
What if the Linux command is hijacked?

2025-01-18 Update. From: SLTechnology News&Howtos > Servers


Shulou (Shulou.com) 06/01 Report

This article introduces what to do when a Linux command has been hijacked. Many people run into this situation when handling real incidents, so let the editor walk you through how to deal with it. Please read carefully; I hope you get something out of it!

In some emergency-response scenarios we often encounter Trojans that replace commonly used system commands in order to disguise themselves: even after the Trojan has been cleaned up, running ps, netstat or another replaced system command starts the Trojan process again.

This technique is fairly stealthy and hard to troubleshoot. This article shares two relatively simple ways to detect it.

1. AIDE intrusion detection

AIDE (Advanced Intrusion Detection Environment) is an intrusion detection tool whose main purpose is to check file integrity. It builds a baseline database in which the various attributes of each file are saved; once the system has been compromised, a record of which files changed can be obtained by comparing the current state against that baseline database.

(1) AIDE installation and configuration

# install aide directly
yum install aide -y

# initialize the baseline database
sudo aide --init

# the new database file is named according to the configuration file's naming convention
# and must be renamed before AIDE will read it
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

(2) Run the detection and comparison

sudo aide --check

As shown above, the comparison quickly reveals that the ps system command has been tampered with.

2. RPM verification

Use rpm -Va to verify the integrity of the installed rpm packages. Because the rpm binary itself may have been replaced, you can upload a known-safe, clean and stable rpm binary to the server and run the check with that copy.

If everything verifies correctly, nothing is printed; any inconsistency is displayed. Each output line begins with an 8-character string in which each character reports the comparison between the file and one attribute recorded in the RPM database; a . (dot) means that test passed.

The meaning of each of the 8 characters in the verification output is as follows:

S  file size has changed
M  file type or file permissions (rwx) have changed
5  file MD5 checksum has changed (i.e. the file content has changed)
D  device major/minor number has changed
L  symbolic link path has changed
U  file owner has changed
G  file group has changed
T  file modification time has changed

As shown above, a T is displayed to the left of the ps command, indicating that the modification time of this system file has been changed.
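The flag string described above can be decoded mechanically. The following shell functions are an added example, not part of the original article: they translate an rpm -V flag string into the attribute names it reports and then filter a constructed sample of rpm -Va output down to the non-config files whose size, content or mtime changed, which is where a replaced ps or netstat shows up. The sample lines are made up for this example; the P flag (capabilities) is printed by newer rpm versions in addition to the eight letters listed above.

```shell
#!/bin/sh
# Decode one rpm -V flag string (e.g. "S.5....T.") into the names of the
# attributes it reports as changed. "." means the test passed.
decode_rpmv_flags() {
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}          # drop it
        case $c in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out md5" ;;
            D) out="$out device" ;;
            L) out="$out link" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out caps" ;;   # capabilities, newer rpm only
        esac
    done
    printf '%s' "${out# }"
}

# Constructed sample of rpm -Va output (not a real capture). The optional
# second column is the file type: "c" marks a config file.
SAMPLE_RPMV='S.5....T.    /bin/ps
.......T.    /bin/netstat
.M.......    /etc/ssh/sshd_config
S.5....T.  c /etc/yum.conf
missing     /usr/lib/foo'

# Print "path: changed-attributes" for every non-config file whose size,
# content or mtime differs from the RPM database. Config files drift
# legitimately and are skipped; "missing" lines carry no flag string.
suspect_binaries() {
    printf '%s\n' "$1" | while read -r line; do
        [ -n "$line" ] || continue
        set -- $line
        flags=$1
        [ "$flags" != "missing" ] || continue
        if [ $# -eq 3 ]; then ftype=$2; path=$3; else ftype=""; path=$2; fi
        [ "$ftype" != "c" ] || continue
        case $flags in
            *S*|*5*|*T*) printf '%s: %s\n' "$path" "$(decode_rpmv_flags "$flags")" ;;
        esac
    done
}
```

Run it with `suspect_binaries "$(rpm -Va)"` on a real host; in the sample above only /bin/ps and /bin/netstat are reported.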

That's all for "what to do if the Linux command is hijacked". Thank you for reading. If you want to learn more about the industry, you can follow the website; the editor will keep publishing more high-quality practical articles for you!
