Shulou(Shulou.com)06/03 Report--

This article mainly explains "how to write a shell script for checking the backdoor program of CentOS under Linux". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "how to write a shell script for checking the backdoor program of CentOS under Linux".

Each process will have a PID, and each PID will have a corresponding directory under the / proc directory, which is the implementation of the linux (current kernel 2.6) system.

General backdoor programs can not be found in ps and other process viewing tools, because these common tools and even system libraries have basically been tampered with after the system has been invaded (there are a lot of rootkit circulating on the Internet. If it is a kernel-level Trojan horse, then this method is invalid.

Because the modification of the system kernel is relatively complex (if the kernel has been modified, or a kernel-level Trojan horse, it is more difficult to find), so the traces of Trojans can basically be found under / proc.

Train of thought:

There must be a problem with the process ID that exists in / proc and cannot be seen (hidden) in ps.

#! / bin/bashstr_pids= "`ps-A | awk'{print $1}'`"; for I in/ proc/ [[: digit:]] *; do if echo "$str_pids" | grep-qs `basename "$I"`; then: else echo "Rootkit's PID: $(basename" $I ")"; fidone

Discussion:

The complexity of checking whether the Linux is hacked depends largely on whether the intruder has done enough "clean-up work". For a well-done intrusion, getting rid of it will be a delicate and painful thing, which usually requires the use of professional third-party tools (open source, such as tripwire, such as aide) to do this.

Professional tools are relatively troublesome to deploy and use, and not all administrators can use them skillfully.

In fact, the Linux system itself has provided a set of "verification" mechanism, and the program on the check system has not been modified. For example, the-V function provided by the rpm package management system:

Rpm-Va

You can verify all the packages on the system and output the files and related information that have been modified during installation. But the rpm system may also be broken, such as modified.

Thank you for your reading, the above is the content of "how to write the shell script of the CentOS backdoor search program under Linux". After the study of this article, I believe you have a deeper understanding of how to write the shell script of the CentOS backdoor search program under Linux, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.