How to find malicious or backdoor files that should not be on a Linux server

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02 Report

Today I will talk about how to find malicious or backdoor files that should not be on a Linux server. Many people are not familiar with this, so the editor has summarized the following content. I hope you get something out of it.

I noticed a problem while writing about APT some time ago: most of the articles and tutorials on the internet cover malware detection on Windows, and there is very little on how to find malware on Linux systems. The purpose of this article is therefore to introduce some tips and methods for checking a Linux system for malware. Without further ado, let's get to it.

Check binary file

The first thing to check is that the binaries that are running have not been modified. This type of malware can be a version of sshd that lets you connect with a specific password, or a modified version of some other binary that runs as root and simply listens on its original socket for a trigger packet. The commands below cover Redhat (rpm) and Debian (dpkg); run them as root, since /proc/PID/exe can only be read for your own processes otherwise.

Look for binaries that do not belong

Look for running binaries that are not owned by any package (Redhat, then Debian):

    find /proc/*/exe -exec readlink {} + | xargs rpm -qf | grep "not owned"
    find /proc/*/exe -exec readlink {} + | xargs dpkg -S | grep "no path"

Verify that the running binaries match the files recorded in their packages:

    find /proc/*/exe -exec readlink {} + | xargs rpm -qf | xargs rpm -V
    find /proc/*/exe -exec readlink {} + | xargs dpkg -S | cut -d: -f1 | xargs dpkg -V

A process whose executable was deleted after it started shows up in the readlink output with a "(deleted)" suffix and will therefore also be reported as not owned; that on its own is worth a look.

The next thing to check is that all files belonging to installed packages are unmodified, not just the ones currently running. This takes a while to complete, but it is worth it, and it can be run from a cron job at a fixed time.

Verify all package files

    rpm -Va
    dpkg -V

Output

These commands walk every file belonging to every installed package, hash it and compare the result with the digest recorded when the package was installed or updated, printing one line per file that differs. The legend below is for the Redhat (rpm) output. dpkg -V on Debian only checks the MD5 sums and not the other attributes, so a modified binary there shows only the "5" flag.

S  file Size differs
M  Mode differs (includes permissions and file type)
5  digest (formerly MD5 sum) differs
D  Device major/minor number mismatch
L  readLink(2) path mismatch
U  User ownership differs
G  Group ownership differs
T  mTime differs
P  caPabilities differ
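On a real system rpm -Va and dpkg -V print hundreds of lines, most of them config files and mtime changes. The script below is an added example, not part of the original article: it decodes the flag field using the legend above and keeps only the entries that matter for the binary checks described earlier, i.e. non-config, non-doc files whose digest or size changed, plus files that are missing entirely. The SAMPLE text is constructed in rpm -Va format and is not real scan output; run_triage uses it only when neither rpm nor dpkg is installed.

```shell
#!/bin/sh
# Added example (not from the original article): decode rpm -V / dpkg -V
# verification lines and keep only the results worth an analyst's time.
#
# Both tools print one line per changed file: a 9-character flag field,
# an optional attribute letter (c = config, d = doc, ...) and the path.
# A changed config file or a changed mtime alone is usually noise; a
# changed digest (5) or size (S) on a non-config file is what we want.

# Translate the 9-character flag field into words (legend from the article).
decode_flags() {
    # $1 = flag field such as "S.5....T." or "??5??????" (dpkg)
    awk -v f="$1" 'BEGIN {
        n = split("Size Mode digest Device Link User Group mTime caPabilities", name, " ")
        out = ""
        for (i = 1; i <= n; i++) {
            c = substr(f, i, 1)
            if (c != "." && c != "?") out = out (out == "" ? "" : ",") name[i]
        }
        print out
    }'
}

# Read verification output on stdin and print the suspicious entries:
# files that are missing, and non-config/non-doc files whose digest or size changed.
triage_verify() {
    awk '
    # "missing" lines carry no flag field; report them on their own.
    $1 == "missing" { print "MISSING " $NF; next }
    {
        flags = $1
        # the second column is an attribute letter only when it is a single character
        attr = (NF >= 3 && length($2) == 1) ? $2 : ""
        path = $NF
        if (attr == "c" || attr == "d") next       # config/doc churn is expected
        if (index(flags, "5") || index(flags, "S")) print "CHANGED " flags " " path
    }'
}

# Constructed sample (not real scan results) in rpm -Va output format.
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ls
S.5....T.    /usr/sbin/sshd
missing     /usr/lib64/security/pam_unix.so
..5......    /usr/lib64/security/pam_unix.so'

# Run the live check when a package manager exists, otherwise use the sample.
run_triage() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null | triage_verify
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V 2>/dev/null | triage_verify
    else
        printf '%s\n' "$SAMPLE" | triage_verify
    fi
}
```

Call run_triage from the cron job mentioned above and diff its output against the previous run; a CHANGED line for a binary such as /usr/sbin/sshd, or a MISSING PAM module, is the kind of result that needs an immediate look rather than a filter.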

Check RAW sockets

Backdoors built on raw sockets are common. They listen for incoming packets and trigger on a specific one; the recently discovered "Chaos" backdoor is an example, and a github search for raw socket backdoors turns up plenty more. For this check we only look at processes that hold raw sockets. Few legitimate programs use them, so the list of processes to examine is short.

Check for binaries listening on raw sockets

    netstat -lwp
    ss -lwp
    lsof | grep RAW
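If netstat, ss and lsof are missing, or you do not trust the copies on a possibly compromised host, the same information is available from /proc. The script below is an added example and not part of the original article: it parses /proc/net/raw and /proc/net/raw6 (the kernel's table of open raw sockets), extracts the IP protocol each socket receives and its inode, and maps the inode back to a PID through /proc/PID/fd. SAMPLE_RAW is a constructed table in that layout, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): find raw sockets without
# netstat/ss/lsof, straight from /proc, and map each one to its process.
#
# /proc/net/raw and /proc/net/raw6 list open raw sockets. The "port" half of
# local_address is the IP protocol number the socket receives (0001 = ICMP,
# 00FF = IPPROTO_RAW). The inode column ties the socket to /proc/<pid>/fd links.

# Parse /proc/net/raw-style text on stdin; print "<protocol_decimal> <inode>" per socket.
parse_raw_table() {
    awk 'NR > 1 {
        split($2, a, ":")                       # local_address = hex_ip:hex_port
        proto = 0; h = a[2]
        for (i = 1; i <= length(h); i++)        # hex -> decimal by hand (portable awk)
            proto = proto * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        print proto, $10
    }'
}

# Map a socket inode to the PIDs holding it by scanning /proc/*/fd symlinks (needs root).
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        case "$(readlink "$fd" 2>/dev/null)" in
            "socket:[$1]") echo "$fd" | cut -d/ -f3 ;;
        esac
    done | sort -un
}

# Live check: every raw socket with its protocol, owning PID and executable path.
list_raw_socket_processes() {
    for table in /proc/net/raw /proc/net/raw6; do
        [ -r "$table" ] || continue
        parse_raw_table < "$table" | while read -r proto inode; do
            for pid in $(pids_for_inode "$inode"); do
                printf 'proto=%s pid=%s exe=%s\n' "$proto" "$pid" \
                    "$(readlink "/proc/$pid/exe" 2>/dev/null)"
            done
        done
    done
}

# Constructed sample (not a real capture) in /proc/net/raw layout:
# header, one ICMP socket (protocol 1) and one IPPROTO_RAW socket (255).
SAMPLE_RAW='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 0000000000000000 0
   1: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0'
```

One caveat that applies to ss -lwp as well: these tables only cover AF_INET/AF_INET6 SOCK_RAW sockets. A sniffer-style backdoor that uses an AF_PACKET socket instead appears in /proc/net/packet (ss -0 lists the same thing), so check that table too.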

Check for possible injected memory

Expect false positives here. RWX memory (readable, writable and executable) is used by many programs, mostly interpreted or JIT-compiled languages, so it is normal for python, java and anything that embeds a scripting library. If a process has many RWX mappings and it is not one of those, take a closer look. The command below lists the number of RWX mappings per process id. In the author's output, cron appeared in the list, which is clearly abnormal for cron.
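The grep one-liner counts every rwx line, including file-backed mappings from libraries that ship executable-writable segments. The script below is an added example, not part of the original article: it separates anonymous rwx regions (JIT heaps, and also the typical footprint of injected code) from file-backed ones, and skips a list of process names that are expected to have anonymous rwx memory. The interpreter list in is_expected_jit is my own assumption and should be adjusted to the host; SAMPLE_MAPS is constructed in the format `grep -r rwx /proc/*/maps` produces and is not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): count rwx mappings per
# process, but separate anonymous rwx regions (JIT heaps, injected code)
# from file-backed ones, and skip known JIT users to cut false positives.

# Input on stdin: "/proc/<pid>/maps:<maps line>" as `grep -r rwx /proc/*/maps`
# prints it. Column 2 of the maps line is the permission field; a path in
# column 6 means file-backed. No path, or [heap]/[stack], means anonymous.
# Output: "pid anon_rwx file_rwx", most anonymous rwx first.
count_rwx() {
    awk -F: '
    {
        split($1, p, "/"); pid = p[3]            # /proc/<pid>/maps -> pid
        line = substr($0, length($1) + 2)        # the maps line itself (may contain ":")
        n = split(line, f, " ")
        if (f[2] !~ /^rwx/) next
        if (n >= 6 && f[6] !~ /^\[/) file[pid]++; else anon[pid]++
        seen[pid] = 1
    }
    END { for (pid in seen) print pid, anon[pid] + 0, file[pid] + 0 }' | sort -k2,2nr -k1,1n
}

# Process names that legitimately keep anonymous rwx memory (assumed list; tune per host).
is_expected_jit() {
    case "$1" in
        python*|java|node|ruby|perl|php*|dotnet|mono) return 0 ;;
        *) return 1 ;;
    esac
}

# Live scan: processes with anonymous rwx memory whose name is not a known JIT user.
scan_rwx_live() {
    grep -rs rwx /proc/[0-9]*/maps 2>/dev/null | count_rwx | while read -r pid anon file; do
        [ "$anon" -gt 0 ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        is_expected_jit "$comm" && continue
        printf 'pid=%s comm=%s anon_rwx=%s file_rwx=%s\n' "$pid" "$comm" "$anon" "$file"
    done
}

# Constructed sample (not a real capture): pid 812 has one anonymous rwx
# region, pid 1300 has only a file-backed rwx segment from a library, and
# pid 77 has two anonymous rwx regions (one of them the heap).
SAMPLE_MAPS='/proc/812/maps:7f3a1c000000-7f3a1c021000 rwxp 00000000 00:00 0
/proc/812/maps:7f3a1d000000-7f3a1d1b0000 r-xp 00000000 fd:01 393278 /usr/lib64/libc.so.6
/proc/1300/maps:7f0c00000000-7f0c00010000 rwxp 00000000 fd:01 52011 /usr/lib64/libjit.so
/proc/77/maps:55d0a0000000-55d0a0100000 rwxp 00000000 00:00 0
/proc/77/maps:55d0a0100000-55d0a0200000 rwxp 00000000 00:00 0 [heap]'
```

An executable heap or an anonymous rwx region in a process such as cron, sshd or a system daemon is the case the article calls out; a file-backed rwx segment points at a specific library on disk, which the package verification above can then confirm or clear.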

Command to count RWX mappings per pid

    grep -r "rwx" /proc/*/maps | cut -d/ -f 3 | uniq -c | sort -nr

Check for modified PAM modules

A common backdoor inserts or replaces a PAM module used for authentication. This gives remote access and also lets the attacker obtain root from any user account. Such a backdoor is unaffected by changes to /etc/passwd: the original passwords keep working, and so do the attacker's. In my opinion this is a very dangerous type of backdoor because of the access it provides. Logins go over the normal protocol and produce legitimate-looking login entries, so there is no obviously malicious network activity.

Check PAM module

    find /lib64/security/ | xargs rpm -qf | grep "not owned"
    find /lib64/security/ | xargs rpm -qf | grep -v "not" | xargs rpm -V
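The two commands above verify whatever sits in the module directory, but a module that was simply added to the stack in /etc/pam.d is only dangerous if it is actually loaded, and a module on Debian lives under /lib/x86_64-linux-gnu/security rather than /lib64/security. The script below is an added example, not part of the original article: it extracts every module name referenced by the pam.d configuration, locates each one in the usual module directories (the directory list is my assumption; add your distribution's path if it differs), and checks ownership and integrity with rpm or dpkg. SAMPLE_PAMD is a constructed config in /etc/pam.d syntax, and pam_backdoor.so in it is a made-up name used only to show an unknown module being reported.

```shell
#!/bin/sh
# Added example (not from the original article): list every PAM module the
# configuration actually loads (from /etc/pam.d/*), then check that each
# module file is package-owned and unmodified. This catches a backdoor
# module added to the stack as well as a replaced one.

# Extract module filenames referenced in pam.d-style config text on stdin.
# Handles "type control module args", bracketed controls, @include and comments.
pam_modules_referenced() {
    awk '
    /^[ \t]*(#|$)/   { next }                 # comments and blank lines
    $1 == "@include" { next }                 # included files are read separately
    {
        # control field may be bracketed, e.g. [success=1 default=ignore]
        i = 2
        if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
        i++
        if ($i ~ /\.so$/) print $i
    }' | sort -u
}

# Locate a module file in the PAM directories used by rpm- and dpkg-based systems.
find_pam_module() {
    for dir in /lib64/security /lib/security /lib/x86_64-linux-gnu/security \
               /usr/lib64/security /usr/lib/x86_64-linux-gnu/security; do
        [ -f "$dir/$1" ] && { echo "$dir/$1"; return 0; }
    done
    return 1
}

# Live check over the real configuration; prints only problems.
check_pam_live() {
    cat /etc/pam.d/* 2>/dev/null | pam_modules_referenced | while read -r mod; do
        path=$(find_pam_module "$mod") || { echo "NOT FOUND $mod"; continue; }
        if command -v rpm >/dev/null 2>&1; then
            rpm -qf "$path" >/dev/null 2>&1 || { echo "UNOWNED $path"; continue; }
            rpm -V "$(rpm -qf "$path")" | grep -F "$path" | sed 's/^/MODIFIED /'
        elif command -v dpkg >/dev/null 2>&1; then
            pkg=$(dpkg -S "$path" 2>/dev/null | cut -d: -f1)
            [ -n "$pkg" ] || { echo "UNOWNED $path"; continue; }
            dpkg -V "$pkg" | grep -F "$path" | sed 's/^/MODIFIED /'
        fi
    done
}

# Constructed sample (not a real config) in /etc/pam.d syntax; pam_backdoor.so
# is a made-up name standing in for an unexpected module.
SAMPLE_PAMD='# comment line
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth       requisite    pam_deny.so
@include common-account
session    optional     pam_backdoor.so
password   sufficient   pam_unix.so sha512 shadow'
```

Compare the module list against a known-good copy from a freshly installed host of the same release; a module name that is not in the distribution's PAM package is the finding, even before the integrity check runs.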

SSH access

A very simple way to maintain access without modifying any binaries is to add an ssh key to a user's authorized_keys file, which lets the attacker log in over ssh like a normal user. This is also one of the hardest methods to detect, because deciding whether a key is legitimate or malicious requires each user to confirm that only their own keys are in the file. An attacker may also simply use a user's key that was stolen earlier.

List the .ssh folders for all users

    cat /etc/passwd | cut -d: -f 6 | xargs -I @ /bin/sh -c "echo @; ls -al @/.ssh/ 2>/dev/null"
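Listing the .ssh directories shows which accounts have keys, but not whether the keys belong there, and sshd also honours authorized_keys2 and any path configured with AuthorizedKeysFile. The script below is an added example, not part of the original article: it parses authorized_keys content, reports each key as KNOWN or UNKNOWN against an allowlist of key blobs (the ALLOWLIST variable is my assumption, filled from your own inventory), shows any options such as forced commands, and enumerates every key file sshd would consult for every account in /etc/passwd. SAMPLE_KEYS and the blobs in it are constructed for illustration and are not real keys.

```shell
#!/bin/sh
# Added example (not from the original article): audit authorized_keys
# content against an allowlist of known key blobs, flag keys that are not
# on it, show options such as forced commands, and cover the
# AuthorizedKeysFile locations the ls one-liner above misses.

# Parse authorized_keys text on stdin. Prints one line per key:
#   "<KNOWN|UNKNOWN> <type> <comment or -> [opts=<options>]"
# ALLOWLIST (assumed, whitespace-separated): the base64 blobs you expect to see.
audit_authorized_keys() {
    awk -v allow="$ALLOWLIST" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") known[a[i]] = 1 }
    /^[ \t]*(#|$)/ { next }
    {
        # A line may start with options (command="...",from=...) before the key type.
        # Options are found by locating the first token that looks like a key type;
        # a quoted option containing a space-separated word starting with ssh- would mis-split.
        for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
        if (i > NF) { print "MALFORMED " $0; next }
        opts = ""; for (j = 1; j < i; j++) opts = opts (j == 1 ? "" : " ") $j
        type = $i; blob = $(i + 1)
        comment = ""; for (j = i + 2; j <= NF; j++) comment = comment (comment == "" ? "" : " ") $j
        status = (blob in known) ? "KNOWN" : "UNKNOWN"
        printf "%s %s %s%s\n", status, type, (comment == "" ? "-" : comment), (opts == "" ? "" : " opts=" opts)
    }'
}

# Every authorized-keys file sshd would consult, for every account in /etc/passwd.
list_authorized_key_files() {
    # AuthorizedKeysFile may list several tokens; %h is the home directory, %u the user.
    patterns=$(awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; print }' /etc/ssh/sshd_config 2>/dev/null)
    [ -n "$patterns" ] || patterns=".ssh/authorized_keys .ssh/authorized_keys2"
    while IFS=: read -r user _ _ _ _ home _; do
        for p in $patterns; do
            f=$(printf '%s' "$p" | sed -e "s|%h|$home|g" -e "s|%u|$user|g")
            case "$f" in /*) ;; *) f="$home/$f" ;; esac
            [ -f "$f" ] && echo "$user $f"
        done
    done < /etc/passwd
}

# Audit every key file found on the live system.
audit_all_live() {
    list_authorized_key_files | while read -r user f; do
        audit_authorized_keys < "$f" | sed "s|^|$user $f: |"
    done
}

# Constructed sample (not real keys; blobs are placeholders for illustration).
ALLOWLIST='AAAAC3NzaC1lZDI1NTE5AAAAIKNOWN0000000000000000000000000000000000000'
SAMPLE_KEYS='# comment
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNOWN0000000000000000000000000000000000000 alice@laptop
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0BACKUP000 backup
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUNKNOWN00000000000000000000000000000000000'
```

Two caveats: Match blocks in sshd_config can set a different AuthorizedKeysFile for some users, which this simple parser does not evaluate, and an UNKNOWN key with no comment and no restrictions is exactly what an attacker's added key tends to look like, while a KNOWN key can still be a stolen one, which is the limit of file-based detection the article points out.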

There are many ways to maintain privileged access to a Linux server. The checks above are not exhaustive, but they cover the more common backdoors, including the techniques used by Meterpreter and the backdoors found on github.


© 2024 shulou.com SLNews company. All rights reserved.
