2025-02-22 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains what to do when a Linux server has been hacked. The content is detailed and easy to follow, the steps are simple, and it should serve as a useful reference; let's take a look.
I. Principles of analysis
Back up important data before starting the analysis, and try not to analyze on the original system.
A system that has been compromised can no longer be trusted. If conditions permit, copy the data to a separate, clean system and analyze it there.
II. Analysis goals
Find the source of the attack (the attacker's IP) and the way the intruder got in.
Determine the scope of the impact.
Quantify the impact level.
III. Data backup and collection
1. Trace data
Trace data is always the most important data when analyzing a security incident, so the first step is to back it up. It mainly includes the following:
Syslog: messages, secure, cron, maillog, etc.
Application logs: Apache log, Nginx log, FTP log, MySQL log, etc.
Custom logs: many applications write their own logs during development; these are also very important and can help reconstruct the intrusion path.
bash_history: the command history recorded while bash runs, which shows which commands were executed.
Any other log records related to the security event.
Always back these logs up before analyzing them. They can be compressed and archived with tar and then analyzed elsewhere; large volumes of logs are best handled with a log analysis platform such as Splunk.
The following commands fully back up all files under /var/log; other logs can be handled the same way:
# back up syslog and the default httpd service logs
tar -czvf logs.tar.gz /var/log
# back up the login history
last > last.log
# users logged in at this moment
w > w.log
2. System status
System status mainly means backing up the network, service, port and process information:
# back up the list of system services
chkconfig --list > services.log
# back up the process list
ps -ef > ps.log
# back up the listening ports
netstat -utnpl > port-listen.log
# all ports and connections in the system
netstat -ano > port-all.log
3. Check the system and files for anomalies
Mainly look at file modification times, owner and group information, newly added users and similar signs; other checks can be done by analogy:
# view user information
cat /etc/passwd
# find files changed in the last 5 days
find / -type f -mtime -5
4. Finally, scan for rootkits.
Either Rootkit Hunter (rkhunter) or chkrootkit will do.
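The collection steps above, gathered into one script as an added example (not from the original article): it saves the volatile state and log copies into an evidence directory and writes a SHA-256 manifest so the copies can be verified later. It assumes a Linux host with sha256sum, runs each tool only if it is installed, and goes slightly beyond the article by also capturing ss output and every user's bash_history.

```shell
#!/bin/sh
# Added example: collect volatile state and logs into an evidence directory
# and hash everything, so later analysis works on verified copies rather than
# on the compromised system itself. Intended to be run as root on the hacked
# host; the bundle is then moved to a clean machine for analysis.
set -u

# capture <name> <command...>: run the command if it exists, save its output
capture() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$OUT/$name.log" 2>&1 || true
    else
        echo "missing: $1" >> "$OUT/missing-tools.log"
    fi
}

# collect_evidence <output-dir> [log-dir] [scan-root]; prints the manifest path
collect_evidence() {
    OUT=$1
    LOGDIR=${2:-/var/log}
    SCANROOT=${3:-/}
    mkdir -p "$OUT"
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$OUT/collected-at.txt"
    capture last last                      # login history (wtmp)
    capture w w                            # who is logged in right now
    capture ps ps -ef                      # running processes
    capture services chkconfig --list      # enabled services
    capture port-listen netstat -utnpl     # listening ports
    capture port-all netstat -ano          # every socket
    capture sockets ss -tunap              # modern replacement for netstat
    capture passwd cat /etc/passwd         # user accounts
    # files modified in the last 5 days, staying on one filesystem
    capture recent-files find "$SCANROOT" -xdev -type f -mtime -5
    # copy the log tree as-is; tar keeps timestamps for later timelining
    if [ -d "$LOGDIR" ]; then
        tar -czf "$OUT/logs.tar.gz" -C "$(dirname "$LOGDIR")" "$(basename "$LOGDIR")" 2>/dev/null || true
    fi
    # shell history of every user, named after the home directory
    for h in /root /home/*; do
        [ -f "$h/.bash_history" ] && cp "$h/.bash_history" "$OUT/bash_history$(echo "$h" | tr / _)" || true
    done
    # hash everything collected so the copy can be verified later
    ( cd "$OUT" && sha256sum * > MANIFEST.sha256 )
    echo "$OUT/MANIFEST.sha256"
}
```

Verify a bundle later with `cd evidence && sha256sum -c MANIFEST.sha256`; any line that does not read OK means the copy changed after collection.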
IV. Methods of analysis
Making a bold guess is the most important step: first guess how the intrusion happened, and the analysis will generally go much faster. Logs reveal a lot. For example, the secure log can be searched for the "Accepted" keyword to find successful logins; last shows the login history; bash_history shows which commands were executed, and so on. Each log is read in its own way, and it is best to work alongside the system administrator, who knows the server best. I won't go into more detail here.
V. Analyze the impact
Based on what the server is used for, the files it holds and any confidential information on it, quantify the impact on system users together with the risk of data leakage or loss. Record, summarize and analyze the security event so that lessons can be drawn from it later. If the attacker has moved into the intranet, the security risks of the other intranet machines must also be checked and dealt with promptly.
VI. Reinforcement methods
A machine that has been hacked should be treated as dangerous. The most direct and effective remedy is to reinstall or restore the system, which is why regular backups are essential, especially of source code and database data. Once the intrusion path is understood, further hardening can target its cause, such as weak passwords or application vulnerabilities.