2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article explains the steps for handling a compromised host. The procedure is straightforward and easy to follow; work through the steps in order.
STEP 1: isolate the host from the current business network
Operational significance: separate the compromised host from the business environment so that the attacker cannot use it as a foothold to pivot further into the network.
Method 1: shut down the server's port on the directly connected switch
Example configuration: int G0/0/24, then shutdown (G0/0/24 is an example interface)
Method 2: bring down the network interface on the server itself
Example command: ifdown eth0 (eth0 is an example interface)
Method 3: disconnect the network cable
Example operation: unplug the cable from the server's network port
STEP 2: move the host to an isolated network segment (recommended) and capture and inspect its traffic
Operational significance: record the compromised host's network connections to support tracing the attack to its source and to identify programs that communicate abnormally.
Method 1: connect the host to the isolated network and capture packets locally with tcpdump or Wireshark
Actual operation: tcpdump -i eth2 -c 10000 -w eth2.cap
Or select the interface in Wireshark and start capturing. Then save a copy of the connection table with netstat -anob >> 1.txt (the -o and -b options are Windows-specific; on Linux use netstat -anp), and finally analyze and filter the captured packets (for example, if your application listens on TCP port 8080, apply the Wireshark filter not tcp.port == 8080 to see only non-business traffic).
Method 2: capture packets through port mirroring
Actual operation: use the switch's port mirroring command to copy the server's traffic to the packet-capture host and collect it there.
Then save a copy of the connection table with netstat -anob >> 1.txt and analyze and filter the captured packets as above.
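The same "everything except business traffic" idea can be applied to the saved connection table instead of the packet capture. The following is an added example (not part of the original article): a small awk filter that reports every socket where neither the local nor the remote port is a known business port. The connection table SAMPLE_NETSTAT is constructed in the netstat -an format for the demo, and the allowed-port list is an assumption you replace with your own services.

```shell
#!/bin/sh
# Added example, not from the original article: a shell counterpart of the
# Wireshark filter "not tcp.port == 8080", applied to a saved connection
# table (netstat -an style, one socket per line). Any tcp/udp line where
# neither the local nor the remote port is an allowed business port is printed.
# SAMPLE_NETSTAT below is constructed for this example (documentation addresses).

SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:8080      10.0.0.9:51234     ESTABLISHED
tcp        0      0 10.0.0.5:8080      10.0.0.10:51235    ESTABLISHED
tcp        0      0 10.0.0.5:49152     203.0.113.7:4444   ESTABLISHED
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN
udp        0      0 0.0.0.0:68         0.0.0.0:*'

# flag_non_business "PORT PORT ..." < connection-table
# Prints every tcp/udp line whose local and remote ports are both outside the
# allowed list; these are the connections to explain first during triage.
flag_non_business() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      # fields: proto recv-q send-q local remote [state]
      # the port is whatever follows the last ":" (works for IPv4 and IPv6 forms)
      nl = split($4, l, ":"); nr = split($5, r, ":")
      if (!(l[nl] in ok) && !(r[nr] in ok)) print
    }'
}

# Demo helper: number of flagged lines in the constructed sample for a given allow list.
count_non_business() {
  printf '%s\n' "$SAMPLE_NETSTAT" | flag_non_business "$1" | wc -l | tr -d ' '
}
```

On the saved file from the article's procedure this is simply flag_non_business "8080 22" < 1.txt; on a live Linux host, netstat -an | flag_non_business "8080 22". Ports used by legitimate management traffic (SSH, DHCP, monitoring agents) belong in the allow list, otherwise they show up as noise beside the genuinely unexplained connection.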
STEP 3: preserve and analyze logs
Operational significance: review the logs on the central log server and the host's local logs (not only the server's own) to find signs of intrusion.
Check the secure log first, then the system and application logs, cron, btmp, and so on.
/var/log/messages: system information and error messages after boot
/var/log/secure: security-related log information
/var/log/maillog: mail-related log information
/var/log/cron: log information related to scheduled tasks
/var/log/spooler: log information related to UUCP and news devices
/var/log/boot.log: messages related to daemon start and stop
/var/log/httpd, /var/log/mysqld.log: application logs (httpd is just an example)
/var/run/utmp: records the users currently logged in
/var/log/lastlog: records each user's last login
/var/log/btmp: records failed login attempts
/var/log/dmesg: kernel log
/var/log/cpus: CPU processing information
/var/log/syslog: event log
/var/log/auth.log: user authentication log
/var/log/daemon.log: system process log
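As an added example (not from the original article), here are two checks a responder typically runs first over the authentication log (/var/log/secure on RHEL-style systems, /var/log/auth.log on Debian-style ones): failed logins counted per source address, and sources that failed repeatedly and were then accepted. The sshd lines in SAMPLE_AUTH_LOG are constructed for the demo; the threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: triage of sshd entries in the
# authentication log. SAMPLE_AUTH_LOG is constructed for the demo (documentation
# IP ranges, invented PIDs and timestamps).

SAMPLE_AUTH_LOG='Feb 23 10:01:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Feb 23 10:01:03 host sshd[2102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Feb 23 10:01:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Feb 23 10:01:09 host sshd[2104]: Accepted password for root from 203.0.113.7 port 51003 ssh2
Feb 23 10:02:00 host sshd[2105]: Accepted publickey for ops from 10.0.0.9 port 40000 ssh2
Feb 23 10:03:00 host sshd[2106]: Failed password for ops from 10.0.0.9 port 40001 ssh2'

# failed_logins_by_source LOGFILE -> "<count> <ip>" lines, most failures first
failed_logins_by_source() {
  grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn
}

# accepted_after_failures LOGFILE THRESHOLD -> source IPs that failed at least
# THRESHOLD times and were later accepted (the brute-force-then-success pattern).
# Each IP is printed once, in the order its first qualifying success appears.
accepted_after_failures() {
  awk -v threshold="$2" '
    /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++ }
    /Accepted/ {
      for (i = 1; i <= NF; i++) if ($i == "from") {
        ip = $(i + 1)
        if (fails[ip] >= threshold && !(ip in seen)) { print ip; seen[ip] = 1 }
      }
    }' "$1"
}

# Demo helper: writes the constructed log to a temp file and prints its path.
write_sample_log() {
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_AUTH_LOG" > "$f"
  echo "$f"
}
```

On a real host run failed_logins_by_source /var/log/secure and accepted_after_failures /var/log/secure 10, and cross-check the addresses against lastb (which reads /var/log/btmp) and last (which reads wtmp) for the same time window. A low threshold such as 3 produces many false positives from users mistyping a password; pick it from the normal failure rate of the host.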
STEP 4: check whether the application files on the server have been tampered with by comparing them against a known-good copy
Operational significance: check whether the application has been infected.
Method 1: compare the MD5 hashes of the known-good copy and the current server copy with the md5sum command; any difference means the file has been altered.
Method 2: compare the files with a diff tool such as Beyond Compare.
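Method 1 carried out over a whole directory tree, as an added example that is not part of the original article: a manifest of md5sum hashes is built for the known-good copy and for the server copy, and the two are compared to list changed, added and removed files. Two small constructed directory trees stand in for the real copies; the file names and contents are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: verify the files on the server
# against a known-good copy using md5sum, reporting files that were changed,
# added or removed. build_sample_trees() creates constructed trees for the demo.

# make_manifest DIR -> "md5  ./relative/path" for every regular file under DIR
make_manifest() {
  ( cd "$1" && find . -type f -exec md5sum {} + )
}

# compare_copies GOOD_DIR LIVE_DIR -> one sorted line per difference:
#   CHANGED path   (hash differs)
#   ADDED   path   (exists only on the live server)
#   REMOVED path   (exists only in the known-good copy)
# Note: paths containing whitespace would break the awk field split below.
compare_copies() {
  goodm=$(mktemp); livem=$(mktemp)
  make_manifest "$1" > "$goodm"
  make_manifest "$2" > "$livem"
  awk '
    FILENAME == ARGV[1] { good[$2] = $1; next }   # first file: known-good hashes
    {
      seen[$2] = 1
      if (!($2 in good))        print "ADDED   " $2
      else if (good[$2] != $1)  print "CHANGED " $2
    }
    END { for (p in good) if (!(p in seen)) print "REMOVED " p }
  ' "$goodm" "$livem" | sort
  rm -f "$goodm" "$livem"
}

# Demo helper: builds the constructed sample trees and prints the base directory.
build_sample_trees() {
  base=$(mktemp -d)
  mkdir -p "$base/good/bin" "$base/live/bin"
  printf 'original binary\n' > "$base/good/bin/app"
  printf 'original binary\n' > "$base/live/bin/app"     # unchanged
  printf 'setting=1\n'       > "$base/good/app.conf"
  printf 'setting=1 # edited\n' > "$base/live/app.conf" # tampered on the server
  printf 'extra\n'           > "$base/live/bin/.helper" # file that only exists on the server
  printf 'docs\n'            > "$base/good/README"      # file missing from the server
  echo "$base"
}
```

In practice the known-good manifest is generated once from the release archive or a clean install and kept off the host, so that a later compare_copies run does not depend on anything the attacker could have modified; a hidden file such as the .helper above is exactly the kind of addition the comparison is meant to surface.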
STEP 5: check general user and file permission configuration and system configuration
Operational significance: look for abnormal behaviour of the system and infer the intrusion method.
Check the accounts
# less /etc/passwd
# grep :0: /etc/passwd (check whether new users have been created and which users have UID and GID 0)
# ls -l /etc/passwd (view the file's modification date)
# awk -F: '$3 == 0 {print $1}' /etc/passwd (check whether privileged users other than root exist)
# awk -F: 'length($2) == 0 {print $1}' /etc/shadow (check whether any account has an empty password)
(on Windows, use the net user command)
Check the processes
# ps aux (pay attention to processes running as UID 0)
# lsof -p pid (view the ports and files opened by a process)
# cat /etc/inetd.conf | grep -v "^#" (check the daemons started by inetd)
Check for hidden processes
# ps -ef | awk '{print $2}' | sort -n | uniq > 1
# ls /proc | sort -n | uniq > 2
(the two lists are then compared; a PID that appears in /proc but is not reported by ps points to a hidden process)
Check for backdoors
# cat /etc/crontab
# ls /var/spool/cron/
# cat /etc/rc.d/rc.local
# ls /etc/rc.d
# ls /etc/rc3.d
# find / -type f -perm -4000 (list files with the setuid bit set)
(on Windows, use tools such as IceSword and Task Manager)
Check scheduled tasks
Pay attention to tasks belonging to root and to any other UID 0 user
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*
Check the loaded kernel modules
# lsmod
Check system services
# chkconfig --list
Check directory permissions
# ls -l
(on Windows, check permissions through the right-click Properties dialog)
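The account, hidden-process and setuid checks above, as an added example that is not part of the original article, packaged as functions that read from files rather than the live system. That way they run both on the host and on copies of /etc/passwd, /etc/shadow and the ps and /proc listings pulled off it for offline analysis. build_samples() creates constructed inputs for the demo; the account names, PIDs and password hashes are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: the STEP 5 checks as functions
# over files. build_samples() writes constructed sample inputs for the demo.

# privileged_users PASSWD_FILE -> every account whose UID is 0 (root plus any clone)
privileged_users() { awk -F: '$3 == 0 { print $1 }' "$1"; }

# empty_password_accounts SHADOW_FILE -> accounts whose password field is empty
empty_password_accounts() { awk -F: 'length($2) == 0 { print $1 }' "$1"; }

# hidden_pids PS_PID_FILE PROC_LISTING_FILE -> PIDs present in the /proc listing
# but absent from the ps output. Live usage:
#   ps -eo pid= > ps.txt; ls /proc > proc.txt; hidden_pids ps.txt proc.txt
# A process that starts or exits between the two commands appears as noise;
# a PID that stays in the output across repeated runs is the real finding.
hidden_pids() {
  a=$(mktemp); b=$(mktemp)
  awk '{ print $1 }' "$1" | sort > "$a"
  grep -E '^[0-9]+$' "$2" | sort > "$b"   # keep only the numeric (process) entries of /proc
  comm -13 "$a" "$b"                       # lines present only in the second file
  rm -f "$a" "$b"
}

# suid_files DIR -> regular files under DIR with the setuid bit set
# (-perm -4000 matches the bit whatever the other mode bits are; -perm 4000 would
# only match files whose entire mode is exactly 4000)
suid_files() { find "$1" -type f -perm -4000; }

# Demo helper: creates the constructed sample inputs and prints their directory.
build_samples() {
  d=$(mktemp -d)
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
    'www:x:1000:1000::/var/www:/bin/sh' \
    'toor:x:0:0::/:/bin/bash' > "$d/passwd"            # toor: a second UID 0 account
  printf '%s\n' \
    'root:$6$placeholder$placeholder:19700:0:99999:7:::' \
    'daemon:*:19700:0:99999:7:::' \
    'www::19700:0:99999:7:::' \
    'toor:$6$placeholder$placeholder:19700:0:99999:7:::' > "$d/shadow"   # www: empty password
  printf '%s\n' 1 2 100 2345 > "$d/ps_pids"
  printf '%s\n' 1 2 100 2345 6789 self cpuinfo > "$d/proc_listing"      # 6789 is not in ps
  mkdir -p "$d/tree/bin"
  printf 'x\n' > "$d/tree/bin/normal"
  printf 'x\n' > "$d/tree/bin/su_clone"
  chmod 4755 "$d/tree/bin/su_clone"                    # setuid bit on a constructed file
  echo "$d"
}
```

Running suid_files / on a real host returns the legitimate setuid programs as well (su, sudo, passwd and so on), so compare the list against a clean install of the same distribution rather than reading it in isolation.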
STEP 6: run antivirus on the server
Operational significance: detect backdoors with an antivirus program.
Operation example: install a less common but capable antivirus product such as McAfee, Avira ("Little Red Umbrella") or avast!. (Use at least two different products so that a backdoor missed by one engine is caught by the other.)
STEP 7: back up business data
Operational significance: back up business data so that it can be restored.
Operation example: determine whether the business environment can be backed up directly by copying, or whether dedicated devices or software are required.
STEP 8: reinstall the operating system with the latest patches (system and service software), harden the system and restore the business
Operational significance: resume business operation and strengthen the system.
Operation example: reinstall the operating system and service programs from officially downloaded media, apply the latest patches so that the host cannot be compromised again through the old vulnerability, and reduce user rights to the minimum required according to the principle of least privilege.
STEP 9: re-evaluate the security of the service
Operational significance: test the defensive capability of the server once hardening is complete.
Operation example: run vulnerability scanners and penetration tests of various kinds against the rebuilt server.
That concludes the handling steps for a compromised host. How these methods apply in a specific situation still needs to be verified in practice.
© 2024 shulou.com SLNews company. All rights reserved.