Shulou(Shulou.com)06/01 Report--

This article will explain in detail the example analysis of the emergency response of linux server intrusion. The editor thinks it is very practical, so I share it with you as a reference. I hope you can get something after reading this article.

I. confirm the security incident

In case of emergency, we must first confirm the authenticity of the security incident. After communicating with the server operation and maintenance staff, I learned that the business is only applied in the private network, but the server is unexpectedly open to the public network, can ping directly in the public network, and opened 22 remote ports. From this point, we can basically confirm that the server has been compromised.

Second, log analysis

Guess that the hacker may have broken into the server through SSH. Looking at the log under / var/log, it is found that most of the log information has been cleared, but the secure log has not been destroyed. You can see a large number of SSH login failure logs, and there are records of root users logging in successfully after multiple login failures, which accords with the characteristics of brute force cracking.

By looking at threat intelligence, it is found that multiple IP cracked by violence have malicious scanning behavior.

III. System analysis

Check the key configuration, account number and history of the system to confirm the impact on the system.

It is found that the history in / root/.bash_history has been cleared, and there are no other anomalies.

IV. Process analysis

Troubleshoot current active processes, network connections, startup items, scheduled tasks, etc.

The following problems were found:

1) abnormal network connection

By looking at the network connection of the system, it is found that there is a Trojan back door program te18 network outreach.

Online killing this file is a Linux backdoor program.

2) abnormal timing task

By looking at the crontab scheduled task, it is found that there is an abnormal scheduled task.

Analyze the running file and startup parameters of the scheduled task

The documents related to online inspection and killing are mining procedures.

View the pool profile

V. document analysis

Malicious code and related operation files implanted by hackers were found in the / root directory.

Hackers create a hidden folder / root/.s/, to store mining-related programs.

VI. Back door investigation

Finally, use RKHunter to scan the back door of the system.

VII. Summary

Through the above analysis, it can be judged that the hacker explodes the root user password through SSH blasting, and logs in to the system to carry out mining procedures and Trojan horse back door implantation.

Reinforcement suggestion

1) Delete crontab scheduled tasks (delete files / var/spool/cron/root contents) and delete malicious files implanted by hackers on the server.

2) modify all system user passwords and meet the password complexity requirements: more than 8 bits, including uppercase and lowercase letters + numbers + special symbol combinations

3) if it is not necessary to prohibit the opening of the SSH port to the public network, or modify the SSH default port and restrict access to IP

This is the end of the article on "sample Analysis of linux Server intrusion Emergency response". I hope the above content can be helpful to you, so that you can learn more knowledge. if you think the article is good, please share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.