
How to quickly tell if the Linux server has been compromised?

2025-02-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to quickly judge whether a Linux server has been hacked. The content is detailed and easy to understand, the operations are simple and fast, and it has some reference value. I believe you will gain something from reading it. Let's take a look.

Symptoms of a compromised server

When a server is broken into by an inexperienced attacker or an automated attack program, it tends to end up with 100% of its resources consumed. They may burn CPU on digital currency mining or sending spam, or burn bandwidth launching DoS attacks.

So the first sign of a problem is that the server "slows down". This may show up as a website whose pages load slowly, or as e-mail that takes a long time to send.

So what things should you check?

Check 1-who is currently logged in?

First of all, you need to see who is currently logged in to the server. Discovering that an attacker is logged in and running commands on the server is not complicated.

The corresponding command is w. Running w outputs something like the following:

08:32:55 up 98 days, 5:43, 2 users, load average: 0.05, 0.03, 0.00
USER  TTY    FROM           LOGIN@  IDLE   JCPU   PCPU   WHAT
root  pts/0  113.174.161.1  08:26   0.00s  0.03s  0.02s  ssh root@coopeaa12
root  pts/1  78.31.109.1    08:26   0.00s  0.01s  0.00s  w

The first IP address is in the UK, while the second is in Vietnam. This is not a good sign.

Stop and take a deep breath. Don't panic and simply kill their SSH connection. Unless you can stop them getting back in, they will be back in quickly and will probably kick you out to stop you getting back in.

Please refer to the section "What should I do after being invaded?" at the end of this article to see what to do once you have found evidence of an intrusion.

The whois command takes an IP address and tells you everything about the organization the address is registered to, including, of course, the country.

Check 2-who has logged in?

A Linux server records which users logged in, from which IP, when, and for how long. You can view this information with the last command.

The output looks like this:

root  pts/1  78.31.109.1    Thu Nov 30 08:26   still logged in
root  pts/0  113.174.161.1  Thu Nov 30 08:26   still logged in
root  pts/1  78.31.109.1    Thu Nov 30 08:24 - 08:26  (00:01)
root  pts/0  113.174.161.1  Wed Nov 29 12:34 - 12:52
root  pts/0  14.176.196.1   Mon Nov 27 13:32 - 13:53  (00:21)

Here you can see the UK and Vietnamese IPs alternating, and the top two entries are still logged in. If you see any unauthorized IP, refer to the last section.

Login history is recorded in the binary file /var/log/wtmp, so it is easy to delete. Attackers usually delete this file outright to cover their tracks. So if you run the last command and see only your own current login, that is a bad sign.

If there is no login history at all, be careful and keep looking for other clues of an intrusion.

Check 3-Review command history

Attackers at this level usually don't bother to hide their command history, so running the history command shows everything they've done. Watch for wget or curl commands downloading unusual software such as spam bots or mining programs.

The command history is stored in the ~/.bash_history file, so some attackers delete it to conceal what they are doing. As with login history, if you run the history command and nothing is output, the history file has been deleted. This is also a bad sign, and you need to check the server very carefully. (LCTT translation note: if there is no command history, it may also be a configuration error on your side.)

Check 4-which processes are consuming CPU?

The kind of attacker you usually encounter doesn't hide what they are doing. They run processes that consume a lot of CPU, which makes those processes easy to find: just run top and look at the first few entries.

This can also reveal attackers who never logged in. For example, someone may be abusing an unprotected mail script to send spam.

If you don't recognize a process at the top of the list, you can Google the process name, or use lsof and strace to see what it does.

With these tools, the first step is to copy the process's PID from top and then run:

strace -p PID

This shows every system call the process makes. It produces a lot of output, but that output tells you what the process is doing.

lsof -p PID

This lists the files the process has open. Looking at which files it accesses gives you a good idea of what it is doing.

Check 5-check all system processes

Unauthorized processes that use little CPU may not show up in top, but they can still be listed with ps. The command ps auxf displays enough information in a clear layout.

You need to check every process you don't recognize. Running ps regularly (a good habit) helps you spot strange processes.

Check 6-check the network usage of the process

iftop works like top: it lists the processes sending and receiving network data, along with their source and destination addresses. Processes such as DoS attacks or spam bots show up easily at the top of the list.

Check 7-which processes are listening for network connections?

Usually an attacker installs a backdoor program that listens on a network port for instructions. While it waits, it consumes no CPU or bandwidth, so it is not easy to find with commands such as top.

Both the lsof and netstat commands list all processes using the network. I usually run them with the following parameters:

lsof -i
netstat -plunt

You need to pay attention to processes in the LISTEN and ESTABLISHED states, that is, those waiting for a connection (LISTEN) or already connected (ESTABLISHED). If you encounter a process you don't recognize, use strace and lsof to see what it is doing.
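A quick way to spot the quiet backdoor described above is to diff the listening sockets against what the host is supposed to run. This is an added example, not code from the original article: the BASELINE of expected port/program pairs and the sample netstat output are constructed, and it must be run as root so netstat can show the program names.

```shell
#!/bin/sh
# Added example, not from the original article: compare the listening
# sockets reported by `netstat -plunt` against a baseline of expected
# port/program pairs and print anything else.
# Assumption: BASELINE is what this host is supposed to be listening on.
BASELINE="22/sshd 25/master 80/nginx 68/dhclient"

# Reads `netstat -plunt` output on stdin. Uses the last field for
# PID/Program because UDP rows have no State column, so the column
# position differs between tcp and udp lines. Run as root: otherwise
# netstat prints "-" for other users' processes and every row is flagged.
unexpected_listeners() {
    awk -v base="$BASELINE" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)         # strip address, keep port
            prog = $NF; sub(/^[0-9]*\//, "", prog)  # strip "PID/" prefix
            if (!((port "/" prog) in ok)) print $1, $4, $NF
        }'
}

# Constructed sample: three expected services, an unknown program named
# ".x" listening on 4444, and a UDP row without a State column.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1023/master
tcp6       0      0 :::80                   :::*                    LISTEN      900/nginx
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      31337/.x
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# On a live host run:  netstat -plunt | unexpected_listeners
scan_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_listeners
}
```

Anything it prints is a socket to investigate with strace -p and lsof -p as described above.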

What should I do after being invaded?

First of all, don't be nervous, especially if the attacker is still logged in. You need to regain control of the machine before the attacker notices that you have found him. If he notices, he may lock you out of the server and start destroying the evidence.

If you are not confident, just shut it down. Run either shutdown -h now or systemctl poweroff on the server, or log in to the hosting provider's control panel and turn the server off. After shutting down, you can configure the firewall or consult the provider.

If you are confident in yourself and your hosting provider offers an upstream firewall, you only need to create and enable the following two rules:

1. Allow SSH logins only from your own IP address.
2. Block everything else: not only SSH, but any protocol on any port.

This will immediately close the attacker's SSH session, leaving only you with access to the server.

If you do not have access to an upstream firewall, you need to create and enable these rules on the server itself, and then, once the rules are in effect, use the kill command to terminate the attacker's SSH session. (LCTT translation note: local firewall rules may not cut off established SSH sessions, so to be safe you need to kill the session manually.)

Finally, there is one more option if it is supported: log in to the server through an out-of-band connection such as a serial console, then stop networking with systemctl stop network.service. This shuts down all of the server's network connections, so you can configure those firewall rules at your own pace.
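The on-server variant of the lockdown above, done with nftables: a ruleset that admits SSH only from your own address and drops everything else, followed by killing whatever sessions the firewall did not cut off. This is an added example, not code from the original article; it assumes you are connected from the IPv4 address passed as ADMIN_IP, that nftables is installed, and that it runs as root. The `who` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: the lockdown described
# above, done on the server itself. Assumptions: you are connected from
# ADMIN_IP (IPv4), nftables is installed, and this runs as root.
# Ruleset that accepts SSH (and return traffic) only from the admin
# address, keeps loopback, and drops everything else on every port.
# Note: with policy drop and no general "established" rule, replies to
# the server's own outbound connections are dropped too until you relax it.
lockdown_rules() {
    admin="$1"
    cat <<EOF
flush ruleset
table inet lockdown {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ip saddr $admin tcp dport 22 accept
        ip saddr $admin ct state established,related accept
    }
}
EOF
}

# Reads `who` output on stdin and prints the tty of every session whose
# origin (the parenthesised last field) is not the admin address. Console
# sessions carry no origin field and are left alone.
foreign_ttys() {
    awk -v admin="($1)" '$NF ~ /^\(/ && $NF != admin { print $2 }'
}

# Apply the rules, then kill the sessions the firewall did not cut off
# (the translator's note above: established sessions may survive).
lockdown() {
    admin="$1"
    lockdown_rules "$admin" | nft -f -
    who | foreign_ttys "$admin" | while read -r tty; do
        pkill -KILL -t "$tty"
    done
}

# Constructed `who` output: two remote sessions and one serial console.
WHO_SAMPLE='root     pts/0        2017-11-30 08:26 (113.174.161.1)
root     pts/1        2017-11-30 08:26 (203.0.113.10)
root     ttyS0        2017-11-30 08:30'

# On a live host:  lockdown 203.0.113.10   (replace with your own address)
ttys_from_sample() {
    printf '%s\n' "$WHO_SAMPLE" | foreign_ttys 203.0.113.10
}
```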

After regaining control of the server, don't think that everything will be all right.

Do not try to repair this server and keep using it. You never know what the attacker has done, so you can never be sure the server is secure.

The best way is to copy all the data and reinstall the system.

This is the end of the article on "how to quickly determine whether the Linux server has been compromised". Thank you for reading! I believe everyone now has some understanding of how to quickly judge whether a Linux server has been compromised. If you want to learn more, you are welcome to follow the industry information channel.
