log/utmp: records the currently logged-in users. This file changes as users log in and out and only holds information about users who are logged in right now. Again, it cannot be viewed directly with vi; query it with commands such as w, who and users.
/var/log/secure: records authentication and authorization information. Any program that deals with accounts and passwords is recorded here: SSH logins, su user switches, sudo authorizations, and even adding users and changing user passwords are all written to this log file.

In general we need to focus on the secure log: check the failed login records, count the number of retries per IP, the time of successful logins and the user names and IPs involved, and confirm whether an account has been brute-forced or logged in abnormally.

1. Locate how many IPs are brute-forcing the host's root account:

grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Locate which IPs are brute-forcing:

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr

What user name dictionary is the brute force using?

grep "Failed password" /var/log/secure | perl -e 'while ($_ = <>) { /for (.*?) from/; print "$1\n"; }' | sort | uniq -c | sort -nr

2. Which IPs have logged in successfully:

grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more

Date, user name and IP of each successful login (fields 1-3 are the timestamp, field 9 the user name and field 11 the IP in a line such as "... Accepted password for root from 203.0.113.5 port 22 ssh2"):

grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
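The secure-log checks above rely on fixed awk field numbers, which break for lines of the form "Failed password for invalid user bob from ...", where the extra words shift the IP from field 11 to field 13. The following added example (not code from the original article) does the same three checks by locating the "for <user>" and "from <ip>" keywords instead; the log lines are constructed samples using RFC 5737 test addresses.

```shell
#!/bin/sh
# Added example: section 09 /var/log/secure checks keyed on "for"/"from"
# rather than positional fields, so "invalid user" lines are counted correctly.

# Reads sshd auth lines on stdin; prints "month day time user ip" per line.
ssh_user_ip() {
    awk '{ u = ""; ip = ""
           for (i = 1; i <= NF; i++) {
               if ($i == "for" && u == "") { u = $(i+1); if (u == "invalid") u = $(i+3) }
               if ($i == "from") ip = $(i+1)
           }
           print $1, $2, $3, u, ip }'
}

# Failed password attempts per source IP, most active first. $1 = log file
failed_by_ip() {
    grep 'Failed password' "$1" | ssh_user_ip | awk '{print $5}' | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# User names tried in failed attempts (the attacker's dictionary), with counts.
failed_users() {
    grep 'Failed password' "$1" | ssh_user_ip | awk '{print $4}' | sort | uniq -c | sort -nr | awk '{print $1, $2}'
}

# Date, user and source IP of every successful login.
accepted_logins() {
    grep 'Accepted' "$1" | ssh_user_ip
}

# Constructed sample log standing in for /var/log/secure.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan 29 10:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jan 29 10:00:02 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2
Jan 29 10:00:03 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 40001 ssh2
Jan 29 10:00:04 web1 sshd[1204]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 29 10:05:00 web1 sshd[1210]: Accepted password for root from 203.0.113.5 port 51030 ssh2
Jan 29 11:00:00 web1 sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2
EOF

echo "Failed attempts per IP:"; failed_by_ip "$LOG"
echo "User names tried:";       failed_users "$LOG"
echo "Successful logins:";      accepted_logins "$LOG"
```

A successful login from an IP that also appears near the top of the failed list, as 203.0.113.5 does here, is the pattern that points to a brute-forced account.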
