2025-02-28 Update From: SLTechnology News&Howtos (Shulou), Servers
Shulou (Shulou.com) 06/02 Report
How do you check whether a CVM (cloud virtual machine) has been attacked? This article walks through that question in detail, in the hope of giving readers who face it a simple and practical approach.
How can you tell whether your server has been compromised? Taking Linux and Solaris as examples, here are some intrusion-detection methods for UNIX systems.
Check the system password file
Start with the obvious: look at the passwd file and note the date it was last modified. Check which privileged users it contains; every account with a uid of 0 on the CVM is a root-equivalent account, so each one should be accounted for.
Check to see if there are any strange processes
inetd is the UNIX super-server daemon, and the pid of a normally started inetd is relatively high. If the process list shows something like inetd -s /tmp/.xxx, focus on what follows inetd -s. On UNIX a process can also be hidden by replacing the ps binary itself, so this check also involves verifying the integrity of that file.
Check the system daemon
A typical intruder can create a backdoor by directly replacing one of the in.xxx programs, for example replacing in.telnetd with /bin/sh and then restarting the inetd service; after that, every user who telnets to the server gets a root shell without entering a username or password.
Check the system log
Under normal circumstances, the command last | more shows the login history of every user on this machine. The last command, however, depends on the syslog process, which has become an important target for intruders. An intruder will usually stop the system's syslog, so check the syslog process and determine whether the time it was last started is normal, since syslog runs as root. If syslog is found to have been illegally altered, that indicates a major intrusion.
Check the core file in the system
Attacking a service on the server by sending it abnormal requests is a conventional intrusion method, and a typical RPC attack works this way. The method has only a certain success rate, that is, it does not guarantee a successful intrusion, and it usually leaves core files in the service's directory on the server. Search the whole system for core files, and judge whether an intrusion has taken place from the directory in which each core was found and by examining the core file itself.
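The checks above, gathered into a few POSIX shell helpers as an added example (not code from the original article). Each function reads a file you point it at, so it runs against a saved copy of /etc/passwd or of ps -ef output as well as the constructed samples below; the sample paths and the baseline file are assumptions.

```shell
#!/bin/sh
# Triage helpers for the five checks described above. Sample data is
# constructed inline so the script runs offline; adjust paths for real use.

# Accounts with uid 0 in a passwd-format file; anything besides root is suspect.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Prints the passwd path if it is newer than a baseline file (for example a
# marker file written when the CVM was provisioned), i.e. it has been modified.
newer_than_baseline() {
    find "$1" -newer "$2" -print
}

# Lines of ps output where inetd was started with an argument under /tmp
# or inside a hidden directory, the "inetd -s /tmp/.xxx" pattern above.
suspicious_inetd() {
    grep -E '(^|[ /])inetd( |$)' "$1" | grep -E '(/tmp/|/\.[^/ ]+)' || true
}

# Succeeds only if a syslog daemon appears in the ps output at all.
syslog_running() {
    grep -qE '(^|[ /])(r?syslogd|syslog-ng)( |$)' "$1"
}

# Core files anywhere under a directory tree (run against / in practice).
find_core_files() {
    find "$1" -type f -name core -print
}

# --- constructed sample data (assumed layout under a temp dir) ---
SAMPLE=$(mktemp -d)
touch -t 202001010000 "$SAMPLE/baseline"          # old provisioning marker
printf 'root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\ntoor:x:0:0::/:/bin/sh\n' > "$SAMPLE/passwd"
printf 'root 1 0 13:00 ? 00:00:01 /sbin/init\nroot 2001 1 13:05 ? 00:00:00 inetd -s /tmp/.xxx\nroot 300 1 13:00 ? 00:00:00 inetd\n' > "$SAMPLE/ps.txt"
mkdir -p "$SAMPLE/var/www" && : > "$SAMPLE/var/www/core"

# Stand-alone run: print what each check finds on the sample data.
echo "uid 0 accounts:";      uid0_accounts "$SAMPLE/passwd"
echo "passwd newer than baseline:"; newer_than_baseline "$SAMPLE/passwd" "$SAMPLE/baseline"
echo "suspicious inetd:";    suspicious_inetd "$SAMPLE/ps.txt"
syslog_running "$SAMPLE/ps.txt" && echo "syslog running" || echo "syslog NOT running"
echo "core files:";          find_core_files "$SAMPLE"
```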
That concludes this look at how to check whether a CVM has been attacked. I hope the above is of some help; if you still have questions, follow the industry information channel for more related material.