
How to judge whether the Linux system has been illegally entered

2025-04-04 Update. From: SLTechnology News&Howtos (shulou), Servers.


Shulou (Shulou.com) 06/01 Report

How do you judge whether a Linux system has been illegally entered? Many novices are not very clear about this. To help you solve the problem, the editor explains it in detail below; anyone with this need can come and learn, and I hope you gain something from it.

For business systems running online, security is a crucial issue. The most common symptoms of a server being illegally entered are: a large volume of packets sent from inside to outside (the server has become a DDoS zombie), server resources being exhausted (a cryptominer), abnormal port connections (a reverse shell), server logs being maliciously deleted, and so on. After ruling out improper operation by the Linux system administrator, how do you detect whether your system has been illegally entered? Here are a few practical tips.

1. Check the system logs

1.1 Check the system login log and count the number of login retries per IP

Malicious login attempts leave traces in the log. By checking the system login log and counting the number of retried logins, you can see which IPs and which user names were used to attempt to break into the system.

# lastb root | awk '{print $3}' | sort | uniq -c | sort -nr | more

Description:

The lastb command, which requires root privileges, lists all failed login attempts (read from /var/log/btmp). It can also list the attempts for a specified user by appending the user name, as with root above. The third column printed by awk is the remote host, so the pipeline yields the number of failed attempts per source host, highest first.

2. Check the system users

Checking the system users often turns up clues about illegal entry, such as abnormal new accounts or accounts with elevated privileges. Inspecting the system users is therefore an important part of detection.

2.1 Check whether there are any abnormal system users

# cat /etc/passwd

2.2 Check whether there are any new users, especially users whose UID and GID are 0

# awk -F: '{if ($3 == 0) {print $1}}' /etc/passwd

2.3 Check whether there are accounts with an empty password

# awk -F: '{if (length($2) == 0) {print $1}}' /etc/passwd

Note: on systems that use shadow passwords, field 2 of /etc/passwd only contains "x"; run the same check against field 2 of /etc/shadow to find accounts whose password hash is empty.
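The three account checks above (2.1 to 2.3) as one small audit script. This is an added example, not code from the original article; it runs against constructed copies of passwd and shadow so it can be tried without root, and it adds a check for accounts that still have an interactive login shell.

```shell
#!/bin/sh
# Added example (not from the original article): audit account files for
# UID-0 accounts, empty password hashes and interactive login shells.
# File paths are parameters so the checks can run on copies of
# /etc/passwd and /etc/shadow, or on the real files as root.

# Print every account whose UID (field 3) is 0. Anything besides "root"
# deserves investigation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print accounts whose password hash (field 2 of shadow) is empty.
# /etc/passwd holds "x" in that field on modern systems, so the shadow
# file is the one to check.
empty_password_accounts() {
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Print accounts whose shell (field 7) allows interactive login.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample data for a stand-alone run ("toor" is the planted
# backdoor account: UID 0, empty hash, login shell).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:!:19000:0:99999:7:::
EOF

echo "UID 0 accounts:";               uid0_accounts "$SAMPLE_DIR/passwd"
echo "Empty password hash:";          empty_password_accounts "$SAMPLE_DIR/shadow"
echo "Accounts with a login shell:";  login_shell_accounts "$SAMPLE_DIR/passwd"
```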

3. Check the abnormal processes of the system

On an illegally entered system, checking the processes confirms which abnormal processes (neither system nor business processes) are running, and inspecting those abnormal processes leads to the source of the malicious program.

3.1 Use the ps -ef command to view the processes

# ps -ef

Pay special attention to processes whose UID is root.

3.2 View the ports and files opened by a process

# lsof -p <pid>

3.3 Check for hidden processes

# ps -ef | awk '{print $2}' | sort -n | uniq > 1
# ls /proc | sort -n | uniq > 2
# diff -y -W 40 1 2

Description:

All Linux processes are recorded under /proc, and the information there is the most detailed. A PID directory that appears in /proc but not in the ps output points to a process that is being hidden from ps.

4. Check the system for abnormal files

On an illegally entered system, checking for abnormal files helps track the intrusion, for example by looking at SUID files, files whose names consist of spaces, and so on.

4.1 Check the SUID files

# find / -uid 0 -perm -4000 -print

4.2 Check files larger than 10 MB

# find / -size +10000k -print

4.3 Check for blank-named files

# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print

The names searched for are three dots, ".." followed by a space, "." followed by a space, and a single space; such names are easy to overlook in a directory listing.

4.4 Check the core files in the system

# find / -name core -exec ls -l {} \;

5. Check the integrity of system files

The integrity of system files is an important aspect of illegal entry detection. In particular, by checking the MD5 values of commonly used system commands we can judge whether the system has been illegally entered: once commands such as ls and ping have been tampered with by a malicious program, executing those system commands actually executes the malicious program.

5.1 Check the integrity of Linux system files

Pay special attention to the directories /sbin, /bin and /usr/bin.

For example:

# whereis ls
# md5sum /usr/bin/ls

This can also be written as a script that generates MD5 values for the system files in batch and compares them with those of a known-good system; if an MD5 value differs from the known-good system, your system may have been hacked.
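The baseline-and-compare script that this paragraph describes, written as an added example (it is not code from the original article). It uses sha256sum instead of the article's md5sum, the workflow is otherwise the same, and it demonstrates itself on a constructed directory tree so no root access or second machine is needed.

```shell
#!/bin/sh
# Added example (not from the original article): build a hash baseline of
# the binaries in the given directories on a known-clean system, then
# compare the running system against it. sha256sum is used in place of
# the article's md5sum; the workflow is the same.

# make_baseline <out-file> <dir>... : record "hash  path" for every
# regular file under the directories, sorted by path.
make_baseline() {
    out=$1; shift
    find "$@" -type f -exec sha256sum {} + | sort -k2 > "$out"
}

# check_baseline <baseline-file> : re-hash every path in the baseline and
# print the current line for each changed or missing file. Returns 1 if
# anything differs, 0 if the system still matches the baseline.
check_baseline() {
    current=$(mktemp)
    while read -r recorded path; do
        if [ -f "$path" ]; then
            sha256sum "$path"
        else
            printf 'MISSING  %s\n' "$path"   # deleted binaries show up too
        fi
    done < "$1" > "$current"
    # diff lines marked ">" are the entries that no longer match.
    changed=$(diff "$1" "$current" | grep '^>' | sed 's/^> //' || true)
    rm -f "$current"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Stand-alone demonstration on a constructed directory tree: take a
# baseline, tamper with the tree, then check it.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/sbin"
printf 'original ls\n'   > "$DEMO/bin/ls"
printf 'original ping\n' > "$DEMO/bin/ping"
printf 'original init\n' > "$DEMO/sbin/init"
make_baseline "$DEMO/baseline.sha256" "$DEMO/bin" "$DEMO/sbin"

printf 'trojaned ls\n' > "$DEMO/bin/ls"   # simulate a replaced binary
rm -f "$DEMO/bin/ping"                     # simulate a deleted binary
check_baseline "$DEMO/baseline.sha256" || echo "system differs from baseline"
```

On a real system, run make_baseline on /sbin /bin /usr/bin right after installation and keep the baseline file off the host, since an intruder who can replace ls can also edit a baseline stored locally.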

5.2 Check the integrity of system files with the tool AIDE

Checking the MD5 values of system files by hand is inefficient. AIDE can be used to check the integrity of system files instead; for how to use it, see its official documentation.

6. Check the network

On the network side, check whether the network card is in promiscuous mode and check the listening ports on the system, especially ports that belong to neither the system nor the business application.

6.1 Check the network card mode

# ip link | grep PROMISC

A normal NIC should not be in PROMISC (promiscuous) mode; if it is, a sniffer may be present, because a NIC in promiscuous mode receives all traffic passing through it.

6.2 Check the ports and files opened by malicious programs

# netstat -ntlup
# lsof -i :<port number>

7. Check the scheduled tasks of the system

The scheduled tasks of the system are another important aspect of illegal entry detection: some malicious programs use the system's scheduled tasks to run themselves periodically. By inspecting the scheduled tasks we can find important traces of an illegal entry.

# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*

Note:

Pay particular attention to the scheduled tasks of root and of any user whose UID is 0.

8. Check system services

8.1 CentOS 6

View the services started by the system:

# chkconfig --list

8.2 CentOS 7

This mainly checks the services started at boot. On CentOS 7 and later, systemd is used to manage the services. Systemd is a collection of system management daemons, tools and libraries that replaces the System V init process; its purpose is to centrally manage and configure UNIX-like systems.

View all available units:

# systemctl list-unit-files

9. Check for rootkits

9.1 Check with rkhunter

The messages output by rkhunter are an important means of judging whether the system has a rootkit; any result other than OK is the thing to focus on.

# rkhunter -c

Parameter description:

-c: check the local file system

9.2 Check with chkrootkit

# chkrootkit -q
