2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In this issue the editor walks through how to handle an attack on a Linux server. The article is detailed and analyses the case from a professional point of view; I hope you get something out of it.
I. Troubleshooting the problem
My first reaction was to have the data center operations staff cut the server off from the external network immediately and investigate over the internal network. But then the traffic would disappear, and it would be hard to find the source of the attack.
So I contacted the data center for help and authorised their technician to log in to the system: first check with the w command whether any abnormal users were logged in, then look at the login log /var/log/auth.log (as expected, it had been wiped), and finally use a tool to find out which connection was consuming the traffic; I used iftop.
The technician sent photos: the local host had been sending HTTP packets to the IP 104.31.225.6, and was still doing so.
OK, first block this IP and see:
iptables -A OUTPUT -d 104.31.225.6 -j DROP
A miracle: the traffic dropped instantly and the system could be logged in to normally again.
After a while, unfortunately, the traffic climbed again. Damn! What happened! The mood suddenly became tense.
I quickly contacted the data center technician again and asked him to repeat the IP-blocking step.
He sent photos again, and this time I was dumbfounded: the destination IP had changed. What now? Blocking them one by one is impossible!
Calm down and think carefully: the packets are going out from the local host, so there must be a local program sending them!
II. Finding the source of the attack
First filter by port with netstat to see the ID of the process behind it:
netstat -atup | grep 15773
The result was empty; trying another port gave the same result!
I had the technician watch the connection state: it turned out these were short-lived connections, the port was released very quickly, so the port's connection state could not be seen.
For normal persistent connections you can use lsof -i :15773 to find the PID, then lsof -p PID to find the files that process has open.
OK! I decided to cut off the external network first, enter the system by SSH over the intranet, and find the program that was sending the packets!
First I used netstat -antup to see whether any suspicious ports or connections were open.
Then ps -ef to see whether any suspicious processes were running.
Careful cross-checking turned up nothing suspicious.
Had a rootkit Trojan been implanted? I didn't know. Let's give it a try.
To judge whether a rootkit has been implanted, you can check the executables with md5sum: first find an operating system of the same version, get the md5 value of the tool's executable there, then get the md5 value of the suspect executable and compare the two. If they are the same, the tool can be trusted; if they differ, it has very likely been replaced.
Also, the executable of a typical tool is somewhere between tens of KB and a few hundred KB in size.
In fact I did not use the md5 method to decide whether the tools could be trusted, because this operating system is relatively old and the same version is hard to find; with even a slightly different version the tool may have been updated and the md5 values would differ.
I first ran du -sh /bin/lsof and found it was 1.2M, which was obviously a problem.
So I tried uploading the netstat, ps and other tool binaries from a normal system to the compromised system and replacing the originals. Sure enough, a miracle happened.
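The md5sum comparison and size check described above, automated as a small script. This is an added example, not code from the original article; the hash manifest, tool names and directory trees are a constructed fixture built in a temp dir.

```shell
# Added example, not part of the original article: automate the md5sum-and-size
# check described above. A manifest of md5 hashes is taken on a known-clean
# system of the same version and compared against the suspect host, and any
# tool larger than a chosen limit is listed (the replaced lsof here was 1.2M).
# Every path below is a constructed fixture in a temp dir, not a real system.

# verify_manifest MANIFEST ROOT: one line per entry, OK / MISMATCH / MISSING.
# Manifest lines are "<md5>  <relative path>", exactly as md5sum writes them.
verify_manifest() {
    manifest=$1; root=$2
    while read -r want path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
        elif [ "$(md5sum "$file" | cut -d' ' -f1)" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"   # candidate for a replaced binary
        fi
    done < "$manifest"
}

# count_mismatches MANIFEST ROOT: number of entries that are not OK.
count_mismatches() {
    verify_manifest "$1" "$2" | grep -c -v '^OK' || true
}

# oversize_tools ROOT LIMIT_KB: files under ROOT/bin larger than LIMIT_KB.
oversize_tools() {
    for f in "$1"/bin/*; do
        kb=$(( $(wc -c < "$f") / 1024 ))
        [ "$kb" -gt "$2" ] && echo "$kb KB  $f"
    done
    return 0
}

# Constructed fixture: a clean tree, and a suspect tree whose lsof has been
# swapped for a padded impostor, standing in for the replaced tools found above.
FIX=$(mktemp -d); CLEAN=$FIX/clean; SUSPECT=$FIX/suspect; MANIFEST=$FIX/manifest.md5
mkdir -p "$CLEAN/bin" "$SUSPECT/bin"
for t in ps netstat lsof ss; do
    printf 'genuine %s\n' "$t" > "$CLEAN/bin/$t"
    cp "$CLEAN/bin/$t" "$SUSPECT/bin/$t"
done
yes 'not the real lsof' | head -c 1300000 > "$SUSPECT/bin/lsof"
(cd "$CLEAN" && md5sum bin/ps bin/netstat bin/lsof bin/ss) > "$MANIFEST"

verify_manifest "$MANIFEST" "$SUSPECT"   # prints MISMATCH for bin/lsof only
oversize_tools "$SUSPECT" 512            # lists only the 1269 KB impostor
```

On a real host the manifest would be generated on the clean reference machine and copied over, and the binaries used to compute the hashes (md5sum, cut) must themselves come from trusted media, since a replaced md5sum would defeat the check.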
III. Cleaning up the Trojan program
After running ps -ef, a few suspicious lines appeared at the bottom. I wanted to take a screenshot here, but unfortunately the SSH client was closed and no screenshot was kept.
From memory, it looked something like this:
PID /sbin/java.log
PID /usr/bin/dpkgd/ps -ef
PID /usr/bin/bsd-port/getty
PID /usr/bin/.sshd
Next, let's look at these processes one by one.
How could an executable called java.log be running? Did a colleague run it? I asked; they said no. Fine, kill the process and move the file to another directory before looking at it.
Why does the /usr/bin/dpkgd/ps -ef process look like a command I executed? A closer look shows the command's path is wrong: it is not /bin/ps. Go to that directory to check.
Damn, there are several more in there; it is almost certain that these tools have been replaced.
There is also a getty executable, which does not run under a normal system, so it was probably left by the attacker too. Kill the process and delete the directory. Better to kill a hundred by mistake than let one go!
A .sshd process? Obviously very suspicious. Is it an ssh backdoor? Kill it!
For now these abnormal processes have been dealt with.
Then run ps -ef again and, strangely, the java.log process is back up. Is there an auto-start setting? So check /etc/init.d: there is an abnormal executable there that does not exist on a normal system, and opening it shows that it is indeed a script that starts the Trojan automatically.
Delete these two scripts, then delete the java.log file; the file is no longer regenerated and the process no longer runs!
All right, the external network can be turned back on; after observing for a while, network traffic is no longer soaring.
IV. Summary
ls /usr/bin/dpkgd/ # tools replaced by the attacker (netstat lsof ps ss); the system's own tools are never in this directory, and it does not exist on a normal system.
/sbin/java.log # judged to be the program sending the outbound packets; regenerated automatically after deletion.
/usr/bin/bsd-port # judged to be what regenerates java.log automatically, or a backdoor program.
/usr/sbin/.sshd # judged to be a backdoor program.
What if there are other Trojans?
If it was an XSS attack, or an application-layer vulnerability, what then?
The best way to settle these questions is to back up the data, reinstall the system, and clean up thoroughly.
But from our company's point of view the system cannot be reinstalled for now: the business is complex, many services run on it, and not everything is understood yet. The plan is to migrate the data gradually and keep observing!
The reasons the attacker was able to get in:
Operations staff have low network-security awareness and implement few security policies.
Exposed applications are not security-scanned before going live.
There are no security testers; nobody follows the latest vulnerability developments, so vulnerabilities are not found in time.
And so on...
In view of this attack, a summary of protection ideas:
After installing a Linux system, enable the firewall and allow only trusted sources to reach the specified services; delete unnecessary users, turn off unnecessary services, and so on.
Collect logs, including system logs, login logs and program logs; alert on abnormal keywords and detect potential risks in time.
Collect user login information in real time, including login time, password retries and the commands users execute.
Monitor change events on sensitive files or directories, such as /etc/passwd, /etc/shadow, /web, /tmp.
Monitor process state, with monitoring and notification of new processes (other than business and system processes).
Scan live servers for system and web-process security vulnerabilities.
The above is how to deal with an attack on a Linux server, as shared by the editor. If you have similar doubts, refer to the analysis above. To learn more, you are welcome to follow the industry information channel.