2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
How to recover a hacked Cloud Virtual Machine?
A hacked Cloud Virtual Machine system is very troublesome: besides the risk of data leakage, the server system itself may be damaged.
Check system exception files
On an intruded system, traces of the intrusion can be found by checking for abnormal files, such as SUID files and files with blank names.
1 Check the SUID file
# find / -uid 0 -perm -4000 -print
2 Check files larger than 10 MB
# find / -size +10000k -print
3 Check for blank files
# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print
4 Check the core files in the system
# find / -name core -exec ls -l {} \;
Check the integrity of system files
The integrity of system files is an important aspect of cloud host intrusion detection. In particular, checking the md5 values of common system commands helps judge whether the system has been invaded: if common commands such as ls and ping have been tampered with by malicious programs, executing them actually executes the malicious programs.
1 Check the integrity of linux system files
Note in particular the following directories: /sbin, /bin, /usr/bin
For example:
# whereis ls
# md5sum /usr/bin/ls
Of course, this can also be written as a script that generates the md5 values of the system files in batch and compares them with those of a normal system. If an md5 value differs from the normal system, your system may have been hacked.
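One way to write the batch comparison script described above, as an added example that is not part of the original article. The script name bincheck.sh, the function names and the baseline.md5 file are hypothetical. It assumes the baseline was generated with make_manifest on a known-good system of the same release, and that md5sum, find and awk on the checking side are themselves trustworthy.

```shell
#!/bin/sh
# Added example: compare md5 values of system binaries with a baseline.
# Assumption: baseline.md5 was produced by make_manifest on a known-good
# system of the same release, and md5sum/find/awk here are themselves
# trustworthy (e.g. run from rescue media with the suspect disk mounted).

# make_manifest DIR...: print "md5  path" for every regular file.
# -H follows a command-line symlink such as /bin -> usr/bin.
make_manifest() {
    find -H "$@" -type f -exec md5sum {} + | sort -k 2
}

# compare_manifests BASELINE CURRENT: print one line per difference.
# Returns 0 if the manifests agree, 1 if any file differs.
compare_manifests() {
    diffs=$(awk '
        { sum = substr($0, 1, 32); path = substr($0, 35) }
        FILENAME == ARGV[1] { base[path] = sum; next }
        {
            seen[path] = 1
            if (!(path in base))         print "NEW     " path
            else if (base[path] != sum)  print "CHANGED " path
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | sort)
    if [ -z "$diffs" ]; then
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}

# Usage (hypothetical script name): sh bincheck.sh baseline.md5 /sbin /bin /usr/bin
if [ "$#" -ge 2 ]; then
    baseline=$1
    shift
    current=$(mktemp)
    make_manifest "$@" > "$current"
    compare_manifests "$baseline" "$current"
    status=$?
    rm -f "$current"
    exit "$status"
fi
```

A CHANGED line can also come from a legitimate package update, so check it against the package manager's records before treating it as tampering.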
2 Check the integrity of system files with the tool AIDE
Checking the md5 values of system files by hand is not very efficient. You can use the AIDE software to assist in checking the integrity of system files. For details of how to use the software, see the official documentation.
Check the network
On the network side, check whether the network card is in promiscuous mode and which ports the system is listening on, paying special attention to ports that belong to neither the system nor a known service.
1 Check network card mode
# ip link | grep PROMISC
A normal NIC should not be in promiscuous mode; if it is, there may be a sniffer. When the NIC is in promiscuous mode, traffic passing through the NIC will be monitored.
2 Check open ports and open files of malicious programs
# netstat -ntlup
# lsof -i :<port number>
The above is an introduction to how to recover a hacked Cloud Virtual Machine. The Cloud Virtual Machine is safe and stable, and has multiple security protection functions, such as DDoS high defense, CC security protection, Cloud Monitor, security group, Cloud Net Shield, etc., which can effectively intercept more than 98% of hacker scanning and intrusion behaviors and greatly enhance the security of cloud hosts.