Shulou (Shulou.com), SLTechnology News&Howtos, Network Security. 06/01 report, updated 2025-04-10.
This article walks through a Linux intrusion investigation, from the initial port scan to finding a cryptomining process, its persistence and a backdoor account, and removing them. The steps are practical enough to reuse in day-to-day work.
I. Foreword
After being notified by my manager, I went on site the next day to a company for incident response. On arrival I learned that four servers had been running at full CPU for a long time, that the remote login port (SSH, port 22) was mapped directly to the Internet, and that the login password was 123456, a password that has topped the weak-password lists for years. With that combination it is no surprise the machines were being compromised every day.
II. Event Analysis
The first step was a full port scan of the public IP address. ScanPort was used here; nmap is good but noticeably slower by comparison. The scan result did not match the internal port-mapping table supplied by the customer. The customer explained that the mismatch was caused by the router: some public ports are not reachable when scanned from the internal network.
A second full-port scan, run from a VPS so that it came from outside, matched the mapping table. Logging in to the server with the weak password succeeded, which confirmed the entry point. With the attack source identified, the next step was to analyze the servers themselves. The Xshell client was used for this because it can manage several servers at once.
All four servers were connected at once and top was used to see which processes consumed the most CPU. Comparing the four, a process named sysmd stood out as abnormal.
Searching for the sysmd file found it under /usr/bin, with a creation date in February. pstree showed that sysmd was not a child of any other running process.
Checking the system log files showed that the February logs had been deleted.
Checking the command history showed that on two of the servers the history had been deleted; on one of the others the history contained a search for sysmd and an edit of the startup script /etc/rc.local.
Checking the network connections showed sysmd connected to several different foreign IP addresses.
Looking up one of those IP addresses showed it belonged to an Ethereum mining pool.
Checking the user and password files and the home directories turned up a user named kernelsys with UID 0 that the customer had not created. The login logs showed no logins by kernelsys, and the list of users with sudo rights showed nothing unusual.
Checking the startup scripts, scheduled tasks and startup services showed an entry for sysmd in the rc.local file.
That confirmed the overall picture. The sysmd binary was downloaded for later analysis. The autostart entry for sysmd was removed from the boot script, the account passwords were changed to complex ones, the kernelsys user was disabled, the execute permission was removed from the sysmd file, and the servers were rebooted and observed. Then the report was written.
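The checks above (UID 0 accounts, autostart entries, the process's network peers, files dropped in the suspicious month) and the first containment step (removing the autostart entry) are collected here as an added example; this is not code from the original article. Each function takes file paths so it can be run against saved evidence as well as the live host. The names sysmd, kernelsys and rc.local come from the write-up; the passwd entries, the rc.local contents, the ss -ntp output, the IP addresses and the timestamps are all constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Every sample file below is
# constructed; only the names sysmd, kernelsys and rc.local come from the write-up.

# --- checks used during the investigation ---------------------------------

# Accounts with UID 0 other than root (the article's kernelsys). Argument: passwd file.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Active (non-comment) lines of a startup script that mention a binary name.
# Arguments: script path, binary name. Output: "<line no>: <line>".
find_autostart() {
    awk -v bin="$2" '$0 !~ /^[[:space:]]*#/ && index($0, bin) { print NR ": " $0 }' "$1"
}

# Unique peer addresses of a named process, from saved `ss -ntp` output.
# Arguments: ss output file, process name. The peer port is stripped.
peers_of() {
    grep -F "((\"$2\"" "$1" | awk '{ sub(/:[0-9]+$/, "", $5); print $5 }' | sort -u
}

# Regular files whose mtime falls inside a window. The article looked for a
# February creation date; mtime is used here because birth time is not exposed
# on every filesystem. Arguments: dir, start, end as touch -t stamps (YYYYMMDDhhmm).
# (GNU find could use -newermt directly; reference files keep this POSIX.)
files_in_window() {
    local lo hi
    lo=$(mktemp); hi=$(mktemp)
    touch -t "$2" "$lo"; touch -t "$3" "$hi"
    find "$1" -type f -newer "$lo" ! -newer "$hi" | sed 's#.*/##' | sort
    rm -f "$lo" "$hi"
}

# --- containment step from the write-up -----------------------------------

# Comment out every active line that mentions the binary, keeping a .bak copy
# of the original so the change is reversible and the evidence is preserved.
disable_autostart() {
    cp "$1" "$1.bak"
    awk -v bin="$2" '
        $0 !~ /^[[:space:]]*#/ && index($0, bin) { print "# disabled during IR: " $0; next }
        { print }' "$1.bak" > "$1"
}

# --- constructed evidence ---------------------------------------------------
WORK=$(mktemp -d)

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kernelsys:x:0:0::/home/kernelsys:/bin/bash
ops:x:1000:1000::/home/ops:/bin/bash
EOF

cat > "$WORK/rc.local" <<'EOF'
#!/bin/sh -e
# /usr/bin/sysmd   <- a commented-out mention must not be reported
/usr/bin/sysmd >/dev/null 2>&1 &
exit 0
EOF

cat > "$WORK/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
ESTAB  0      0      10.0.0.5:41234     198.51.100.7:3333  users:(("sysmd",pid=1337,fd=5))
ESTAB  0      0      10.0.0.5:22        192.0.2.10:50412   users:(("sshd",pid=900,fd=4))
ESTAB  0      0      10.0.0.5:52110     203.0.113.9:14444  users:(("sysmd",pid=1337,fd=6))
EOF

mkdir -p "$WORK/bin"
touch -t 202402120314 "$WORK/bin/sysmd"   # dropped in February
touch -t 202311010900 "$WORK/bin/ls"      # older, legitimate file

# --- run the checks, then contain -------------------------------------------
echo "UID 0 accounts besides root:";  find_extra_uid0 "$WORK/passwd"
echo "Autostart entries for sysmd:";  find_autostart "$WORK/rc.local" sysmd
echo "Peers of sysmd:";               peers_of "$WORK/ss.txt" sysmd
echo "Files modified in Feb 2024:";   files_in_window "$WORK/bin" 202402010000 202403010000

cp "$WORK/rc.local" "$WORK/rc.local.fixed"
disable_autostart "$WORK/rc.local.fixed" sysmd
echo "Entries left after containment: $(find_autostart "$WORK/rc.local.fixed" sysmd | wc -l)"
```

On a live host, point the functions at /etc/passwd, /etc/rc.local and the output of `ss -ntp` saved to a file. Saving those inputs before touching anything means the same checks can be rerun later while writing the report, and the .bak copy made by disable_autostart keeps the original persistence line as evidence.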