2025-01-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article introduces the methods for checking whether a Linux system has been compromised. Many people run into this problem in day-to-day operations, so the editor walks through how to handle it; read carefully and you should learn something useful.
This article collects methods for reviewing whether a Linux system has been compromised. They can be added to your routine operations checks.
1. Check the accounts
The code is as follows:
# less /etc/passwd
# grep :0: /etc/passwd (check whether new users have appeared, and look for users with UID and GID 0)
# ls -l /etc/passwd (check the file's modification date)
# awk -F: '$3 == 0 {print $1}' /etc/passwd (check whether privileged users exist)
# awk -F: 'length($2) == 0 {print $1}' /etc/shadow (check whether accounts with empty passwords exist)
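The two awk one-liners above, plus a duplicate-UID check, as an added example that is not part of the original article. The functions take a file path so they can be run against /etc/passwd and /etc/shadow on the host under review (reading /etc/shadow needs root) or, as here, against constructed sample files; the sample account names and hashes are made up.

```shell
#!/bin/sh
# Added example, not from the original article: the UID-0 and empty-password
# checks from section 1 wrapped in functions that take a file path, so they
# can run against /etc/passwd and /etc/shadow (or copies pulled from a host
# under review) as well as the constructed samples below.

# Accounts whose UID is 0. Anything other than root needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose password field is empty, i.e. login with no password at all.
# Locked accounts ("!" or "*") have a non-empty field and are not reported.
empty_password_accounts() {
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# UIDs shared by more than one account name. A second UID-0 entry under an
# innocuous name is the classic way to keep root without touching "root".
duplicate_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1" | sort -n
}

# Constructed sample data (not from a real system): the fourth passwd line is
# a second UID-0 account and "alice" has an empty shadow entry.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice::19000:0:99999:7:::
sysadm:!:19000:0:99999:7:::
EOF

echo "UID 0 accounts:";   uid0_accounts "$SAMPLE_PASSWD"
echo "Empty passwords:";  empty_password_accounts "$SAMPLE_SHADOW"
echo "Duplicate UIDs:";   duplicate_uids "$SAMPLE_PASSWD"
# On a live host: uid0_accounts /etc/passwd; empty_password_accounts /etc/shadow
```

The duplicate-UID check catches the case the plain grep misses: a UID-0 account whose line does not contain the exact string ":0:" in the position you expect, or that was appended with a name chosen to look like a system service.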
2. Check the logs
The code is as follows:
# last
(view the login history of all users who have logged in to this machine)
Look for "entered promiscuous mode" messages (a network interface switched into promiscuous mode, as a sniffer does).
Pay attention to error messages.
Look for log entries from remote procedure call (rpc) programs that contain a large number (more than 20) of strange characters such as -^PM-^PM; these are typical of overflow attempts against RPC services.
3. Check processes
The code is as follows:
# ps aux (look for processes running with UID 0)
# lsof -p <pid> (see the ports and files opened by a process)
# grep -v "^#" /etc/inetd.conf (check the daemons started by inetd)
Check for hidden processes (PIDs that appear in /proc but not in the ps output):
# ps -ef | awk 'NR > 1 {print $2}' | sort -n | uniq > 1
# ls /proc | grep -E '^[0-9]+$' | sort -n | uniq > 2
# diff 1 2
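The same ps-versus-/proc comparison as an added example (not code from the original article), written as a function over two PID lists so the logic can be checked on constructed input before it is pointed at a live machine. The PID values in the sample are made up; the --live switch is this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: the hidden-process comparison
# from section 3. The function takes two files, each one PID per line, and
# prints PIDs that appear in the second (what the kernel exposes in /proc)
# but not the first (what ps reports). A PID the kernel knows but ps hides
# is the signature of a rootkit hooking ps or the libraries it uses.
hidden_pids() {
    # $1: PIDs from ps; $2: PIDs from /proc. Lines of the first file are
    # remembered, then every line of the second not seen there is printed.
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2" | sort -n
}

# Collectors for a live host. "ps -e -o pid=" prints bare PIDs with no header;
# the grep keeps only the numeric entries of /proc (the rest are files such
# as /proc/cpuinfo, which would otherwise show up as noise in the diff).
collect_ps_pids()   { ps -e -o pid= | tr -d ' '; }
collect_proc_pids() { ls /proc | grep -E '^[0-9]+$'; }

# Processes start and exit between the two snapshots, so take them back to
# back and treat a PID that only shows up once as a candidate to re-check,
# not as proof of a rootkit.
check_live_host() {
    ps_list=$(mktemp); proc_list=$(mktemp)
    collect_ps_pids   > "$ps_list"
    collect_proc_pids > "$proc_list"
    hidden_pids "$ps_list" "$proc_list"
    rm -f "$ps_list" "$proc_list"
}

# Constructed sample (not from a real host): PID 4242 is present in /proc but
# absent from the ps output.
PS_LIST=$(mktemp); PROC_LIST=$(mktemp)
trap 'rm -f "$PS_LIST" "$PROC_LIST"' EXIT
printf '%s\n' 1 2 415 1023 1024 > "$PS_LIST"
printf '%s\n' 1 2 415 1023 1024 4242 > "$PROC_LIST"
echo "PIDs hidden from ps (sample):"
hidden_pids "$PS_LIST" "$PROC_LIST"

# Run with --live to compare the real ps output and /proc on this machine.
if [ "${1:-}" = "--live" ]; then check_live_host; fi
```

A kernel-level rootkit can also hide its entries from the /proc listing itself, so an empty result here rules out only the user-space variety; the rootkit scanners in section 11 cover the rest.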
4. Check files
The code is as follows:
# find / -uid 0 -perm -4000 -print
# find / -size +10000k -print
# find / -name "..." -print
# find / -name ".. " -print
# find / -name ". " -print
# find / -name " " -print
Look for SUID files, suspicious files larger than 10 MB, and files or directories whose names consist only of dots and spaces (intruders hide their directories under such names).
# find / -name core -exec ls -l {} \;
(check for core files on the system)
Check system file integrity:
# rpm -qf /bin/ls
# rpm -qf /bin/login
(shows which package owns the file; a system binary that belongs to no package is suspect)
# md5sum -b filename
# md5sum -t filename
5. Check RPM
The code is as follows:
# rpm -Va
Output format:
S – File size differs
M – Mode differs (permissions)
5 – MD5 sum differs
D – Device number mismatch
L – readLink path mismatch
U – user ownership differs
G – group ownership differs
T – modification time differs
Pay particular attention to files under /sbin, /bin, /usr/sbin and /usr/bin.
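A reader for saved rpm -Va output, as an added example that is not part of the original article. It decodes the attribute field listed above and reports only the changes that matter on a binary: size, checksum, mode or ownership, plus missing files. Beyond the article's four directories it also watches /lib and /lib64, since a replaced shared library affects every program that loads it. The sample lines are constructed, not output from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: a reader for saved output of
# `rpm -Va` (section 5). Modified config files (type "c") and documentation
# ("d") are expected and skipped; a changed size, checksum, mode or owner on
# a file under /bin, /sbin, /usr/bin or /usr/sbin (the article's list) or
# under /lib, /lib64 (added here) is reported, as is a missing file.
# Timestamp-only changes are ignored as noise.
suspicious_binaries() {
    awk '
        # Keep only verify lines: a 9-character attribute field or "missing".
        length($1) != 9 && $1 != "missing"            { next }
        $1 != "missing" && $1 !~ /^[SM5DLUGTP.]+$/    { next }
        {
            path = $NF
            if (path !~ "^/(usr/)?(s?bin|lib(64)?)/") next
            # With three fields the middle one is the file type (c, d, g, l, r).
            type = (NF == 3) ? $2 : ""
            if (type == "c" || type == "d") next
            if ($1 == "missing") { print path ": missing"; next }
            reason = ""
            if (index($1, "S")) reason = reason " size"
            if (index($1, "5")) reason = reason " checksum"
            if (index($1, "M")) reason = reason " mode"
            if (index($1, "U") || index($1, "G")) reason = reason " owner"
            if (reason != "") print path ":" reason
        }' "$1"
}

# Constructed sample in rpm -Va format (not output from a real host): a
# legitimately edited config file, a timestamp-only change, two altered
# binaries, a missing daemon and a modified libc.
SAMPLE_RPM_VA=$(mktemp)
trap 'rm -f "$SAMPLE_RPM_VA"' EXIT
cat > "$SAMPLE_RPM_VA" <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/gcc
S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
missing     /usr/sbin/rpcbind
..5......    /usr/lib64/libc.so.6
EOF

suspicious_binaries "$SAMPLE_RPM_VA"
# On a live host: rpm -Va > /tmp/rpm-verify.txt 2>/dev/null; suspicious_binaries /tmp/rpm-verify.txt
```

The rpm database and the rpm binary live on the same disk as the files being verified, so an intruder with root can alter both; when the result matters, run the comparison from trusted media or against package checksums obtained from a clean system.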
6. Check the network
The code is as follows:
# ip link | grep PROMISC (a normal NIC should not be in promiscuous mode; if it is, a sniffer may be running)
# lsof -i
# netstat -nap (look for TCP/UDP ports that should not be open)
# arp -a
7. Check scheduled tasks
The code is as follows:
Check the scheduled tasks of root and of any other account with UID 0:
# crontab -u root -l
# cat /etc/crontab
# ls /etc/cron.*
8. Check for backdoors
The code is as follows:
# cat /etc/crontab
# ls /var/spool/cron/
# cat /etc/rc.d/rc.local
# ls /etc/rc.d
# ls /etc/rc3.d
# find / -type f -perm -4000
9. Check kernel modules
The code is as follows:
# lsmod
10. Check system services
The code is as follows:
# chkconfig
# rpcinfo -p (see RPC service)
11. Check for rootkits
The code is as follows:
# rkhunter -c
# chkrootkit -q
That concludes "what are the methods to check whether Linux is invaded"; thank you for reading. If you want to learn more about industry-related knowledge, follow this website, where the editor will keep publishing practical articles.