
How to understand Linux search backdoor ideas and shell scripts

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article introduces the relevant knowledge of "how to understand Linux search backdoor ideas and shell scripts". In practice, many people run into exactly this kind of dilemma, so let the editor walk you through how to deal with these situations. I hope you read it carefully and get something out of it!

Each process has a PID, and each PID has a corresponding directory under the /proc directory; this is how the Linux system (kernel 2.6 at the time of writing) exposes process information.

Backdoor programs generally cannot be found with ps and other process-viewing tools, because once a system has been compromised these common tools, and even the system libraries they rely on, have usually been tampered with (many rootkits circulate on the Internet). If it is a kernel-level Trojan horse, then this method does not work.

Because modifying the system kernel is relatively complex (if the kernel has been modified, or a kernel-level Trojan is present, detection becomes much harder), traces of a Trojan can usually still be found under /proc.

Approach:

A process ID that exists in /proc but cannot be seen in the output of ps (i.e. is hidden) must be a problem.

The code is as follows:

#!/bin/bash

# PIDs as reported by ps (first column of every line)
str_pids="`ps -A | awk '{print $1}'`"

# every numeric entry under /proc is a PID the kernel knows about
for i in /proc/[[:digit:]]*
do
    # match the whole line (-x), otherwise PID 1 would "cover" 10, 100, ...
    if echo "$str_pids" | grep -qsx "`basename "$i"`"
    then
        :
    else
        echo "Rootkit's PID: $(basename "$i")"
    fi
done
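The same comparison as above, written as an added example that is not part of the original article: the PID-set comparison is factored into a function that takes the two PID lists as arguments, so it can be exercised on a constructed sample as well as on the live system. The function names (find_hidden_pids, live_ps_pids, live_proc_pids) are this example's own. It uses exact-line matching so that PID 1 does not mask PIDs 10 or 100, and it reads PIDs from ps with the POSIX -o pid= option rather than by scraping the first column.

```shell
#!/bin/sh
# Added example, not the original article's script.
# Compare the PIDs that ps reports (a tool a rootkit may have tampered with)
# against the PIDs the kernel itself exposes under /proc.

# find_hidden_pids PS_PIDS PROC_PIDS
#   Both arguments are newline-separated PID lists. Prints the PIDs that are
#   present in PROC_PIDS but absent from PS_PIDS, one per line, ascending.
find_hidden_pids() {
    ps_pids=$1
    proc_pids=$2
    printf '%s\n' "$proc_pids" | sort -n | while IFS= read -r pid; do
        [ -n "$pid" ] || continue
        # -x: the whole line must equal the PID, so "1" does not match "10"
        if ! printf '%s\n' "$ps_pids" | grep -qx "$pid"; then
            printf '%s\n' "$pid"
        fi
    done
}

# PIDs according to ps (POSIX -o pid= prints only the PID column, no header)
live_ps_pids() {
    ps -A -o pid= | tr -d ' '
}

# PIDs according to the kernel: numeric directory names under /proc
live_proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        basename "$d"
    done
}

# Constructed sample (not live data): ps "sees" 1, 2 and 100, while /proc
# also contains 10 and 1234. Both should be reported as hidden.
sample_ps='1
2
100'
sample_proc='1
2
10
100
1234'

# Live check. A process that exits between the two snapshots shows up as a
# false positive, so re-run and only chase PIDs that persist.
main() {
    hidden=$(find_hidden_pids "$(live_ps_pids)" "$(live_proc_pids)")
    if [ -n "$hidden" ]; then
        echo "PIDs present in /proc but missing from ps:"
        echo "$hidden"
    else
        echo "No hidden PIDs found"
    fi
}

# Run against the live system only when asked: ./hidden_pids.sh --live
if [ "${1:-}" = "--live" ]; then
    main
fi
```

Running the script with --live performs the real comparison; without it the functions are merely defined, which keeps the constructed sample separate from live data. Because /proc is read twice in quick succession, a short-lived process can appear in one snapshot and not the other, so treat a single hit as a lead to confirm against /proc/PID/status rather than as proof of a rootkit.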

Discussion:

How hard it is to check whether a Linux system has been hacked depends largely on how thoroughly the intruder did their "clean-up work". For a well-executed intrusion, rooting it out is a delicate and painful job that usually requires professional third-party tools (open source ones such as tripwire or aide).

Professional tools are relatively troublesome to deploy and use, and not all administrators can use them skillfully.

In fact, the Linux system itself already provides a "verification" mechanism for checking whether the programs on the system have been modified. For example, the -V function provided by the rpm package management system:

The code is as follows:

rpm -Va

This verifies every package on the system and prints the files that have been modified since installation, together with what changed. But the rpm system itself may also have been compromised, for example by modifying its binaries or database.
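To make the rpm -Va output actionable, the following added example (not from the original article) parses lines in the format rpm -V prints, a nine-character flag string such as S.5....T. followed by an optional attribute letter and the path, or the word "missing" for a deleted file. It reports files under the system binary and library directories whose digest no longer matches (the "5" flag), and any file reported missing, while ignoring ordinary configuration edits under /etc. The function name flag_modified_binaries and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not the original article's code.
# Parse "rpm -Va" style output and flag the findings that matter most for a
# backdoor hunt: digest mismatches on system binaries/libraries and missing
# files. rpm -V flag positions: S(size) M(mode) 5(digest) D(dev) L(link)
# U(user) G(group) T(mtime) P(caps); "." means the attribute is unchanged.

# flag_modified_binaries OUTPUT
#   OUTPUT is the text of rpm -Va (real or constructed). Prints one line per
#   finding: "DIGEST-MISMATCH <path>" or "MISSING <path>".
flag_modified_binaries() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}      # first field: the flag string or "missing"
        path=${line##* }       # last field: the file path (no spaces assumed)
        if [ "$flags" = "missing" ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        # Only a digest change proves the file content differs from the
        # package; an mtime-only change (.......T.) is common and benign.
        case "$flags" in
            *5*) digest=yes ;;
            *)   digest=no ;;
        esac
        case "$path" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib*|/usr/lib*) system=yes ;;
            *) system=no ;;
        esac
        if [ "$digest" = yes ] && [ "$system" = yes ]; then
            printf 'DIGEST-MISMATCH %s\n' "$path"
        fi
    done
}

# Constructed sample in rpm -Va format (not real output from any host).
# Expected findings: ps and the library (digest changed), sshd (missing).
# The sshd_config edit lives under /etc and the ls entry is mtime-only,
# so neither is reported.
sample_rpm_va='S.5....T.    /usr/bin/ps
..5......    /usr/lib64/libexample-constructed.so
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ls
missing      /usr/sbin/sshd'

# Run on the live system only when asked: ./check_rpm.sh --live
if [ "${1:-}" = "--live" ]; then
    flag_modified_binaries "$(rpm -Va 2>/dev/null)"
fi
```

A digest mismatch on a tool like ps or on a shared library is exactly the tampering the article describes, and it is worth comparing against a known-good copy of the package. Because the check relies on the local rpm binary and database, a clean result only means as much as the rpm installation itself can be trusted; verifying from a rescue medium, or with a package database copied from a known-good host, closes that gap.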

That covers "how to understand Linux search backdoor ideas and shell scripts". Thank you for reading. If you want to learn more about the industry, you can follow the website, where the editor will publish more high-quality practical articles for you!
